DaemonForums  

  #1   (View Single Post)  
Old 28th December 2009
milo974 milo974 is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 58
Thanked 0 Times in 0 Posts
disable console access

Hello,

I've put up a firewall using OpenBSD 4.6.
I use an SSH connection with a public key to administrate it.
I now want to disable console access (login on the machine). How can I achieve this goal?
(I want only ssh access)

Thanks
  #2   (View Single Post)  
Old 28th December 2009
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts

Preventing users from logging on the console won't help with physical security, a user with access to the system can always boot single user or via a RAMDISK kernel.. perhaps steal the entire system (..or drives).

There is no supported way of doing what you ask, beyond simply unplugging the keyboard or monitor.. or setting up a serial console.
  #3   (View Single Post)  
Old 28th December 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,148
Thanked 182 Times in 149 Posts

How about being generous with Superglue on the PS/2 and USB connectors on the firewall? That way nobody can use a keyboard

To be serious, if you cannot prevent physical access by unauthorized persons, there is no true security. Even if you would disable console access, they still can press the RESET button, pull out the power cord, or change the disk or CF card.

If they take your disk out, put it in another machine, reboot it in single user mode, they can change the root password, remove or change your SSH keys. If after that, they put back the disk, you have a slight problem
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 28th December 2009 at 08:54 AM. Reason: typo
  #4   (View Single Post)  
Old 28th December 2009
There0 There0 is offline
./dev/null
 
Join Date: Jul 2008
Posts: 169
Thanked 10 Times in 10 Posts

Quote:
(I want only ssh access)
This wish is only going to cause you problems, speculate for a moment a misconfigured or other big OOPS that kills your SSH connectivity.

Do you believe that somebody with some knowledge is not going to be able to "break" into your machine via single user mode? or booting up from other media? If you have the option of physically locking up the room, this is perhaps what you may be really wanting and should focus on achieving.

I have "broken" into many a Linux box (VERY EASILY) because the "expert" that set it up had no clue about security or otherwise. I marvel at how many HTTP "servers" are running Bluetooth daemons and GUI's (and worse), just because it's enabled by default and they really have no clue.

Quote:
How about being generous with Superglue on the PS/2 and USB connectors on the firewall?
I got a BAD visual on that one. I love my equipment but do agree with punishing unauthorized persons to the maximum, especially when the glue gets them and you can physically get an opportunity to deal with them
__________________
The more you learn, the more you realize how little you know ....
  #5   (View Single Post)  
Old 28th December 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,148
Thanked 182 Times in 149 Posts

@There0, Superglue dries within minutes. It was meant to make it impossible to connect a keyboard.

About 30 years ago a Marxist/Maoist group called "Rode Jeugd" (Red Youth) put Superglue in the slots of all parking meters of a big car park in front of the train station in Eindhoven, here in the Netherlands. For years everybody could park for free there
  #6   (View Single Post)  
Old 28th December 2009
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,697
Thanked 214 Times in 189 Posts

You can -logically- disable login from the console. See ttys(5) and the /etc/ttys file.

As stated, this will not prevent access to the boot> prompt, or to obtaining single user mode, only login and shell access to a running system.

In the event of an sshd(8) problem, single user mode would be required.
  #7   (View Single Post)  
Old 28th December 2009
There0 There0 is offline
./dev/null
 
Join Date: Jul 2008
Posts: 169
Thanked 10 Times in 10 Posts

Quote:
@There0, Superglue dries within minutes. It was meant to make it impossible to connect a keyboard.
I am aware of how Superglue works (and have glued many items in my youth). FTR, there is a product produced by GPAtom from Germany that makes SuperGlue look like water, and bonds in seconds. Just the thought of me doing that to things that I like (I spend mucho denaro on my equipment), I would rather break some fingers and set an example

Perhaps a (long) video with sound (triggered by walking into the room) of a person getting mangled whilst trying to access your keyboard/mouse/console would deter would-be evil-doers? And perhaps one of those Gimp fellows from Pulp Fiction as a second layer of defense? The Gimp can work the SuperGlue.

I would stay away
  #8   (View Single Post)  
Old 28th December 2009
TerryP TerryP is offline
Arp Constable
 
Join Date: May 2008
Location: USofA
Posts: 1,547
Thanked 112 Times in 104 Posts

Quote:
Originally Posted by J65nko View Post
How about being generous with Superglue on the PS/2 and USB connectors on the firewall? That way nobody can use a keyboard

To be serious, if you cannot prevent physical access by unauthorized persons, there is no true security. Even if you would disable console access, they still can press the RESET button, pull out the power cord, or change the disk or CF card.

If they take your disk out, put it in another machine, reboot it in single user mode, they can change the root password, remove or change your SSH keys. If after that, they put back the disk, you have a slight problem

Quoted because it is the best post in the thread!!!
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
  #9   (View Single Post)  
Old 29th December 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,148
Thanked 182 Times in 149 Posts

Quote:
Originally Posted by jggimi View Post
You can -logically- disable login from the console. See ttys(5) and the /etc/ttys file
If you leave them 'on' and remove the 'secure' option, even root will be asked for a password.
Code:
# name  getty                           type    status          comments
#
console "/usr/libexec/getty Pc"         vt220   off secure
ttyC0   "/usr/libexec/getty Pc"         vt220   on  secure
ttyC1   "/usr/libexec/getty Pc"         vt220   on  secure
ttyC2   "/usr/libexec/getty Pc"         vt220   on  secure
ttyC3   "/usr/libexec/getty Pc"         vt220   on  secure
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
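
Added example, not part of J65nko's post or of OpenBSD itself: a small sh/awk audit of a ttys(5)-format file that reports, per terminal, whether a login prompt is offered and whether direct root login is allowed. The `audit_ttys` helper name and the sample input are constructed for illustration; the flag semantics are taken from ttys(5) and init(8).

```shell
#!/bin/sh
# Added example (not from the thread): summarise a ttys(5)-format file.

# Constructed sample input, modelled on the entries quoted in the post above.
sample_ttys() {
cat <<'EOF'
# name  getty                           type    status          comments
#
console "/usr/libexec/getty Pc"         vt220   off secure
ttyC0   "/usr/libexec/getty Pc"         vt220   on  secure
ttyC1   "/usr/libexec/getty Pc"         vt220   on
ttyC2   "/usr/libexec/getty Pc"         vt220   off
tty00   "/usr/libexec/getty std.9600"   unknown off   # serial line, disabled
EOF
}

# audit_ttys (hypothetical helper): reads ttys(5) lines on stdin and prints
#   <name> login=<yes|no> root=<yes|no>
# plus one extra line describing single-user behaviour for the console entry.
# Semantics assumed from ttys(5) and init(8): "on" starts a getty, "secure"
# permits direct root login, and a console without "secure" makes init ask
# for the root password before starting a single-user shell.
audit_ttys() {
    awk '
    {
        sub(/#.*/, "")             # drop comments (assumes no hash inside the command)
        sub(/"[^"]*"/, "GETTY")    # collapse the quoted getty command to one field
        if (NF < 3) next           # blank or malformed line
        on = "no"; secure = "no"
        for (i = 4; i <= NF; i++) {
            if ($i == "on") on = "yes"
            if ($i == "secure") secure = "yes"
        }
        root = (on == "yes" && secure == "yes") ? "yes" : "no"
        printf "%s login=%s root=%s\n", $1, on, root
        if ($1 == "console") {
            mode = (secure == "yes") ? "no-password" : "root-password"
            printf "console single-user=%s\n", mode
        }
    }'
}

# Stand-alone run: audit the readable file given as $1, else the constructed sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then audit_ttys < "$1"; else sample_ttys | audit_ttys; fi
```

After editing /etc/ttys, init(8) rereads the file when sent SIGHUP (`kill -HUP 1`).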
Old 29th December 2009
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Old man from scene 24
 
Join Date: Apr 2008
Location: Eindhoven, Netherlands
Posts: 2,069
Thanked 198 Times in 156 Posts

Actually, one of customers (Philips) once used j65nko's suggestion; using PUR, someone glued all the cables to the machine, both internal and external.
It was, by the way, not even a security critical machine, I think they did it to prevent vandalism since the machine was in a (semi)public place ...

In any case, I could have cut the cables and soldered new connections to them, so if I would really want to I could have taken out the drive and accessed the data anyway.
I guess you can also glue or weld the case shut so it wouldn't be so easy to open, but then I would still have a circle saw

It does take more time to access the machine, and also more resources and skills, but at this point you have to wonder just how secure is "secure enough".

Personally, I think putting the machine in a room and locking the door would be more secure and a hell of a lot easier than the above "suggestions"
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

Tags
/etc/ttys, disable console login, ttys
