on hammer's, security, and centrifuges...

Roland Smith rsmith at xs4all.nl
Tue Feb 7 21:47:22 UTC 2012


On Tue, Feb 07, 2012 at 07:03:50AM -0500, Henry Olyer wrote:
> So I was coding along...
> 
> On my laptop, on session #1, and I get a notice that someone did an su.
>  Except I'm the only user and I didn't have an ethernet cord connected.
>  (And no, it wasn't me...)

Were you using ppp by any chance? The rc script for ppp uses su. See
/etc/rc.d/ppp.

By default, only those in the wheel group can use su. If an attacker already
has wheel privileges, you're basically screwed.

Normally you need to have some services running to be able to log in over
wireless. I don't think it would work by default.

Can you post the output of the following:

  grep su: /var/log/messages
  bzgrep su: /var/log/messages.*.bz2

> I just built this laptop a few days ago.  Fresh.  I did have to get on the
> net to download/make/install a few critical packages.  I do development.
>  And research.
> 
> My guess, not one shred of evidence, is that someone got in while I was

Guesses without a shred of evidence are basically worthless.

> re-building packages.  Some, (for example Maxima,) take hours.  And because
> of problems with gnuplot and pdflib, won't build as packages without
> re-compilation.

On a laptop, during the install be sure to disable ssh and other services you
don't need. And configure your firewall to drop unrelated incoming
connections, since a laptop isn't a server. I can send you my pf.conf if
you're willing to use the pf firewall.

> Look, I'm going to use FreeBSD as long as both it and I are around, it's
> just the best choice for me, for my users.  But we need to improve
> security.

Not many services are started automatically by default. See the output of

  grep '_enable="YES"' /etc/defaults/rc.conf

This gives (irrelevant lines removed) the following services started
automatically by default:

devd_enable="YES" 	# Run devd, to trigger programs on device tree changes.
syslogd_enable="YES"		# Run syslog daemon (or NO).
cron_enable="YES"	# Run the periodic job daemon.

Only syslogd would be vulnerable to network attacks, I think. And only if it
were configured to log from other machines, which is not the default.

So for the most part security depends on the operator. The installer asks you
which additional services to start. You have to make a wise choice there.

> I'm not a security expert, my work is in another area.  But I would like to
> suggest that the FBSD be enhanced so that each load module, each compiled
> program, contain a DSA-based public key.  Yes, this would make installing
> and maintaining systems an all-day run.  But some of us need a higher
> degree of security than is presently available.

Quis custodiet ipsos custodes?
 
> For now, until I remake my laptop, I'm going to disable the ath0 wireless.
> How?  What's the best method to make certain that my wireless chip is
> turned off?

My laptop has a physical switch to disable it. If you don't have that, you
can:
  * turn it off in the BIOS
  * build a kernel without the required driver and module.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
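As an added example (not part of Roland's reply or of FreeBSD itself), the script below applies the two checks suggested above to constructed sample data: it counts su events in syslog-style lines, flags su invocations by anyone other than the one expected account, and pulls the enabled service names out of an rc.conf fragment the way the `grep '_enable="YES"'` command does. The host name, user names and log lines are constructed; the `BAD SU` marker for failed attempts is an assumption about su(1)'s log format. On a real system the inputs would be /var/log/messages and /etc/defaults/rc.conf.

```shell
#!/bin/sh
# Added example, not from the original post. Audits su activity in a
# syslog-style sample and lists rc.conf services switched on.

# Constructed sample of /var/log/messages lines (not real log data).
# "BAD SU" as the marker for a failed attempt is an assumption.
SAMPLE_LOG=$(cat <<'EOF'
Feb  7 09:12:03 laptop su: rsmith to root on /dev/pts/0
Feb  7 09:40:11 laptop sshd[812]: Accepted publickey for rsmith from 10.0.0.5 port 50234 ssh2
Feb  7 13:02:45 laptop su: BAD SU guest to root on /dev/pts/1
Feb  7 13:03:02 laptop su: guest to root on /dev/pts/1
EOF
)

# Constructed rc.conf fragment (not a real configuration file).
SAMPLE_RC='devd_enable="YES"
syslogd_enable="YES"
sshd_enable="NO"
cron_enable="YES"'

# Number of su events, successful or failed, in the given log text.
count_su() {
    printf '%s\n' "$1" | grep -c ' su: ' || true
}

# Number of failed su attempts (lines carrying the assumed "BAD SU" marker).
count_bad_su() {
    printf '%s\n' "$1" | grep -c ' su: BAD SU ' || true
}

# Print su events whose invoking user is not $2. On a single-user laptop
# every line this prints deserves a look.
su_not_by() {
    printf '%s\n' "$1" | awk -v who="$2" '
        / su: / {
            # The word after "su: " (or after "BAD SU ") is the invoking user.
            n = index($0, " su: ")
            rest = substr($0, n + 5)
            sub(/^BAD SU /, "", rest)
            split(rest, f, " ")
            if (f[1] != who) print
        }'
}

# Print the names of services enabled in rc.conf text, one per line,
# i.e. the same information as: grep '_enable="YES"' /etc/defaults/rc.conf
enabled_services() {
    printf '%s\n' "$1" | sed -n 's/^\([a-z_]*\)_enable="YES".*/\1/p'
}

# Stand-alone run: report on the constructed sample.
echo "su events:          $(count_su "$SAMPLE_LOG")"
echo "failed su attempts: $(count_bad_su "$SAMPLE_LOG")"
echo "su not by rsmith:"
su_not_by "$SAMPLE_LOG" rsmith | sed 's/^/  /'
echo "services enabled:"
enabled_services "$SAMPLE_RC" | sed 's/^/  /'
```

To run this against a live system, replace the two constructed variables with `$(cat /var/log/messages)` and `$(cat /etc/defaults/rc.conf)` (and bzcat for the rotated .bz2 logs); the functions themselves do not change.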