Date: Wed, 6 Feb 2002 11:12:02 -0500 (EST)
From: Weldon S Godfrey 3
To: Greg Lane
Cc: Brett Glass, Victor Grey
Subject: Re: Is this evidence of a break-in attempt?
Sender: owner-freebsd-security@FreeBSD.ORG

But isn't slowing down the name of the game? If someone is good enough
and they want to break in bad enough, they are going to get in. Nothing
replaces consistent security monitoring and investigation. The more hoops
you put up, the greater the likelihood you will be able to catch it, stop
it before it goes too far, or discourage them, and/or circumvent the less
knowledgeable (which accounts for more attempts than the knowledgeable).

It is the same as your car and house. If a thief is bold enough, no matter
how many alarms you have, that won't stop them.
It doesn't mean you should give up and leave keys in the ignition :)

If memory serves me right, sometime around Tomorrow, Greg Lane told me:

> > I recommend that any box placed into a colo or a location that the
> > security isn't under your direct control to mark your console as
> > "insecure" in /etc/ttys so that root password will be asked when someone
> > boots into single user mode.
> >
> > Weldon
>
> It will slow someone down, but as you no doubt know, if a box is not under
> your direct control and someone has a clue then that doesn't help much. All
> it takes is the fixit floppy. Mount / and /usr, edit the passwd file,
> pwd_mkdb, instant root.
>
> We've had to do this to an embarrassingly large number of boxes where
> we've forgotten the root passwords.
>
> Bios passwords, disabled floppy drives and other tricks might slow you
> down, but in the end, physical access to the box and the game is
> pretty much already over...
>
> Greg
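
An added example, not part of the original message or of FreeBSD itself: a small audit function that reports whether the console entry of a ttys file carries the "insecure" marking recommended in the thread. The function name console_status and the sample file contents are constructed for illustration, and treating an entry with neither flag as insecure is an assumption.

```sh
#!/bin/sh
# Added example (not from the original thread): report how the "console"
# entry of a FreeBSD-style ttys file is flagged.
# Prints: insecure (root password asked in single-user mode), secure, or missing.
console_status() {
    awk '
        {
            sub(/#.*/, "")                 # strip comments
            if ($1 != "console") next
            found = 1
            status = "insecure"            # assumption: no flag means not secure
            for (i = 2; i <= NF; i++) {    # the later flag wins
                if ($i == "secure")   status = "secure"
                if ($i == "insecure") status = "insecure"
            }
            exit                           # first console entry decides
        }
        END { print (found ? status : "missing") }
    ' "$1"
}

# Constructed sample input; on a real system pass /etc/ttys instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name  getty                           type    status
console none                            unknown off insecure
ttyv0   "/usr/libexec/getty Pc"         xterm   on  secure
EOF
echo "console is: $(console_status "$sample")"
rm -f "$sample"
```

Run across a fleet of colo machines, any host reporting "secure" or "missing" is one where single-user boot will not prompt for the root password.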