Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
We have a development server in our office whose database will soon contain sensitive data. Our main concern is what would happen in the case of a physical break-in and theft.
Right now there are two layers of security:
1. The login for the OS
2. The login for the database
But I'm not sure that's the best we can do. Is there anything more we can do to protect this machine in case it's stolen?
My idea is to make the hard drive so big that it wouldn't fit through the door.
We have a development server in our office whose database will soon contain sensitive data. Our main concern is what would happen in the case of a physical break-in and theft.
Right now there are two layers of security:
1. The login for the OS
2. The login for the database
But I'm not sure that's the best we can do. Is there anything more we can do to protect this machine in case it's stolen?
My idea is to make the hard drive so big that it wouldn't fit through the door.
How, exactly are you going to make the "hard drive" physically bigger?? Or do you mean the CPU case itself, which is fairly pointless, since if someone wanted the data, they'd just open the box up, and slip the hard drive out of the case.
Best suggestion would be to encrypt the partition where the data is, and have it prompt for a password at boot time. That way, no password=no data. Yes, you can MAYBE decrypt it, but it'll take a very long time. Don't know about your physical environment, but if you're that worried, strip the screw heads that hold the hard drive(s) in place, and bolt the CPU cabinet to a large table, and strip the screws out on the case, too. That way, someone couldn't just open the case up, without a SIGNIFICANT effort....and that includes YOU, so be careful.
How, exactly are you going to make the "hard drive" physically bigger??
I don't know the mechanics of it but basically we'd manufacture a special hard drive that's about 10 feet in diameter.
It sounds like encryption is the way to go. For someone with no background in encryption (my background is in web development with no special emphasis on security), could someone give me some pointers on what I should do next?
It would probably be annoying to turn it off each night but we can live with it if there are no easier options.
We will actually have two machines: a local development server and a local production server. I don't imagine either will need to be used outside of work hours.
I don't know the mechanics of it but basically we'd manufacture a special hard drive that's about 10 feet in diameter.
It sounds like encryption is the way to go. For someone with no background in encryption (my background is in web development with no special emphasis on security), could someone give me some pointers on what I should do next?
Thanks!
Nothing to it. Pick a distro of Linux (the current openSUSE works well, as do others), and load it. At build time, you'll have the option of encrypting partitions..select it, follow the prompts.
Whenever the system boots from then on, you'll get prompted for a password. Three strikes, you're out, no partition mounted.
And really, a 10 foot diameter disk? Not sure how you'd expect to get it to work, or manufacture it, since platters that large would be insanely heavy, and under tremendous stress from the force of spinning, let along designing heads and servos to make it work. And if you're talking about putting a smaller drive into an enclosure might be ok, but a waste of effort, since you could just lock/secure the computer enclosure with bolts/etc., for about $10.
If I've already installed the OS and everything, is it too late? If so, is there a relatively painless way to copy everything on my machine somewhere else, reinstall Linux (I'm on Ubuntu) and put everything back on the original machine (assuming that's the right way to go)?
If I've already installed the OS and everything, is it too late? If so, is there a relatively painless way to copy everything on my machine somewhere else, reinstall Linux (I'm on Ubuntu) and put everything back on the original machine (assuming that's the right way to go)?
No matter WHAT you do, MAKE BACKUPS. Easiest way is to get a cheap, external USB hard drive, plug it in, and copy everything over. If the DB isn't in production now, shut it down, do a dump of the DB, and copy the dump file(s) and the entire directory structure to the USB device, before proceeding with anything...and that's at a minimum.
You don't say WHAT database, how it's layed out, how big, etc., so there are lots of variables. If you're uncomfortable with doing it, I'd strongly suggest hiring a consultant, if the data is important/sensitive, to come in and do it for you.
So maybe the priority should be backups first, encryption second.
Luckily we don't have any important data on this machine yet. All we have is one small app and a few other nicknacks, so it's probably not a huge deal to move those, blow this machine away, then move it all back.
So maybe the priority should be backups first, encryption second.
Luckily we don't have any important data on this machine yet. All we have is one small app and a few other nicknacks, so it's probably not a huge deal to move those, blow this machine away, then move it all back.
Backups should ALWAYS be a priority. If you're not backing your data up, you're inviting trouble. If you've only got a small amount of data, then you could even back it up to a USB flash drive, then wipe the machine and start over. But for long-term backups, think of something more robust...external USB hard drives give you lots of space for very little $$$, and you can easily script existing utilities to make backups of your important data each day, and copy it to the drive. Even that's not ideal, but it will give you SOMETHING.
Closely related question: if we're looking to host this data on our production server as well, what should I look for in a hosting company as far as security features?
Closely related question: if we're looking to host this data on our production server as well, what should I look for in a hosting company as far as security features?
This is totally against what you originally posted.
If you've really got sensitive data, you definitely do NOT want a hosted server. Yes, they're 'secure'...but you don't KNOW what goes on there, and don't have control over things (sometimes). Build your own production server, and host it yourself, if you want security. You'll not only be secure, you'll actually wind up saving money.
If you do proceed with hosting, read some online reviews of service/security, since that's where you'll get the best information.
Never host proprietary or controlled data with a hosting service. If you want to use a data center you have to rent a rack where you can place your own hardware and just get network pipe.
This is why I was pushing physical security from the start. Encrypting a disk on a server is a waste of time in my opinion because network penetration is your biggest threat. An encrypte4d disk only protects you from the machine being taken while powered off.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.