Re: restrict root access to physical console
Mike <mike@iolo.com> writes:
Mike> Is there some way to restrict root access to the physical terminal
Mike> connected to my machine? I recently had a server rooted and I'm
Mike> starting from scratch with serious security in mind. If I did
Mike> restrict root access as above, would that successfully thwart root
Mike> exploits?
It's safe to assume that anybody who can get physical access to your
machine can get root access. (Anybody who can manage to reboot your
machine and get it to boot from a floppy, for example, has instant
root access if they want it.) If you're that paranoid about someone
walking up to your machine and somehow breaking it, you should put the
machine in a physically secure location.
By far the greater risk in most cases is network-based attacks. You
should never be making an unencrypted login to the server; it's
probably worthwhile to completely disable telnet, ftp, and rsh
services on the machine. In any case, run the minimum set of services
you can get away with. Uninstall others (if they're in separate
Debian packages) or keep them from running (by disabling their
/etc/rc?.d links or by commenting them out in /etc/inetd.conf). Keep
up on security updates. Don't let people who don't need to maintain
the machine log in on it. Don't use network file services if you can
help it (NFS is notoriously insecure, for example).
--
David Maze dmaze@mit.edu http://www.mit.edu/~dmaze/
"Theoretical politics is interesting. Politicking should be illegal."
-- Abra Mitchell
Reply to: