
Re: security for a home system



Douglas Allan Tutty wrote:
> On Sat, Apr 21, 2007 at 09:14:27PM +0200, Joe Hart wrote:
>> Douglas Allan Tutty wrote:
>>> Reflecting on recent posts re allowing root login (related, but I didn't
>>> want to steal the thread), I'm wondering about a home network and what
>>> to bother with.  There's a touch of devil's advocate in this but the
>>> concept that physical access == root access causes one to wonder.
>> Well, if you consider that, you also might want to consider making sure
>> the systems cannot boot from a CD, USB or anything else than the HD
>> where Debian is installed and make sure that the BIOS has a password
>> protect to prevent someone from changing this.  Because if someone with
>> a liveCD comes along, all the strong passwords you want won't save your
>> data.  
> 
> Right, but someone on a recent thread argued that securing the bios is
> useless since physical access to the box means that they can get root
> access anyway.  Right now, my box has an administrator password set for
> accessing the bios but unless I set a power-on password, anyone can hit
> F8 and get a boot menu.  Even with the bios password set, I guess
> someone could pop the bios battery; or do such settings get put in NV to
> survive a removed battery?  I don't really want to test this on my main
> box (maybe next time I reinstall...).
> 
>> Now encrypting it all might save you, but do you really need to
>> go that far?  I guess this is what you mean by hyper vigilance.
>>
>>> If ssh isn't even listening on external interfaces, does it matter if I
>>> allow root to ssh (useful for rsyncing backups between the boxes)?
>>>
>>> Why bother to rsync instead of just nfs mounting the backup repository?
>>>
>> If you are positive there are no ways into the computer through your
>> internet connections, then nfs is fine.  For a closed system, there is
>> no problem.
>>
>>> If I need to run a backup, other than it being 'proper', why not just
>>> login as root instead of myself and su?
>> That is what I do, but I make sure that the internet is down when I do
>> that, so there is no chance of someone coming in, or anything going out
>> while I am backing up, just a safety precaution.  One can never be too
>> careful.
>>
> 
> How does running a backup as root make it more likely that someone can
> come in from the net and get root?
> 
> Doug.
> 
> 

To be honest, I don't know, but I do know that if you leave a tty just
sitting around logged in as root, it is a bad idea.  Perhaps I am just
being too cautious.

I would think that anyone hacking into my system would face a login
prompt, but who knows?  I'm not running a ssh daemon, so I don't see
what would give them such a prompt, and my firewall should block anyone
attempting to come in, but I also know that there are some really weird
hacks out there and people who can do things like surf the web while
tunneling through an ICMP connection (because ping is open) can do some
pretty tricky things and I know if I pull the plug, there's no way
anything can get in.

Perhaps one of the gurus in this field will take the opportunity to
explain why having a root console open all the time is a bad thing
(other than the obvious local accessibility).  My backups take a while,
that's why I do it.

Joe

--
Registered Linux user #443289 at http://counter.li.org/


