Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am trying to decide whether or not to use LUKS with an LVM install for a NAS box: mysql, postfix, ddns, bind, NFS, sshd, AppleTalk, maybe samba. I have decided to give LVMs a try but am not sure how LUKS will affect access to services. The LAN includes a standalone headless web server (not on LVM, no LUKS). Aren't permissions, iptables and firewalls sufficient? I'm not sure how services are supposed to interact if everything is encrypted, especially root. So far what I have read recommends encrypting vgOS /, swap, /var and /tmp, and encrypting vgdata /home, but no one tells how they did it. The 2 servers I'm working on only have a small /home for admin stuff, and I'm considering making the NAS headless, except I read somewhere that some GUI would make it easier to manage mysql, which brings me to the question: if I don't install X on the NAS, can I ssh in with my desktop using its GUI? I am experimenting with minimal server tagfiles. LUKS and LVMs are new to me. I decided to use LVMs to separate the OS from data, to separate different data types, and for resizing flexibility. I have read some material on LUKS and just wonder if it's more complicated than my needs require. Certainly I don't want to leave myself open to someone just destroying my setup for kicks. Thank you. Your time and experience are welcomed and appreciated.
Last edited by NightSky; 07-29-2010 at 02:56 PM.
It sounds like you need to ask yourself a couple of questions:
1 - What are you trying to secure against? If it is a laptop that may get lost, encryption of your drive may be beneficial. If it is a desktop server, locked in your home, it probably won't buy you much. Are you concerned about running a public-facing server and crackers? Keep your SSH secure (keys rather than passwords, disable root access, use a program like fail2ban) and keep your stuff up to date. I also encrypted a home folder and had an inside-job security breach where the password got changed on me. I was able to restore my data, but it was a real pain, and afterwards I clamped down on system access big time. Remember physical access == root access, which can be as simple as booting into recovery mode or popping in a live CD.
2 - I had a poor experience with LVM and based on that experience wouldn't recommend it. When it came time to mirror and upgrade the hardware to a new server, I found that I could not use a mirroring technique such as dd to copy the thing off. Everything was obfuscated behind the LVM. I have read opinions that say running different server processes in virtual systems has advantages with regard to upgrading.
3 - Yes, you can SSH into a system such as a NAS that doesn't have a GUI. Just use the terminal. With regard to accessing MySQL, you can use a web interface such as phpMyAdmin if you like. After learning a little bit of SQL, I personally find the command prompt easier to use than phpMyAdmin, though I think this applies in general: a GUI is easier for a beginner to learn, but becomes a limitation for an advanced user.
I'm not familiar with Virtual Process; I was googling it and that's another learning project. I would like to just test using LVMs. Can I create /boot and /root on plain ext4 partitions and then create mysqlvg and mailvg to start, to see how it goes?
It sounds like you need to ask yourself a couple of questions:
1 - what are you trying to secure against?
FWIW, I would like to chime in that this probably is the best approach to start answering a question like this. It is unfortunate that users do not understand the implications of not answering it.
Re-reading your original post, it sounds like what you want to do is the following (please correct me if I get this wrong): you want to run a home server that will host web pages, host your own mail server (postfix) possibly with virtual domains, both of these services will tie to a MySQL back end, use dynamic DNS for your local LAN so that your machines are identifiable by name and address, have a samba share to work with your Windows boxes, and host network storage. And with all this, you are rightfully concerned about security.
Now, step back, relax and let's look at this. What are the threats that you need to secure against?
1 - Attempts to gain remote access to your system via SSH. This is probably one of the biggest. Your best defense will be to disable password authentication, disable root access via SSH, and use a program that blocks connections when too many failed attempts to connect are made, which will dramatically slow down a deliberate attempt and will likely cause a bot to go elsewhere. Note, I did not say move your connection to a different port, which only works until they perform a port scan.
2 - If you run a web server with PHP-based applications. Two that come to mind are phpMyAdmin and postfixadmin, though I am sure there are others. If someone gains access to these, they could really cause you damage. So here is what I do: 1 - I only allow connections to these pages from LAN IP addresses, not public ones. If I want to access them remotely, I tunnel into my LAN via SSH and access them that way. 2 - These pages are only accessible via an HTTPS page so that passwords are not transmitted in the clear. 3 - I use browser certificates as well as the password, or at least the password to the application. This makes it much harder to even get to a page that requests a password.
3 - For your MySQL: first, don't allow public access. Do not forward your ports for this application. Permit only devices on your LAN or localhost. Give applications ONLY the permissions they need. Don't give them global access to all your tables.
4 - PHP applications. If you write your own, be sure to sanitize any user input before you either display it or run a database query against it. Keep the applications that you do use up to date, including PHP.
5 - DNS: again, like your SQL server, do not allow public access unless you have to. If you do (for example, you host your own domain and its DNS so that it is easier to provide an SPF record), make sure you don't allow recursive queries. Only allow queries for the information about your public servers.
6 - Postfix (or any mail server): the biggest thing is to not run an open relay. Require authentication, such as SASL, and have all your connections over TLS, not plain port 25. You do not want your passwords being transmitted in the clear. The same goes for your POP/IMAP client, or any web client such as roundcubemail or squirrelmail: make them use an HTTPS page.
Now, overall, by default your ports will be closed to the public until you run an application that listens on them. It sounds like you are doing this, so you will need to take the steps above to be safe. Put yourself behind a router and forward only the required ports to your server. This will help block a lot of the bs traffic from your server and even reduce its load. Next, you can run iptables to further block everything except established connections and traffic incoming on these ports.
I also recommend an intrusion detection system. I personally use Snort and OSSEC. Consequently, I get emails any time something critical changes, or there are too many failed logins, etc. It helps to keep an eye on what is happening with your system.
There is a lot here, but it is all manageable. Hopefully with some or all of the above, you won't be one of the ones posting "urgent help, I think I have been hacked".
Last, but not least, keep backups. I personally use Jungledisk, which for $5 a month gives me a daily backup of my system. Your NAS may work for this purpose too. Storage is kept for a few months, which can be beneficial if you ever want to go back to see when something happened, or grab an image from before a disaster.
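The SSH and firewall advice in the two replies above (disable password and root logins over SSH; a default-deny iptables INPUT chain that admits only established traffic, a short list of public ports, and LAN-only access for things like MySQL and the PHP admin pages) put into checkable form. This is an added example, not code posted in the thread: the two sshd_config texts, the LAN range 192.168.1.0/24 and the port lists are constructed for the illustration, and the firewall helper prints the iptables commands instead of executing them so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not code from the LQ thread. Two POSIX sh helpers:
#   sshd_audit     - does an sshd_config actually disable password logins and
#                    root logins? The first uncommented occurrence of a keyword
#                    wins, as in sshd itself, and a commented-out line leaves
#                    the compiled-in default in force.
#   iptables_rules - print a default-DROP INPUT ruleset that admits only
#                    loopback, established/related traffic, a few public
#                    service ports and some ports reachable from the LAN only.
# All sample data below is constructed for the example.

# Constructed sshd_config resembling a stock install: root login only
# commented out (so the default applies), password auth still enabled.
SAMPLE_WEAK_SSHD='
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
'

# Constructed hardened sshd_config following the advice in the thread.
SAMPLE_HARDENED_SSHD='
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
'

# sshd_effective CONFIG_TEXT KEYWORD
# Print the effective value of KEYWORD (case-insensitive match on the keyword,
# comments and blank lines skipped), or "<default>" when it is never set.
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "<default>" }
    '
}

# sshd_audit CONFIG_TEXT
# One "ok"/"FAIL" line per check; exit status 1 if any check fails.
sshd_audit() {
    rc=0
    for want in PasswordAuthentication=no PermitRootLogin=no; do
        key=${want%%=*}
        expect=${want#*=}
        have=$(sshd_effective "$1" "$key")
        if [ "$have" = "$expect" ]; then
            echo "ok   $key $have"
        else
            echo "FAIL $key is '$have', want '$expect'"
            rc=1
        fi
    done
    return $rc
}

# iptables_rules "PUBLIC_PORTS" LAN_CIDR "LAN_PORTS"
# Print (do not run) an IPv4 INPUT policy: drop by default, accept loopback and
# established/related packets, accept new TCP connections to PUBLIC_PORTS from
# anywhere and to LAN_PORTS only from LAN_CIDR. Pipe into sh as root to apply.
iptables_rules() {
    public_ports=$1
    lan=$2
    lan_ports=$3
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -F INPUT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in $public_ports; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $lan_ports; do
        echo "iptables -A INPUT -s $lan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Stand-alone demonstration: audit both sample configs, then print a ruleset
# with SSH, HTTPS and SMTP public and MySQL/NFS reachable from the LAN only.
echo '== stock config =='
sshd_audit "$SAMPLE_WEAK_SSHD" || echo 'sshd_config needs attention'
echo '== hardened config =='
sshd_audit "$SAMPLE_HARDENED_SSHD"
echo '== firewall =='
iptables_rules "22 443 25" 192.168.1.0/24 "3306 2049"
```

Two caveats the audit does not catch: with UsePAM yes, PAM's keyboard-interactive method can still prompt for a password unless KbdInteractiveAuthentication (ChallengeResponseAuthentication in older OpenSSH) is also set to no, and a Match block later in the file can re-enable either setting for specific users or addresses. Apply the printed rules over an existing SSH session only after confirming port 22 is in the public list, and persist them with iptables-save.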
Noway2, thank you for sharing your knowledgeable experience; it is a great guide for securing all the services I've set up. I haven't gone online yet and won't until I am comfortable with the security guidelines you explained.
Appreciate your time.