From: James Wyatt
To: Alexandr Gribenko
Cc: security@freebsd.org, QuestionsBSD
Date: Sun, 7 Nov 1999 11:01:25 -0600 (CST)
Subject: Physical security hints (Was: Encrypted HDD)
Sender: owner-freebsd-questions@FreeBSD.ORG

On Sun, 7 Nov 1999, Alexandr Gribenko wrote:
> Has anyone tried/seen something like this on FreeBSD BOX??
> I am not paranoid, I am just creating VERY public FreeBSD server, anyone
> have access to the box itself
> I used all my ideas like loading splash screen and setting timeout to 1
> second ;o)
> the idea is to disable access to file systems by loading from fixit/other
> floppy
> Do not recommend me to remove FDD driver, I did it ;o)
> I do have a backup ;o)
> The problem is that it is too public (Da school man ;o)

Like everyone says: "You can't stop the determined individual in the right
circumstances." That said, you can do a few things:

1) See if you can secure the case
  1a) I'm guessing that buying a secure case is too expensive here.
  1b) If you can find a system the university (or a company) is tossing
      that they bought a secure case or case lock for, gut the case and
      replace its guts with your favorites or move the lock to your case.
  1c) Last resort: Replace case screws with Torx (or other) 'security
      screws'. 'They' can get the tool at Home Depot or an auto supply,
      but it is better than Phillips or 'standard' screws that most techie
      pocket knives will usually take care of.

2) Remove the knobs on the front
  2a) If there is a 'keylock' key switch on the front, use it for reset.
  2b) If there is a reset or power-off button, disconnect it.
  2c) Set the BIOS to always-on and ignore-front-switch.
  2d) If there is a power switch on front, bypass it or superglue it on.

3) Set the BIOS to discourage tampering
  3a) Password protect the BIOS; the rest of these kinda depend on it.
      Put the password on a folded sticky note inside so you don't have
      to lose the settings if you forget. If they can read the note
      sealed in the machine, they can reset the password anyway.
  3b) Set it to boot from wd0/ATAPI before fd0/floppy. If you can't, set
      it to swap the fd0/fd1 drives. Floppy still usable, but not bootable.
  3c) Disable any network or CDROM boot.

All this stuff is OS neutral for kiosks and such, the FreeBSD points are
more tricky and should cover the fact they can still reach the power cord
in the back. Has anyone been able to make network booting work for FreeBSD?

- Jy@