LINUX SECURITY --- September 26, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
*********************************************************************
HIGHLIGHTS
* Physically securing your system to prevent it from being
compromised by the internal menace
*********************************************************************
Let's Get Physical
by Rick Johnson
Recently, I received a frantic call from a friend whose servers sit in a
co-location facility. One of the boxes was cracked. He had absolutely no
idea how it could have happened. Throughout the server's life, he
followed all the rules. It had the latest security updates; a solid
firewall policy; and even intrusion detection measures. With all this in
place, somehow his box was compromised.
How, you ask? Well, it happened in a much less publicized way. Someone
actually sat down at the console and compromised the server. At this
point, all I could recommend was a complete restoration or, preferably,
a reinstall. Here are a few important steps to enhance the physical
security of your servers.
* Do you really need a floppy drive installed? If not, take it out
or at least disable it. If you do need one, be sure to change the
boot sequence in the BIOS to have it boot off the hard drive
first. Not having access to a floppy drive will ensure that an
attacker cannot circumvent any other security measures by using a
boot disk.
* Password protect the BIOS. This will not affect rebooting of the
system, but will stop someone from trying to change the boot
sequence or re-enable the floppy drive. This does not provide much
security but it sure does not hurt.
* Password protect the boot loader. If you are using LILO, it is
possible for an attacker to put the box into single user mode.
Even in single user mode, they must still supply the root password
for access; but, if they type "init=/bin/sh" at the prompt, it is
possible to bypass it. To get around this, you can add the
"restricted" parameter into the lilo.conf file. With this enabled,
a password is only required to boot the image if parameters are
specified on the command line (e.g. single). Be sure to read the
man page before making any changes.
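As an added example (not taken from the newsletter), here is a minimal
lilo.conf that applies the "restricted" option the author describes. The
disk device names, the kernel path and the password value are
placeholders. Note that "restricted" only modifies the "password" option:
without a "password=" line, LILO never asks for anything, so the two go
together.

```conf
# Constructed example lilo.conf (not from the original article).
# /dev/hda, /dev/hda1, /boot/vmlinuz and the password are placeholders.

# Install the boot loader to the master boot record of the first disk.
boot=/dev/hda
prompt
# Tenths of a second to wait before booting the default image.
timeout=50
default=linux

# Global options. "restricted" means the password below is only
# demanded when the user types boot parameters at the LILO prompt
# (for example "linux single" or "linux init=/bin/sh"). An unattended
# boot of the default image, e.g. after a power failure, still needs
# no password, so remote reboots keep working.
restricted
password=CHANGE-ME-placeholder

image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
```

Two points a practitioner will want to check after editing the file:
the password is stored in clear text, so the file should be readable
only by root (chmod 600 /etc/lilo.conf; lilo prints a warning when a
password is configured in a world-readable lilo.conf), and /sbin/lilo
must be re-run after every change, because the boot map is generated
from the configuration and the edit has no effect until then.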
A top of the line professional co-location facility usually has
preventative measures in place to stop this type of attack. At the very
least, you will find locked cabinets or cages for each customer.
Unfortunately, the cost of such a facility is often outside the budget
of most start-ups or dotcoms. As an alternative, they turn to regional
Internet providers who offer the convenience of locating a server on a
high-speed backbone without the enormous costs. As a trade-off, these
facilities usually locate all servers in one open network room or shared
rack with little or no physical security. With no individual security,
each customer's equipment is only as secure as the staff chooses.
There is not much to prevent an attacker from physically cracking open
the case and removing the hard drive but aside from that, following
these simple yet often overlooked steps will provide a reasonable amount
of security in an otherwise insecure environment.
Resources
Locking doors, latching windows
Keep those pesky script-kiddies out of your system
http://www.itworld.com/jlw/linsecnl/lw-1999-12/lw-12-vcontrol_1.html
Security experts say: "Don't ignore threat from within"
Pack monkeys, script kiddies, and ankle biters are just part of the
problem
http://www.itworld.com/jitw/linsecnl/cma/ett_content_article/0,2849,1125_1124,00.html
Are you ready for your audit?
A security audit by any other name would not be so intimidating
http://www.itworld.com/jsw/linsecnl/swol-08-1995/f_swol-08-security.html
************************************************************************
About the author
----------------
Rick Johnson is currently the Manager of Security Services for
FusionStorm, a remote managed services company. When not writing, he
heads the development team for PMFirewall, an Ipchains Firewall and
Masquerading Configuration Utility for Linux. Rick can be contacted via
email at rick@pointman.org or on the web at http://www.pointman.org.
*********************************************************************