On Mon, 26 Mar 2001, Wolfgang Pfeiffer wrote:

> Message from Mikkel L. Ellertson on Mon, 26 Mar 2001, 12:14 <-0600>:
>
> > On Mon, 26 Mar 2001, Wolfgang Pfeiffer wrote:
> >
> > > Just read the thread on how to create a new password for root (entering
> > > single user mode, writing "linux single" at the lilo prompt then typing
> > > "passwd" etc. ...
> > >
> > > How can I prevent this, because this possibility (as convenient as it may be
> > > for a poor admin having lost his password) basically leaves my system
> > > vulnerable to every creep knowing the trick, too ...
> > >
> > > Please tell me someone I'm wrong ...
> > >
> > > Regards.
> > > Wolfgang.
> > >
> > >
> > You are basically at the mercy of anyone that can get at the physical
> > console.  There are ways you can protect yourself to some extent.
> >
> > Password protect LILO - for each boot label, or to enter options
> >                     at the LILO prompt.
> > Disable booting from anything except the hard drive.
> > Do not have DOS or Windows on the machine.  (Loadlin lets me boot what I
> >                     want and get full access.)
> > Set BIOS passwords for setup, and booting.
>
> .. that's what I did, but I have just studied my motherboard manual:
> AFAIUI anybody having access to the CMOS pins there simply can jumper away
> my passwd for booting (because one of the jumper settings there says:
> 'Clear CMOS data' (thanks, Bret ...) ... long live progress, or so ....
> :-/
>
> Regards.
> Wolfgang
>
> > Lock the case of the machine.
> > Lock the machine to an immovable object.
> > Restrict physical access to the machine.
> >
> > Basically, if someone can get at the machine itself, knows what they are
> > doing, and has enough time, they will get in.
> >
> > Know your cleaning staff, and any maintenance workers that work when the
> > building is otherwise deserted.  I have lost count of the offices,
> > banks, and computer rooms I have had unrestricted access to just because
> > I was an electrician doing work after hours.  It is a good thing I am
> > honest - imagine what I could do with a BBC CD in my pocket...
> >
> > Mikkel
> >
The list is not a pick one of the methods list.  It is a list of some of
the steps necessary to secure a machine.  How many steps you take depends
on your assessment of the risks.  That is why I said:

"Basically, if someone can get at the machine itself, knows what they are
doing, and has enough time, they will get in."

And restricting access means 24 hours/day, 7 days/week security.  I do
not know why, but a lot of companies are only worried about access to
machines during the work day.  They have great physical security from 9
to 5, but do not give a thought to what goes on after the office staff
goes home.  I guess they don't figure the cleaning people, or the guy
changing lamps in the light fixtures knows anything about computers.

Now, when it comes to network security, you would think companies would
restrict access to the patch panels in the data closets.  You do not want
to know how many times I have been alone in a data closet with a laptop
and an Omni-tester checking new data runs.  I spent days terminating and
testing cat 5 cables for an accounting firm, and the routers in the
racks were live.  It would not have taken any work to put a sniffer on
the net.

So, when you start thinking security, think about the people that have
access after hours, as well as during the day...

Mikkel
-- 

    Do not meddle in the affairs of dragons,
 for you are crunchy and taste good with ketchup.



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
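
Added example, not part of the original thread: the "Password protect LILO" step above maps to the password and restricted keywords in lilo.conf, and this Python sketch reports how each boot entry ends up protected. The sample config and the function names are constructed for illustration; the file mode check is there because lilo.conf stores the password in cleartext.

```python
import stat

# Constructed sample lilo.conf (illustration only, not from the thread).
SAMPLE = """\
boot=/dev/hda
prompt
image=/boot/vmlinuz
    label=linux
    password=EXAMPLE-ONLY
    restricted      # ask only when options such as "single" are typed
image=/boot/vmlinuz.old
    label=rescue
    password=EXAMPLE-ONLY
other=/dev/hda1
    label=dos       # no password: anyone at the console can boot it
"""

def audit(text):
    """Map each boot label to 'open', 'options-only' or 'always'."""
    glob = {"password": False, "restricted": False}
    entries, cur = [], glob
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        key = key.lower()
        if key in ("image", "other"):          # start of a per-entry section
            cur = {"label": value, "password": False, "restricted": False}
            entries.append(cur)
        elif key == "label":
            cur["label"] = value
        elif key == "password":
            cur["password"] = bool(value)
        elif key == "restricted":
            cur["restricted"] = True
    result = {}
    for e in entries:                          # global settings are inherited
        if not (e["password"] or glob["password"]):
            result[e["label"]] = "open"
        elif e["restricted"] or glob["restricted"]:
            result[e["label"]] = "options-only"
        else:
            result[e["label"]] = "always"
    return result

def readable_by_others(mode):
    """True if group or other can read the file holding the cleartext password."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An entry reported as "open" boots without any prompt, and "options-only" is the setting that stops "linux single" being typed at the LILO prompt without the password.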
