LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 11-11-2009, 05:20 PM   #16
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,564
Blog Entries: 54

Rep: Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928Reputation: 2928

Quote:
Originally Posted by catkin View Post
Has this ever been reliably demonstrated to allow recovery of significant data?
I remember I did test different methods of deletion and recovery a year or so ago. I don't have the results at hand right now but I could run tests again and post them (in a way anyone could reproduce them with the right tools). Anyone interested is invited to create a separate thread and we'll take it from there.
 
Old 11-12-2009, 12:03 PM   #17
kschmitt
Member
 
Registered: Jul 2009
Location: Chicago Suburbs
Distribution: Crux, CentOS, RHEL, Ubuntu
Posts: 96

Rep: Reputation: 23
Quote:
Originally Posted by b10m3ch4 View Post
All good ideas I am looking forward to trying. Also, I am experimenting with replacing the /var/log with a sym link to a TrueCrypt partition. If this is successful, is there any other place data concerning IP connections could be stored that are not addressed in my scripts above?

Also, what little distro do you recommend, and how do you set the user and IP info of a such a distro?

Back in the day I would have gone with tomsrtbt, but I don't think it supports LVM... So either crux, DSL, or something like that. If your current system is using LVM (and most likely it is) you need something that has LVM support, and many of the classic util distros don't.

Crux is actually a full distro, but it's rather small, you can install it using tar, and configure it using vim. All pluses in this situation.

It's been awhile but I think the network is configured like..
[root@localhost ~]# vi /etc/init.d/network

Good luck, and we all expect to hear the war story about this later.
 
Old 11-12-2009, 03:27 PM   #18
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,557
Blog Entries: 28

Rep: Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178
Quote:
Originally Posted by unSpawn View Post
I remember I did test different methods of deletion and recovery a year or so ago. I don't have the results at hand right now but I could run tests again and post them (in a way anyone could reproduce them with the right tools). Anyone interested is invited to create a separate thread and we'll take it from there.
I'm interested so started this thread.
 
Old 11-12-2009, 04:30 PM   #19
b10m3ch4
LQ Newbie
 
Registered: Nov 2009
Posts: 17

Original Poster
Rep: Reputation: 0
I'm setting up a lab to test the installation of a second distro, followed by booting into that distroy, and dbanning the main drive. I am however concerned about, how to remove the logs from the new distro, to remove the IP used to login and wipe the primary drive...a bit of a catch 22.

meanwhile, if anyone is interested, here is my script I am running in cron leading up to the final conclusion of the project, which by time I hope to have mastered the remote dban procedures.

As an added security step, we are now using SS5 Proxy for all interconnections, so we only have one IP to track and shred, and of course that should only appear in the SS5 logs.

I am following the new thread as well

Code:
#!/bin/sh
shred -vzfu 8 /var/logs/ssl_request_log
shred -vzfu 8 /var/log/httpd/domains/domain.net.error.log
shred -vzfu 8 /var/log/httpd/access_log
shred -vzfu 8 /var/log/httpd/error_log
shred -vzfu 8 /var/log/httpd/homedir.log
shred -vzfu 9 /var/log/directadmin/da-popb4smtp.log
shred -vzfu 8 /var/log/messages
shred -vzfu 8 /var/log/maillog
shred -vzfu 8 /var/log/secure
shred -vzfu 8 /var/log/btmp
shred -vzfu 8 /var/log/wtmp
shred -vzfu 8 /var/log/xferlog
shred -vzfu 8 /var/log/lastlog
shred -vzfu 8 /var/log/ss5/ss5.log
shred -vzfu 8 /var/log/audit/audit.log
#
touch /var/logs/ssl_request_log
touch /var/log/httpd/domains/domain.net.error.log
touch /var/log/httpd/access_log
touch /var/log/httpd/error_log
touch /var/log/httpd/homedir.log
touch /var/log/directadmin/da-popb4smtp.log
touch /var/log/messages
touch /var/log/maillog
touch /var/log/secure
touch /var/log/btmp
touch /var/log/wtmp
touch /var/log/xferlog
touch /var/log/lastlog
touch /var/log/ss5/ss5.log
touch /var/log/audit/audit.log
#
 
Old 11-12-2009, 05:21 PM   #20
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
`dd if=/dev/zero of=/dev/hda` will fill your disk with zeros from start to finish. However, this may take a very long time, especially if the disk is very big.
 
Old 11-12-2009, 06:21 PM   #21
b10m3ch4
LQ Newbie
 
Registered: Nov 2009
Posts: 17

Original Poster
Rep: Reputation: 0
Well, I found a way to totally kill all the logs in one swoop, and I can store client files in the TrueCrypt virtual drive, so I may not need to do anything else...unless Linux some how logs SSH/FTP/WWW access somewhere other than in /var/log...does it?

Anyway, here's my final script, short, and sweet.

