* Rogers, Paul <[EMAIL PROTECTED]> writes:
> I have a server which I am required to put in our computer room. To
> prevent others playing with it I wish to lock the console. I
> thought either

A server doesn't need a screen or keyboard (all administration is done
remotely), so just physically remove the screen and keyboard.[1] That'd
make it pretty darn hard to play with, locally at least.

While you are at it, disable the floppy drive in the bios [2] and put a
password on the bios as well.

Other things I'd do are:

- turn off whatever services you don't need
- set up /etc/hosts.allow & ipchains to restrict the access further
- set up ssh and do your administration via ssh [3]
- use good passwords of at least 8 characters and change them often
- use permissions properly [4]
- read your logs (that's what they're there for)

> start X with a blank screen screensaver
I wouldn't run X on a server at all.
> 1. Is it possible to disable and/or trap the <CTRL><Alt><DEL>
> combination, such that the only way to shutdown is "shutdown -h" etc?
Yes, I do it here.
,----[ /etc/inittab ]
| # What to do at the "Three Finger Salute".
| ca::ctrlaltdel:/bin/cat /etc/msgs/nocld
`----
,----[ /etc/msgs/nocld ]
|
| ++++++++++++++++WARNING++++++++++++++++
| Rebooting the system via Ctrl-Alt-Del
| IS NOT PERMITTED HERE!!
|
| We view it as a security breach!
|
| If you want to restart the system
| use the shutdown command
| +++++++++++++++++++++++++++++++++++++
`----
> 2. If X is running (with no applications and a blank screensaver)
> does this put much overhead on the machine?
Of course it does, but not on the server because X isn't running on
the server, is it. :-)
> 3. Does anyone know of any console screen savers which both blank
> the screen and need a password to unlock?
I have heard of some, check <http://www.freshmeat.net/>. But you won't
need them if you take the steps I suggested.
> 4. Is it possible to put a comment on the end of line in the group
> database (ie /etc/group) such as
> Mail:x:528:fred,bill,joe #\Maildata
I couldn't find anything that says whether or not you can do this, so
I tried it to see what would happen. It appears to work ok.
===========================
Want to really learn Linux?
... Install Slackware
===========================
Footnotes:
[1] Don't forget to disable the "Halt on keyboard error" in the bios.
[2] Linux can access the floppy without it being set in the bios. Of
course, if you want to boot from a floppy you will need to
re-enable it in the bios.
[3] If you use ssh you can log in remotely as root if needed and you
can also disable telnet and ftp.
[4] If Joe Bloggs has no reason to run xyz he doesn't have any reason
to read it either, so chown root.group-joe-isn't-in xyz and chmod
750 xyz
--
|---<Regards, Steve Youngs>-------------------------------------|
| Failures are divided into two classes - those who thought and |
| never did, and those who did and never thought. |
|------------------------------------<[EMAIL PROTECTED]>---|
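
On question 4, an added example that is not part of the original message: a small checker that reads entries using the four colon-separated fields documented in group(5) and flags members that are not plain login names. Because the member list is split on commas only, the trailing text stays attached to the last member, so under this reading the quoted line yields `joe #\Maildata` rather than `joe`. The sample data, `NAME_RE` and the function names are constructed for illustration.

```python
import re

# Constructed sample in group(5) layout; line 3 is the entry from the question.
SAMPLE_GROUP = """\
# local groups
wheel:x:10:root
Mail:x:528:fred,bill,joe #\\Maildata
broken:x:notanumber:amy
"""

# Conservative login-name pattern (assumption; local naming policy may differ).
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*\$?$")


def parse_group_line(line):
    """Split one group(5) entry into (name, passwd, gid, members)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 4:
        raise ValueError(f"expected 4 colon-separated fields, got {len(fields)}")
    name, passwd, gid, user_list = fields
    if not gid.isdigit():
        raise ValueError(f"GID is not numeric: {gid!r}")
    # Members are separated by commas only; nothing but end of line ends the list.
    members = [m for m in user_list.split(",") if m]
    return name, passwd, int(gid), members


def audit_group_text(text):
    """Return (line_no, group, problem) tuples for suspicious entries."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Blank lines and whole-line '#' comments are ignored here (assumption).
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            name, _pw, _gid, members = parse_group_line(line)
        except ValueError as exc:
            findings.append((line_no, line.split(":", 1)[0], str(exc)))
            continue
        for member in members:
            if not NAME_RE.match(member):
                findings.append(
                    (line_no, name, f"member is not a valid login name: {member!r}"))
    return findings


if __name__ == "__main__":
    for finding in audit_group_text(SAMPLE_GROUP):
        print(finding)
```

Run it against a copy of the group file after any hand edit; an empty result means every entry has four fields, a numeric GID and clean member names.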