Solved Server Hardening: Do I need ttys in the gettytab ?

My server has a VGA and several USB connectors to display the console. I am still using sc(4) as it works well and I do have a running setup which fits my needs. But I am using sc(4) only in case of hardware changes. My daily use is connection with ssh(1) through my Desktop Terminals. I also don't have a need for a serial terminal.
Saying that, I wonder how many ttyvx I need to enable in /etc/ttys? IMHO I don't need any beside the entry for the console (which is in my case "none").
Any comments ?
 
I have a few lines like,
Code:
ttyv4    "/usr/libexec/getty Pc"            xterm    onifexists  secure
For me it is unclear how this line makes my PC more vulnerable to hacking.
Because you must be connected on the keyboard, that is physically in front of the PC, and type Ctrl-Alt-X.
If you are not invited in my house boot my PC and type Ctrl-Alt-X i will put a knife in your stomach. [Just kidding]
 
I agree with you, normally you would expect this behaviour. My experience in the past tells me: don't leave something around if you don't need it. E.g. I do have an old ILO (BMC) on the board, where they now have again identified some bugs. I don't use ILO, but now I have to take care as it is on the board.

So I am expecting the same that could happen with a /usr/libexec/getty process, that I don't need. Where getty is patched or distributes a passwd or ... or
In addition, I try to reduce the processes that run on the system to get more time and memory for idle :D

But what I read between your lines, there is no need for any of the getty's ?!
 
In theory, my opinion only, one likely only "needs" the console entry. That is assuming all access is ssh sessions in, console should leave a single terminal on a console directly connected.
If you are not running X, you can probably comment out all the ttyv# entries. ttyu# same thing if you are not using serial console.
That's all my opinion, based on nothing in particular.
You may be able to get yourself wrapped into a "no console situation" that could cause problems, but heck, comment out everything but the console entry, reboot and see what happens.
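The suggestion above is to leave only the console entry active. As an added example (not code from the thread or from FreeBSD), this POSIX shell script audits a ttys(5)-format file and reports which ttyv*/ttyu* lines would still spawn a getty, then produces a copy with a chosen set of entries switched to "off". It works on a constructed sample file so it can be run safely; the function names and the sample contents are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread: audit an /etc/ttys-style file for
# entries that spawn a getty, and produce a hardened copy.
#
# ttys(5) line format:  name  getty  type  status  [secure|insecure] [window]
# Status "on" and "onifexists" start a getty; "onifconsole" starts one only
# if the device is the system console; "off" starts nothing.

# Write a constructed sample (assumption: resembles a default FreeBSD ttys).
make_sample_ttys() {
    cat > "$1" <<'EOF'
# name  getty                           type    status      comments
console none                            unknown off         secure
ttyv0   "/usr/libexec/getty Pc"         xterm   onifexists  secure
ttyv1   "/usr/libexec/getty Pc"         xterm   onifexists  secure
ttyv2   "/usr/libexec/getty Pc"         xterm   off         secure
ttyv8   "/usr/local/bin/xdm -nodaemon"  xterm   off         secure
ttyu0   "/usr/libexec/getty 3wire"      vt100   onifconsole secure
EOF
}

# Print "name status" for every entry whose status is not "off".
# The quoted getty field may contain spaces, so it is collapsed to one
# token before awk splits the line into fields.
list_enabled_gettys() {
    sed -e 's/#.*//' -e 's/"[^"]*"/GETTY/' "$1" |
    awk 'NF >= 4 && $4 != "off" { print $1, $4 }'
}

# Number of entries that would spawn (or conditionally spawn) a getty.
count_enabled_gettys() {
    list_enabled_gettys "$1" | wc -l | tr -d ' '
}

# Emit a copy of file $1 with the status of every entry whose name matches
# the ERE in $2 (e.g. "ttyv[0-9]") set to "off". Only the whitespace-delimited
# status word is touched, so the quoted getty command stays intact.
harden_ttys() {
    sed -E "/^$2[[:space:]]/ s/([[:space:]])(on|onifexists|onifconsole)([[:space:]]|\$)/\1off\3/" "$1"
}

# Stand-alone demonstration on the constructed sample.
# On a real system you would edit /etc/ttys itself and then run
# "kill -HUP 1" so init(8) re-reads it (or reboot, as the thread suggests).
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    make_sample_ttys "$sample"
    echo "Enabled before hardening:"
    list_enabled_gettys "$sample"
    echo "Enabled after setting all ttyv* to off:"
    harden_ttys "$sample" 'ttyv[0-9]' | list_enabled_gettys /dev/stdin
    rm -f "$sample"
fi
```

Running the script with `--demo` lists ttyv0, ttyv1 and ttyu0 before hardening and only ttyu0 (onifconsole) afterwards; keeping the serial entry on "onifconsole" costs nothing when no serial console is configured, while still leaving a way in if the box is ever booted with one.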
 
In addition, I try to reduce the processes that run on the system to get more time and memory for idle :D
The getty(8) processes spend their time asleep in the kernel, awaiting a "carrier", so present no load to either the CPU (not running) or the memory (first choice to swap out).
But what I read between your lines, there is no need for any of the getty's ?!
If you never expect to need a console, this is true. But I wouldn't bet on that being true, because when the chips are down you need a console. Reducing the getty count technically reduces your threat surface, but only by a tiny amount.
 
The getty(8) processes spend their time asleep in the kernel, awaiting a "carrier", so present no load to either the CPU (not running) or the memory (first choice to swap out).

If you never expect to need a console, this is true. But I wouldn't bet on that being true, because when the chips are down you need a console. Reducing the getty count technically reduces your threat surface, but only by a tiny amount.
You know, every "penny" counts :D When the chips are down, I am still in the boot-chain. There is no getty started and I am expecting to either use a different BE (as I use zfs on the boot drive) or I use the old Linux rescue system that is in boot-phase-0 selected by grub. (It is a bit of a special setup to allow the boot from disk4 instead of disk0 (disk0-3 are ZRAID-Z1 without boot). Disk4 is installed instead of an OD and HP was not supporting the boot from a HD on that connector.) In this phase the video card is used as output. Anyhow, that is a totally different story.
I will try tomorrow a reboot with no ttyvx to see if the sc or vt driver still could handle the console.
 
What is the problem and what do you want to solve in which way ?
Alain, there is no actual problem. With hardening I just want to prevent getting into trouble. My home systems are more for learning purposes, while I need to say that I do have now more than 40 IP addresses at home. I also have 3 separated networks (guest, home, admin) to prevent the heating company or others from sniffing around. In my last 45 years, I never had a virus or an even worse scenario at home. And I am sure that this is also because I try to secure the whole environment as much as possible - and there is still room for improvement (like the reduction of the unnecessary ttyvx's). I think "hardening" is a very essential topic when you use a standard (OS) distribution.
You are right, using javascript inside a browser might be more dangerous, but you also could prevent that with a virtual machine around the browser. Anyhow, I will solve this tomorrow, when the server is free for reboot.
 