Question / security concern with pfSense 2 and console
-
Hi,
I have just seen a thing that really bugs me with pfSense 2 (current release 2.0-BETA4 (i386) built on Wed Dec 15 07:49:38 EST 2010). It seems that I just have to plug in a monitor and a keyboard and then at the console press the '8' key to have full root access to the pfSense box…
I have to fully test this, but assuming I am root without being asked for any password, then I could reconfigure pfSense, change settings, reboot and so on... it seems to me a major security concern. Can you explain this behaviour?
Thanks
-
System > Advanced > Password protect the console menu
-
Thanks! I can breathe again ;-)
I have checked the help link to learn more about this option but there is not too much information. Am I too impatient and the doc will be posted at some time? :-)
A big thanks for the quick reply
-
Due to the beta status of 2.0 the doc is not complete. But it will be completed. The 1.2 release does not even have documentation; there is a book too. So please be patient, it will all be cleared up.
-
There is not much to learn about the option, it does exactly what it says: It password protects the console menu. :)
Though I would also call your attention to this:
http://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!#Forgotten_Password_with_Locked_Console
If you really don't trust users that much you really need some kind of locked cage to hold such equipment in, or keep it in a locked datacenter room.
Controlling physical access is key if you are really worried that someone would hook up a keyboard and monitor that shouldn't be doing that.
-
jimp is correct. This feature is more security theater than security. If the attacker has physical access to your hardware, the fact that the console has a password prompt is entirely trivial to bypass.