Okay. So question for #linux or #security folks.
I want to set up a #nixbook (#nixos) computer set up as a public access computer.
I know how to harden the OS to avoid tampering. But how can I filter content? I'm already getting questions like, how can we prevent people from looking up inappropriate things?
How would you do it?
-
@codemonkeymike
A local docker with pihole as the DNS (filters could be controlled from a git repo, haven’t tried this)
-
@codemonkeymike There are certain aspects you can look into like DNS filtering and blacklisting.
However, after some decades in IT I can tell you that it is virtually impossible to prevent all conceivable misuse.
If you have a browser that is not in a *whitelist* mode, they will access stuff.
Just as an example, for cases like these, I have a VPN machine with a dedicated IP somewhere* I can ask to reverse-proxy stuff for me.
* Not gonna tell you

-
@codemonkeymike You may use the /etc/hosts file if you're wanting to block sites from the device itself, problem being you'd most likely have to manually maintain it / add it as a NixOS package and then have to auto update your hosts.
-
@codemonkeymike Depends on how technical you are, I would just filter that shit at the layer 3 so a router. Or at layer 7 application and use a firewall tool. Or set up #opnsense or #pf
-
@codemonkeymike Could use a separate pi-hole as a DNS server and filter using that. All DNS lookups would go through it. And you can put strict filters there, it's a separate piece of equipment the user has 0 access to. My 2 cents.
-
What does public access computer mean?
Webserver, or do they access over ssh?
ufw and fail2ban maybe?
-
@codemonkeymike
Remember to lock down browsers and apps to only use port 53 for dns. And no access to browser configs.
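
Added example, not part of any reply above: a NixOS configuration fragment combining the suggestions in this thread (a separate filtering resolver, DNS pinned to it by the host firewall, a local hosts block, and a locked browser in whitelist mode). It assumes Firefox is the kiosk browser and that the firewall uses the default iptables backend; the resolver address and all domains are placeholders.

```nix
{ config, lib, pkgs, ... }:
let
  # Placeholder: address of the separate Pi-hole / filtering resolver.
  filterDns = "192.0.2.53";
in
{
  # Point the system at the filtering resolver.
  networking.nameservers = [ filterDns ];

  # Local fallback block list (placeholder domain); this is the /etc/hosts
  # approach, and it has to be maintained by hand or generated.
  networking.extraHosts = ''
    0.0.0.0 blocked.example
  '';

  # Fail closed: plain DNS (53) to anything except the filter is rejected,
  # and DNS-over-TLS (853) is rejected outright. Loopback is exempt so a
  # local stub resolver keeps working. Each rule is deleted before it is
  # added so that firewall reloads do not stack duplicates.
  networking.firewall.enable = true;
  networking.firewall.extraCommands = ''
    for proto in udp tcp; do
      iptables -D OUTPUT ! -o lo -p $proto --dport 53 ! -d ${filterDns} -j REJECT 2>/dev/null || true
      iptables -A OUTPUT ! -o lo -p $proto --dport 53 ! -d ${filterDns} -j REJECT
    done
    iptables -D OUTPUT -p tcp --dport 853 -j REJECT 2>/dev/null || true
    iptables -A OUTPUT -p tcp --dport 853 -j REJECT
    # No IPv6 carve-out here: all IPv6 DNS is rejected.
    ip6tables -D OUTPUT ! -o lo -p udp --dport 53 -j REJECT 2>/dev/null || true
    ip6tables -A OUTPUT ! -o lo -p udp --dport 53 -j REJECT
  '';

  # DNS-over-HTTPS rides on port 443, so it is switched off in the browser
  # instead, and the settings that could turn it back on are locked.
  programs.firefox = {
    enable = true;
    policies = {
      DNSOverHTTPS = { Enabled = false; Locked = true; };
      BlockAboutConfig = true;
      DisableDeveloperTools = true;
      # Whitelist mode: block everything, then allow listed sites only.
      WebsiteFilter = {
        Block = [ "<all_urls>" ];
        Exceptions = [ "https://*.example.org/*" ];  # placeholder allow list
      };
    };
  };
}
```

The host rules only cover this machine; filtering at the router, as suggested above, still applies to anything else plugged into the same network.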