I would like to protect a Linux system from cloning. I don't mind if the cloned hard drive works in the same computer, but I need to prevent it from working in another one, even if it uses exactly the same mainboard model and the rest of the computer parts. I want the cloned system to freeze or simply restart continuously if it's used in another computer.
I found a thread in another forum that talks about a test of the NIC interface's MAC. It could be a good solution.
The issue is that I have no information at all about how to do it, nor the software to use. Of course, I would like it to be as "unbreakable" as possible.
And why would you want to do that in the first place?..
Many thanks for your answer, unSpawn, I really appreciate your time and interest.
TPM could be a great solution, but it means adding more hardware since it's not included on the motherboard, so it's discarded (I need a method that doesn't require special hardware).
The user must be able to use the computer, add new drives or even format the hard drive using a tool on a USB drive if he needs to. It's even desirable (although not 100% needed) that the user can make a backup of the system disk via cloning, and restore it when needed. BUT I don't want the user to clone the disk and use the operating system and all configurations and programs on a different machine, since it's intended to be used only on this computer (I hope that my explanation is ok, hehe).
I know that there is no infallible method for this, but I'm also sure there is some way. It's better to have a security method that can be skipped than to have no security method at all. If I add some kind of protection, at least the user will have to do some research.
I've been reading something about hostid, and if I can tie the operating system to something depending on hardware, it is an important "first step".
Many thanks again, I hope someone can lend me a hand.
As was said, it is probably impossible. Linux itself can be easily cloned, reinstalled, copied or moved. And there isn't any reason to protect it, because it is free. I think you want to protect an application or some settings. But it would be nice to explain what your real original goal is.
(..) it's intended to be used only on this computer (I hope that my explanation is ok, hehe)
Unfortunately saying something akin to "just because" doesn't help me help you.
Quote:
Originally Posted by dynamicpointer
I know that there is no infallible method for this, but I'm also sure there is some way. It's better to have a security method that can be skipped than to have no security method at all. If I add some kind of protection, at least the user will have to do some research.
So not only are you aware that you stand less of a chance without specific hardware but you are also aware this "protection" will act more like a retardant than anything else... So, one more time: what is it specifically that you are protecting or guarding against? Also note Licensing, Intellectual Property or Copyright protection doesn't equal "security".
As was said, it is probably impossible. Linux itself can be easily cloned, reinstalled, copied or moved. And there isn't any reason to protect it, because it is free. I think you want to protect an application or some settings. But it would be nice to explain what your real original goal is.
Hi pan64,
I want to protect an installation that has special work on configuration, installation and customization. I have never tried full disk encryption but it seems to be the most appropriate, although I've been reading and it seems that I can still encrypt the home folder, but I'm not sure if it is useful in my case.
It must be kept in mind that I can't make a complete reinstall of the system to do it. I mean... I now have my "master" cloning image that I deploy on all the machines (and update usually), so I need some way to prevent the install from being cloned again once deployed on every target machine. It's no problem if I have to spend some time on every one of those target machines, but installing the operating system and configuring and installing everything on every one of them is not an option.
Encrypting the HDD would be a good option. However, when the system is running the contents will be visible to users. You could probably change the permissions of some of the files that don't need to be seen by a user, however many of them need to be accessed by user programs and so are accessible to the user. Cloning the encrypted partition would be possible, but without the password would not work on another machine or even the same machine.
Overall, I don't think you can do exactly what you want, but can get close.
Many thanks for the answer, metaschima,
I've been reading and any kind of drive encryption seems to be of no use at all, since Clonezilla itself is capable of making a clone in raw mode. So my only option seems to be to tie the boot to the MAC of the NIC or the serial number of the hard drive.
Well... It depends on the motherboard. But usually the CPUID is available... and you can create a startup process that checks the CPUID, and if not matching a saved one, halts the system.
Of course, nothing prevents someone from going into single user mode or using a recovery system from changing the saved value.
You could even try using the CPUID information as an encryption key to the system disk, but the initrd would still have to be plaintext to start with.
Of course, it becomes a disaster when you have to replace a CPU... or a motherboard.
But that is why it is nearly useless to make such a demand.
There can be some licensing method to configure which installation is known, so that "stolen" copies will not be able to function properly. But you also need to keep in mind that any additional security tool can be removed (because your system works without them).
It's better to have a security method that can be skipped than to have no security method at all. If I add some kind of protection, at least the user will have to do some research.
the main reason i'm posting is to criticize you. what you said is "security theater" at its best. I'd love to know more about for who, where, why you want to do this... but if it's for work then i understand keeping it anonymous.
if you put into place some b.s. process, that's all it is is b.s.
first and foremost is physical access of the drives or whatever media has your data on it you want to protect, if you are serious about protecting it then you have to not let people get physical access to your drives. when that happens it's usually game over, unless you have put whole disk encryption on the drive or the data you care about is in an encrypted folder.
you didn't mention what version or distribution of linux you are using, that will matter quite a bit. I'm only familiar with Novell SLES and openSUSE, and those support disk encryption upon install however i've never used it (yet). regarding TPM don't look at it as adding hardware/software to accomplish your goal- look at it as the process which achieves your goal: you encrypt your entire linux drive so it will not boot nor be read if slaved on another computer without a password.
to my knowledge in my linux distro you are prompted by the OS when it boots for a password so an admin with the password needs to be there with it. if you want to bypass that and make the drive boot in a given system then you need to find out how to modify that script/program during boot which asks for that bootup encryption password you are using. then you write a script or software executable that will do a hardware id request to get some various system identifiers like cpuid, network id and mac address and have your encryption boot password based on it. easier said than done obviously, and wouldn't surprise me if you have to modify and recompile the kernel to accomplish this.
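The saved-ID startup check jpollard describes and the hardware-derived value Ron7000 suggests basing the boot password on both reduce to one fingerprint routine; the following is an added example, not code from any poster in this thread. The choice of DMI product UUID and NIC MACs as inputs, the function names, and the optional sysroot argument (used to run against a constructed tree) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the optional
# "sysroot" argument are hypothetical; sysroot lets the code run against a
# constructed /sys tree instead of the real one.

# hw_fingerprint [sysroot]: SHA-256 over the DMI product UUID plus the sorted
# MAC addresses of all non-loopback interfaces.
hw_fingerprint() {
    root="${1:-}"
    {
        cat "$root/sys/class/dmi/id/product_uuid" 2>/dev/null || true
        for f in "$root"/sys/class/net/*/address; do
            [ -r "$f" ] || continue
            case "$f" in */lo/address) continue ;; esac
            cat "$f"
        done | sort
    } | sha256sum | cut -d' ' -f1
}

# enroll <file> [sysroot]: save this machine's fingerprint, once per machine,
# after the master image has been deployed to it.
enroll() { hw_fingerprint "${2:-}" > "$1" && chmod 600 "$1"; }

# verify_host <file> [sysroot]: 0 = same hardware, 1 = different hardware,
# 2 = no saved value. A boot-time unit would halt on any non-zero result.
verify_host() {
    [ -r "$1" ] || return 2
    [ "$(hw_fingerprint "${2:-}")" = "$(cat "$1")" ]
}

# Constructed sample data: a fake /sys tree for one machine.
make_sample_tree() {  # make_sample_tree <dir> <mac>
    mkdir -p "$1/sys/class/dmi/id" "$1/sys/class/net/eth0" "$1/sys/class/net/lo"
    echo "11111111-2222-3333-4444-555555555555" > "$1/sys/class/dmi/id/product_uuid"
    echo "$2" > "$1/sys/class/net/eth0/address"
    echo "00:00:00:00:00:00" > "$1/sys/class/net/lo/address"
}

demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp/a" "02:00:00:aa:bb:01"   # machine the image was enrolled on
    make_sample_tree "$tmp/b" "02:00:00:aa:bb:02"   # same model, different NIC
    enroll "$tmp/saved" "$tmp/a"
    verify_host "$tmp/saved" "$tmp/a" && echo "original machine: match"
    verify_host "$tmp/saved" "$tmp/b" || echo "clone on other hardware: mismatch"
    rm -rf "$tmp"
}
demo
```

As the replies in this thread point out, anyone who can boot into single-user mode or a recovery system can rewrite the saved value or remove the check, and replacing a NIC or motherboard changes the fingerprint.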
Sincerely many thanks to all for the interest and help.
Jpollard has described very accurately what I think is the best option I have (not perfect, I know, but the best for my case and needs). My problem is that I don't know how to start, any guideline is very welcome.
Ron7000, system is Ubuntu.
Thanks again
I think you've missed the point of what jpollard told you, and what others are trying to tell you.
This is nothing but a bad idea, period. The ONLY thing you're going to actually accomplish, is to add complexity, bugs, and cost onto whatever system you have, and make it harder for the end-user to actually USE whatever it is you're selling. Think hard about what you're asking...would YOU be too happy if you could only plug your DVD player into an 'approved' outlet, or had to 'register' an outlet?? Nope....and this is hardly any different. Couple that with the fact that even *IF* you manage to get things going using the CPUID, or some other halfway method, IT IS POINTLESS if the user can boot it, and get into it, period.
Take this another step forward; you spend the time writing your code for CPUID checking. Great...now the system boots ONLY on that hardware. So, the user boots the system into single-user mode, and copies ALL of your software (and the COMPLETE OS), to another drive that's already bootable (since they can get and install Ubuntu easily). From there, your CPUID checking is pointless, since THEY own that system, and can happily go in and edit the CPUID tag to be whatever they want. So congratulations on wasting your time and making your system LESS attractive to potential users/buyers....I sure as hell wouldn't go anywhere NEAR a system like that if there were any choices. A 30 day demo version is easier to do, and would let people either buy it or not.