OpenBSD Security Functionally paranoid!
Prevent Brute Force Attack on Root Account
Dear All,
How to set up login attempt for root account? Thanks.
|
||||
There's also a pf method to lock out ssh from an IP after a certain amount of attacks.
http://home.nuug.no/~peter/pf/en/bruteforce.html
|
|||
Sorry to tell you all that my question is not clear.
How to set up login attempts for the root account locally and not via SSH, since I don't have sshd running? For instance, if a user has used su more than 3 times, then it is disabled from logging in again for several hours until the lock has been released. Thanks.
|
||||
To prevent local root login, you must disable local login by root. This is done by removing the secure option on all local tty records in ttys(5).
However, please note that physical access introduces many additional risks that you must consider, which have nothing to do with passwords. Keep in mind, any data on the system which is unencrypted is accessible to any attacker with physical access.
|
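An added illustration of the ttys(5) advice in the reply above; it is not part of the original thread or of OpenBSD. The function names `sample_ttys`, `secure_ttys` and `strip_secure` are hypothetical, and the ttys content is a constructed sample, so nothing touches the real /etc/ttys.

```shell
#!/bin/sh
# Added example, not from the thread: audit the ttys(5) "secure" flag.

# Constructed sample in ttys(5) layout: name, command, type, flags.
sample_ttys() {
cat <<'EOF'
# name  getty                           type    status
console "/usr/libexec/getty std.9600"   vt220   off secure
ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC1   "/usr/libexec/getty std.9600"   vt220   on
tty00   "/usr/libexec/getty std.9600"   unknown off # secure if serial console
ttyp0   none    network
EOF
}

# Read ttys(5) text on stdin; print each tty name whose flags include "secure".
secure_ttys() {
    awk '{
        sub(/#.*/, "")             # drop comments
        gsub(/"[^"]*"/, "CMD")     # collapse the quoted getty command to one field
        for (i = 4; i <= NF; i++)  # flags follow name, command and type
            if ($i == "secure") { print $1; break }
    }'
}

# Read ttys(5) text on stdin; print a copy with "secure" removed from the
# flags. Comments and the quoted command are passed through unchanged.
strip_secure() {
    awk '{
        line = $0; note = ""
        p = index(line, "#")
        if (p > 0) { note = substr(line, p); line = substr(line, 1, p - 1) }
        q = 0
        if (match(line, /"[^"]*"/)) q = RSTART + RLENGTH - 1
        head = substr(line, 1, q)
        tail = substr(line, q + 1) " "      # pad so a final flag also matches
        gsub(/[ \t]+secure[ \t]/, " ", tail)
        sub(/ $/, "", tail)                 # remove the padding again
        print head tail note
    }'
}

# Demo on the constructed sample: ttys that accept root before and after.
echo "before: $(sample_ttys | secure_ttys | tr '\n' ' ')"
echo "after:  $(sample_ttys | strip_secure | secure_ttys | tr '\n' ' ')"
```

To audit a real system, feed it the file on stdin (`secure_ttys < /etc/ttys`) and review the output of `strip_secure` before installing it by hand.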
||||
Peter, physical access to a computer provides many ways an attacker can gain access to your data. As an example, OpenBSD FAQ 8.1 discusses how to reset the root password when it is unknown. Anyone with physical access to the system can use this method to "become" root or change the root password.
While there are mitigation techniques discussed in that FAQ entry, such as forcing a root password to be used to boot into single-user mode, nothing prevents access to data stored in unencrypted form. But even encryption doesn't eliminate the problem, it only mitigates it. There is an entire class of physical access attacks, Evil Maid Attacks, which attack users of encrypted storage media. I encrypt the /home partition on an OpenBSD netbook I travel with. And my $DAYJOB laptop has full disk encryption by corporate policy. But neither of these encryption schemes protects me from Evil Maid attacks -- they only protect data stored on a powered-down netbook or laptop if lost or stolen. And, if the devices happen to be powered up and running when lost or stolen, disk encryption is less protective.
|
|||
Thanks for the information. I had removed the secure keywords from /etc/ttys. Thanks.
Questions:
1. How to permit the root login on certain time only? For instance, allow root login between 9AM to 9.30AM only.
2. How to prevent user from local net login to OpenBSD box?
Last edited by Peter_APIIT; 18th June 2015 at 07:31 AM.
|
||||
Quote:
The OS has plenty of weapons that you can use to shoot yourself in the foot. Quote:
|
|
|||
Thanks.