# I see this article, how can I do this for FreeBSD



## mfaridi (Mar 18, 2009)

I see this article:

http://www.cyberciti.biz/tips/tips-to-protect-linux-servers-physical-console-access.html

I think it is a good article.
I want to know whether I can use parts 3 and 4 .... for FreeBSD.
This article is about Linux,
but I want to use it for FreeBSD.


----------



## DutchDaemon (Mar 18, 2009)

Enable Authentication for Single-User Mode -> go to /etc/ttys and mark console 'insecure' (last field), followed by 'kill -HUP 1' (all ttyv* lines below it should be 'insecure' already). This will require a root password when going into single-user mode.

Passwording the loader: loader.conf(5) ->


```
password      Provides a password to be required by check-password before execution is allowed to continue.
```


----------



## SirDice (Mar 18, 2009)

Enable authentication for single user mode:

Edit /etc/ttys. Change this line:

```
console none                            unknown off secure
```
Change `secure` to `insecure`.

To prevent ctrl-alt-delete on the console, add to your kernel config:

```
options SC_DISABLE_REBOOT
```
Also make sure you don't have any debugging hotkeys active..


One thing to note though... None of this will protect you from me..
I'd just take out your harddrive and read it in my own system


----------



## richardpl (Mar 18, 2009)

SirDice said:

> prevent ctrl-alt-delete on console add to your kernel config
> 
> ```
> options SC_DISABLE_REBOOT
> ```


That is overkill; instead of recompiling the whole kernel,
just add two lines to /etc/sysctl.conf:

```
hw.syscons.kbd_reboot=0
hw.syscons.kbd_debug=0
```


----------



## SirDice (Mar 18, 2009)

richardpl said:

> That is overkill, instead of recompiling whole kernel
> just add two lines to /etc/sysctl.conf:
> 
> ```
> ...
> ```


Ah.. I knew about the kernel option but not these sysctls.


----------



## Carpetsmoker (Mar 18, 2009)

DutchDaemon said:

> Passwording the loader: loader.conf(5) ->
> 
> 
> ```
> ...
> ```



This may be obvious for some people, but just to make sure:
Do *not* use the root password (Or any other password you use somewhere else for that matter) in /boot/loader.conf.
/boot/loader.conf is not created by default, and most people have a umask of 022, meaning that /boot/loader.conf not only contains a cleartext password, but that the file is also world-readable.

So using a unique password and `# chmod 600 /boot/loader.conf` is highly recommended.

As a somewhat unrelated - but also related - subject, some time ago I came across a (HP) laptop with a hard disk that only worked in that specific laptop; other computers/laptops did not recognize the disk, FreeBSD for example gave READ_DMA errors.
This is an option you can enable/disable in the BIOS, IIRC it was called a 'disk lock'.

Does anyone happen to know how this exactly works? And how secure it actually is? I suspect this is some TPM feature, but wasn't able to find a lot of information about it (Although I must admit I did not search very thoroughly).
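The settings collected in this thread (the `insecure` console entry in /etc/ttys from DutchDaemon and SirDice, the loader password and the 0600 file mode on /boot/loader.conf from Carpetsmoker, and richardpl's hw.syscons sysctls) can be verified with a small audit script. The one below is an added example, not code posted in the thread; it takes file paths and captured sysctl(8) output as parameters so it can be run against copies of the files, and the function names (`console_is_insecure`, `check`, `audit`, ...) are my own.

```shell
#!/bin/sh
# Added audit helper (not from the thread): checks the console-hardening
# settings discussed above against given files / captured sysctl output.

# 0 if the 'console' entry in the given ttys file ends in "insecure",
# so that single-user mode prompts for the root password.
console_is_insecure() {
    awk '$1 == "console" { found = ($NF == "insecure") } END { exit found ? 0 : 1 }' "$1"
}

# 0 if the given loader.conf sets a non-empty loader password.
loader_has_password() {
    grep -Eq '^[[:space:]]*password="?[^"[:space:]]+' "$1"
}

# 0 if the file carries no group/other permission bits (0600 or stricter),
# i.e. the cleartext loader password is not group/world readable.
file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if captured sysctl(8) output ("hw.syscons.kbd_reboot: 0" style lines)
# shows both the keyboard reboot and keyboard debug hotkeys disabled.
kbd_hotkeys_disabled() {
    awk '/^hw\.syscons\.kbd_reboot:/ { r = $2 }
         /^hw\.syscons\.kbd_debug:/  { d = $2 }
         END { exit (r == "0" && d == "0") ? 0 : 1 }' "$1"
}

# check <description> <command...>: print the result, count failures.
check() {
    desc=$1; shift
    if "$@"; then echo "ok:   $desc"; else echo "FAIL: $desc"; fails=$((fails + 1)); fi
}

# Run every check, print one line per finding, return the number of failures.
# Defaults are the FreeBSD paths; without a third argument the live sysctl
# values are captured into a temporary file.
audit() {
    ttys=${1:-/etc/ttys}; loader=${2:-/boot/loader.conf}; sysctl_out=${3:-}
    if [ -z "$sysctl_out" ]; then
        sysctl_out=$(mktemp -t kbdaudit.XXXXXX) || return 1
        sysctl hw.syscons.kbd_reboot hw.syscons.kbd_debug > "$sysctl_out" 2>/dev/null || true
    fi
    fails=0
    check "console marked insecure in $ttys"        console_is_insecure "$ttys"
    check "loader password set in $loader"          loader_has_password "$loader"
    check "$loader not group/world readable"        file_is_private "$loader"
    check "kbd_reboot and kbd_debug sysctls are 0"  kbd_hotkeys_disabled "$sysctl_out"
    return "$fails"
}
```

Running `audit` with no arguments on a FreeBSD box checks the live system; the exit status is the number of failed checks.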


----------



## trev (Mar 19, 2009)

Carpetsmoker said:

> This is an option you can enable/disable in the BIOS, IIRC it was called a 'disk lock'.
> 
> Does anyone happen to know how this exactly works? And how secure it actually is? I suspect this is some TPM feature, but wasn't able to find a lot of information about it (Although I must admit I did not search very thoroughly).



It is an optional security feature set detailed in the ATA specification which seems to generally be implemented for laptop hard drives for obvious reasons. See http://www.t10.org/t13/project/d1321r3-ATA-ATAPI-5.pdf.


----------



## Maurovale (Mar 21, 2009)

Yes, the first-generation Xbox used that same trick to lock the disk to the motherboard; it is an ATA specification.

But beware, there are paid applications that can unlock those drives; the good side is that the actual unlock method implies erasing the drive.


----------

