From: Roland Smith
To: Henry Olyer
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Date: Tue, 7 Feb 2012 22:46:49 +0100
Subject: Re: on hammer's, security, and centrifuges...
Message-ID: <20120207214649.GA59467@slackbox.erewhon.net>

On Tue, Feb 07, 2012 at 07:03:50AM -0500, Henry Olyer wrote:
> So I was coding along...
>
> On my laptop, on session #1, and I get a notice that someone did an su.
> Except I'm the only user and I didn't have an ethernet cord connected.
> (And no, it wasn't me...)

Were you using ppp by any chance? The rc script for ppp uses su. See
/etc/rc.d/ppp.

By default, only those in the wheel group can use su. If an attacker already
has wheel privileges, you're basically screwed.

Normally you need to have some services running to be able to log in over
wireless. I don't think it would work by default.

Can you post the output of the following:

    grep su: /var/log/messages
    bzgrep su: /var/log/messages.*.bz2

> I just built this laptop a few days ago. Fresh. I did have to get on the
> net to download/make/install a few critical packages. I do development.
> And research.
>
> My guess, not one shred of evidence, is that someone got in while I was

Guesses without a shred of evidence are basically worthless.

> re-building packages. Some, (for example Maxima,) take hours. And because
> of problems with gnuplot and pdflib, won't build as packages without
> re-compilation.

On a laptop, during the install be sure to disable ssh and other services you
don't need. And configure your firewall to drop unrelated incoming
connections, since a laptop isn't a server. I can send you my pf.conf if
you're willing to use the pf firewall.

> Look, I'm going to use FreeBSD as long as both it and I am around, it's
> just the best choice for me, for my users. But we need to improve
> security.

Not many services are started automatically by default. See the output of

    grep '_enable="YES"' /etc/defaults/rc.conf

This gives (irrelevant lines removed) the following services started
automatically by default:

    devd_enable="YES"    # Run devd, to trigger programs on device tree changes.
    syslogd_enable="YES" # Run syslog daemon (or NO).
    cron_enable="YES"    # Run the periodic job daemon.

Only syslogd would be vulnerable to network attacks, I think. And only if it
were configured to log from other machines, which is not the default.

So for the most part security depends on the operator. The installer asks you
which additional services to start. You have to make a wise choice there.

> I'm not a security expert, my work is in another area. But I would like to
> suggest that the FBSD be enhanced so that each load module, each compiled
> program, contain a DSA-based public key. Yes, this would make installing
> and maintaining systems an all-day run. But some of us need a higher
> degree of security than is presently available.

Quis custodiet ipsos custodes?

> For now, until I remake my laptop, I'm going to disable the ath0 wireless.
> How? What's the best method to make certain that my wireless chip is
> turned off?

My laptop has a physical switch to disable it. If you don't have that, you can:

* turn it off in the BIOS
* build a kernel without the required driver and module.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
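The two checks Roland suggests (grepping the current and rotated logs for su records, and listing the services that /etc/defaults/rc.conf enables), worked through as an added example. This is not code from the original thread; the log lines, the rc.conf contents, the user name "rsmith" and the files under $TMP are constructed here so the script runs offline, and a real run would point the functions at /var/log/messages, /var/log/messages.*.bz2 and /etc/defaults/rc.conf instead.

```shell
#!/bin/sh
# Added example, not part of the mailing-list post. Helpers for two audits:
#   1. pull every su(1) record out of the current and rotated logs, and
#      flag those that are not the owner's own "USER to root" from a tty;
#   2. list which services an rc.conf-style file enables by default.

# Print every su record from the given log files. Rotated logs ending in
# .bz2 are read through bzcat, which is what bzgrep does for you.
su_events() {
    for f in "$@"; do
        case "$f" in
            *.bz2) bzcat "$f" ;;
            *)     cat "$f" ;;
        esac
    done | grep 'su: '
}

# Count su records that are NOT the expected "<owner> to root on /dev/..."
# Anything left (another account, a BAD SU, an su while nobody was at the
# keyboard) is what the operator should look at first.
unexpected_su_count() {
    owner=$1; shift
    su_events "$@" | grep -v -- "su: $owner to root on /dev/" | wc -l | tr -d ' '
}

# Service names behind the grep '_enable="YES"' check in the post.
enabled_services() {
    grep '_enable="YES"' "$1" | sed -e 's/_enable="YES".*//' -e 's/^[[:space:]]*//'
}

# --- constructed sample data (not real logs) ----------------------------
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/messages" <<'EOF'
Feb  7 06:55:12 laptop su: rsmith to root on /dev/pts/0
Feb  7 07:01:44 laptop su: BAD SU henry to root on /dev/pts/1
Feb  7 07:03:50 laptop su: www to root on /dev/pts/2
Feb  7 07:04:02 laptop sshd[1234]: Server listening on :: port 22.
EOF
cat > "$TMP/rc.conf" <<'EOF'
devd_enable="YES"    # Run devd, to trigger programs on device tree changes.
sshd_enable="NO"     # Enable sshd
syslogd_enable="YES" # Run syslog daemon (or NO).
cron_enable="YES"    # Run the periodic job daemon.
EOF

su_events "$TMP/messages"
echo "unexpected su records: $(unexpected_su_count rsmith "$TMP/messages")"
enabled_services "$TMP/rc.conf"
```

On the constructed data the owner's own su is filtered out, leaving two records to explain (the failed attempt and the su by the www account), and the service list comes back as devd, syslogd and cron, matching the trimmed rc.conf output in the post.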