Physical security

When most people think of computer security, the images are usually of young crackers sitting in a dark bedroom, attack dialling the corporate giants and defence installations of the USA, ala War Games and the Cuckoo's Egg.

The truth of the matter is somewhat different, with various industry surveys estimating the level of security breaches by 'internal sources' as being between 75 and 90%.

While it is virtually impossible to guarantee a 100% secure computer system (short of turning the computer off, encasing it in concrete and employing the SAS to guard it on a 24 hour basis), there are a number of steps you can take to ensure that your computer is physically secure.

The weak points for any Linux box are typically:

1. Rebooting the computer to either a root/boot floppy or a DOS partition. From there, the cracker can edit the root password, etc.
   
   
2. Rebooting the computer and exploiting the single user mode in LILO to give root access.
   
   
3. Opening the case and stealing the hard drive(s)

1. Configure the BIOS to boot from C: then A:

Any modern BIOS will allow you to select the primary drive to boot from. By selecting C: then A: over the (typically) default settings of A: then C:, you can ensure that an attacker can not forcibly boot the system from their own customised boot disk.

If you ever need to boot from a floppy, reverse the BIOS boot options to boot from A: then C:, boot from the floppy, and then when you are sure you have finished working from a boot floppy, reinstate the original BIOS boot option.

2. Enable BIOS passwords

To ensure that an attacker does not reconfigure the BIOS to allow them to boot from a floppy, enable the BIOS password system to protect BIOS configuration.

BIOS passwords can usually be selected between three states:

1. Off
   
   
2. Protect BIOS configuration - best for unattended servers, where you want to stop BIOS access, but otherwise need the computer to (re)boot without human intervention
   
   
3. Start-up access - this requires a password before the computer will boot; useful for laptops or any other computer that could be stolen (but there are ways of circumventing the password)

3. Secure LILO

With some Linux distributions, attackers can get root access at the LILO prompt stage with either of the following commands that put Linux in single-user mode:

        LILO: linux single
        LILO: linux 1

This can be prevented by either:

1. Edit your boot scripts to run sulogin so that a root password is required before the user is granted shell access (Debian 1.3 has this configuration by default).
   
   This can be circumvented with the linux init=... command.
   
   
2. Set up a LILO password by adding the following lines to /etc/lilo.conf:

   	    PASSWORD=<password>
   	    RESTRICTED
   	    

   This forces the user to enter the password if parameters (such as single have been specified on the command line.

You can also add password protection to specific images, such as DOS partitions from which a user could run Norton Disk Editor or some other nefarious disk editing tool.

4. Physically secure the computer

All of the measures above are useless if someone can remove the hard disk or steal the computer!

Some suggestions for preventing this are:

• Buy a cable and padlock system that locks the case to the chassis of the computer and then to the furniture. This will not stop the prepared thief with boltcutters, oxy-acetylene torch or an angle grinder, but it will hinder them!
  
  
• Etch your driver's licence into the computer in a non-obvious place in case it is ever recovered.
  
  
• Replace the chassis screws with non-standard screws (like Torq screws) - this prevents theft of the hard drive and RAM.