disable console access
Hello,
I've put up a firewall using OpenBSD 4.6. I use an SSH connection with a public key to administer it. I now want to disable console access (login on the machine). How can I achieve this goal? (I want only SSH access.) Thanks
|
|||
Preventing users from logging on the console won't help with physical security; a user with access to the system can always boot single user or via a RAMDISK kernel... perhaps steal the entire system (...or drives).
There is no supported way of doing what you ask, beyond simply unplugging the keyboard or monitor... or setting up a serial console.
|
|||
How about being generous with Superglue on the PS/2 and USB connectors on the firewall? That way nobody can use a keyboard.
To be serious, if you cannot prevent physical access by unauthorized persons, there is no true security. Even if you would disable console access, they still can press the RESET button, pull out the power cord, or change the disk or CF card. If they take your disk out, put it in another machine, and reboot it in single user mode, they can change the root password and remove or change your SSH keys. If after that they put back the disk, you have a slight problem.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Last edited by J65nko; 28th December 2009 at 08:54 AM. Reason: typo
|
|||
Quote:
Do you believe that somebody with some knowledge is not going to be able to "break" into your machine via single user mode, or by booting up from other media? If you have the option of physically locking up the room, this is perhaps what you may be really wanting and should focus on achieving. I have "broken" into many a Linux box (VERY EASILY) because the "expert" that set it up had no clue about security or otherwise. I marvel at how many HTTP "servers" are running Bluetooth daemons and GUIs (and worse), just because it's enabled by default and they really have no clue.
Quote:
__________________
The more you learn, the more you realize how little you know .... |
|
|||
@There0, Superglue dries within minutes. It was meant to make it impossible to connect a keyboard.
About 30 years ago a Marxist/Maoist group called "Rode Jeugd" (Red Youth) put Superglue in the slots of all parking meters of a big car park in front of the train station in Eindhoven, here in the Netherlands. For years everybody could park for free there.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
|
|||
Quote:
Perhaps a (long) video with sound (triggered by walking into the room) of a person getting mangled whilst trying to access your keyboard/mouse/console would deter would-be evil-doers? And perhaps one of those Gimp fellows from Pulp Fiction as a second layer of defense? The Gimp can work the SuperGlue. I would stay away.
__________________
The more you learn, the more you realize how little you know .... |
|
||||
Quote:
Quoted because it is the best post in the thread!!!
__________________
My Journal Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''. |
|
|||
Quote:
Code:
# name   getty                    type   status      comments
#
console  "/usr/libexec/getty Pc"  vt220  off secure
ttyC0    "/usr/libexec/getty Pc"  vt220  on  secure
ttyC1    "/usr/libexec/getty Pc"  vt220  on  secure
ttyC2    "/usr/libexec/getty Pc"  vt220  on  secure
ttyC3    "/usr/libexec/getty Pc"  vt220  on  secure
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
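Added example, not part of the thread: a small sh/awk check that reads a ttys(5)-style file and lists every terminal that still runs a getty, and whether it carries the "secure" flag (root login permitted). Run over the entries as posted above, it shows that only the console line is off while ttyC0 through ttyC3 remain enabled. The function names and the tty00 line are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the entries from the post above plus one invented
# serial line (tty00) to show an entry that is off and not secure.
sample_ttys() {
cat <<'EOF'
# name	getty	type	status	comments
#
console	"/usr/libexec/getty Pc"	vt220	off secure
ttyC0	"/usr/libexec/getty Pc"	vt220	on  secure
ttyC1	"/usr/libexec/getty Pc"	vt220	on  secure
ttyC2	"/usr/libexec/getty Pc"	vt220	on  secure
ttyC3	"/usr/libexec/getty Pc"	vt220	on  secure
tty00	"/usr/libexec/getty std.9600"	unknown	off
EOF
}

# Reads a ttys(5)-style file on stdin. Prints one line per terminal whose
# status is "on": the terminal name and whether root may log in there.
enabled_ttys() {
    awk '
    {
        sub(/#.*/, "")               # drop comments
        if ($0 ~ /^[ \t]*$/) next    # skip blank and comment-only lines
        sub(/"[^"]*"/, "CMD")        # collapse the quoted command to one field
        on = 0; secure = 0
        for (i = 4; i <= NF; i++) {  # status flags start at field 4
            if ($i == "on")     on = 1
            if ($i == "off")    on = 0
            if ($i == "secure") secure = 1
        }
        if (on) print $1, (secure ? "root-login-allowed" : "no-root-login")
    }'
}

# Stand-alone run against the constructed sample.
sample_ttys | enabled_ttys
```

On a live system the same function can be fed the real file with `enabled_ttys < /etc/ttys`.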
|
||||
Actually, one of the customers (Philips) once used j65nko's suggestion; using PUR, someone glued all the cables to the machine, both internal and external.
It was, by the way, not even a security critical machine, I think they did it to prevent vandalism since the machine was in a (semi)public place ... In any case, I could have cut the cables and soldered new connections to them, so if I would really want to I could have taken out the drive and accessed the data anyway. I guess you can also glue or weld the case shut so it wouldn't be so easy to open, but then I would still have a circular saw. It does take more time to access the machine, and also more resources and skills, but at this point you have to wonder just how secure is "secure enough". Personally, I think putting the machine in a room and locking the door would be more secure and a hell of a lot easier than the above "suggestions".
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things. |
Tags |
/etc/ttys, disable console login, ttys |