LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 04-26-2011, 12:07 PM   #1
dbmits
LQ Newbie
 
Registered: Apr 2011
Posts: 8

Rep: Reputation: 2
Secure Linux server for application deployment


Hi all,
please, I would like some help to the following :
I have implemented a web application on Linux that I want to deploy and sell to customers. I want to sell ready systems including the hardware. The application is written in PHP/MySQL.
What I am searching to achieve is :
1) Find a way so that filesystem and partitions to be encrypted but without the need to insert some code when rebooting. So that if someone gets out the hard disks and attach to another system, cannot have any access to my files or settings.
And of course when rebooting (e.g. after a power failure) encryption to be applied automatically.
2) I know that there are ways to bypass root password on a Linux system. Can all these ways be unassigned ? I want the only way to have access to system, to be by using the root password and nothing else.

I have thought of using a virtual server instead of a physical one (like deploying a virtualbox server) but still would like this to be the most secure possible including not only remote but also local access to system.

Please send your feedback and of course any additional ideas you might have.
Thank you very much.
 
Old 04-26-2011, 12:28 PM   #2
sibe
Member
 
Registered: Apr 2011
Location: Jakarta, Indonesia
Distribution: Fedora, CentOS
Posts: 122

Rep: Reputation: 21
Hi,

1. You might want to try cryptsetup. You can put the passphrase in /etc/crypttab to be loaded automatically when the system boot up.

2. Passwording GRUB?
 
Old 04-26-2011, 02:43 PM   #3
dbmits
LQ Newbie
 
Registered: Apr 2011
Posts: 8

Original Poster
Rep: Reputation: 2
Hi sibe, thanks for replying.
1) I will try cryptsetup
2) But this means that on every restart a password must be given by hand, right ? If yes, this is not what is needed.
 
Old 04-26-2011, 04:32 PM   #4
sibe
Member
 
Registered: Apr 2011
Location: Jakarta, Indonesia
Distribution: Fedora, CentOS
Posts: 122

Rep: Reputation: 21
Hi dbmits,

2. No. That means preventing anyone to get into single user mode without supplying the password.

Basically, there are 4 ways to bypass system authentication and get the root prompt for free:

1. Boot to runlevel 1 (single user mode).
How to; interrupt the boot splash screen and add an S, 1 or single to the end of the kernel line.
How to prevent; add the following line to /etc/inittab, below si::sysinit:/etc/rc.d/rc.sysinit,

ss:S:respawn:/sbin/sulogin

Now if someone is trying to boot to runlevel 1, the system will ask for the root password before giving a shell prompt.

2. Boot directly to a shell, bypassing the init process.
How to; interrupt the boot splash screen and add init=/bin/bash parameter to the end of the kernel line.
How to prevent; add a password to GRUB. From the command prompt, type this :

# grub-md5-crypt
Password: <password here>
Retype password: <password here>
$1$YzuO40$68zlZ18su5hCqm0Ifo.Nk.


then add the hash characters to the grub.conf file :

--cut--
default=0
timeout=5
password --md5 $1$YzuO40$68zlZ18su5hCqm0Ifo.Nk.
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
--cut--


Now someone trying to interrupt the boot splash will be asked for the GRUB password.

3. Boot to rescue mode using CD/DVD.
How to; change the boot order at the BIOS to boot from a CD/DVD, load the CD/DVD, reboot, and type linux rescue at the boot: prompt
How to prevent; disable boot option to load other media than the disk, and set a BIOS password to prevent anyone changing BIOS setting without supplying the BIOS password.

4. Clear/flush CMOS to reset BIOS setting.
How to; open the case and remove the CMOS battery, wait for awhile to get CMOS setting cleared out, put it back to the mainboard, load the BIOS menu and set to boot from CD/DVD, repeat step 3.
How to prevent; seal your appliance before ship it to your customers, get it welded, put some booby trap inside the case and set it to explode when someone try to open the case.

Whatever you do, don't forget the password.

Good luck.
 
Old 04-26-2011, 07:47 PM   #5
dbmits
LQ Newbie
 
Registered: Apr 2011
Posts: 8

Original Poster
Rep: Reputation: 2
Hi sibe, thank you.
Your help is very much appreciated.
 
Old 05-11-2011, 04:35 PM   #6
dbmits
LQ Newbie
 
Registered: Apr 2011
Posts: 8

Original Poster
Rep: Reputation: 2
Hi again, I have just installed a debian 6 and cannot find anywhere grub-md5-crypt.
How can I install that on system ?
Thank you.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Deployment Seam 2.0.2 Application against Oracle 10gR2 database to Jboss 4.2.3 LXer Syndicated Linux News 0 08-21-2008 06:40 PM
LXer: Deployment Seam Application against MySQL 5 database to Jboss 4.0.5 utilizing Seam Plugin for NetBeans 5.5.1 LXer Syndicated Linux News 0 06-30-2007 02:16 AM
LXer: Deployment Seam Application against Oracle 10g database to Jboss 4.0.5 LXer Syndicated Linux News 0 06-23-2007 09:32 PM
LXer: ActiveGrid Brings Web 2.0 Application Development and Deployment to Enterprise LXer Syndicated Linux News 0 06-26-2006 08:21 PM
deployment application for Java randomx Programming 1 08-31-2004 02:32 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 05:21 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration