Question / security concern with pfSense 2 and console
I have just seen a thing that really bugs me with pfSense 2 (current release 2.0-BETA4 (i386) built on Wed Dec 15 07:49:38 EST 2010).
It seems that I just have to plug in a monitor and keyboard and then at the console press the '8' key to have full root access to the pfSense box…
I have to fully test this, but assuming I am root without being asked for any password, I could then reconfigure pfSense, change settings, reboot and so on... It seems to me a major security concern.
Can you explain this behaviour?
System > Advanced > Password protect the console menu
Thanks! I can breathe again ;-)
I have checked the help link to learn more about this option but there is not much information. Am I too impatient, and will the doc be posted at some time? :-)
A big thanks for the quick reply
Due to the beta status of 2.0, the doc is not complete. But it will be completed. 1.2-release not even has a documentation, there is a book too. So please be patient, it will all be cleared up.
There is not much to learn about the option, it does exactly what it says: It password protects the console menu. :)
Though I would also call your attention to this:
If you really don't trust users that much you really need some kind of locked cage to hold such equipment in, or keep it in a locked datacenter room.
Controlling physical access is key if you are really worried that someone would hook up a keyboard and monitor that shouldn't be doing that.
jimp is correct. This feature is more security theater than security. If the attacker has physical access to your hardware, the fact that the console has a password prompt is entirely trivial to bypass.