Results 1 to 6 of 6

Thread: secure linux partitioning?

  1. #1
    Senior Member
    Join Date
    Feb 2005
    Posts
    153

    Question secure linux partitioning?

    Question. What are some secure ways to partition the hard drives for both server and workstation boxes? I've always done seperate partitions for / /boot and swap, but know there must be more to it than that.

    What partition setups do you recommend for secure server usage, as well as secure workstation usage? I've tried google, but you get so many different answers with conflicting reasons that it's disgusting. Do me a favor? Don't just list me your recommended setups but also explain why they are secure, what makes them more secure being on a different partition, and what pros/cons I would have with the setup you list.

    Many thanks guys.

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Have a look at this old thread. If there isn't enough info, I'll be glad to give you intimate details.

    http://www.antionline.com/showthread...hreadid=246887
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    /boot [small, 16 MB, for legacy reasons]
    / [root partition, about 300 MB]
    /var [spool files, mail etc]
    /usr [user executables, not neccasary for system administration]
    /home

    I keep /var on a separate partition so that any attacker or application that fills up logs does not fill up the rest of the system. (effectively resulting in Denial of Service)
    /usr should not need to change that much on a up and running system so that can be mouted read only (as well as /boot)
    I keep /home on a seperate partition for if the need arises that I should a) move it out to a bigger drive b) i need to reinstall

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Another thing I see (and fix) allot of is when people install everything to / and decide to
    turn on user quotas for their mail servers.

    Many POP services spawn a temp file on login in the users name. If a user is over quota due
    to a full mailbox, they won't be able to login to remove mail messages creating a per user
    DDOS of sorts.

    Just another reason to split the filesystems up...

    SGS

  5. #5
    Senior Member
    Join Date
    Jun 2003
    Posts
    723
    Doesn't liunux have the nosuid,noexec,nosymfollow,nodev options for partitions? With bsd you can apply these options in /etc/fstab to partitions/slices to disallow suid binaries, execution of programs, the following of symlinks or devices

    norah#cat /etc/fstab
    # Device Mountpoint FStype Options Dump Pass#
    /dev/ad0s1b none swap sw 0 0
    /dev/ad0s1a / ufs rw 1 1
    /dev/ad0s1g /home ufs rw,nosuid,nodev 2 2
    /dev/ad0s1e /tmp ufs rw,noexec,nosuid,nodev,nosymfollow 2 2
    /dev/ad0s1f /usr ufs rw 2 2
    /dev/ad0s1d /var ufs rw,nosuid,nodev 2 2
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America\'s war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots

  6. #6
    Senior Member
    Join Date
    Dec 2004
    Posts
    137
    Hi. A quick thing I do sometimes, I have it auto create partitions, then I just go in and delete /usr, /var and /tmp for systems that act as security systems. I hope that helps any.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •