
Re: Securing Debian Manual: 3.1 Choose a BIOS password



It really depends on the virtualisation technology that is being used -
as far as I know if it's a paravirt it won't have the BIOS but
hypervisors will (the ones I have had a play around with such as
Xen/Hyper-V/ESX). VMware (ESX at least, probably Workstation too) for
example appears to run PhoenixBIOS which you can even modify to suit
your needs with a bit of hackery. Generally speaking the lower end of
the VPS cost scale won't have the BIOS due to being paravirtualised.

I had a brief look at the link provided in the first email - it doesn't
really mention anything about encryption or the like which I would say
is a larger issue than a BIOS password. Especially in a virtual
environment, the BIOS password may only stop the VM from booting without
it (it may very well be possible to reset the password from the
hypervisor, never looked into it) but not a lot else.

The question is what does the OP want to prevent and to what end will
they go to achieve it? Providing you have administrative access to the
server running the virtualisation software it is as good if not better
than physically being in front of it - the BIOS password may stop a VM
booting but what's stopping the administrator mounting the disk on
another VM or if it's something like VZ just browsing the files directly
from the parent (not to mention there is more than likely a way to reset
the BIOS password if it is enabled in a VM)? The same thing applies to
physical servers - you can set a BIOS password but that alone will not
prevent someone with unfettered access to the server from say plugging
the disks in somewhere else (sure it will cause an outage and alert etc.
etc.).

If the main concern is an administrative user taking the files, consider:

* Not using paravirts - some security risks outlined above and in
previous email. Files can generally be modified online from the parent
container (e.g. root passwords changed without reboot).
* Set up an encrypted file system for important data - if the server is
rebooted to gain root access the file system will no longer be mounted.
Appropriate monitoring should be in place to catch events like these
(see next point).
* Offsite logging/system integrity monitoring - if someone does get root
access and something (e.g. system binaries) is replaced or modified you
want to know about it. Things like ossec can accomplish this easily.
* Protect single user mode by enabling authentication

At the end of the day you can protect your (virtual) server as much as
you want - if someone has physical access (or administrative privileges
to the host running the VPS) I would say encrypting the files in a
secure manner is the best bet. Just don't let convenience get the better
of you, e.g. mounting an encrypted file system automatically on boot
without user action (storing the keys locally on disk - just pointless
unless they are protected in some manner). With that being said, there
may be a secure way to do that but I can't think of it/don't know of one.

That's just a few things I can think of straight away, but without
knowing a few more details on what the OP wants and on what technology I
can only give broad pointers like that.

sht

On 6/03/2012 8:26 PM, Fernando Mercês wrote:
> Commonly in a VPS environment you have access only inside the VM. I
> can't see any way to access BIOS.
>
> Regards,
>
> Fernando Mercês
> Linux Registered User #432779
> www.mentebinaria.com.br <http://www.mentebinaria.com.br>
> ------------------------------------
> "Nobody can be a slave to their identity; when a possibility of
> change arises, one must change." (Elliot Gould)
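
The reply above warns against mounting an encrypted file system automatically on boot with the keys stored locally on disk. The following is an added example, not part of the original message, that audits a crypttab file for that pattern; it assumes dm-crypt volumes configured through a Debian-style /etc/crypttab (the message names no specific encryption tool), and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: flag crypttab entries that unlock without user action.
# Assumed format (Debian crypttab): <target> <source device> <key file> <options>

# audit_crypttab FILE
# Prints one "target: reason" line per entry worth reviewing.
# Returns 1 if any such entry was found, 0 otherwise.
audit_crypttab() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            target = $1
            key  = (NF >= 3 ? $3 : "none")
            opts = (NF >= 4 ? $4 : "")
            # A keyscript produces the key itself; it needs a manual look.
            if (opts ~ /(^|,)keyscript=/) {
                printf "%s: key supplied by keyscript, review it\n", target
                found = 1; next
            }
            # "none" or "-" means a passphrase is typed at boot.
            if (key == "none" || key == "-") next
            # Random per-boot keys (typical for swap) hold no persistent secret.
            if (key == "/dev/urandom" || key == "/dev/random") next
            printf "%s: unlocked without user action from key file %s\n", target, key
            found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample input (not from the original message).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <target>   <source device>   <key file>            <options>
data_crypt   /dev/sda3         none                  luks
backup       /dev/sdb1         /etc/keys/backup.key  luks
swap_crypt   /dev/sda2         /dev/urandom          swap
EOF
audit_crypttab "$sample" || echo "review the entries listed above"
rm -f "$sample"
```

A flagged key file is only a finding if the file sits on storage that the host administrator can read together with the encrypted volume, which is the case the reply describes.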

