Old 01-28-2007, 07:01 AM   #1
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 31
Mount Options: Best Practices


Hello,

I'm setting up a server which will provide services to users over the internet. I'm kinda paranoid when it comes to security and the like, so I was wondering what advice you could share regarding mount options for the different mount points of the system.

I've set up different partitions for:
/
/boot
/usr
/home
/var
/tmp

Except for /, I wanna mount everything else using:
rw
auto
nouser
async
noatime
nodev
noexec
nosuid

Would this be enough? Could it break things? Any advice and feedback is much appreciated.

Thanks
 
Old 01-28-2007, 07:49 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
What kind of services are you offering?

Simply using certain mount options is not enough.

For partitions that are world writable, like /tmp, you definitely want to use options like noexec & nodev.
You might want to go to the www.tldp.org (The Linux Documentation Project) web site and download the Linux Filesystem Hierarchy Standard.

It explains which directories can be mounted read-only. For a hardened server, less is better. Only include what you need. It will be easier to secure and offer fewer opportunities. With fewer files in the system files, it is easier to back up as well. Plus, you could perform an md5sum of all of the system files. Then if you think you may have been hacked, you can mount the drive offline (e.g. booting with a live disk) and compare the files against your md5sum list.

The LDP site also has a publication on Securing and Optimizing Linux. There are also books like "Hardening Linux" and others.
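
Added example, not part of the post above: a shell sketch of the offline comparison it describes, reporting changed, missing and newly added files relative to a stored hash list. The function names (`make_baseline`, `verify_baseline`, `demo`) and the temporary directory tree are constructed for illustration; on a real system ROOT would be the mount point of the offline disk and the baseline would be kept on separate media.

```shell
#!/bin/sh
# Added example: offline integrity check in the spirit of post #2.
# make_baseline, verify_baseline, demo and all paths are constructed names.
HASH=${HASH:-md5sum}   # sha256sum emits the same "hash  path" line format

# make_baseline ROOT DIR...: hash every regular file under ROOT/DIR, with
# paths recorded relative to ROOT so the list works for any mount point.
make_baseline() {
    root=$1; shift
    ( cd "$root" && find "$@" -xdev -type f -exec "$HASH" {} + | sort -k2 )
}

# verify_baseline ROOT BASELINE DIR...: print CHANGED / MISSING / NEW lines.
verify_baseline() {
    root=$1; base=$2; shift 2
    now=$(mktemp)
    make_baseline "$root" "$@" > "$now"
    awk '
    pass == 1 { old[substr($0, index($0, "  ") + 2)] = $1; next }
    {
        p = substr($0, index($0, "  ") + 2)
        if (!(p in old))       print "NEW " p
        else if (old[p] != $1) print "CHANGED " p
        delete old[p]
    }
    END { for (p in old) print "MISSING " p }' pass=1 "$base" pass=2 "$now" | sort
    rm -f "$now"
}

demo() {   # constructed tree standing in for an offline-mounted root
    r=$(mktemp -d); mkdir -p "$r/bin" "$r/usr/bin"
    echo ls > "$r/bin/ls"; echo cp > "$r/bin/cp"; echo ssh > "$r/usr/bin/ssh"
    make_baseline "$r" bin usr > "$r.md5"
    # simulate tampering: modify one file, delete one, add one
    echo extra >> "$r/usr/bin/ssh"; rm "$r/bin/cp"; echo x > "$r/usr/bin/.hidden"
    verify_baseline "$r" "$r.md5" bin usr
    rm -rf "$r" "$r.md5"
}

demo
```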
 
Old 01-28-2007, 08:02 AM   #3
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Original Poster
Rep: Reputation: 31
Thanks for the info, will check out TLDP.

Actually it's a deb sarge install, so I started from the base system and am adding software piece by piece as I go (not in a hurry as it is a learning experience too). Eventually it will serve as a public blog site, with FTP access and email to registered users. Also, SSH for remote admin tasks.

Of course as you said, each service will have to be setup properly and hardened. But I was regarding the mount options as a last line of defence.

Great idea for md5sum'ing of sys files. Since I am using LVM2 perhaps I can snapshot and hash the backup offline.... hmmm...

Thanks again for your help
 
Old 01-28-2007, 09:36 AM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Even ssh needs to be hardened. One example: If only a few users will use ssh, use "AllowUsers" in sshd_config (man sshd_config). If this will be a LAMP server, the MySQL installation includes a manual. Be sure to read the sections on security. Since outside users will run their own blog servers, you will want them to run in a jail. That will help protect the machine from mistakes made by the users.

There are many other things to learn as well, and I am not a security expert.

Security is more of a process than a state of being.
Besides installation, you also need to: monitor the logs regularly, perform regular backups, perform security updates, have a workable recovery plan in case of a security breach or a hardware failure.

I would recommend keeping a notebook where you record everything you do. This may come in handy in the future.

Also, there are web sites dedicated to Linux Security. Some will have useful articles.

Good Luck!
 
Old 01-28-2007, 01:11 PM   #5
Lotharster
Member
 
Registered: Nov 2005
Posts: 144

Rep: Reputation: 18
I don't think it would be a good idea to mount /usr with the noexec option, since most binaries reside there.
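
Added example, not part of any post in this thread: a shell check of an fstab against the advice given above (noexec and nodev on world-writable /tmp, no noexec on /usr), plus the remaining options from the list in post #1. The names `audit_fstab` and `sample_fstab` and the sample entries are constructed; the nosuid warning for /usr is an addition that the thread does not raise.

```shell
#!/bin/sh
# Added example: check fstab options against the advice in this thread.
# audit_fstab, sample_fstab and the sample entries are constructed here.

audit_fstab() {   # reads fstab text from the files in "$@" or from stdin
    awk '
    function missing(mp, list, level,    need, m, i) {
        m = split(list, need, " ")
        for (i = 1; i <= m; i++)
            if (!(need[i] in has)) print level " " mp " missing " need[i]
    }
    /^[ \t]*#/ || NF < 4 { next }           # skip comments and short lines
    {
        mp = $2
        split("", has)                      # clear the option set
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) has[opt[i]] = 1

        if (mp == "/tmp") {
            # post #2: world-writable partitions want noexec and nodev;
            # nosuid is taken from the option list in post #1
            missing(mp, "noexec nodev nosuid", "WARN")
        } else if (mp == "/usr") {
            # post #5: most binaries reside under /usr
            if ("noexec" in has) print "FAIL /usr has noexec"
            # not raised in the thread: setuid programs installed under
            # /usr (for example /usr/bin/passwd) stop working with nosuid
            if ("nosuid" in has) print "WARN /usr has nosuid"
            missing(mp, "nodev", "INFO")
        } else if (mp == "/boot" || mp == "/home" || mp == "/var") {
            missing(mp, "nodev nosuid", "INFO")
        }
    }' "$@"
}

sample_fstab() {  # constructed sample, not a real system
    cat <<'EOF'
# <device>     <mount> <type> <options>                        <dump> <pass>
/dev/vg0/root  /       ext3   defaults                         0 1
/dev/sda1      /boot   ext3   rw,noatime,nodev,noexec,nosuid   0 2
/dev/vg0/usr   /usr    ext3   rw,noatime,nodev,noexec,nosuid   0 2
/dev/vg0/home  /home   ext3   rw,noatime,nodev,noexec,nosuid   0 2
/dev/vg0/var   /var    ext3   defaults,noatime                 0 2
/dev/vg0/tmp   /tmp    ext3   rw,noatime,nodev                 0 2
EOF
}

sample_fstab | audit_fstab
```

On a live system the same function can be pointed at the real file with `audit_fstab /etc/fstab`.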
 
  

