Security and Privacy: Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

24th August 2005, 05:23 PM
Registered User
Join Date: Jun 2005
Location: Puerto Rico!!!
Age: 44
Posts: 120

If USB is a security breach, how do I close the ports?
Hi all,
If unauthorized use of a USB pendrive is a security breach, how do I close the ports?
Or how do I limit them to root access?
Thanks
Agenol

24th August 2005, 05:57 PM
Registered User
Join Date: Apr 2004
Location: Euregio
Posts: 3,613

In /etc/udev/rules.d/50-udev.rules you can set the permissions for every device. If you set it to the default values for the USB devices (ports), then the owner will be root and the chmod will be 600 (only owner can use it).

24th August 2005, 06:21 PM
Registered User
Join Date: Jun 2005
Location: Puerto Rico!!!
Age: 44
Posts: 120

Thanks Ilja!
I thought I could limit the device with a simple chmod but didn't know that /etc/udev/rules.d/50-udev.rules exists.
Thanks again!
Agenol

24th August 2005, 10:29 PM
Registered User
Join Date: Feb 2005
Location: ark n saw out in the sticks
Posts: 2,316

Or, if really unneeded, turn them (USB ports) off in the CMOS/BIOS setup--use a BIOS password, etc.

25th August 2005, 12:39 PM
Registered User
Join Date: Jun 2005
Location: Puerto Rico!!!
Age: 44
Posts: 120

I was thinking more as to limit the ports to authorized users (root).
How does a BIOS password affect USB port usage? (I have no idea)
Agenol

25th August 2005, 02:37 PM
Registered User
Join Date: Feb 2005
Posts: 675

You probably want to look at the udev rules. You should be able to have udev create the USB device files with root permissions only. Per message #2 in this thread. Of course this assumes you do not allow any unauthorized users to have root access on the machine. If they do then they can use the USB ports regardless of the permissions you put on them.
I have read of a few secure environments where they epoxied over the USB ports to make sure no one could use them.
The BIOS password is only going to prevent someone from booting the system and/or changing the BIOS settings. Per w5set if you wanted to disable the USB ports in the BIOS you would need to set a BIOS password to prevent someone from rebooting the system, going into the BIOS, and enabling the USB ports.
And you may need to set the BIOS password up to prevent someone from booting the system using a CD. If they did that they would be able to access the hard drive and use the USB ports how they wanted.
How secure do you need this system to be?
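
Added example, not part of any post in this thread: a shell check for the policy described in message #2 and the reply above (USB device nodes owned by root, mode 600). It assumes the current /dev/bus/usb layout and GNU stat; the rule file name in the comment is hypothetical.

```shell
#!/bin/sh
# Added example: audit USB device nodes for the "owner root, mode 600" policy.
# Assumptions (not from the thread): device nodes live under /dev/bus/usb,
# as on current udev systems, and GNU stat is installed.
#
# A modern-syntax rule that would enforce the policy, placed in a local file
# such as /etc/udev/rules.d/99-usb-root-only.rules (hypothetical name):
#   SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", OWNER="root", MODE="0600"

# audit_usb_nodes [DIR] [UID]
# Prints "path uid=N mode=M" for every node that is not owned by UID
# (default 0) or that grants any group/other permission bits.
# Returns 0 if all nodes comply, 1 if any do not, 2 if DIR is missing.
audit_usb_nodes() {
    au_dir="${1:-/dev/bus/usb}"
    au_uid="${2:-0}"
    if [ ! -d "$au_dir" ]; then
        echo "audit_usb_nodes: no such directory: $au_dir" >&2
        return 2
    fi
    # Character devices are the real targets; regular files are included so
    # the function can be exercised on a constructed test directory.
    au_report=$(
        find "$au_dir" \( -type c -o -type f \) -exec stat -c '%u %a %n' {} + |
        while read -r uid mode node; do
            # 0$mode is parsed as octal; 077 masks the group/other bits.
            if [ "$uid" != "$au_uid" ] || [ $(( 0$mode & 077 )) -ne 0 ]; then
                printf '%s uid=%s mode=%s\n' "$node" "$uid" "$mode"
            fi
        done
    )
    if [ -n "$au_report" ]; then
        printf '%s\n' "$au_report"
        return 1
    fi
    return 0
}
```

This checks the raw USB device nodes only; a pendrive's contents are reached through its block device and mount options, which need their own restrictions.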

25th August 2005, 03:35 PM
Registered User
Join Date: Jun 2005
Location: Puerto Rico!!!
Age: 44
Posts: 120

I read the udev rules last night. It was the first time I've even heard of them.
I was hoping I could have a system where, given no physical contact, no one could sneak in as root.
But given a few "legal" users, I was hoping to restrict them from uploading anything dangerous/destructive to the system. Like closing as many back doors as possible.
If I log on via a serial port and installed a pendrive, could a normal (not root) user access the pendrive contents or not?
Thanks!

25th August 2005, 04:03 PM
Registered User
Join Date: Feb 2005
Posts: 675

If the machine has network access or email access, a legal user can get code onto the box. If you have the box physically locked down and the legal users only have access to the keyboard/mouse/monitor, access to the USB ports should be a non-issue since they would not have access to those.
If the legal users do not have root access via su or sudo and you have the permissions set correctly on the USB ports, you should be fairly safe.
This may be an area that SELinux can provide some help. With the right rules in SELinux you should be able to block all access to USB devices except for root using certain programs. This would be another layer on top of the regular user permissions. Have not written any rules like that yet but I believe it should be doable.
But the best protection may be to use a lock box to put the computer in and use a good padlock. A better understanding of the environment you are putting this unit into would help. And a lot of this depends on just how secure and what kind of threat you are trying to protect against. A good written policy signed by the legal users may be sufficient (i.e. if caught loading non-authorized software or copying data or software from the system they will be terminated.)
But as stated before, if these legal users have root access via su or sudo or the root password, nothing can prevent them from doing whatever they want.

25th August 2005, 11:53 PM
Registered User
Join Date: Feb 2005
Location: ark n saw out in the sticks
Posts: 2,316

I installed Bastille and associated perl-Tk stuff and ran it. This looks like maybe what you are looking for and it will run GUI or command line either.
It is capable of helping lock down FC any version it seems--this is certainly a step I would recommend if you are looking for a reasonably secure computer (at least in permissions, etc.)
This is suggested only as one possibility and aid--there are certainly a lot more available.
Read here
http://www.bastille-linux.org/runnin...lle_on.htm#top
It didn't change much on my system, but did lock it a little tighter than I did have it.
Your mileage may vary.....