
Thread: root access...

  1. #11
    zencoder (AO Senior Cow-beller, Moderator)
    > Is this still true? This is a basic security "feature" that I thought was being removed from most of the Linuxes and that default boot security was being put in place to prevent access to single-user mode.

    Hmm, I'm not sure. I think for a while it was a matter of security through obscurity. I don't recall exactly, but I think it was RH8 or 9 or so, where it was damned near impossible for me to find single user mode flags/instructions from the actual LILO/Grub interface. So they didn't give up the keys to the house, but they still allowed anyone who knew how to enter --single or whatever it was to waltz right in.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  2. #12
    MrLinus (Just a Virtualized Geek)
    Hrmm.. important reasons, if using LILO, to enable restricted and password (I have to admit still preferring LILO to GRUB for simplicity reasons).


    Info on securing LILO to prevent single user access

    Hints on securing GRUB
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
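An added check (not from the thread or the guides it links) for the LILO settings post #12 names: it verifies that every boot entry in a lilo.conf is covered by a `password=` line, reports whether `restricted` is set, and confirms the file is private, since the password is stored there in cleartext. `audit_lilo` and its exit codes are hypothetical; `password=`, `restricted`, `image=` and `other=` are LILO's own directives.

```shell
#!/usr/bin/env bash
# Added example: audit_lilo is a hypothetical helper, not part of LILO.
# Exit status: 0 = every boot entry is password-protected and the file is
# private; 1 = an entry has no password; 2 = file accessible by group/other;
# 3 = file missing or unreadable.
# Prints "restricted" (password asked only when boot parameters such as
# "single" are typed) or "mandatory" (password asked on every boot).
audit_lilo() {
    conf=$1
    [ -r "$conf" ] || return 3

    # A global password= (before the first image=/other= section) covers
    # every entry; otherwise each section needs its own password= line.
    awk '
        { sub(/#.*/, "") }                        # drop comments
        /^[ \t]*(image|other)[ \t]*=/ {
            if (insec && !pw) bad++               # previous section had none
            insec = 1; pw = 0; next
        }
        /^[ \t]*password[ \t]*=/ { if (insec) pw = 1; else gpw = 1 }
        /^[ \t]*restricted[ \t]*$/ { r = 1 }
        END {
            if (insec && !pw) bad++               # last section had none
            ok = gpw || (insec && !bad)
            if (ok) print (r ? "restricted" : "mandatory")
            exit !ok
        }
    ' "$conf" || return 1

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$conf" | cut -c5-10)
    [ "$perms" = "------" ] || return 2
    return 0
}

# Stand-alone use: pass the path to the configuration file to audit.
if [ $# -gt 0 ]; then audit_lilo "$1"; fi
```

The same boot prompt protection means nothing if the machine can boot from other media, which is the point the following posts take up.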

  3. #13
    gore (Senior Member)
    Since this turned into somewhat a Physical security part, what about the CD-ROM drive? I don't need LILO or Grub to give me root, my bootable Slackware CD does that. I can change the password for root, copy things. Lots of stuff.

  4. #14
    MrLinus (Just a Virtualized Geek)
    > Since this turned into somewhat a Physical security part, what about the CD-ROM drive? I don't need LILO or Grub to give me root, my bootable Slackware CD does that. I can change the password for root, copy things. Lots of stuff.

    This is why one disables the CDRom from the boot process or physically unhooks it inside the case. Same applies for Floppy. Because we now can have USB-based Linux drives, it may be necessary (worst case) to fill the USB ports up to prevent their access or get a lock of some type for them. The case, of course, should be in a locked cage and an access controlled room.

    Generally accepted belief is, however, that once physical access is obtained, all bets are off. That doesn't mean that one shouldn't make it difficult for an attacker to reach his goals.

    Remember: it's always layered security (backups of backups of backups of backups and redundant systems backing up redundant systems backing up redundant systems... )

  5. #15
    gore (Senior Member)
    Hehe, I for one have gotten access to a Hospital's Main IT area. Locking a CD-ROM drive is good, but I know how to pick locks and can usually even get the numerical locks. And, it's quite easy to slip inside with a rubber glove on and open the case. Now I know a lot of servers will report that the case has been recently removed. Trust me, I've made that message pop up and almost pissed myself.

    But again, you can make that go away as well.

    I guess it really depends on why someone wants in. If all they want is to destroy your servers, then well, that's easy, all you need to have is rubber gloves, and wear a thick suit (It helps with the skin particles that fall off every second you're alive so sniffer dogs have a hard time finding you as well).

    Another thing to look into is how a dog smells you. Every human smells different and no two are the same, and dogs can smell fear, but there are people in this World who can hold back that smell and get past a guard dog.

    Security cameras are nothing, you can spray over them, or get lucky and see they are hooked up to a computer and edit them.

    A locked door is nothing more than an interruption. Someone will find a way in.

    And even employees, they are your easiest targets. There is no patch for user stupidity. You can get temp passes and change what you can access with it and you can do stake out work to see where each part of the building leads so you can escape if needed by crawling through ceiling tiles.

  6. #16
    MrLinus (Just a Virtualized Geek)
    Originally posted here by gore
    > Hehe, I for one have gotten access to a Hospital's Main IT area. Locking a CD-ROM drive is good, but I know how to pick locks and can usually even get the numerical locks. And, it's quite easy to slip inside with a rubber glove on and open the case. Now I know a lot of servers will report that the case has been recently removed. Trust me, I've made that message pop up and almost pissed myself.
    >
    > But again, you can make that go away as well.
    >
    > I guess it really depends on why someone wants in. If all they want is to destroy your servers, then well, that's easy, all you need to have is rubber gloves, and wear a thick suit (It helps with the skin particles that fall off every second you're alive so sniffer dogs have a hard time finding you as well).

    I think someone would notice if you're wearing a rubber suit. It's one of those obvious things.

    > Another thing to look into is how a dog smells you. Every human smells different and no two are the same, and dogs can smell fear, but there are people in this World who can hold back that smell and get past a guard dog.

    Guard dogs aren't used for that kind of detection. They are used more for EWS rather than tracking someone.

    > Security cameras are nothing, you can spray over them, or get lucky and see they are hooked up to a computer and edit them.

    This is why you have discretionary security with random check guards and system administrators that check everything (paranoia).

    > A locked door is nothing more than an interruption. Someone will find a way in.

    Sure. But if you get a decent door with a decent frame, they're going to have to make a lot of noise to break in. Remember, none of this is 100% security but rather to slow down an attacker, make it more difficult and/or deter the casual attacker. For some, a locked door is more than enough. For someone determined and willing to take the risk, it may be nothing.

    > And even employees, they are your easiest targets. There is no patch for user stupidity. You can get temp passes and change what you can access with it and you can do stake out work to see where each part of the building leads so you can escape if needed by crawling through ceiling tiles.

    This is why ceiling tiles are a no-no for server rooms or why some server rooms are encased in a steel cage. One of the more ingenious server room setups I've seen (and I like this one) is a circular room, that is entirely of bullet-proof glass located behind reception (I know of one major backbone ISP here that has this). The servers are at the center of the room, single file.

    While not all enterprises have perfect security that doesn't mean that some don't. I've been to places that have lax security and some that have way over-the-top (safeguard costs well more than what's being protected). No security is a be-all but rather part of a larger system. I wouldn't rely solely on cameras but would include things like motion/heat detection and/or audio detection as well as cages for servers, a secure room (this means raised floor and secure ceiling/walls), solid door and frame with appropriate access controls (physical, technical and administrative). Security is a whole package, not one thing.

  7. #17
    gore (Senior Member)
    Wow, I've never seen some of the things you have. At the hospital I was in, I was able to make it to pretty much any place I wanted. I even had a security guy behind me and he didn't even stop and ask what I was doing (Pretending to be lost looking for the bathroom is great). And don't get me started on the bathroom heh, people sit down in a stall, leave the laptop case at the side and no one is going to get up and chase you with their pants down while you walk away with the laptop case.

    This type of security is my little area, it's something I'm actually good at. At my school, they know how I am, but they know that even though I'm a good social Engineer, and though I could get in there and really **** things up, they allow me into places most students aren't allowed to be inside.

    I think it's because for one they know I really wouldn't, and two, they know I could anyway heh.

    At my college the doors for the servers are locked with key codes and the glass is steel framed. And the glass has a steel net so breaking it would do you no good.... Well it would do the common thief no good but me, I know how to work wire cutters and melt steel in a few seconds with a modded lighter.

    I know I won't be able to get into anything some places are expecting people like me, but I can get into a fair amount of places I shouldn't be allowed to.

    I don't steal anything and I've never taken, I just like getting in.

    get in, get out, don't leave anything that could be traced to you, and it's like sex. Lol. I've never been inside an ISP, but for my Network analysis and design class I have now, We are going to be setting up a Network for an apartment complex and get paid for it.

    Me and my buddy are the ones who got drafted for the security aspect. This should be fun, the only networks I've set up are for my relatives and of course for me. And well I did do about 2 of them at school.

    Oh I wanted to bring something up:

    My school has no wireless policy, meaning I can use wireless and break into servers and they can do nothing because there is no policy telling me not to and this would work fine, it happened here in Michigan last year and the people got out of it because no policy said not to do that.

    Just wanted to bring up the importance of a good policy.

  8. #18
    zencoder (AO Senior Cow-beller, Moderator)
    Originally posted here by gore
    > And don't get me started on the bathroom heh, people sit down in a stall, leave the laptop case at the side and no one is going to get up and chase you with their pants down while you walk away with the laptop case.

    That's ingenious! One more example to use when talking about 'accessibility to your systems and devices'. Awesome! I'm laughing to myself, picturing a person with suit trousers around ankles, skivvies barely protecting what little modesty is left, running after someone yelling "That's my bag!"

    > My school has no wireless policy, meaning I can use wireless and break into servers and they can do nothing because there is no policy telling me not to and this would work fine, it happened here in Michigan last year and the people got out of it because no policy said not to do that.
    >
    > Just wanted to bring up the importance of a good policy.

    I wouldn't depend on the absence of successful previous prosecution (or conviction) to protect you from their lack of an adequate policy. I mean, theoretically, if the DA could identify you and link you to your username here, they could use your participation on this site as a basis for an argument that you do know what is accepted as 'legal' use and behavior.

    I know, you're about to reply with how ultra secure and anonymous your connections are. That's not the point. The point is, do you think it would be easier or harder to get away with something a second time due to a technicality like that? They've learned from their mistakes, have no doubt. They may not have fixed the overt problem, but they certainly remember how pissed they were that the case was dismissed or plead down because of something THEY did (or failed to do, in this case.)

    So just because someone got away with it once doesn't give the (smart) user carte-blanche to do things that would be considered inappropriate, wrong, or illegal. If you leave a bar drunk and ask a cop for a ride home, his refusing to drive you does NOT give you legal protection if you choose to drive drunk.

  9. #19
    gore (Senior Member)
    I don't secure my connection to the net. The faster they find me the less agitated they are when questioning. Besides, I think I'd have more explaining to do than just Computer related. I don't even use a proxy. Proxy and pussy start with the same letter for a reason.

  10. #20
    Thanks to all of you guys for your help.
    I think it will be more than good for me.
    But let's get the obvious point out of the way..
    with zencoder speaking of some real stuff, han..
    But you guys didn't tell me if it's really possible or not.
    After all, trojans and backdoors must not be the only way to get in there.
    I know about backdoor coding stuff and all that.
    But can anyone out there tell me if we can write a script on the console at the login screen,
    not just only editing lilo.conf?
    And jinx, there is one more thing for you, friend:
    in the case of Red Hat Fedora Core 2 in GRUB,
    that GRUB edit didn't really work out.
    So guys, take care,
    and help me out if you can.
    ashtified
