  1. #21
    SMR (Master Untangler); Iowa, United States; joined Feb 2010; 201 posts

    Quote Originally Posted by pirateghost:
    I can confirm this. I just had to do this recently to a system at work. A programmer had set up an ESXi box and put some VMs on it that the other programmers were using in production. The guy left the company and didn't tell anyone what his root password was.

    The sad part is that we didn't know any of those servers were in production; we were told they were all test, until I took the server down to do some work in the server room. Then they all screamed... Lesson learned: don't allow anyone but the system admin to set up ESX boxes.
    You'd think I'd be embarrassed by how many times I don't get things quite right on these forums, but I'm surprisingly not. Just more for me to realize what I have to work towards. Thanks for the heads up, lesson learned! I didn't know this was a possibility before now. I might take a look at that ability so that I know what I'm up against.
    Sam Reeves
    Disclaimer: I know nothing.. There, that should satisfy any doubt you had!
    "on the outside, I was an honest man, straight as an arrow. I had to come to prison to be a crook." - Shawshank Redemption (1994 film - Andy Dufresne)

  2. #22
    sky-knight (Untangle Ninja); Phoenix, AZ; joined Apr 2008; 26,498 posts

    SMR, you can do this with any form of Linux. The user passwords are simply files stored in the etc directory. I'm not going to spell it out here due to the implications of Untangle. But let's just say it's trivial to take a hashed password from one file in a known working system and replace an unknown hash in a "locked" install.

    Heck, if you have an account on a Linux server you have physical access to, and that account isn't root, then assuming GRUB isn't password locked you can reboot the system into diagnostic mode, mount the / file system, and replace the root password hash with your own account's password, reboot again and wham, you have access to root.

    Windows is actually more secure in these regards; at least it takes special tools to replace these things. But on the other hand Linux is easier to fix... and if you set up your servers correctly there is zero reason to grant users access to the console of a Linux server.

    So at the end of the day this axiom applies: if you have physical access to the unit, you own the unit. Once physical access is gained, it's only a matter of time before the box is breached.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #23
    Newbie; joined May 2010; 1 post

    I think you guys are missing the point here. While I agree that physical access to the machine overrides any kind of software-based security, what chrisb (my boss) is looking for is a simple console lock. You know, like just about any other server OS ever made has!

    The issue at hand here is that the onsite IT guy is junior and has a penchant for spending hours on YouTube. This is exactly why Untangle was installed in the first place. The only problem is that the young blighter has figured out that if he resets the password he can change his profile through the Untangle web UI and give himself access to whatever he wants. I agree wholeheartedly that repeated abuse of company IT resources is grounds for firing the guy, but having a console lock seems like an obvious deterrent. It's also about accountability to our client. Example conversation:

    Us: "Your IT guy seems to have reset the Untangle password and now we can't gain access to the web UI."

    Client: "What! He never had the password to begin with, how can he just reset it?"

    Us: "Well sir, you see, Untangle allows anyone with physical access to the machine to reset the password. Might we suggest locking the physical machine away or perhaps raising the issue with the IT guy?"

    Client: "He needs physical access to the machine*. Why can't you just password protect the thing like any of the other (Windows-based) servers we have?"

    Us: "Sorry sir, we'll look into a solution."

    *This guy has to have access to the machine for many reasons, one being that in South Africa we have regular power failures. Although we make use of UPSes, we configure our servers not to power on when AC comes back, because the power often drops and returns several times intermittently before staying on for good. So to avoid file system corruption because of the UPS not having any charge left, someone needs to physically power on the machines once the power seems stable. Even then, in SA you cross your fingers and hope for the best.

    Phew! After all the digging and trying to get Untangle to run on VirtualBox (can't get Guest Additions to install, which renders the mouse unusable over VRDP) I'm just about ready to give up and tell our client to get screwed; unfortunately it's not my call to make.

    All that back and forth aside, having a simple (although unsecured) console lock is enough of a deterrent in 99% of cases.
    Last edited by sidster; 05-28-2010 at 02:39 AM.

  4. #24
    mozerd (Master Untangler); Nepean, Ontario, Canada; joined Nov 2008; 253 posts

    Experience has no substitute

    Quote Originally Posted by SMR:
    You'd think I'd be embarrassed by how many times I don't get things quite right on these forums, but I'm surprisingly not. Just more for me to realize what I have to work towards.
    Which is why it is very important to comprehend that:

    Experience has no substitute
    Inexperience carries significant cost and risk.

  5. #25
    Master Untangler; joined Oct 2008; 913 posts

    Quote Originally Posted by sidster:
    Us: "Well sir, you see, Untangle allows anyone with physical access to the machine to reset the password."
    And you can do the same with any other OS out there. This is not an Untangle problem. Any Linux distro can be reset in a similar way, and a simple boot CD will bypass any Windows logins that might be in place on a machine.

    I am sorry that you don't understand that physical access to a box means it is insecure. Period. No matter what OS it is.

  6. #26
    Master Untangler; joined Apr 2007; 594 posts

    I have created a simple method to password protect access to the recovery console. Please look here.

    http://forums.untangle.com/hacks/159...y-console.html

  7. #27
    astrodanco (Untangler); Nairobi; joined Mar 2010; 40 posts

    You can configure the BIOS to boot only from the disk, password protect the BIOS, password protect GRUB, and lock the machine's case.
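    As an added defender's check that is not part of this thread: a POSIX shell audit of a GRUB 2 grub.cfg for the "password protect GRUB" item above, which also reports whether the normal entry is marked `--unrestricted` so that unattended power-on still works. It assumes GRUB 2 directive names (`set superusers`, `password_pbkdf2`, `menuentry ... --unrestricted`); the grub.cfg content it runs against is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread: audit a GRUB 2 grub.cfg for the
# "password protect grub" control. Assumes GRUB 2 directives (set superusers,
# password_pbkdf2, menuentry --unrestricted); GRUB legacy's "password --md5"
# syntax is not covered.

# audit_grub_cfg FILE -> prints findings; returns 0 if a superuser and a
# PBKDF2 hash are both present (menu edits and the GRUB shell need a
# password), 1 if the menu is open, 2 if FILE is unreadable.
audit_grub_cfg() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
    rc=0
    if grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg"; then
        echo "OK   superusers defined"
    else
        echo "FAIL no 'set superusers': anyone at the console can edit entries"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$cfg"; then
        echo "OK   PBKDF2 password hash present"
    elif grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "WARN plaintext 'password' directive; use grub-mkpasswd-pbkdf2"
        rc=1
    else
        echo "FAIL no GRUB password set"
        rc=1
    fi
    # Without --unrestricted on the normal entry, every boot prompts for the
    # password, which matters for unattended power-on after an outage.
    if grep -Eq '^[[:space:]]*menuentry[^{]*--unrestricted' "$cfg"; then
        echo "INFO an --unrestricted entry exists: unattended boot still works"
    else
        echo "INFO no --unrestricted entry: the password is needed on every boot"
    fi
    return "$rc"
}

# Stand-alone demo on a constructed grub.cfg (sample content, not a real host).
demo=$(mktemp)
cat >"$demo" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Untangle' --unrestricted {
    linux /vmlinuz root=/dev/sda1
}
EOF
if audit_grub_cfg "$demo"; then echo "result: locked"; else echo "result: open"; fi
rm -f "$demo"
```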

  8. #28
    sky-knight (Untangle Ninja); Phoenix, AZ; joined Apr 2008; 26,498 posts

    Sure if you want to input a password every time the power button is pressed...

    No thanks I'll continue to use locked cabinets, and closets.

    And if you have an IT guy that isn't abiding by policy... well, that's a trust issue that needs to be resolved with employment termination. I understand your concerns, but to be honest this situation is illustrative of a human resource problem that is far more dangerous than the technological problem raised.
    Last edited by sky-knight; 06-01-2010 at 11:40 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #29
    Newbie; joined Jul 2010; 1 post

    Quote Originally Posted by fasttech:
    I'm kinda a fan of blunt force trauma.
    I was hoping to remove the reset option, as this box is not locked away and cannot be locked away; everybody can see the box, and the on-site IT guy is not trusted.
