From owner-freebsd-questions Thu Nov 8 0:15:14 2001
From: "Anthony Atkielski"
To: "Giorgos Keramidas" ,
Subject: Re: Lockdown of FreeBSD machine directly on Net
Date: Thu, 8 Nov 2001 09:15:06 +0100

Giorgos writes:

> Think of the damage that someone can do, if
> they come with a floppy and steal the keypair
> that you use to SSH as root.

An important prerequisite to good security is physical security of the server. If you allow direct physical access to the machine, all bets are off. Some machines can be secured well enough to prevent any kind of non-violent penetration, by disallowing disk and CD-ROM boots, putting passwords on the BIOS, locking the case, etc., but someone can still just rip the machine out and carry it off, or pry it open and disable the BIOS password, and so on.

I don't know of any non-trivial system that is physically secure, although organizations like the NSA do design small devices that are highly (but not completely) tamperproof.