Mike <[EMAIL PROTECTED]> writes:

Mike> Is there some way to restrict root access to the physical terminal
Mike> connected to my machine? I recently had a server rooted and I'm
Mike> starting from scratch with serious security in mind. If I did
Mike> restrict root access as above, would that successfully thwart root
Mike> exploits?

It's safe to assume that anybody who can get physical access to your machine can get root access. (Anybody who can manage to reboot your machine and get it to boot from a floppy, for example, has instant root access if they want it.) If you're that paranoid about someone walking up to your machine and somehow breaking it, you should put the machine in a physically secure location.

By far the greater risk in most cases is network-based attacks. You should never be making an unencrypted login to the server; it's probably worthwhile to completely disable telnet, ftp, and rsh services on the machine.

In any case, run the minimum set of services you can get away with. Uninstall others (if they're in separate Debian packages) or keep them from running (by disabling their /etc/rc?.d links or by commenting them out in /etc/inetd.conf). Keep up on security updates. Don't let people who don't need to maintain the machine log in on it. Don't use network file services if you can help it (NFS is notoriously insecure, for example).

-- 
David Maze [EMAIL PROTECTED] http://www.mit.edu/~dmaze/
"Theoretical politics is interesting. Politicking should be illegal."
-- Abra Mitchell
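
The /etc/inetd.conf step from the reply above, as an added example that is not part of the original message: a script that lists the cleartext login services still enabled in an inetd.conf-style file and prints a copy with those entries commented out. The function names and the sample file are constructed for illustration; `shell` is the inetd service name for rsh, and `login` and `exec` (rlogin, rexec) are included as an assumption beyond the three services the reply names.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file for cleartext services.
# inetd service names: "shell" is rsh; "login" and "exec" are its r-command
# siblings (an assumption beyond the three services named in the reply).
CLEARTEXT='telnet ftp shell login exec'

# Print the service name of every enabled (uncommented) cleartext entry.
audit_inetd() {
    awk -v list="$CLEARTEXT" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) bad[s[i]] = 1 }
        NF == 0 || $1 ~ /^#/ { next }      # blank line or comment: not enabled
        ($1 in bad) { print $1 }
    ' "$1"
}

# Print the file with every enabled cleartext entry commented out.
disable_cleartext() {
    awk -v list="$CLEARTEXT" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) bad[s[i]] = 1 }
        NF > 0 && $1 !~ /^#/ && ($1 in bad) { print "#" $0; next }
        { print }
    ' "$1"
}

# Constructed sample input, not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample
telnet  stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
#ftp    stream tcp nowait root    /usr/sbin/tcpd /usr/sbin/in.ftpd
shell   stream tcp nowait root    /usr/sbin/tcpd /usr/sbin/in.rshd
ident   stream tcp wait   identd  /usr/sbin/identd identd
EOF
}

tmp=$(mktemp) && sample_inetd_conf > "$tmp"
echo "enabled cleartext services:"; audit_inetd "$tmp"
echo "proposed replacement file:";  disable_cleartext "$tmp"
rm -f "$tmp"
```

On a real host, point `audit_inetd` at /etc/inetd.conf, review the output of `disable_cleartext` before installing it, and have inetd reread its configuration afterwards.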