From owner-freebsd-security Wed Feb 6 7:48:35 2002
Date: Thu, 7 Feb 2002 02:48:04 +1100
From: Greg Lane
To: Weldon S Godfrey 3
Cc: Brett Glass, Victor Grey, freebsd-security@FreeBSD.ORG
Subject: Re: Is this evidence of a break-in attempt?
Message-ID: <20020207024804.A28463@nucl03.anu.edu.au>
Reply-To: gregory.lane@anu.edu.au
References: <4.3.2.7.2.20020205125336.02758450@localhost>
In-Reply-To: ; from weldon@excelsus.com on Wed, Feb 06, 2002 at 08:19:15AM -0500

> I recommend that any box placed into a colo or a location that the
> security isn't under your direct control to mark your console as
> "insecure" in /etc/ttys so that root password will be asked when someone
> boots into single user mode.
>
> Weldon

It will slow someone down, but as you no doubt know, if a box is
not under your direct control and someone has a clue then that doesn't
help much. All it takes is the fixit floppy. Mount / and /usr, edit
the passwd file, pwd_mkdb, instant root. We've had to do this
to an embarrassingly large number of boxes where we've forgotten
the root passwords.

BIOS passwords, disabled floppy drives and other tricks might slow you
down, but in the end, physical access to the box and the game is
pretty much already over...

Greg
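
A way to audit the /etc/ttys console setting recommended in the quoted text, as an added example that is not part of the original message. The function names and the sample ttys lines are constructed for illustration; the script only reads the file and reports which flag the console line carries.

```shell
#!/bin/sh
# Added example: report how the "console" entry in a ttys(5) file is flagged.

# console_status FILE -> prints insecure | secure | unflagged | missing
console_status() {
    awk '
        { sub(/#.*/, "") }              # drop comments (fields are re-split)
        $1 != "console" { next }        # only the console entry matters here
        {
            found = 1
            status = "unflagged"
            # Everything after the name is getty, type and status flags.
            for (i = 2; i <= NF; i++) {
                if ($i == "insecure") status = "insecure"
                else if ($i == "secure" && status != "insecure") status = "secure"
            }
            print status
            exit
        }
        END { if (!found) print "missing" }
    ' "${1:-/etc/ttys}"
}

# audit_console FILE -> returns 0 only when the console is marked insecure
audit_console() {
    case "$(console_status "$1")" in
        insecure)
            echo "OK: console is insecure; single-user boot asks for the root password"
            return 0 ;;
        secure)
            echo "WARN: console is secure; single-user boot does not ask for a password"
            return 1 ;;
        unflagged)
            echo "NOTE: console line has no secure/insecure flag; check ttys(5)"
            return 1 ;;
        *)
            echo "NOTE: no console entry found"
            return 1 ;;
    esac
}

# Constructed sample input so the example runs on any machine.
sample=$(mktemp)
printf '%s\n' '# constructed sample ttys file' \
    'console none                         unknown off secure' \
    'ttyv0   "/usr/libexec/getty Pc"      xterm   on  secure' > "$sample"
audit_console "$sample"
rm -f "$sample"
```

A passing audit covers only the single-user boot path; as the reply above says, it does nothing against someone who can boot the machine from other media.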