Robert K Coffman Jr - Info From Data Corporation wrote:
To disable the compact flash after boot - you rmmod the modules needed to mount the flash and rm them from the filesystem. (The modules are still on the CF /boot/lib/modules directory so a reboot will work). To make a backup, I scp the modules over the net, and run a script to reinstall them. This is a fairly good write protect, since the hacker would have to bring the correct versions of the modules with him and know the proper load order to access the boot media. A compact flash uses a lot less energy than a hard drive - especially since it is only needed for loading and backup. I write protect mine with software after boot up.
Very true. No router should have a running HD in it. However with hdsupp you can spin the HD down after boot. I use the following script to accomplish this which I believe has been posted here before:
#! /bin/sh
# Script to spin down hard drive
# /etc/init.d/spindown
RCDLINKS="2,S98"
# Spin it down then.
/usr/sbin/hdparm -y /dev/hda
exit 0
As far as securing this, I don't know that you can disable a HD until the next boot, so the flash drive has an advantage there. (Although if someone has gotten that far, couldn't they circumvent your write protection?) When running backups, or mounting /dev/hda1, it spins back up on its own. Remember to run this script when you are done backing up etc...
- Bob Coffman
I made cfprotec.lrp written for uClibc LEAF.
*****
#! /bin/ash
# by Victor McAllister
# rm-ide
# This script removes modules for
# access to the CF ide disk
echo

MODULES="ide-disk ide-detect ide-core"
BOOTDIR="/boot/lib/modules"
LIBDIR="/lib/modules"

for MODULE in ${MODULES}
do
rmmod ${MODULE}
rm ${BOOTDIR}/${MODULE}.o
rm ${LIBDIR}/${MODULE}.o
done
echo
echo "The modules needed for IDE access are not plugged into"
echo "the kernel or located in the TWO modules directories."
echo
echo "The Compact Flash is NOT accessible."
*****
#! /bin/sh
# by Victor McAllister
# load-ide
echo "This script installs ide modules to access Compact Flash"
echo "First copy the files ide-core.o ide-detect.o ide-disk.o"
echo "using SCP to the /lib/modules directory."
echo

MODULES="ide-core ide-detect ide-disk"

for MODULE in ${MODULES}
do
insmod ${MODULE}
done

if (lsmod | grep ide-)
then
echo
echo "Mount the CF possibly using: mount -t msdos /dev/hda1 /mnt"
echo
echo "DO NOT BACKUP INITRD or BACKUP EVERYTHING because the IDE"
echo "modules are not in /boot/lib/modules in the RAM filesystem."
else
echo
echo "IDE modules not loaded - CF drive not accessible."
echo "Did you forget to SCP the files to /lib/modules?"
fi
*****
My cfprotec.lrp simply loads these two files to /usr/sbin and does not run them. I run them manually as needed.
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
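
A check for the state the rm-ide script above is meant to leave the router in, added here as an example and not part of cfprotec.lrp or either poster's code. The function name cf_protect_audit and its arguments are hypothetical; the module list and the two directories are the ones from rm-ide, and the module list file is assumed to be in /proc/modules format.

```shell
#!/bin/sh
# Added example: audit the Compact Flash "software write protect".
# Reports any IDE module that is still loaded or still present on the
# RAM filesystem, i.e. anything that would let the CF be mounted again
# without first copying modules onto the box.

MODULES="ide-disk ide-detect ide-core"   # same list as rm-ide

# cf_protect_audit [MODLIST [DIR...]]
#   MODLIST  file in /proc/modules format (default: /proc/modules)
#   DIR...   module directories (default: the two used by rm-ide)
# Prints one finding per line. Returns 0 if nothing was found,
# 1 if the protection is not in effect, 2 if MODLIST is unreadable.
cf_protect_audit() {
    modlist="${1:-/proc/modules}"
    if [ $# -gt 0 ]; then shift; fi
    if [ $# -eq 0 ]; then set -- /boot/lib/modules /lib/modules; fi

    if [ ! -r "$modlist" ]; then
        echo "ERROR   cannot read $modlist"
        return 2
    fi

    rc=0
    for m in $MODULES; do
        # 2.4 kernels list "ide-disk"; later kernels list "ide_disk".
        u=$(echo "$m" | sed 's/-/_/g')
        if awk -v a="$m" -v b="$u" \
               '$1 == a || $1 == b { f = 1 } END { exit !f }' "$modlist"
        then
            echo "LOADED  $m"
            rc=1
        fi
        # A leftover object file lets anyone with a shell insmod it.
        for d in "$@"; do
            for f in "$d/$m.o" "$d/$m.ko"; do
                if [ -e "$f" ]; then
                    echo "ONDISK  $f"
                    rc=1
                fi
            done
        done
    done
    return $rc
}
```

Called with no arguments on the router it checks the live system; running it from cron or after every backup catches the case where load-ide was run and rm-ide was not run afterwards.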