On passwords, security and real -sweat, blood and tears- life

Bruno Wolff III bruno at wolff.to
Sat Apr 29 04:01:15 UTC 2006


On Sat, Apr 29, 2006 at 05:45:10 +0200,
  "A.J. Bonnema" <abonnema at xs4all.nl> wrote:
> What I wonder about is the following:
> 
> * given that all ports are closed to external contact through a physical 
> albeit consumer oriented firewall, just means I am safe for 
> port-scanners. But does it mean that I am safe from cracker systems / 
> programs? Is there a way to break in, without allowing external contact 
> through one of the ports? (not including trojans and the like).

Since the firewall lets some packets through, there is a vector to
compromise your system using the network connection. Blocking inbound
connections reduces the risk a lot. You don't say what the firewall does
for UDP (which is connectionless). If it passes any UDP packets through
(or ICMP packets), then if there were bugs in your network stack or if
you have processes listening for UDP requests with bugs, you could be attacked
that way.

> * A second issue is: suppose I would force my family to use really 
> random passwords (like characters picked from a one-time pad). And now 
> suppose I lose my root-password: would I be able to rectify this, 
> without destroying the data?

You have physical access to the machine right? Unless you have encrypted
file systems, you can boot in single user mode and change the password.
Have a boot loader password? Boot off a rescue/live CD.
Have the BIOS set only to boot off the first disk drive, password protected
and you forgot the password? Pull the battery and the BIOS will reset to
a state where you can change boot device settings.

If your firewall is blocking inbound connections, it sounds like you aren't
expecting your family members to connect to your machine remotely. If that
is the case then they don't need particularly strong passwords (since they
have physical access, there isn't a lot of point of having them even to
protect against each other). If you go this route, you should take some
extra steps to prevent remote connections on your box in case something
happens to the firewall.
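
Added example, not part of the original message: one way to see which TCP and UDP sockets on a Linux box would be reachable if the firewall stopped blocking, by reading tables in the format of /proc/net/tcp and /proc/net/udp. The sample tables and the names `exposed_listeners` and `WAITING` are constructed for illustration; IPv4 on a little-endian host is assumed.

```python
import socket
import struct

# Constructed samples in the layout of Linux /proc/net/tcp and /proc/net/udp
# (IPv4 only; addresses are hex in host byte order, little-endian assumed).
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when\n"
SAMPLE_TCP = HEADER + (
    "   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000\n"
    "   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000\n"
    "   2: 0A01A8C0:8F2C 010200C0:01BB 01 00000000:00000000 00:00000000\n"
)
SAMPLE_UDP = HEADER + (
    "   0: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000\n"
    "   1: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000\n"
)

# Socket states that mean "waiting for traffic from anyone":
# TCP LISTEN is 0A; an unconnected UDP socket is reported as 07.
WAITING = {"tcp": "0A", "udp": "07"}


def exposed_listeners(table, proto):
    """Return (proto, address, port) for sockets waiting on a non-loopback address."""
    found = []
    for line in table.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != WAITING[proto]:
            continue                              # established or malformed row
        addr_hex, port_hex = fields[1].split(":")
        addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        if addr.startswith("127."):
            continue                              # loopback only, not reachable remotely
        found.append((proto, addr, int(port_hex, 16)))
    return found


if __name__ == "__main__":
    # On a real host, pass open("/proc/net/tcp").read() and
    # open("/proc/net/udp").read() instead of the samples.
    for proto, table in (("tcp", SAMPLE_TCP), ("udp", SAMPLE_UDP)):
        for _, addr, port in exposed_listeners(table, proto):
            print(f"{proto} {addr}:{port} accepts traffic from the network")
```

Anything this reports is a service to stop, or to rebind to 127.0.0.1, so that the box does not depend on the firewall alone.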