Code:
#!/bin/sh

for i in `find /var/log -type f`; do
shred -fxz -n 8 $i;
rm -f $i;
touch $i;
done
Question, does anyone know if I run this as a cron job, will writing log files to zero bytes cause problems for any standard processes?

Last edited by b10m3ch4; 11-12-2009 at 06:30 PM.
 
Old 11-12-2009, 08:14 PM   #22
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,311

Rep: Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040
Well, on a running system, /var/log is a busy area, there's nearly always something writing there. I'd mount it 'cold' from another 'system/rescue disk' to do that.
You may already be doing that.
 
Old 11-12-2009, 10:06 PM   #23
b10m3ch4
LQ Newbie
 
Registered: Nov 2009
Posts: 17

Original Poster
Rep: Reputation: 0
I'm using the -f for shred, seems to work. It does hang up on single files from time to time, but the next pass gets it, and the hanging up doesn't keep it from wiping the other files. So far so good...but is this everywhere IPs would be logged?
 
Old 11-12-2009, 11:00 PM   #24
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,311

Rep: Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040
Depends on the apps you are using. Most apps that come with Linux / from a repo log in there (I think?), but in this particular case I'd check each one.
Of course if you used a VM, you could blow away the entire env each time. Just have a created-but-not-used VM ready, so you can clone it quickly into a working VM.
 
Old 11-17-2009, 01:42 PM   #25
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Recovering useful data after an overwrite is a myth. This SANS blog post shows why.

http://blogs.sans.org/computer-foren...verwrite-data/
 
Old 11-18-2009, 08:52 AM   #26
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,916

Rep: Reputation: 777Reputation: 777Reputation: 777Reputation: 777Reputation: 777Reputation: 777Reputation: 777
Quote:
Originally Posted by OlRoy View Post
Recovering useful data after an overwrite is a myth. This SANS blog post shows why.

http://blogs.sans.org/computer-foren...verwrite-data/
Interesting; for those who haven't read the post, it describes (described when it was written, in Feb-09), a future way of recording more data on a disk than the currently used methods, describes what happens when you point an electron microscope at data on a disk (and there are several different electron microscope technologies that could be used and at no point does it say which one, so you can't comment on whether another one would be better...although the picture is quite pretty). They then mis-describe the technological approach which is putated to allow over-written data recovery, and show that this version of the technology would be not be feasible.

They then shoot off to describe a statistical approach to the recorded bits on disk and show that recovery of data from this statistical data would be very unreliable as the data from a pristine drive would be very similar to the data from that from a drive on which the data was previously a one and overwritten with a one.

There is then another mangled description of reading overwritten data.

There is then a section on RLL drives; it is said that these are easier to analyse than current drives. This is probably true, but nothing is done to quantify this.

Here is a critical quote:

Quote:
The values do not tell you what existed on the drive prior to the wipe; they just allow you to make a guess, bit by bit
In comparison:

Quote:
PRML (and ePRML)1 drives work by taking the most likely value of the data from an analogue value. If more regions of high flux density exist, the drive reads the bit cell as a “1”. In the event that the bit cell is composed of grains that mostly have a low flux value, the value is read as a “0”.
I could also describe this as 'taking a guess'; In the latter case, I know that the guess has a very high probability of being correct, in the former case, there is insufficient information to know, but the implication is that the probability is low.

Quote:
Each time you guess, you compound the error. As recovering a single bit value has little if any forensic value, you soon find that the cumulative errors render any recovered data worthless.
Here is one key to the disagreement; even if you randomly guessed the data, you'd get some of it right.

If you are a three letter agency, you will want no significant snippet of data to be recovered, other people may feel that if there is a high probability of one or more errors in a chunk of data, the data is worthless (if you were going to go to a court of law and you said 'well, I've guessed the data, but this genuinely is my best guess' and couldn't quote an impressive-sounding error rate, you probably wouldn't get very far). Those are very different standards.

For the OP, if you have an ISO9000/QS9000 procedure and are doing any less than is specified in your procedure, you are taking a silly risk. (And, if this is a normal part of you role and you don't have a procedure, there is something badly wrong with that, too.)

For anyone with non-critical data, there is clearly a chance that a single pass of overwrite will do all that you need, particularly if you have one of those disks that you can't buy yet and there is also a strong chance that no one will have the motivation to spend money on recovery services. And someone with your disk is only likely to be able to recover a series of disconnected fragments of data, which they won't be able to do anything useful with. But is that good enough to give you peace of mind?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Delete mail on server with Evolution suchos Linux - Newbie 4 08-21-2006 11:15 PM
How to delete wierd filename from my server? DaveNET Linux - General 3 06-27-2006 02:39 PM
Retrieve and delete from FTP server? obelxi Linux - Networking 5 03-07-2005 03:00 PM
Files delete from SAMBA server klmn1 Linux - General 2 04-17-2004 03:34 AM
Evolution won't delete mail from the server AceTech747 Linux - Software 1 12-16-2003 10:53 PM


All times are GMT -5. The time now is 08:54 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration