04-26-2011, 12:07 PM
#1
LQ Newbie
Registered: Apr 2011
Posts: 8
Secure Linux server for application deployment
Hi all,
Please, I would like some help with the following:
I have implemented a web application on Linux that I want to deploy and sell to customers. I want to sell ready systems including the hardware. The application is written in PHP/MySQL.
What I am trying to achieve is:
1) Find a way for the filesystem and partitions to be encrypted, but without the need to enter some code when rebooting, so that if someone takes out the hard disks and attaches them to another system, they cannot have any access to my files or settings.
And of course, when rebooting (e.g. after a power failure), encryption should be applied automatically.
2) I know that there are ways to bypass the root password on a Linux system. Can all these ways be disabled? I want the only way to access the system to be by using the root password and nothing else.
I have thought of using a virtual server instead of a physical one (like deploying a virtualbox server) but still would like this to be the most secure possible including not only remote but also local access to system.
Please send your feedback and of course any additional ideas you might have.
Thank you very much.

04-26-2011, 12:28 PM
#2
Member
Registered: Apr 2011
Location: Jakarta, Indonesia
Distribution: Fedora, CentOS
Posts: 122
Hi,
1. You might want to try cryptsetup. You can put the passphrase in /etc/crypttab to be loaded automatically when the system boots up.
2. Passwording GRUB?

04-26-2011, 02:43 PM
#3
LQ Newbie
Registered: Apr 2011
Posts: 8
Original Poster
Hi sibe, thanks for replying.
1) I will try cryptsetup
2) But this means that on every restart a password must be given by hand, right? If yes, this is not what is needed.

04-26-2011, 04:32 PM
#4
Member
Registered: Apr 2011
Location: Jakarta, Indonesia
Distribution: Fedora, CentOS
Posts: 122
Hi dbmits,
2. No. That means preventing anyone from getting into single user mode without supplying the password.
Basically, there are 4 ways to bypass system authentication and get the root prompt for free:
1. Boot to runlevel 1 (single user mode).
How to: interrupt the boot splash screen and add an S, 1 or single to the end of the kernel line.
How to prevent: add the following line to /etc/inittab, below si::sysinit:/etc/rc.d/rc.sysinit:
ss:S:respawn:/sbin/sulogin
Now if someone tries to boot to runlevel 1, the system will ask for the root password before giving a shell prompt.
2. Boot directly to a shell, bypassing the init process.
How to: interrupt the boot splash screen and add the init=/bin/bash parameter to the end of the kernel line.
How to prevent: add a password to GRUB. From the command prompt, type this:
# grub-md5-crypt
Password: <password here>
Retype password: <password here>
$1$YzuO40$68zlZ18su5hCqm0Ifo.Nk.
then add the hash characters to the grub.conf file:
--cut--
default=0
timeout=5
password --md5 $1$YzuO40$68zlZ18su5hCqm0Ifo.Nk.
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
--cut--
Now someone trying to interrupt the boot splash will be asked for the GRUB password.
3. Boot to rescue mode using CD/DVD.
How to: change the boot order in the BIOS to boot from a CD/DVD, load the CD/DVD, reboot, and type linux rescue at the boot: prompt.
How to prevent: disable the boot option to load media other than the disk, and set a BIOS password to prevent anyone from changing the BIOS settings without supplying the BIOS password.
4. Clear/flush CMOS to reset BIOS setting.
How to: open the case and remove the CMOS battery, wait a while for the CMOS settings to be cleared, put it back on the mainboard, load the BIOS menu and set it to boot from CD/DVD, then repeat step 3.
How to prevent: seal your appliance before shipping it to your customers, get it welded, put some booby trap inside the case and set it to explode when someone tries to open the case.
Whatever you do, don't forget the password.
Good luck.
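
A way to confirm on a built appliance that the inittab and grub.conf settings from post #4 are actually in effect, as an added example that is not part of the original thread. It assumes GRUB legacy (`grub.conf`) and a SysV `inittab`, as the post does; the function names are hypothetical and the file paths are passed as arguments.

```shell
#!/bin/sh
# Added example: audit the GRUB legacy and inittab settings from post #4.
# Function names are hypothetical; pass the file paths so copies can be checked.

# 0 if a hashed password is set in the global section (before the first "title"),
# which is what blocks editing the kernel line at the boot menu.
grub_global_password() {
    awk '
        /^[ \t]*#/          { next }
        /^[ \t]*title[ \t]/ { exit }    # global section ends at the first entry
        /^[ \t]*password[ \t=]+--md5[ \t]+\$1\$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# 0 if any password line stores the password in clear text (no --md5).
grub_plaintext_password() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*password[ \t=]/ && !/--md5/ { bad = 1 }
        END { exit (bad ? 0 : 1) }
    ' "$1"
}

# 0 if an active inittab entry runs sulogin for runlevel S (single user mode).
inittab_sulogin() {
    awk -F: '
        /^[ \t]*#/ { next }             # a commented-out entry does not count
        $2 ~ /[Ss]/ && $4 ~ /(^|\/)sulogin([ \t]|$)/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print one line per failed check; the return value is the number of failures.
audit_boot() {   # usage: audit_boot GRUB_CONF INITTAB
    fails=0
    grub_global_password "$1" ||
        { echo "FAIL: no 'password --md5' before the first title in $1"; fails=$((fails + 1)); }
    if grub_plaintext_password "$1"; then
        echo "FAIL: clear-text GRUB password in $1"; fails=$((fails + 1))
    fi
    inittab_sulogin "$2" ||
        { echo "FAIL: no sulogin entry for runlevel S in $2"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: boot-time checks passed"
    return "$fails"
}

# Run only when both paths are given, e.g. /boot/grub/grub.conf /etc/inittab
if [ "$#" -eq 2 ]; then audit_boot "$1" "$2"; fi
```

A `password` line that appears only inside a `title` stanza is reported as a failure, because it does not lock the menu editor.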

04-26-2011, 07:47 PM
#5
LQ Newbie
Registered: Apr 2011
Posts: 8
Original Poster
Hi sibe, thank you.
Your help is very much appreciated.

05-11-2011, 04:35 PM
#6
LQ Newbie
Registered: Apr 2011
Posts: 8
Original Poster
Hi again, I have just installed Debian 6 and cannot find grub-md5-crypt anywhere.
How can I install that on the system?
Thank you.