From: "Nikolay Kanchev"
Date: Tue, 16 Sep 2003 11:38:19 +0100
Message-ID: <01c901c37c3e$a5425430$0d00a8c0@amkdrives.bg>
References: <014001c37c39$956ec2f0$0d00a8c0@amkdrives.bg> <20030916101414.54b145ca.db@traceroute.dk>
Subject: Re: boot -s - can i detect intruder
List-Id: Security issues [members-only posting]

----- Original Message -----
From: "Socketd"
Sent: Tuesday, September 16, 2003 9:14 AM
Subject: Re: boot -s - can i detect intruder

> On Tue, 16 Sep 2003 11:02:05 +0100
> "Nikolay Kanchev" wrote:
>
> > Several people have physical access to my FreeBSD box and I have the
> > feeling that somebody is trying to get access with the boot -s option. Can I
> > log activity after boot -s (changing a user password, installing
> > software, etc.)? I use boot -s and change a user password, but after
> > reboot I can't find this activity in the log files.
> > The BSD box is shut down and started again many times a day.
>
> Why not set console in /etc/ttys to insecure? Then you can't login
> without a password.
>
> br
> socketd

I will set this, but first I want to try to catch the intruder. If I understand when someone tries to use boot -s and what he is doing on the box, I can get him.

--------------- G. Hasse wrote ---------------

Why is the box shut down??? Are you doing kernel development or advanced device driver development? Why are there so many people on such a system in that case? And if you are doing kernel development, all must have root access anyway? There is *no* reason to shut down the system in ordinary maintenance!

GH

-----------------------

The box is a test box for training, and the people who work with the box can reboot it. But these people do not know that this is only a test box; I tell them that this is a small server for the LAN because I want to test these men.
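
The /etc/ttys setting suggested in the thread can be checked mechanically. The following is an added example, not part of the original messages: a shell function that reads a ttys(5) file and reports how the `console` line is flagged. The function names and output strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the "console" entry of a ttys(5) file.
# Function names and messages are hypothetical, chosen for this example.

# Prints one of: insecure | secure | unflagged | missing | unreadable
console_ttys_status() {
    file=${1:-/etc/ttys}
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    awk '
        { sub(/#.*/, "") }                  # drop comments, fields are re-split
        $1 == "console" {
            found = 1
            state = "unflagged"             # neither keyword present
            for (i = 2; i <= NF; i++) {
                if ($i == "insecure") state = "insecure"
                else if ($i == "secure" && state != "insecure") state = "secure"
            }
        }
        END { print (found ? state : "missing") }
    ' "$file"
}

# Returns 0 only when the console is explicitly marked insecure, i.e. when
# single-user mode prompts for the root password before giving a shell.
check_console() {
    status=$(console_ttys_status "${1:-/etc/ttys}")
    case $status in
        insecure)
            echo "OK: console is insecure; single-user boot asks for the root password"
            return 0 ;;
        secure)
            echo "WARN: console is secure; boot -s gives a root shell without a password"
            return 1 ;;
        *)
            echo "CHECK: console entry is $status; review the file by hand"
            return 1 ;;
    esac
}
```

Run `check_console` with no argument to audit /etc/ttys, or pass a path to check a copy of the file.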