From owner-freebsd-questions@FreeBSD.ORG Wed Jul 13 13:32:05 2005
Message-ID: <42D51732.4080106@scls.lib.wi.us>
Date: Wed, 13 Jul 2005 08:29:22 -0500
From: Greg Barniskis
To: alexandre.delay@free.fr
Cc: freebsd-questions@freebsd.org
Subject: Re: securing FreeBSD
References: <1121252743.42d4f587ada2c@imp4-q.free.fr>
In-Reply-To: <1121252743.42d4f587ada2c@imp4-q.free.fr>

alexandre.delay@free.fr wrote:
> hi guys
>
> I would like to secure my FreeBSD server.
> I don't want anyone to be able to access to the disk using a bootable CD (or by
> setting the actual hdd to secondary and plug another primary hdd).
>
> I just don't want anyone to be able to hack this box nor any password.
>
> Do you have a solution?

Securing a platform against a determined attacker who can put their
hands on the physical hardware is a significant challenge for any OS.
To protect against the type of attack you describe, encrypting all
disk content (or at least the sensitive parts) is probably the only
effective thing you can do, short of sealing the whole thing inside
some other physically protected environment.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html

Short of that, you could use a case with a trigger mechanism that
informs the BIOS that the case has been opened, so that a warning is
emitted at boot time re: physical security has been violated. Of
course, that doesn't prevent intrusion, it just tells you that it
occurred (and then, only if the intruder doesn't also violate your
BIOS security and simply reset the "case has been opened" bits).

-- 
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
(608) 266-6348