<HTML ><HEAD ><TITLE >Magic SysRq key</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="Remote Serial Console HOWTO" HREF="index.html"><LINK REL="UP" TITLE="Security" HREF="security.html"><LINK REL="PREVIOUS" TITLE="Non-interactive boot sequence" HREF="security-rhl-prompt.html"><LINK REL="NEXT" TITLE="Adjust behaviour of CtrlAltDelete" HREF="security-ctrlaltdel.html"></HEAD ><BODY CLASS="SECTION" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >Remote Serial Console HOWTO</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="security-rhl-prompt.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" >Chapter 9. Security</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="security-ctrlaltdel.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="SECTION" ><H1 CLASS="SECTION" ><A NAME="SECURITY-SYSRQ" ></A >9.9. Magic <B CLASS="KEYCAP" >SysRq</B > key</H1 ><P >The <SPAN CLASS="QUOTE" >"magic <B CLASS="KEYCAP" >SysRq</B > key"</SPAN > is a key sequence that allows some basic commands to be passed directly to the kernel. Kernel software developers use this interface to debug their software. Under most circumstances it can also be used to uncleanly reboot the computer, something that is otherwise difficult or expensive to do remotely.</P ><P >For computers that are not used for kernel software development the magic <B CLASS="KEYCAP" >SysRq</B > key makes an ideal denial of service device. A few unauthenticated keystrokes and the computer is dead in the water. The console, serial or otherwise, must be in an area with access limited to trusted people.</P ><P >The serial console uses the <SPAN CLASS="ACRONYM" >RS-232</SPAN > break function as the <SPAN CLASS="QUOTE" >"magic <B CLASS="KEYCAP" >SysRq</B > key"</SPAN >. A <SPAN CLASS="QUOTE" >"break"</SPAN > is a period of no transmission on the serial line, on traditional terminals it is activated by pressing a key labeled <B CLASS="KEYCAP" >Break</B >.</P ><P >Anyone can dial into a modem and send a break, so if the serial console is attached to a modem we need to disable the magic <B CLASS="KEYCAP" >SysRq</B > key . If the serial console is attached to a terminal server which asks for authentication, or is attached directly to another terminal using a null modem cable then you may decide to activate the magic <B CLASS="KEYCAP" >SysRq</B > key.</P ><P >The magic <B CLASS="KEYCAP" >SysRq</B > key can be disabled by setting a kernel variable or by not compiling support for the key.</P ><P >Writing a <TT CLASS="LITERAL" >0</TT > into <TT CLASS="FILENAME" >/proc/sys/kernel/sysrq</TT > will disable the magic <B CLASS="KEYCAP" >SysRq</B > key. The command <B CLASS="COMMAND" >sysctl</B > can also be used:</P ><DIV CLASS="FIGURE" ><A NAME="SECURITY-SYSRQ-SYSCTL" ></A ><P ><B >Figure 9-10. Using <B CLASS="COMMAND" >sysctl</B > to defeat the magic <B CLASS="KEYCAP" >SysRq</B > key</B ></P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ><TT CLASS="PROMPT" >bash#</TT > <B CLASS="COMMAND" >sysctl -w kernel.sysrq=0</B ></PRE ></FONT ></TD ></TR ></TABLE ></DIV ><P >Your Linux distribution may have a file <TT CLASS="FILENAME" >/etc/sysctl.conf</TT > which is used to run <B CLASS="COMMAND" >sysctl</B > during the boot of the machine. Add the lines:</P ><DIV CLASS="FIGURE" ><A NAME="SECURITY-SYSRQ-SYSCTLCONF" ></A ><P ><B >Figure 9-11. Configuring <TT CLASS="FILENAME" >/etc/sysctl.conf</TT > to defeat the magic <B CLASS="KEYCAP" >SysRq</B > key</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" ># Disables the magic SysRq key kernel.sysrq = 0</PRE ></FONT ></TD ></TR ></TABLE ></DIV ><P >Even when setting the magic <B CLASS="KEYCAP" >SysRq</B > key off in <TT CLASS="FILENAME" >/etc/sysctl.conf</TT > there is a period of vulnerability after the kernel boots but before contents of the file are applied.</P ><P >It is much better to compile your own kernel and set the following configuration parameter:</P ><DIV CLASS="FIGURE" ><A NAME="SECURITY-SYSRQ-MENUCONFIG" ></A ><P ><B >Figure 9-12. Kernel <B CLASS="COMMAND" >make menuconfig</B > showing disabled <B CLASS="KEYCAP" >SysRq</B > key</B ></P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" >Kernel hacking ---> [ ] Magic SysRq key</PRE ></FONT ></TD ></TR ></TABLE ></DIV ><P >This should place the following configuration parameter in <TT CLASS="FILENAME" >/usr/src/linux/.config</TT >.</P ><DIV CLASS="FIGURE" ><A NAME="SECURITY-SYSRQ-DOTCONFIG" ></A ><P ><B >Figure 9-13. Kernel <TT CLASS="FILENAME" >.config</TT > showing disabled <B CLASS="KEYCAP" >SysRq</B > key</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="PROGRAMLISTING" ># CONFIG_MAGIC_SYSRQ is not set</PRE ></FONT ></TD ></TR ></TABLE ></DIV ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="security-rhl-prompt.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="security-ctrlaltdel.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Non-interactive boot sequence</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="security.html" ACCESSKEY="U" >Up</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Adjust behaviour of <B CLASS="KEYCAP" >Ctrl</B >-<B CLASS="KEYCAP" >Alt</B >-<B CLASS="KEYCAP" >Delete</B ></TD ></TR ></TABLE ></DIV ></BODY ></HTML >