March 14th, 2005, 07:23 AM
secure linux partitioning?
Question. What are some secure ways to partition the hard drives for both server and workstation boxes? I've always done separate partitions for /, /boot and swap, but know there must be more to it than that.
What partition setups do you recommend for secure server usage, as well as secure workstation usage? I've tried google, but you get so many different answers with conflicting reasons that it's disgusting. Do me a favor? Don't just list me your recommended setups but also explain why they are secure, what makes them more secure being on a different partition, and what pros/cons I would have with the setup you list.
Many thanks guys.
March 14th, 2005, 08:29 AM
Have a look at this old thread. If there isn't enough info, I'll be glad to give you intimate details.
March 14th, 2005, 04:11 PM
/boot [small, 16 MB, for legacy reasons]
/ [root partition, about 300 MB]
/var [spool files, mail etc]
/usr [user executables, not necessary for system administration]
I keep /var on a separate partition so that any attacker or application that fills up logs does not fill up the rest of the system (effectively resulting in Denial of Service).
/usr should not need to change that much on an up and running system, so that can be mounted read only (as well as /boot).
I keep /home on a separate partition for if the need arises that a) I should move it out to a bigger drive or b) I need to reinstall.
March 14th, 2005, 04:58 PM
Another thing I see (and fix) a lot of is when people install everything to / and decide to turn on user quotas for their mail servers.
Many POP services spawn a temp file on login in the user's name. If a user is over quota due to a full mailbox, they won't be able to log in to remove mail messages, creating a per-user DDOS of sorts.
Just another reason to split the filesystems up...
March 14th, 2005, 06:51 PM
Doesn't Linux have the nosuid,noexec,nosymfollow,nodev options for partitions? With BSD you can apply these options in /etc/fstab to partitions/slices to disallow suid binaries, execution of programs, the following of symlinks or devices.
# Device      Mountpoint  FStype  Options                              Dump  Pass#
/dev/ad0s1b   none        swap    sw                                   0     0
/dev/ad0s1a   /           ufs     rw                                   1     1
/dev/ad0s1g   /home       ufs     rw,nosuid,nodev                      2     2
/dev/ad0s1e   /tmp        ufs     rw,noexec,nosuid,nodev,nosymfollow   2     2
/dev/ad0s1f   /usr        ufs     rw                                   2     2
/dev/ad0s1d   /var        ufs     rw,nosuid,nodev                      2     2
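The read-only /usr and /boot suggestion and the nosuid/noexec/nodev fstab options from the posts above, turned into a check (an added example, not written by any poster in this thread): it parses fstab text and reports mount points that lack a required option or are not separate filesystems. The policy table and the sample fstab are constructed for illustration; nosymfollow is left out because Linux kernels before 5.10 do not accept it.

```python
# Added example: audit fstab text against a mount-option policy.
# POLICY mirrors the options discussed in the thread; it is an assumption,
# not a standard. Adjust it to the host's role.
POLICY = {
    "/tmp":  {"nodev", "nosuid", "noexec"},
    "/var":  {"nodev", "nosuid"},
    "/home": {"nodev", "nosuid"},
    "/usr":  {"ro"},
    "/boot": {"ro"},
}

# Constructed sample input, not taken from a real host.
SAMPLE_FSTAB = """\
# device   mountpoint  type  options                 dump pass
/dev/sda1  /boot       ext3  defaults                1 2
/dev/sda2  /           ext3  defaults                1 1
/dev/sda3  /usr        ext3  ro                      1 2
/dev/sda5  /var        ext3  rw,nosuid               1 2
/dev/sda6  /tmp        ext3  rw,noexec,nosuid,nodev  1 2
/dev/sda7  none        swap  sw                      0 0
"""

def parse_fstab(text):
    """Return {mountpoint: set(options)}, skipping comments and blank lines."""
    mounts = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 4:  # malformed entry: no options column
            continue
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts

def audit(text, policy=POLICY):
    """Return {mountpoint: finding} for every policy entry that is not met."""
    mounts = parse_fstab(text)
    findings = {}
    for mountpoint, required in policy.items():
        if mountpoint not in mounts:
            # Shares a filesystem with its parent, so no per-mount options apply.
            findings[mountpoint] = "not a separate filesystem"
            continue
        missing = required - mounts[mountpoint]
        if missing:
            findings[mountpoint] = "missing " + ",".join(sorted(missing))
    return findings

if __name__ == "__main__":
    for mountpoint, finding in sorted(audit(SAMPLE_FSTAB).items()):
        print(f"{mountpoint}: {finding}")
```

To audit a live host, pass the contents of /etc/fstab to audit(); the options actually in effect are listed in /proc/mounts, which uses the same first four columns.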
March 14th, 2005, 07:23 PM
Hi. A quick thing I do sometimes, I have it auto create partitions, then I just go in and delete /usr, /var and /tmp for systems that act as security systems. I hope that helps any.