[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Securing Debian Manual: 3.1 Choose a BIOS password



Commonly in a VPS environment you have access only inside the VM. I can't see any way to access BIOS.

Regards,

Fernando Mercês
Linux Registered User #432779
www.mentebinaria.com.br
------------------------------------
"Ninguém pode ser escravo de sua identidade; quando surge uma possibilidade de mudança é preciso mudar". (Elliot Gould)


On Tue, Mar 6, 2012 at 9:03 AM, shthead <lists@shthead.com> wrote:
On 6/03/2012 7:56 AM, Stayvoid wrote:
> Hello.
>
> "Before you install any operating system on your computer, set up a
> BIOS password. After installation (once you have enabled bootup from
> the hard disk) you should go back to the BIOS and change the boot
> sequence to disable booting from floppy, CD-ROM and other devices that
> shouldn't boot. Otherwise a cracker only needs physical access and a
> boot disk to access your entire system." [1]
> Is there a way to prevent such actions while using a VPS?
>
> [1] http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html
>
> Cheers
>
>

I probably going to say no but my experience with virtualisation has only been with ESX/VSphere, OpenVZ and Virtuozzo (OpenVZ and Virtuozzo are very similar). Do you have any particular virtualisation software in mind?

With ESX/Vsphere anyone with the appropriate permissions is able to force the VM into booting into the BIOS. This would be my preferred option - with an encrypted file system it should be pretty safe as the VM would need to be rebooted to change the root pass to get access from the console. It would give the server admin root access to the server but as long as your data is encrypted in a secure manner it won't be easy to get it out even if the disk is just mounted on another VM to browse around without changing passwords.

With OpenVZ and Virtuozzo you are able to enter the containers from the hardware node and get root access ('vzctl enter id'). I can't remember if this logged anything inside the container showing that the administrator did this. The admin can also just browse the files directly off the hardware node without "entering" the container. I don't think you can do much to prevent this at all. I generally stay away from paravirtualisation products for anything too important with this being one of the reasons.

What level of security do you want to achieve at the end of the day? It may turn out that going onto a shared platform out of your control isn't the best option.



Reply to: