root Password
-
- Major General
- Posts: 917
- Joined: Thu Jun 27, 2002 5:45 pm
- Location: Karachi
- Contact:
root Password
How can I prevent somebody from booting from a floppy or CD and getting access to my Linux box? How can I stop her from executing chroot or mounting my root filesystem by booting from removable media?
-
- Site Admin
- Posts: 285
- Joined: Wed Aug 07, 2002 8:00 pm
- Location: Karachi
- Contact:
-
- Major General
- Posts: 917
- Joined: Thu Jun 27, 2002 5:45 pm
- Location: Karachi
- Contact:
cryptic answer
Use encrypted filesystems :)
Asad, is it possible to have an encrypted root filesystem?
Also, most common distros (except Slackware maybe?) have the MD5 password option, which is probably strong enough for all but the most paranoid users. If the root password is good enough, it should be hell on earth for a potential cracker to crack the password. If it isn't, the admin is probably apt to set up a bad security layer around it as well.
Yes, root filesystems can indeed be encrypted. (http://koeln.ccc.de/~drt/crypto/linux-disk.html)
Even though MD5 is a relatively secure algorithm for storing passwords, I believe that is not what "farhantoqeer" is trying to say. I believe (pls correct me if I'm wrong) he's trying to secure himself from someone booting the computer using a floppy or CD and then mounting the current Linux ext2/whatever partition. This would bypass any and all passwords that may be set on the now offline partition and give full read/write access to the attacker.
There is no proper way to prevent this other than placing the hardware in secure locations (under lock and key with only the UI devices exposed). If this is not possible, there is no other way to prevent a boot into the system (or for that matter, no way to prevent someone taking out your hard disk and reading the data in another computer). What you can do is place all your important data into an encrypted partition which you can mount yourself when needed. This way, even if someone can access your entire hard disk, they will not be able to read the encrypted data.
Once again, this isn't a sure-shot solution since if someone has physical access to your computer, there's not much you can do to stop him/her (even with encryption). The would-be attacker could simply replace critical system files with his own modified copies that could, for example, record your keystrokes as you mount the encrypted drive, thus exposing the encryption key.
Time to invest in one of those Rs. 40,000 rack mounting lock-and-key server casings?
Asad
-
- Major General
- Posts: 917
- Joined: Thu Jun 27, 2002 5:45 pm
- Location: Karachi
- Contact:
I believe through all the naming mistakes I see what "newbie" is trying to say.
I believe he(?) is trying to say that you should control entry into your operating system(s) by using any password protection provided by your boot loader, since they can be used to boot Linux into "single" mode, which gives direct root access without any authentication.
Though this is a valid solution, it is incapacitated by the situation "farhantoqeer" is trying to prevent, in which the locally installed boot loader is totally bypassed by loading a completely foreign operating system through a CD or floppy and then accessing the computer's hardware, i.e. the hard disk containing the Linux partition(s) "farhantoqeer" wants to protect, using the foreign operating system.
Asad
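Added example, not part of the original post: a small audit of a boot loader configuration for the password protection discussed above. It assumes GRUB 2 syntax (`set superusers`, `password_pbkdf2`, `--unrestricted`) and single-quoted entry titles as written by grub-mkconfig; the thread names no specific boot loader, and the sample configuration and its hash are constructed placeholders.

```python
import re

# Constructed sample GRUB 2 configuration; the hash is a placeholder.
SAMPLE_CFG = '''\
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Linux' --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro quiet
}
menuentry 'Linux (rescue)' --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro single
}
'''

def audit_grub_cfg(text):
    """Return a list of findings about boot loader password protection."""
    findings = []
    m = re.search(r'^\s*set\s+superusers="?([^"\n]*)"?', text, re.M)
    superusers = set(re.split(r'[\s,;&|]+', m.group(1).strip())) - {''} if m else set()
    if not superusers:
        findings.append("no superusers set: anyone at the console can edit "
                        "boot entries")
    hashed = set(re.findall(r'^\s*password_pbkdf2\s+(\S+)\s+\S+', text, re.M))
    plain = set(re.findall(r'^\s*password\s+(\S+)\s+\S+', text, re.M))
    for user in sorted(plain):
        findings.append(f"user '{user}' has a plaintext password; "
                        "use password_pbkdf2")
    for user in sorted(superusers - hashed - plain):
        findings.append(f"superuser '{user}' has no password line")
    # Entries that boot without authentication into single-user mode
    # or an alternate init.
    for title, flags, body in re.findall(
            r"^\s*menuentry\s+'([^']*)'([^{]*)\{(.*?)^\s*\}", text, re.M | re.S):
        if "--unrestricted" in flags or not superusers:
            if re.search(r'^\s*linux\S*\s.*\b(single|init=\S+)', body, re.M):
                findings.append(f"entry '{title}' boots into single-user mode or "
                                "an alternate init without a boot loader password")
    return findings

if __name__ == "__main__":
    for finding in audit_grub_cfg(SAMPLE_CFG):
        print(finding)
```

As the post says, a clean result here covers only the installed boot loader; it does nothing against a boot from removable media.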
-
- Lance Naik
- Posts: 19
- Joined: Sun Nov 24, 2002 8:35 am
- Location: Daytona Beach, FL - USA
- Contact:
I know you didn't want to use a BIOS/CMOS password - but you can do it very easily...
Many BIOSes now ship with a supervisor password and a normal user.
Setting the supervisor password and setting the boot order to check the hard drive first will prevent anyone without the supervisor password from booting it, but allow normal users to reboot etc...
However, there really is no way to stop it totally - even encrypted file systems only go so far, someone can open the case, flash the BIOS, or mount the drive as part of another system, etc... there has to be a balance between security and practicality
_________________
majorwoo
Quiet brain, or I'll stab you with a Q-tip.
want to be secure
1. Use an alphanumeric and special-character password as the system password of the motherboard BIOS.
2. The same goes for the root password.
3. Must set the init 1 single user (but the problem still exists :)
Remove the floppy and CD-ROM and try to have a key lock on your CPU casing.
An old thread, this one, but I would like to add one thing here: we can use XOSL, as mahin said somewhere. With it we can set a password for booting from floppy, CD-ROM, MBR, etc.
www.xosl.org
fawad wrote: Asad, is it possible to have an encrypted root filesystem?
Yes. Here's one a friend wrote: http://www.rubberhose.org/.
There are several different filesystems; Google for "linux encrypted filesystem". It's common enough that people have written howtos on them.