Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
How can I secure my system, like, physically, too?
For example, I don't want people to be able to go on my computer, use a system recovery disk and create a partiton, then get my files from my other partition.
Also, I don't want them to be able to pull the harddrive out and use it as a slave drive on another computer and gleen my files.
- password protect bios.
See: Manual that came with your motherboard.
- boot sequence should boot HD first, then floppy and/or cd/dvd.
See: Manual that came with your motherboard.
- protecting your HD could be done by encrypting it.
Feed your searchengine with:
linux encrypted filesystem <distro>
- password protect lilo.
man lilo
- use strong passwords for root and users (use md5 instead of des for encryption).
- check for package updates which are security related and install them.
Of the excellent suggestions druuna makes, encrypting your filesystem is really the main one to achieve what you want to. You can encrypt the entire hard disk (there are tutorials around and it should be easier with the 2.6 kernel).
An alterntive from SuSE or Mandrake, for example, allows you to create encrypted partitions very easily. This is simpler than doing the whole hard disk and can protect your data.
If you are really serious about protecting your data from even a motivated and well financed attacker, you would also need to think about clearing out temporary files written in the root partition and wiping swap space using some disk wipe utility; but I suspect for most of us that is beyond what is really sensible to bother with*.
* Because firstly most of use don't have anything that a motivated and well financed attacker would really care about and secondly if someone did need to get the information that badly there are probably easier ways that retrieving it forensically from your hard drive, such as just threatening or blackmailing you to supply the password.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
I'll third the motion for encrypted partitions. If you *really need that much security* then nothing else will substitute for encrypting the partitions, because any of the other methods can be bypassed. If someone has physical access to your box you have to conceed that they will be able to break in. After that, all you have left is encrypting the data so even when they haul it away it will be useless to them (although still a Denial of Service to you).
I question whether you really need that much security? I don't think you'd be asking questions like this if it was for your work, and I think a business would hire someone more knowledgeable to security critical systems, so I'm assuming this is for personal use. Unless of course, you're afraid your computer will be seized and used as evidence against you... in which case, we're back to encryption because I assure you the government will be able to bypass all those other controls in a few minutes.
I question whether you really need that much security? I don't think you'd be asking questions like this if it was for your work, and I think a business would hire someone more knowledgeable to security critical systems, so I'm assuming this is for personal use. Unless of course, you're afraid your computer will be seized and used as evidence against you... in which case, we're back to encryption because I assure you the government will be able to bypass all those other controls in a few minutes. [/B]
To offer another view point, I think this is a valid question for those of us that work on laptops and I think MORE people should be asking this same question. I know that when I am on-site at a client, I lock up my laptop with a cable lock which is fine and dandy if a thief cares about stealing the machine, however, the HD, RAM, Battery etc. are readily available to anyone with a screw driver and 30 seconds - less if the perp is under 22 years old and from the tech-generation. Of those removable components, the HD is valuable because it holds business data which should be protected as much or more strongly than the machine as a whole - contracts, HR info, passwords, the Cadbury secret, it's all on there. You can't physically lock it to a desk, so what then?
Encryption, of course, is the answer. But I would be willing to bet that >95% of people out there do not have any HD protection on their machines. I don't.
Now you have me thinking, maybe I should encrypt my laptop disk to learn how... What are the performance implications?
Originally posted by JordanH I know that when I am on-site at a client, I lock up my laptop with a cable lock which is fine and dandy if a thief cares about stealing the machine, however, the HD, RAM, Battery etc. are readily available to anyone with a screw driver
I've been thinking the same thing about disk encryption (though I don't think I would go further than encrypting my data right now).
However, the key point is whether the thief can benefit from your data. If the kid steals your hard drive, you've still lost it whether or not its encrypted. If he could then use it to ruin your business, steal money from your bank account etc. then encryption is a good thing. If he just gets a bunch of files that do him no good at all, there's still not much point.
I hear what you are saying and I understand that if it is just a 'snatch&run' crime then the data isn't as valuable as the machine. However, I'm sure many of us here do carry valuable information. In my case, I have a great deal of confidential data that travels with me. I'm sure it's not valuable to most people, but it would probably benefit others. My non-encryption is a risk to my clients and in-turn is a risk to me.
For instance, I am usually given administrator access to my client's systems - usually in the form of an ID file which is susceptible to automated password cracking. As part of my job function, I perform security audits on some systems - I am always surprised at how many systems rely on security through obscurity... after it's in my audit, the holes are no longer obscure and hence valuable to a would-be attacker.
*shrug* I'm at the low end of the scale but how 'bout those execs that wander around with their laptops in tow; contain information about mergers, HR, financial performance etc. Shouldn't they be concerned about data protection as well? I wonder when data encryption will become the norm.
As an aside, someone I know works for a big bank and had their laptop stolen (from a secure locked storeroom) at a conference. The whole thing was encrypted (running Win2K). The thief actually phoned him up, pretending to be a police officer who had found the laptop and asked for the password so the police could verify it was his.
Naturally he declined this kind offer, but encryption worked well for him, protecting the banks data.
I've heard some pretty crazy tales too. I did some work for our police department a while back and I joked about not needing to lock up my laptop... they quite seriously told me that they have had several laptops go missing and to make sure it was locked at all times. Can you imagine having the guts to walk into a police headquarters, pick up a police laptop and walk back out of the building?! Some people astound me.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.