root Password

Protecting your Linux box

Postby farhantoqeer » Fri Oct 11, 2002 9:22 am

How can I prevent somebody from booting from a floppy or CD and getting access to my Linux box? How can I stop her from executing chroot or mounting my root filesystem by booting from removable media?
farhantoqeer
Major General
 
Posts: 917
Joined: Thu Jun 27, 2002 5:45 pm
Website: http://www.emergen.biz
Location: Karachi

Postby mrkkhattak » Fri Oct 11, 2002 3:28 pm

CMOS setup password ... what do you say? :wink:
mrkkhattak
Site Admin
 
Posts: 285
Joined: Wed Aug 07, 2002 8:00 pm
ICQ: 173967661
WLM: mrkkhattak
Yahoo Messenger: mrkkhattak
AOL: mrkkhattak
Location: Karachi

Postby farhantoqeer » Fri Oct 11, 2002 10:30 pm

But I don't want to do it; there should be some other way.
farhantoqeer
Major General
 
Posts: 917
Joined: Thu Jun 27, 2002 5:45 pm
Website: http://www.emergen.biz
Location: Karachi

cryptic answer

Postby AsadR » Sat Oct 12, 2002 11:36 pm

Use encrypted filesystems :)
AsadR
Lance Naik
 
Posts: 36
Joined: Sat Sep 14, 2002 11:27 am
ICQ: 8374759
Location: Khi.pk

Postby fawad » Sun Oct 13, 2002 8:06 am

Asad, is it possible to have an encrypted root filesystem?

Also, most common distros (except slackware maybe?) have the md5 password option, which is probably strong enough for all but the most paranoid users. If the root password is good enough, it should be hell on earth for a potential cracker to crack the password. If it isn't, the admin is probably apt to set up a bad security layer around it as well.
fawad
Site Admin
 
Posts: 918
Joined: Wed Aug 07, 2002 8:00 pm
ICQ: 17672437
Website: http://www.fawad.net
WLM: fawadhalim@hotmail.com
Yahoo Messenger: fawad2048
AOL: fawadhalim
Location: Addison, IL

Postby AsadR » Tue Oct 15, 2002 7:42 pm

Yes, root filesystems can indeed be encrypted. (http://koeln.ccc.de/~drt/crypto/linux-disk.html)

Even though MD5 is a relatively secure algorithm for storing passwords, I believe that is not what "farhantoqeer" is trying to say. I believe (please correct me if I'm wrong) he's trying to secure himself from someone booting the computer using a floppy or CD and then mounting the current Linux ext2/whatever partition. This would bypass any and all passwords that may be set on the now offline partition and give full read/write access to the attacker.

There is no proper way to prevent this other than placing the hardware in secure locations (under lock and key with only the UI devices exposed). If this is not possible, there is no other way to prevent a boot into the system (or for that matter, no way to prevent someone taking out your hard disk and reading the data in another computer). What you can do is place all your important data into an encrypted partition which you can mount yourself when needed. This way, even if someone can access your entire hard disk, they will not be able to read the encrypted data.

Once again, this isn't a sure-shot solution since if someone has physical access to your computer, there's not much you can do to stop him/her (even with encryption). The would-be attacker could simply replace critical system files with his own modified copies that could, for example, record your keystrokes as you mount the encrypted drive thus exposing the encryption key.

Time to invest in one of those Rs. 40,000 rack mounting lock-and-key server casings? ;)

Asad
AsadR
Lance Naik
 
Posts: 36
Joined: Sat Sep 14, 2002 11:27 am
ICQ: 8374759
Location: Khi.pk

Postby farhantoqeer » Sun Oct 20, 2002 10:54 pm

ok asad, i will order then :lol:
farhantoqeer
Major General
 
Posts: 917
Joined: Thu Jun 27, 2002 5:45 pm
Website: http://www.emergen.biz
Location: Karachi

Postby newbie » Mon Oct 28, 2002 11:54 pm

Single user mode also does the same job as chroot.
Better to protect your lilo and grub with a password.
newbie
Company Havaldaar Major
 
Posts: 156
Joined: Thu Aug 08, 2002 4:18 am
WLM: usman_fool@hotmail.com
Location: lahore

Postby AsadR » Tue Oct 29, 2002 5:55 pm

I believe through all the naming mistakes I see what "newbie" is trying to say.

I believe he(?) is trying to say that you should control entry into your operating system(s) by using any password protection provided by your boot loader, since they can be used to boot linux into "single" mode, which gives direct root access without any authentication.

Though this is a valid solution, it is incapacitated by the situation "farhantoqeer" is trying to prevent, in which the locally installed boot loader is totally bypassed by loading a completely foreign operating system through a CD or floppy and then accessing the computer's hardware, i.e. the hard disk containing the Linux partition(s) "farhantoqeer" wants to protect, using the foreign operating system.

Asad
AsadR
Lance Naik
 
Posts: 36
Joined: Sat Sep 14, 2002 11:27 am
ICQ: 8374759
Location: Khi.pk
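
The boot loader password setting discussed in the two posts above can be checked with a short script. This is an added example, not part of any forum post: it assumes LILO `lilo.conf` and GRUB legacy `menu.lst` syntax, the function names `boot_pw_status` and `world_readable` are hypothetical, and the sample configuration is constructed. A LILO password marked `restricted` is the setting that asks for the password only when boot parameters such as `single` are typed at the prompt.

```shell
#!/bin/sh
# Added example: report the boot password setting in the global section of a
# LILO (lilo.conf) or GRUB legacy (menu.lst / grub.conf) configuration file.
# Function names and sample files are constructed for illustration.

# boot_pw_status lilo|grub FILE
# prints: none | password,restricted | password,mandatory   (lilo)
#         none | password,md5 | password,plaintext          (grub)
# Per-entry passwords are ignored; only the global section is inspected.
boot_pw_status() {
    [ -r "$2" ] || { echo unreadable; return 2; }
    awk -v kind="$1" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" { next }
        # Only directives before the first boot entry are global.
        kind == "lilo" && /^(image|other)[ \t]*=/ { exit }
        kind == "grub" && /^title([ \t]|$)/ { exit }
        kind == "lilo" && /^password[ \t]*=/ { pw = 1 }
        kind == "lilo" && /^(restricted|mandatory)$/ { mode = $0 }
        kind == "grub" && /^password[ \t]/ { pw = 1; if ($2 == "--md5") md5 = 1 }
        END {
            if (!pw) print "none"
            else if (kind == "lilo") print "password," (mode ? mode : "mandatory")
            else print "password," (md5 ? "md5" : "plaintext")
        }' "$2"
}

# lilo.conf holds its password in clear text, so it must not be world-readable.
# Returns 0 (true) if FILE has the "other read" permission bit set.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample: password needed only when boot parameters are typed.
    printf '%s\n' 'boot=/dev/hda' 'password=CONSTRUCTED' 'restricted' \
        'image=/boot/vmlinuz' '    label=linux' > "$tmp/lilo.conf"
    chmod 600 "$tmp/lilo.conf"
    echo "lilo: $(boot_pw_status lilo "$tmp/lilo.conf")"
    world_readable "$tmp/lilo.conf" && echo "lilo.conf is world-readable"
    rm -rf "$tmp"
}
demo
```

As the thread points out, a result other than `none` only covers the installed boot loader; it says nothing about booting from removable media.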

Postby majorwoo » Sun Nov 24, 2002 10:29 am

I know you didn't want to use a BIOS/CMOS password - but you can do it very easily...

Many BIOSes now ship with a supervisor password and a normal user.
Setting the Supervisor password and setting the boot order to check the hard drive first will prevent anyone without the supervisor password from booting it, but allow normal users to reboot etc...

However, there really is no way to stop it totally - even encrypted file systems only go so far, someone can open the case, flash the BIOS, or mount the drive as part of another system, etc... there has to be a balance between security and practicality
_________________
majorwoo

Quiet brain, or I'll stab you with a Q-tip.
majorwoo
Lance Naik
 
Posts: 19
Joined: Sun Nov 24, 2002 8:35 am
Website: http://majorwoo.hopto.org
AOL: majorwoo
Location: Daytoan Beach, FL - USA

want to be secure

Postby farhanksa » Mon Dec 30, 2002 4:41 am

1. Use an alphanumeric and special key password as the system password of the motherboard BIOS.
2. Same is the same for the root password.
3. Must set the init 1 single user (but the problem still exists :)
Remove the floppy and CD-ROM and try to have a key lock on your CPU casing :)
farhanksa
Subedar
 
Posts: 359
Joined: Sun Nov 03, 2002 6:40 am
ICQ: 116765501
WLM: farhan12@msn.com
Yahoo Messenger: commdsl@yahoo.com
Location: Lahore

Postby newbie » Wed Jan 01, 2003 2:25 am

Yes, farhan is right, and a better idea is to unplug the hard drive and put it in your bag or jacket and keep it with yourself every time :wink:
newbie
Company Havaldaar Major
 
Posts: 156
Joined: Thu Aug 08, 2002 4:18 am
WLM: usman_fool@hotmail.com
Location: lahore

Postby gh4z4nf4r » Wed Feb 19, 2003 2:26 am

An old thread this one, but I would like to add one thing here: we can use xosl, as mahin said somewhere. With it we can set a password for booting from floppy, CD-ROM, MBR etc ...
www.xosl.org
gh4z4nf4r
Naik
 
Posts: 65
Joined: Mon Oct 14, 2002 3:51 pm
WLM: gh4z4nf4r@hotmail.com
Yahoo Messenger: gh4z4nf4r@yahoo.com
Location: Wah Cantt

Postby lambda » Tue May 27, 2003 7:31 pm

fawad wrote: Asad, is it possible to have an encrypted root filesystem?

Yes. Here's one a friend wrote: http://www.rubberhose.org/.
There are several different filesystems; google for "linux encrypted filesystem". It's common enough that people have written howtos on them.
lambda
Major General
 
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Website: http://www.hungry.com/~fn/
Location: Lahore

