Date: Mon, 8 Feb 1999 15:25:41 +1100 From: jonathan michaels <jon@caamora.com.au> To: freebsd-questions@FreeBSD.ORG Subject: Re: Fw: HELP!!!! Message-ID: <19990208152541.C28384@caamora.com.au> In-Reply-To: <199902072231.RAA01367@cc942873-a.ewndsr1.nj.home.com>; from Crist J. Clark on Sun, Feb 07, 1999 at 05:31:09PM -0500 References: <36BE0A83.4D82D496@confusion.net> <199902072231.RAA01367@cc942873-a.ewndsr1.nj.home.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Feb 07, 1999 at 05:31:09PM -0500, Crist J. Clark wrote: > Laurence Berland wrote, > > Is there a way to keep people from doing this who aren't supposed to? Like if I set up a BSD box in a library and someone knows how to do that, is there a way to stop them? (Or do I just put a password on the BIOS so they can't reboot fully?) > > "There is no security without physical security." no truer words were ever said. > > See 'man 5 ttys' and 'more /etc/ttys' (if you still have the comments > from the installed version) on how to prevent people from going into > single-user mode without root's password. > > Even if you stop them from going into single-user mode from the HD disk > boot, what stops them from slipping a floppy in the drive and booting > off of that? a twist on this solution ... i had a freiend in a similar position, not a library, worse, a busy it dept office in a big company. what they ended up doing is removing teh floppy drive, replaced the an old adaptec 1542b with a newer adaptec 2940 adding a "laying in bottom drawer" (c) scsi cdrom 2x and enabled boot from cdrom in teh bios as teh only bootable filesystem. another feature that was able to ne added as a direct result from this descison ws that the 'live filesystem' could be mounted quickly if it was needed. this 'secure' mainframe accessesterminal had a 100 mb sd0 solely for root partition (fs) and sd1 and sd2 made up teh other 5 odd gb abd a dlt jukebox to round out the 'toy intel box' as it was sometimes not so affectionalely known. > You need to prevent access to the reset button, power supply, and > bootable floppy drive. the reset button was disconnected as was teh power on off swithc. the machine itself was connected to the mainframes uninteruptable powersupply, a 10kwh diesel generator ... and a 2 kwh diesel as a 'justing, in case teh real ups failed" (tm). > If that is not possible and you are concerned, do not put bootstrap > code on the machine. Boot from floppy and then control physical access > to the floppy only. Better than nothing I guess. this always helps in security concious positions. > That's MHO, anyway. Any discussion more in-depth than this should > probably move to freebsd-security. thier are also several good o'riely book on teh subgect. this has been my personal experience, hope ti sheds some light on teh still described as a 'black art', that of the 'secure machine'. hope this helped. regards jonathan -- =============================================================================== Jonathan Michaels PO Box 144, Rosebery, NSW 1445 Australia ===========================================================<jon@caamora.com.au> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990208152541.C28384>