LinuxQuestions.org
Old 11-09-2009, 10:35 PM   #1
b10m3ch4
LQ Newbie
 
Registered: Nov 2009
Posts: 17

Rep: Reputation: 0
A Better Way to Delete a Server


Our company regularly uses dedicated servers for client projects. Recently we were presented with the possibility that data we deleted off a dedicated server before ending the lease was somehow recovered from the hard drive of that machine. Our end is secure, and the client swears that data was not leaked from their firm. We have a script we execute that deletes all the log files and data associated with client projects, but apparently it's not solid enough. We deal with middleware between financial institutions, so it's rather important that the IPs of the machines that previously connected to our discontinued server remain private.

Now, here's our silly script. I'd appreciate any input on improving it. I realize it's a long way from perfect, but up until recently we had no reason to distrust hosting companies. Moving forward, we just want to be as secure as possible. I have taken out some lines of code that represent the removal of specific applications, otherwise this is as-is. What's needed is the means to completely and securely erase all data from a remote machine once we have discontinued its use. I am sure other users may have similar needs.

Code:
#!/bin/sh

rm -fR /var/logs/ssl_request_log
rm -fR /home/admin/domains/TheDomain.net/logs/*.*
rm -fR /var/log/directadmin/*
rm -fR /var/log/exim/*
rm -fR /var/log/proftpd/*
rm -f /var/log/secure*
rm -f /var/log/maillog*
touch /var/log/maillog
rm -fR /var/log/httpd/domains/*
touch /var/log/httpd/domains/TheDomain.net.error.log
rm -fR /var/log/httpd/error_log
touch /var/log/httpd/error_log
rm -fR /var/log/messages*
touch /var/log/messages
 
Old 11-09-2009, 10:39 PM   #2
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,261

Rep: Reputation: 2028
Strictly speaking, rm just removes inode entries, not actual data; see photorec amongst others for recovery.
What you need is shred http://linux.die.net/man/1/shred or dban http://www.dban.org/
 
Old 11-09-2009, 11:19 PM   #3
b10m3ch4
LQ Newbie
 
Registered: Nov 2009
Posts: 17

Original Poster
Rep: Reputation: 0
I tried shred, and I actually use it; the problem is it needs to be able to hit a file that actually exists, it's not as forgiving as rm. I can't shred * in certain directories as I'd need to. Here is an example of another "logic bomb" of sorts we have tried, but it just gets the log files, and depends on an updatedb being fresh.

Code:
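#!/bin/sh
# Move the log files aside, then shred whatever the locate database lists.
mkdir -p ~/shred
cd /var/log || exit 1
mv *log* ~/shred
cd ~/shred || exit 1
# Quote the pattern so the shell does not expand it before locate sees it.
locate '*log*' | while IFS= read -r i; do
    # -n 8 asks for eight passes; a bare "8" is read by shred as a file name.
    shred -vzu -n 8 "$i"
done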
If I could modify this script to attack all files created or modified from X Date to Y Date, that would be perfect, but I am fairly new to shell scripting, so I have had no luck with getting the above script to do anything more than attack files with the .log extension.
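The date-window selection asked about in the post above, as an added example that is not part of the original thread. It assumes GNU find and GNU shred; the function names are invented here, and only modification time is matched because most Linux filesystems do not expose a creation time to find.

```shell
#!/bin/sh
# Added example: select files by modification-time window, then shred them.
# Assumes GNU findutils (-newermt) and GNU coreutils (shred).

# Print regular files under DIR modified after FROM and not after TO.
# FROM and TO are any date string find accepts, e.g. 2009-10-01.
files_in_window() {
    find "$1" -xdev -type f -newermt "$2" ! -newermt "$3" -print
}

# Overwrite and unlink those files. find hands the paths straight to shred,
# so names with spaces are safe and nothing depends on the locate database.
# PASSES (optional 4th argument) defaults to 3 overwrite passes.
shred_window() {
    find "$1" -xdev -type f -newermt "$2" ! -newermt "$3" \
        -exec shred -fzu -n "${4:-3}" -- {} +
}

# Review the list first, then shred (paths and dates are placeholders):
#   files_in_window /var/log 2009-10-01 2009-11-01
#   shred_window    /var/log 2009-10-01 2009-11-01 8
```

File-level overwriting only reaches the blocks currently assigned to each file; copies left behind by log rotation or a filesystem journal are not touched.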
 
Old 11-10-2009, 12:33 AM   #4
chiragrk
Member
 
Registered: Nov 2009
Location: India
Distribution: Xandros, Ubuntu
Posts: 74

Rep: Reputation: 16
There are two questions you need to ask yourself here:
- Am I worried that I missed deleting some files? Files which may still have some amount of client info?
- Am I worried that the files I've deleted can be recovered by someone who has access to the server?

Concern #1 above can be solved, painfully though, by auditing the system thoroughly for the applications/software used. For starters, you seem to have missed /var/log/btmp and /var/log/wtmp, which hold information about who logged in remotely.
The concern #2 will definitely require some advanced techniques.
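One way to run the audit for concern #1, as an added example that is not part of the original thread: list every file under a directory that still contains a given client address, including binary login records and gzip-rotated logs. The function names and the sample address are invented here; GNU grep and gzip are assumed.

```shell
#!/bin/sh
# Added example: list files that still mention given client IP addresses.
# Assumes GNU grep and gzip; file names containing newlines are not handled.

# True if FILE (plain or gzip-compressed) contains an address from PATS.
#   -a  read binary files such as wtmp/btmp as text
#   -F  fixed strings, so the dots in an address are literal
#   -w  whole-token match, so 203.0.113.7 does not match 203.0.113.70
has_ip() {
    case $2 in
        *.gz) gzip -dc -- "$2" 2>/dev/null | grep -qawF -f "$1" ;;
        *)    grep -qawF -f "$1" -- "$2" ;;
    esac
}

# Print every regular file under DIR that contains one of the addresses.
# Usage: ip_residue DIR ADDRESS [ADDRESS...]
ip_residue() {
    dir=$1; shift
    pats=$(mktemp) || return 1
    printf '%s\n' "$@" > "$pats"
    find "$dir" -xdev -type f | sort | while IFS= read -r f; do
        if has_ip "$pats" "$f"; then printf '%s\n' "$f"; fi
    done
    rm -f "$pats"
}

# Example call (directory and address are placeholders):
#   ip_residue /var/log 203.0.113.7
```

An empty result only says the address does not appear as text in the files scanned; it says nothing about blocks that deleted files used to occupy.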
 
Old 11-10-2009, 07:18 AM   #5
pcunix
Member
 
Registered: Dec 2004
Location: MA
Distribution: Various
Posts: 149

Rep: Reputation: 23
How secure is secure?

The shred man page itself shows that you may well still be vulnerable and so does this page:

http://www.cs.auckland.ac.nz/~pgut00...ecure_del.html

If the machine is "inactive", why can't the drive be physically destroyed? Because it's a lease, obviously. And that's your answer: if the data is this important, you shouldn't be leasing machines - or at least should be putting your own disposable drives in.
 
Old 11-10-2009, 03:52 PM   #6
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,894

Rep: Reputation: 774
Well, rm clearly won't work (data easily recoverable) at least without using rm in combination with something else. It is also vulnerable to the problem that you might get one box with different files than others and the files on that get overlooked. This could be unpleasant.

Shred only shreds files and that is probably not good enough (on its own) either because of the problem on the man page or because you might overlook files.

I didn't see anything on the dban site that suggested that it met any particular data destruction standards.

It seems to me that you have not only to remove the information that you had, but you need to overwrite and erase the whole disk several times. Only a single pass of overwriting is vulnerable to forensics experts and that seems like something you don't want if the data could have a value in excess of the recovery cost.

Maybe you should pass this problem on to professionals. Maybe you should take your disposable disk and just put it in your safe (that has other advantages, too, but the safe may not be safe enough). Maybe you should use a sledgehammer, which may be the most satisfying solution.

There is a brief description of data destruction standards here:
http://www.mcdpri.com/mcdpri/data-de...-standards.htm
 
Old 11-10-2009, 04:09 PM   #7
smeezekitty
Senior Member
 
Registered: Sep 2009
Location: Washington U.S.
Distribution: M$ Windows / Debian / Ubuntu / DSL / many others
Posts: 2,227

Rep: Reputation: 170
Since the lease is over, why don't you dd it?
For example, dd it with zeros, then with random, then with zeros again. That would definitely destroy all data on the disk to the point where it would cost more to recover part of the data than the data is likely worth.
 
Old 11-10-2009, 04:18 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,113
Blog Entries: 54

Rep: Reputation: 2784
Quote:
Originally Posted by salasi View Post
It seems to me that you have not only to remove the information that you had, but you need to overwrite and erase the whole disk several times.
Using an 'rm' script is bad, especially where transactions between financial institutions are bound by strict data safety regulations. So I agree with complete disk erasure. But not only that: you also need to verify things afterwards. Only when you audit can you actually ensure medium sanitation.


Quote:
Originally Posted by salasi View Post
Maybe you should pass this problem on to professionals.
Excellent advice. Not only can you hand off the whole sanitation process but (certified) companies can also provide you with complete process reporting so you got everything covered in one fell swoop.
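The zeros, random, zeros overwrite and the after-the-fact verification discussed in the posts above, as an added example that is not part of the original thread. The function names are invented here, GNU dd, head and cmp are assumed, and the target is either a block device (placeholder `/dev/sdX`) or an image file.

```shell
#!/bin/sh
# Added example: zero / random / zero overwrite of one target, then a
# read-back check that every byte is zero.

# Size in bytes: blockdev for block devices, wc for regular files.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"
    else wc -c < "$1" | tr -d ' '
    fi
}

# Write exactly SIZE bytes from SRC over TARGET without truncating it,
# and flush to the medium before returning.
# Usage: overwrite_pass SRC TARGET SIZE
overwrite_pass() {
    head -c "$3" "$1" | dd of="$2" bs=1M conv=notrunc,fsync 2>/dev/null
}

# Succeeds only if every byte of TARGET reads back as zero.
verify_zeroed() {
    cmp -s -n "$(target_size "$1")" "$1" /dev/zero
}

# Three passes as suggested in the thread, then the audit step.
wipe_and_verify() {
    size=$(target_size "$1") || return 1
    overwrite_pass /dev/zero    "$1" "$size" || return 1
    overwrite_pass /dev/urandom "$1" "$size" || return 1
    overwrite_pass /dev/zero    "$1" "$size" || return 1
    verify_zeroed "$1"
}

# Example call (device name is a placeholder):
#   wipe_and_verify /dev/sdX && echo "read-back check passed"
```

Run it from a system that is not booted from the target. The read-back check covers only the sectors the device exposes to the operating system.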
 
Old 11-10-2009, 11:07 PM   #9
b10m3ch4
LQ Newbie
 
Registered: Nov 2009
Posts: 17

Original Poster
Rep: Reputation: 0
How do I 'dd' anything when my only access is SSH? To answer the question as to why we are leasing, it's frequently necessary to establish a point of presence between our development location and the client location. That, and the software itself is set up to be run on any machine, so it's necessary from that angle too, for proof-of-concept. So my question now is, what's the best I can do remotely? shred would work, but I need a script to find files to destroy, apparently. I like the DBAN idea, but how do I do that remotely?

And actually, we are moving towards setting up a TrueCrypt virtual drive on each box, then just deleting that when we are done. That protects client data as well as we can on our/their budget. However, we still need to kill every possible log file of any communication with the box that would show an outside IP.

I have added this to the script, and it works well.

Code:
# -n 8 asks for eight overwrite passes; a bare "8" is read by shred as a file name.
shred -vzfu -n 8 /var/log/btmp
touch /var/log/btmp
shred -vzfu -n 8 /var/log/wtmp
touch /var/log/wtmp

Last edited by b10m3ch4; 11-10-2009 at 11:32 PM.
 
Old 11-11-2009, 06:32 AM   #10
pcunix
Member
 
Registered: Dec 2004
Location: MA
Distribution: Various
Posts: 149

Rep: Reputation: 23
I like the encryption idea. That should do it.
 
Old 11-11-2009, 12:02 PM   #11
funkflex2004
LQ Newbie
 
Registered: Nov 2009
Location: London
Distribution: Debian, CentOS, Ubuntu
Posts: 5

Rep: Reputation: 0
I had to do something similar to wipe the hard drive as much as possible.

I used a LiveCD version of Linux, e.g. Ubuntu, so that the hard drive I wanted to wipe was not in use. (Could a rescue boot partition/CD be used?)

I looked for the hard drive I wanted to wipe and used "shred" with a minimum of 4 passes of random wipe.
Code:
shred /dev/sdd -f -v -z --iterations=4
The more passes the more difficult and expensive it is to recover the data.

Question: is shred similar to dd?? or better still does shred use dd??
 
Old 11-11-2009, 12:09 PM   #12
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,533
Blog Entries: 28

Rep: Reputation: 1176
Quote:
Originally Posted by salasi View Post
Only a single pass of overwriting is vulnerable to forensics experts ...
Has this ever been reliably demonstrated to allow recovery of significant data?
 
Old 11-11-2009, 12:11 PM   #13
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,533
Blog Entries: 28

Rep: Reputation: 1176
Quote:
Originally Posted by funkflex2004 View Post
Question: is shred similar to dd?? or better still does shred use dd??
If it is effective it needs to do more than dd because recoverable data may exist in bad blocks that dd cannot reach.
 
Old 11-11-2009, 01:38 PM   #14
kschmitt
Member
 
Registered: Jul 2009
Location: Chicago Suburbs
Distribution: Crux, CentOS, RHEL, Ubuntu
Posts: 96

Rep: Reputation: 23
Umm.

Is this a dedicated physical or virtual server? If it's a dedicated virtual, you're SOL. Nothing that _you_ can do will guarantee it's wiped.

If it's physical on the other hand, using rm won't remove the files to the point you want. If someone snagged your drive there are plenty of utilities that can be used to recover the removed files, or parts of them. Heck, if it's ext2/3 or fat you can use grep to get interesting bits of "removed" data off the drive! In case you were wondering, dding over a file isn't a sure fire way of removing it: you need to use it on whole partitions/volumes, if not whole drives. I'm not sure how shred works.

As to only having ssh access, you could do any one of the following really dangerous things:
1) Put an entry in lilo.conf/grub.conf that calls the program to wipe the drive. Set that as the default boot option
2) Create an initrd image that wipes the drive. Install it.
Or my favorite insane trick
3) Carve off a new volume in LVM, then install a tiny util-distro (with the same ip address & a username/password for yourself) on it, change grub.conf/lilo.conf to boot to that distro, then do the wipe from there.

Seriously, _very_ dangerous things, but consider #3 if you don't have physical access, as you will have some sort of working system to re-run a wipe, test if the data is really gone, etc.

Good luck. You're going to need it, but it sounds like fun anyway.
 
Old 11-11-2009, 02:58 PM   #15
b10m3ch4
LQ Newbie
 
Registered: Nov 2009
Posts: 17

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by kschmitt View Post

As to only having ssh access, you could do any one of the following really dangerous things:
1) Put an entry in lilo.conf/grub.conf that calls the program to wipe the drive. Set that as the default boot option
2) Create an initrd image that wipes the drive. Install it.
Or my favorite insane trick
3) Carve off a new volume in LVM, then install a tiny util-distro (with the same ip address & a username/password for yourself) on it, change grub.conf/lilo.conf to boot to that distro, then do the wipe from there.

Seriously, _very_ dangerous things, but consider #3 if you don't have physical access, as you will have some sort of working system to re-run a wipe, test if the data is really gone, etc.

Good luck. You're going to need it, but it sounds like fun anyway.
All good ideas I am looking forward to trying. Also, I am experimenting with replacing the /var/log with a sym link to a TrueCrypt partition. If this is successful, is there any other place data concerning IP connections could be stored that are not addressed in my scripts above?

Also, what little distro do you recommend, and how do you set the user and IP info of such a distro?

Last edited by b10m3ch4; 11-11-2009 at 03:00 PM.
 