If an attacker has physical access to your system, you lose. That's why
data centers and computer rooms in large companies have keycard access,
locked racks, and video monitoring.
The best defenses against someone with physical access are a BIOS
password, which will at least force them to shut down and open up the
computer to move the jumper around to reset it, or an encrypted
filesystem. However, both of those prevent an unattended remote reboot,
which makes them unsuited for some applications, and the overhead for an
encrypted filesystem may make it unsuitable for BackupPC pool storage.
Bowie
On 7/28/2016 10:59 AM, lanceh1412-busin...@yahoo.co.uk wrote:
It is quite easy to reset your user password in Ubuntu if you have
physical access to the machine. See
https://help.ubuntu.com/community/LostPassword. This is why I wanted
to encrypt the ssh keys. That way if someone resets the password they
can't access the keys.
On Thursday, 28 July 2016, 14:23, Bowie Bailey <bowie_bai...@buc.com>
wrote:
"if someone had physical access to backuppc server they could easily
logon as backuppc user by resetting the password"
How would that work? Unless you leave the backuppc user logged in,
they would still need to either know the password or use some sort of
hack to get access before being able to reset the password (such as
rebooting with a live cd and accessing the OS partition directly).
Always protect physical access to important computers. If someone has
physical access to your server, all bets are off. Also, if a user
account has passwordless ssh keys giving root access to any of your
systems, then you should make sure that the account has a strong
password (at the least), or that the ssh keys that give access do
require (strong) passwords.
Bowie
On 7/28/2016 9:01 AM, lanceh1412-busin...@yahoo.co.uk wrote:
I hadn't really thought about the danger from a restore. I guess that
would require quite a bit of technical knowledge of backuppc to
engineer an attack on a server? It would require significantly less
knowledge to steal the ssh keys on an unencrypted server and then
have root access.
On Thursday, 28 July 2016, 13:11, Carl Wilhelm Soderstrom
<chr...@real-time.com> wrote:
On 07/28 10:53 , lanceh1412-busin...@yahoo.co.uk wrote:
> Just trying to harden security. My concern is if someone had
> physical access to backuppc server they could easily logon as
> backuppc user by resetting the password and therefore gain access to
> the ssh keys. Now I see it is possible to put the ssh keys in
> an encrypted private directory (See EncryptedPrivateDirectory -
> Community Help Wiki). This would mean that even if someone could
> reset the password and logon as backuppc they wouldn't have access to
> the keys.
> Has anyone done this or would recommend this way or got any other
> suggestions?
My logic for my setup is:
if someone has access to the BackupPC server, they have all the data on all
the computers being backed up. At that point, the risk is whether they could
modify data on the live server.
To avoid that risk, I don't allow the BackupPC server write access to the
machines being backed up, only read access. The restores aren't really much
more inconvenient (I tend to use tar+netcat for restores on Linux boxen, and
zipfile downloads on Windows boxen), and I feel like I have more confidence
that I'm not going to accidentally clobber the wrong data.
--
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com
------------------------------------------------------------------------------
_______________________________________________
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/