LinuxQuestions.org
Old 11-09-2009, 08:37 AM   #1
athreyavc
Member
 
Registered: May 2004
Location: bangalore
Distribution: Cent OS, Ubuntu
Posts: 105

Rep: Reputation: 15
Linux Desktop with Citrix Client


Hi All,

We are planning to deploy Linux on all the desktops in our organization with the Citrix client.

We are able to install the Citrix client and connect to the remote server too.

But my queries are as below:

If we deploy a Linux desktop, what is the best distribution I should look for? It should be free (I have done the testing on Fedora Core 11 and it runs smoothly).

How much customization should I do? Ideally the users must only use Firefox, nothing else. They connect to Citrix servers and work there.

If anyone has done a large deployment of Linux desktops, please help me.

I understand this question is generic, but I will take motivation from your replies.

Regards,

Athreya
 
Old 11-09-2009, 06:23 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
It doesn't really matter that much as long as you use a current distro. In regard to locking down the desktop, you could go with KDE in kiosk mode; there's an admin GUI available here as well:

http://extragear.kde.org/apps/kiosktool/

cheers
 
Old 11-20-2009, 05:24 AM   #3
athreyavc
Member
 
Registered: May 2004
Location: bangalore
Distribution: Cent OS, Ubuntu
Posts: 105

Original Poster
Rep: Reputation: 15
Hi,

Thanks for the reply.

I have completed the Citrix 9.0 client with the Fedora client. It works well.

Also, I have OpenOffice, which I am using as a substitute, basically if there is a need to work from the local machine sometimes.

I have also tested the working of Ekiga; it is connecting to the Asterisk server and talking to X-Lite extensions on the Windows machines.

Overall it seems a nice setup.

The boot time observed with Fedora 11 is 50 seconds.

Are the OS, OpenOffice and Ekiga all free for me?

I am using Fedora 11.

And what security considerations may I need to take? As of now, I have disabled telnet and SSH.

Regards,

Athreya
 
Old 11-20-2009, 06:42 AM   #4
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
They are all open source... lockdown may take a little practice/trial and error; I suggest you build a test host specifically for this. Let me know once you have a test machine and I'll provide some of the hardening from the kickstart scripts that I use. You will need to test very thoroughly after locking down to ensure that everything works as expected.

cheers
 
Old 11-23-2009, 12:47 AM   #5
athreyavc
Member
 
Registered: May 2004
Location: bangalore
Distribution: Cent OS, Ubuntu
Posts: 105

Original Poster
Rep: Reputation: 15
Hi,

Thanks for the reply.

The locking happens with Fedora 11 by default. I am using GNOME. And as we are connecting to Citrix servers (Windows servers we will access from Citrix), I feel no need to lock the local machine.

The local machine is not in any domain; instead it will only receive IPs and we connect to the Citrix servers. So, even if a local machine is unlocked, nothing much is lost as far as data and security are concerned.

What I am now concerned about is reducing the boot time and hardening the system. I have not really gone into the internals of the system yet,

But please help me with the hardening.

Thanks again for your support; it gives me a lot of motivation to go further.

Regards,

Athreya
 
Old 11-23-2009, 06:19 PM   #6
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,289

Rep: Reputation: 2034
I'd like to point out that Fedora is Red Hat's R&D distro, with a new version every 13 months and only the current and previous versions supported. It's a bit bleeding edge.
For long term support/stability (especially for a business environment) try CentOS (free version of RHEL).
Quote:
The seven year life cycle for a major release of Red Hat Enterprise Linux is divided into three phases.
http://www.redhat.com/security/updates/errata/

Admin manual: http://www.linuxtopia.org/online_boo...ion/index.html
 
Old 11-23-2009, 07:42 PM   #7
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
Hardening stuff:

Code:
# openssh: sshd uses the FIRST uncommented value it finds for each keyword, so
# drop any existing settings for these keywords before appending ours, or the
# stock values (e.g. "X11Forwarding yes") silently win. Keywords are
# case-insensitive, hence the I flag on the sed address.
for KEY in Protocol ClientAliveInterval ClientAliveCountMax IgnoreRhosts \
           HostbasedAuthentication PermitRootLogin PermitEmptyPasswords \
           X11Forwarding Banner
do
    sed -i "/^${KEY}[[:space:]]/Id" /etc/ssh/sshd_config
done
cat << EOF >> /etc/ssh/sshd_config
Protocol 2
ClientAliveInterval 600
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
Banner /etc/issue.net
EOF

# Set SELinux mode
perl -pi -e 's/^SELINUX=.*$/SELINUX=permissive/' /etc/selinux/config

# Configure mlocate to act like slocate - users will not be able to locate files
# they don't have permissions to see
perl -pi -e 's?^/usr/bin/updatedb.*?/usr/bin/updatedb -l 1 -f "\$nodevs"?' /etc/cron.daily/mlocate.cron

# Configure tcp wrappers host access to a mostly closed access policy.
cat <<EOF >> /etc/hosts.allow
ALL:localhost
sshd:ALL
EOF
# Quoted heredoc so $(date) lands in hosts.deny literally; tcpd hands the spawn
# command to /bin/sh, which expands it when a connection is refused
cat <<'EOF' >> /etc/hosts.deny
ALL: ALL: spawn echo $(date) denied %d
EOF

# Setup password policy (anchored so the explanatory comment lines in
# login.defs that mention the same keywords are left alone).
perl -pi -e 's/^PASS_MAX_DAYS.*$/PASS_MAX_DAYS 90/' /etc/login.defs
perl -pi -e 's/^PASS_MIN_DAYS.*$/PASS_MIN_DAYS 7/' /etc/login.defs
perl -pi -e 's/^PASS_WARN_AGE.*$/PASS_WARN_AGE 28/' /etc/login.defs
perl -pi -e 's/^PASS_MIN_LEN.*$/PASS_MIN_LEN 6/' /etc/login.defs

# Disable core dumps and increase open files
cat << EOF >> /etc/security/limits.conf
* - core 0
* - nofile 8192
EOF

# Set daemon umask
cat << EOF >> /etc/sysconfig/init
umask 027
EOF

# Disable interactive boot
perl -pi -e 's/^PROMPT=yes/PROMPT=no/' /etc/sysconfig/init

# sysctl -p applies the file in order, so appending here overrides earlier lines
cat << EOF >> /etc/sysctl.conf
fs.suid_dumpable = 0
kernel.exec-shield = 1
# 1 randomises stack, mmap and VDSO placement; 2 additionally randomises the heap (brk)
kernel.randomize_va_space = 1
EOF

# Restrict root login to console
cat << EOF > /etc/securetty
console
tty1
tty2
tty3
tty4
tty5
tty6
EOF

# Limit su to root access to members of wheel
sed -i 's/^#\(auth.*req.*wheel.*$\)/\1/' /etc/pam.d/su

cat << EOF >> /etc/sudoers
%wheel  ALL=(ALL)       ALL
EOF

# Block shell and login access for non-root system accts
for NAME in $(cut -d: -f1 /etc/passwd)
do
  if [ "$(id -u $NAME)" -lt 500 -a "$NAME" != 'root' ]
  then
    usermod -L $NAME
    usermod -s /sbin/nologin $NAME
  fi
done

# Lock accts with empty passwords
for NAME in $(awk -F: '($2 == "") {print $1}' /etc/shadow)
do
    usermod -L $NAME
done

# Set users umask
cat << EOF >> /etc/profile
umask 077
EOF

# Replace every default umask (002/022) in the system-wide shell rc files by
# pattern rather than by line number, so a vendor edit cannot move it from under us
perl -pi -e 's/^(\s*umask)\s+0[02]2\b/$1 077/' /etc/bashrc /etc/csh.cshrc

perl -pi -e 's/^UMASK.*/UMASK   077/g' /etc/login.defs

# Set roots umask
for FILE in /root/.bashrc /root/.bash_profile /root/.cshrc /root/.tcshrc
do
    echo "umask 077" >> $FILE
done

# Require password for single user
cat << EOF >> /etc/inittab

# Require password for single user
~~:S:wait:/sbin/sulogin
EOF

#-------------------------------------------------------------------------------
# Network hardening:: Non-firewall/gateway system
#-------------------------------------------------------------------------------
cat << EOF >> /etc/sysctl.conf

# Additional hardening as per NSA RHEL5 guide
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.conf.all.rp_filter = 1
EOF

# Harden permissions on cron dirs
chmod -R go-rwx /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly

cat << EOF > /etc/cron.allow
root
EOF

echo root > /etc/at.allow
chmod 400 /etc/{cron,at}.allow
chmod 400 /etc/crontab

rm -f /etc/cron.deny /etc/at.deny

cat << EOF > /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1059:101844]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
enjoy,

kbp
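Added example (not from kbp's post or his kickstart scripts): a small POSIX sh audit helper that checks whether a hardening run like the one above actually took effect. It reports the effective value of each setting instead of grepping for the appended line, because the files resolve duplicates differently: sshd takes the first uncommented value of a keyword, so a stock "X11Forwarding yes" sitting above an appended "X11Forwarding no" leaves X11 forwarding on, while sysctl -p applies lines in order so the last value wins. The two sample trees it audits are constructed inside the script (hypothetical content, not a real system); pass a real root such as / to audit to check a host. The function names sshd_value, sysctl_value, mode_is, audit and make_sample_tree are my own.

```shell
#!/bin/sh
# Audit helper for a host built with a hardening script like kbp's above.
# Added example; not part of the original post or any kickstart script.
# Effective-value rules modelled here:
#   - sshd_config: FIRST uncommented value of a keyword wins (Match blocks not modelled)
#   - sysctl.conf: sysctl -p applies lines in order, so the LAST value wins

# Effective sshd_config value: first uncommented occurrence of the keyword
# (OpenSSH keywords are case-insensitive).
sshd_value() {          # $1 = sshd_config path, $2 = keyword
    k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$k" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k           { print $2; exit }' "$1"
}

# Effective sysctl.conf value: last uncommented "key = value" line wins.
sysctl_value() {        # $1 = sysctl.conf path, $2 = key
    awk -F'=' -v k="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { key = $1; gsub(/[[:space:]]/, "", key)
          if (key == k) { v = $2; gsub(/[[:space:]]/, "", v) } }
        END { print v }' "$1"
}

# True when the file's permission bits exactly match the given octal mode.
mode_is() {             # $1 = path, $2 = octal mode, e.g. 400
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# Check a tree rooted at $1 (empty prefix = the running system). Prints one
# FAIL line per problem and returns 0 only when every check passes.
audit() {
    root=${1:-}
    fails=0
    for pair in Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no X11Forwarding=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$root/etc/ssh/sshd_config" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL sshd_config $key: effective '${got:-<unset>}', want '$want'"
            fails=$((fails + 1))
        fi
    done
    for pair in fs.suid_dumpable=0 net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.rp_filter=1; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sysctl_value "$root/etc/sysctl.conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL sysctl.conf $key: effective '${got:-<unset>}', want '$want'"
            fails=$((fails + 1))
        fi
    done
    for f in "$root/etc/cron.allow" "$root/etc/at.allow"; do
        if ! mode_is "$f" 400; then
            echo "FAIL $f: mode is not 0400"
            fails=$((fails + 1))
        fi
    done
    echo "$fails check(s) failed under '${root:-/}'"
    [ "$fails" -eq 0 ]
}

# Constructed sample trees (hypothetical content, not copied from any system).
#   "appended": stock files with the hardening blocks simply appended, as a
#               plain cat >> would do, and world-readable allow files
#   "fixed":    the conflicting stock sshd line removed first, allow files 0400
make_sample_tree() {    # $1 = appended | fixed; prints the tree's path
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh"
    printf 'Protocol 2\n#PermitRootLogin yes\n' > "$d/etc/ssh/sshd_config"
    printf '# stock sysctl.conf\nfs.suid_dumpable = 1\n' > "$d/etc/sysctl.conf"
    if [ "$1" = appended ]; then
        echo 'X11Forwarding yes' >> "$d/etc/ssh/sshd_config"
    fi
    # the hardening blocks, appended in both cases
    printf 'PermitRootLogin no\nPermitEmptyPasswords no\nX11Forwarding no\n' \
        >> "$d/etc/ssh/sshd_config"
    printf 'fs.suid_dumpable = 0\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.rp_filter = 1\n' \
        >> "$d/etc/sysctl.conf"
    echo root > "$d/etc/cron.allow"
    echo root > "$d/etc/at.allow"
    if [ "$1" = appended ]; then
        chmod 644 "$d/etc/cron.allow" "$d/etc/at.allow"
    else
        chmod 400 "$d/etc/cron.allow" "$d/etc/at.allow"
    fi
    echo "$d"
}

# Demo: the naive append fails on X11Forwarding and the allow-file modes but
# passes the sysctl checks (last value wins there); the fixed tree passes all.
for state in appended fixed; do
    tree=$(make_sample_tree "$state")
    echo "== sample tree: $state =="
    if audit "$tree"; then echo "PASS"; fi
    rm -rf "$tree"
done
```

Run it once before and once after the hardening script and compare; a clean audit on the test host kbp recommends is a better sign than the script merely having exited 0, since every cat >> in it succeeds whether or not the setting ends up in force.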
 
Old 11-25-2009, 02:47 PM   #8
oasys
LQ Newbie
 
Registered: Nov 2009
Posts: 2

Rep: Reputation: 0
athreyavc
Our company is going down the same path as you. Any chance that we can compare notes? One of the problems that I'm having is with Citrix understanding the many different USB drives that might be put in the host machine.

thanks
 