> I recommend that any box placed into a colo or a location that the
> security isn't under your direct control to mark your console as
> "insecure" in /etc/ttys so that root password will be asked when someone
> boots into single user mode.
>
> Weldon

It will slow someone down, but as you no doubt know, if a box is not under
your direct control and someone has a clue then that doesn't help much. All
it takes is the fixit floppy. Mount / and /usr, edit the passwd file,
pwd_mkdb, instant root.

We've had to do this to an embarrassingly large number of boxes where
we've forgotten the root passwords.

Bios passwords, disabled floppy drives and other tricks might slow you
down, but in the end, physical access to the box and the game is
pretty much already over...

Greg

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]