On Thursday 06 August 2009 17:01:30 John Floren wrote:
> On Thu, Aug 6, 2009 at 4:28 PM, Corey<co...@bitworthy.net> wrote:
<snip>
> > I honestly can't believe that this is even up for debate! <grin>
> >
> > It's just bizarre.
>
> Oh, if we're just protecting against people wandering by who are
> obviously there by mistake--since we're discounting anyone coming
> prepared for serious maliciousness--how about just not having a
> terminal connected to your file server?
>

Ok, that's reasonable. Especially when considering the idea that, apparently, once a Plan 9 cpu/auth/fs server has been set up, there's no reason to require further periodic access to its terminal.

Removing the Plan 9 server's terminal peripherals is equivalent to - and follows the same exact line of reasoning for - implementing a password for said server's terminal.

i.e. - both techniques increase the level of difficulty and effort and inconvenience one must suffer through before gaining unauthorized access to a hostowner prompt.

In light of this, I'm still unconvinced that a terminal password is totally without merit. At least with a password, I don't force trusted admins to lug out the peripherals.

> My cpu/auth/file servers don't
> have anything connected except an ethernet cable and a remote serial
> console. Oh, sure, there's a crash cart over in the corner that you
> could drag over and plug in, but you've decided that we're only
> talking about opportunists who see a prompt and decide to type some
> stuff, so it's not a problem.
>

True.

> The whole friggin' point of a colo is that you trust the people
> running it--
>

I have direct experience as a contractor where I have entered many a co-lo; and was unimpressed with their security to say the least. I had constant and easy access to a large number of nameless servers, it's a no-brainer to access keyboard/monitor pairs in many of these places.

Interestingly enough - that simple, worthless password prompt is what made it effectively impossible to do anything with said servers. It was easy for me to reach keyboards; but would have been risky and difficult - and would have had _zero_ plausible deniability - to pop a chassis and snag hard drives.

> I have not found a single sign that anyone has so much as touched the
> keyboard, much less done "rm -r /" or whatever it is you're afraid of.
>

I'm afraid of all the same things you're afraid of - all the same reasons why authentication is necessary when accessing the server remotely.

As far as I'm concerned, physical access to the terminal is no different than remote access. I differentiate between the server's terminal and the server's chassis, though they are often within reaching distance of each other. To conflate the terminal with the server, as Plan 9 servers apparently do, is a lazy and unnecessary abstraction in my mind.

> I'm afraid you'll have to forgive me if I find the probability of
> someone improperly accessing your headless colo'd box rather low.
>
> I invite you, though, to create some form of logging protection system
> for the box. Put the box in a colo, and then in 3 years send us your
> logs. I guess we'll see how many people tried to get into your cpu
> server.
>

The co-lo situation was just one example. I agree the risk is slight - after all, there are _lots_ of servers in a co-lo. So what are the chances of _mine_ getting abused?

On Thursday 06 August 2009 17:17:19 John Floren wrote:
> A note, please don't take this as a flame.
>

Not at all! It's good to hear others' experiences and conclusions.

Cheers,

Corey