[sllug-members]: Security Question: To password protect GRUB or not?

Lamont R. Peterson lamont at gurulabs.com
Wed Aug 2 11:34:28 MDT 2006


On Wednesday 02 August 2006 11:02am, Evan Dillon wrote:
> I understand that physical security is compromised when bios and grub
> passwords are not used, but is remote security compromised in any way?

No.

However, I don't want anyone to think that the GRUB or BIOS passwords are some 
kind of magic silver bullet.  If someone can get physical access to your box, 
it's not hard to get around those.  Some examples:

1.  Open the box and reset the BIOS.  This will allow you to boot from a 
rescue CD and you'd be able to reset passwords or add additional accounts to 
the system on the hard drive.
2.  Pull the hard drive and hook it up to another box you have control over.
3.  Add another hard drive (USB?) and make a copy of the built-in one.
4.  Insert a keylogger (might require retrieving it later).
5.  Take the box (or just the hard drive) with you and deal with its content 
later.

Remember, most security is about keeping honest people honest; not for keeping 
dishonest people honest.

So, what can you do to better protect your systems?

1.  Provide better physical security.  Lock your box so that someone has to 
find the key (or break the lock or ... ) to get in.  Never leave the server 
room/closet door unlocked or propped open.  Don't let people "short-cut" 
through the server room (how hard would it be to just pick up a stray hard 
drive while walking by).  The moral of the story here is to not make it 
simple and tempting.
2.  Encryption.  See [ 
http://blogs.gurulabs.com/lamont/archives/2006/07/encrypting_part.html ].  
This will even help keep dishonest people honest.

This response barely scratches the surface.  You shouldn't think that 
encryption is a silver bullet either, but it sure is a big hurdle.
-- 
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
GPG Key fingerprint: F98C E31A 5C4C 834A BCAB  8CB3 F980 6C97 DC0D D409