[ale] SSH attempts

Bob Toxen transam at VerySecureLinux.com
Mon Sep 19 12:10:38 EDT 2011


On Fri, Sep 16, 2011 at 02:38:40PM -0400, Michael B. Trausch wrote:
...
> Of course, if you have a malfunctioning system and even init won't boot
> up, you can always specify "init=/bin/bash" on the command line.
...
> The reason that locking root's password doesn't decrease the amount of
> security is because you don't need root's password to truly boot the
> system if you have access to the boot loader.  Sure, if root has a
> password you put a very minor road block in the way if someone attempts
> to boot "single", "1", or "emergency".  But they'll just reboot the
> system again and swap it out with "init=/bin/bash", and they'll get a
> very barebones environment.  Now all you have to do is "openvt
> -l /bin/bash" and you have a job-control enabled bash session
> on /dev/tty2, and you don't have to worry about a thing.  Maybe remount
> the root filesystem read-write, and have yourself a field day.
> 
> 	--- Mike

This is why it is critical to have both a bootloader (grub or lilo)
password and also a BIOS password.  They can be set so that the password
is needed ONLY when booting other than the default device (BIOS) or
default kernel environment (bootloader).

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
Quality spam and virus filters.

"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond where
the shadows lie...and the Eye is everwatching"
-- The Silicon Valley Tarot Henrique Holschuh with ... Bob
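
An added example, not part of the original message: a small audit of a GRUB 2 configuration for the setup described above, where editing the boot entry needs a password but the default entry boots unattended. It assumes GRUB 2 syntax (`superusers`, `password_pbkdf2`, `--unrestricted`); the function name, finding codes and sample configurations are constructed for illustration, and the hash is a placeholder.

```python
import re
import shlex

def audit_grub_cfg(text):
    """Return sorted finding codes for GRUB 2 configuration text."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    superusers, hashed, plain, findings = [], set(), set(), set()
    for ln in lines:
        m = re.match(r'set\s+superusers\s*=\s*["\']?([^"\']*)["\']?\s*$', ln)
        parts = ln.split()
        if m:  # GRUB accepts space , ; | & as separators in this list
            superusers = [u for u in re.split(r"[\s,;|&]+", m.group(1)) if u]
        elif parts[0] == "password_pbkdf2" and len(parts) >= 3:
            hashed.add(parts[1])
        elif parts[0] == "password" and len(parts) >= 3:
            plain.add(parts[1])
    if not superusers:
        # Nobody has to authenticate to edit an entry or reach the GRUB shell,
        # so the kernel command line can be changed at the console.
        findings.add("NO_SUPERUSERS")
    if any(u not in hashed | plain for u in superusers):
        findings.add("SUPERUSER_WITHOUT_PASSWORD")
    if plain:
        findings.add("CLEARTEXT_PASSWORD")
    entries = [shlex.split(ln) for ln in lines if ln.startswith("menuentry ")]
    if superusers and not any("--unrestricted" in e for e in entries):
        # Every entry, the default included, will prompt for the password.
        findings.add("NO_UNRESTRICTED_ENTRY")
    return sorted(findings)

# Constructed sample configurations (not taken from any real system).
WEAK = """
menuentry 'Linux' {
    linux /vmlinuz root=/dev/sda1 ro
}
"""
HARDENED = """
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_HASH
menuentry 'Linux' --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro
}
menuentry 'Linux (recovery)' {
    linux /vmlinuz root=/dev/sda1 ro single
}
"""

if __name__ == "__main__":
    print("weak:", audit_grub_cfg(WEAK))
    print("hardened:", audit_grub_cfg(HARDENED))
```

In the hardened sample the default entry boots without a prompt, while editing any entry, using the GRUB command line, or booting the recovery entry requires the superuser password.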

