I saw this article; how can I do this for FreeBSD?

Enable Authentication for Single-User Mode -> go to /etc/ttys and mark console 'insecure' (last field), followed by 'kill -HUP 1' (all ttyv* lines below it should be 'insecure' already). This will require a root password when going into single-user mode.

Passwording the loader: loader.conf(5) ->

Code:
password      Provides a password to be required by check-password before execution is allowed to continue.
 
Enable authentication for single user mode:

Edit /etc/ttys. Change this line:
Code:
console none                            unknown off secure
Change the secure to insecure.

To prevent Ctrl-Alt-Delete on the console, add this to your kernel config:
Code:
options SC_DISABLE_REBOOT
Also make sure you don't have any debugging hotkeys active.


One thing to note though... none of this will protect you from me.
I'd just take out your hard drive and read it in my own system ;)
 
SirDice said:
To prevent Ctrl-Alt-Delete on the console, add this to your kernel config:
Code:
options SC_DISABLE_REBOOT
That is overkill; instead of recompiling the whole kernel,
just add two lines to /etc/sysctl.conf:
Code:
hw.syscons.kbd_reboot=0
hw.syscons.kbd_debug=0
 
richardpl said:
That is overkill; instead of recompiling the whole kernel,
just add two lines to /etc/sysctl.conf:
Code:
hw.syscons.kbd_reboot=0
hw.syscons.kbd_debug=0
Ah.. I knew about the kernel option but not these sysctls :)
 
DutchDaemon said:
Passwording the loader: loader.conf(5) ->

Code:
password      Provides a password to be required by check-password before execution is allowed to continue.

This may be obvious for some people, but just to make sure:
Do *not* use the root password (Or any other password you use somewhere else for that matter) in /boot/loader.conf.
/boot/loader.conf is not created by default, and most people have a umask of 022, meaning that /boot/loader.conf not only contains a cleartext password, but that the file is also world-readable.

So using a unique password and # chmod 600 /boot/loader.conf is highly recommended.

As a somewhat unrelated - but also related - subject, some time ago I came across an (HP) laptop with a hard disk that only worked in that specific laptop; other computers/laptops did not recognize the disk, FreeBSD for example gave READ_DMA errors.
This is an option you can enable/disable in the BIOS; IIRC it was called a 'disk lock'.

Does anyone happen to know how this exactly works? And how secure it actually is? I suspect this is some TPM feature, but wasn't able to find a lot of information about it (Although I must admit I did not search very thoroughly).
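As an added example, not code from any of the posts above, here is a small POSIX sh audit script that checks the three settings this thread walks through: the console flag in /etc/ttys, the two hw.syscons sysctls in /etc/sysctl.conf, and whether /boot/loader.conf holds a cleartext password while being group- or world-readable. File paths are parameters so the checks can be run against copies; the defaults assume the FreeBSD locations named in the thread.

```shell
#!/bin/sh
# Added audit helpers for the hardening steps in this thread (not code from
# the original posts). Every check takes a file path so it can be run against
# a copy; the defaults are the FreeBSD locations discussed above.

# ttys(5): print the console entry's flag ("secure" or "insecure").
console_flag() {
    awk '$1 == "console" {
        flag = "secure"    # ttys(5) treats a missing field as secure
        for (i = 5; i <= NF; i++) if ($i == "insecure") flag = "insecure"
        print flag; exit
    }' "${1:-/etc/ttys}"
}

# sysctl.conf(5): print the configured value of a key, or "unset".
sysctl_conf_value() {
    awk -F= -v k="$1" '
        /^[[:space:]]*#/ { next }                       # skip comments
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == k { v = $2 }
        END { if (v == "") v = "unset"; print v }' "${2:-/etc/sysctl.conf}"
}

# loader.conf(5): "missing" if absent, "ok" if it has no password line or
# the file is readable by its owner only, "exposed" if a cleartext password
# sits in a group- or world-readable file.
loader_conf_status() {
    file="${1:-/boot/loader.conf}"
    [ -f "$file" ] || { echo "missing"; return; }
    if ! grep -q '^[[:space:]]*password[[:space:]]*=' "$file"; then
        echo "ok"; return
    fi
    # Characters 5-10 of "ls -l" are the group and other permission bits.
    case "$(ls -ld "$file" | cut -c5-10)" in
        ------) echo "ok" ;;
        *)      echo "exposed" ;;
    esac
}

# Run as "sh audit.sh audit" on the live system to print all four results.
if [ "${1:-}" = "audit" ]; then
    echo "console flag:          $(console_flag)"
    echo "hw.syscons.kbd_reboot: $(sysctl_conf_value hw.syscons.kbd_reboot)"
    echo "hw.syscons.kbd_debug:  $(sysctl_conf_value hw.syscons.kbd_debug)"
    echo "loader.conf:           $(loader_conf_status)"
fi
```

The script only reads the files; it reports "exposed" for the umask 022 case described above without changing anything.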
 
Carpetsmoker said:
This is an option you can enable/disable in the BIOS; IIRC it was called a 'disk lock'.

Does anyone happen to know how this exactly works? And how secure it actually is? I suspect this is some TPM feature, but wasn't able to find a lot of information about it (Although I must admit I did not search very thoroughly).

It is an optional security feature set detailed in the ATA specification which seems to generally be implemented for laptop hard drives for obvious reasons. See http://www.t10.org/t13/project/d1321r3-ATA-ATAPI-5.pdf.
 
Yes, the first-generation Xbox used that same trick to lock the disk to the motherboard; it is an ATA specification.

But beware, there are paid applications that can unlock those drives; the good side is that the actual unlock method involves erasing the drive :D
 