Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
01-28-2007, 07:01 AM
|
#1
|
Member
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271
Rep:
|
Mount Options: Best Practices
Hello,
I'm setiing up a server which will provide services to users over the internet. I'm kinda pranoid when it comes to security and the like so i was wondering what advice you could share regarding mount options for the different mount points of the system.
I've setup different partitions for:
/
/boot
/usr
/home
/var
/tmp
except for / i wanna mount everything else using:
rw
auto
nouser
async
noatime
nodev
noexec
nosuid
Would this be enough? Could it break things? Any advice and feedback is much appreciated.
Thanks
|
|
|
01-28-2007, 07:49 AM
|
#2
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
What kind of services are you offering?
Simply using certain mount options is not enough.
Partitions that that are world writable like /tmp you definitely want to use options like noexec & nodev.
You might want to go to the www.tldp.org (The Linux Documentation Project ) web site and download the Linux Filesystem Hierarchy Standard.
It explains which directories can be mounted read-only. For a hardened server, less is better. Only include what you need. It will be easier to secure and offer fewer opportunities . With fewer files in the system files, it is easier to back up as well. Plus, you could perform an md5sum of all of the system files. Then if you think you may have been hacked, you can mount the drive offline (e.g. booting with a live disk) and compare the files against your md5sum list.
The LDP site also has a publication on Securing and Optimizing linux. There are also books like "Hardening Linux" and others.
|
|
|
01-28-2007, 08:02 AM
|
#3
|
Member
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271
Original Poster
Rep:
|
Thanks for the info, will check out TLDP.
Actually it's a deb sarge install, so i started from the base system and am adding software piece by piece as i go (not in a hurry as it is a learning experience too). Eventually it will serve as a public blog site, with ftp access and email to registered users. Also, SSH for remote admin tasks.
Of course as you said, each service will have to be setup properly and hardened. But I was regarding the mount options as a last line of defence.
Great idea for md5sum'ing of sys files. Since i am using LVM2 perhaps i can snapshot and hash the backup offline.... hmmm...
Thanks againf or your help
|
|
|
01-28-2007, 09:36 AM
|
#4
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
Even ssh needs to be hardened. One example: If only a few users will use ssh, use "AllowUsers" in sshd_config.
( man sshd_config ). If this will be a lamp server, the mysql installation includes a manual. Be sure to read the sections on security. Since outside users will run there own blog servers, you will want them to run in a jail. That will help protect the machine from mistakes made by the users.
There are many other things to learn as well, and I am not a security expert.
Security is more of a process than a state of being.
Besides installation, you also need to: monitor the logs regularly, perform regular backups, perform security updates, have a workable recovery plan in case of a security breach or a hardware failure.
I would recommend keeping a notebook where you record everything you do. This may come in handy in the future.
Also, there are web sites dedicated to Linux Security. Some will have useful articles.
Good Luck!
|
|
|
01-28-2007, 01:11 PM
|
#5
|
Member
Registered: Nov 2005
Posts: 144
Rep:
|
I don'rt think it would be a good idea to mount /usr with the noexec option, since most binaries reside there.
|
|
|
All times are GMT -5. The time now is 11:08 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|