securing Linux server

[itsme220]

I have an application server which hosts my application. I distribute all binaries and code. So if user simply copy the code and distribute anyone can run.

I have a database resides in different server(Most of the time) some time database resides in the same server.

I have the root password and I only have access.

My concern is I want to secure so that others don't copy or access the system.

Some of the concern,

1) Login as user and browse through the directory and copy the code.
2) Shut down server and use another Bootable Linux CD and access to database or application file and copy.
3) any other scenario.

How should I protect?

Thank you

 

[davidktw]

I have an application server which hosts my application. I distribute all binaries and code. So if user simply copy the code and distribute anyone can run.

I have a database resides in different server(Most of the time) some time database resides in the same server.

I have the root password and I only have access.

My concern is I want to secure so that others don't copy or access the system.

Some of the concern,

1) Login as user and browse through the directory and copy the code.
2) Shut down server and use another Bootable Linux CD and access to database or application file and copy.
3) any other scenario.

How should I protect?

Thank you

For systems without using hardware and software encryption, anyone whom has physical access to your system has total control of your system. They don't even need your login to access data on your hard disks. All they need to to attach to another box and mount the filesystem in it. Hence if your clients have physical access to your box, the first and foremost protection is the physical approach to undermine it.

First password protect the bios/firmware, do not allow bootup via other means except through the hard disk. This is to prevent the possibility of booting up using another OS on the same system, and also related to the next protection in line.

Next, get harddisks that support FDE together with the server bios. I also did a read on TPM, but not exactly sure what level of protection and which particular part of the system it can help protect against intruders. Physical security is a hard topic when your clients can have its hand freely over them.

Software approach is always via licensing protection or usage of physically issued dongles. But nowadays a lot of software do away.

Some less protected approach is never give shell access to your users. Always have them use via web interfaces. Hence your system is like a black box to them.

 

[itsme220]

For systems without using hardware and software encryption, anyone whom has physical access to your system has total control of your system. They don't even need your login to access data on your hard disks. All they need to to attach to another box and mount the filesystem in it. Hence if your clients have physical access to your box, the first and foremost protection is the physical approach to undermine it.

First password protect the bios/firmware, do not allow bootup via other means except through the hard disk. This is to prevent the possibility of booting up using another OS on the same system, and also related to the next protection in line.

Next, get harddisks that support FDE together with the server bios. I also did a read on TPM, but not exactly sure what level of protection and which particular part of the system it can help protect against intruders. Physical security is a hard topic when your clients can have its hand freely over them.

Software approach is always via licensing protection or usage of physically issued dongles. But nowadays a lot of software do away.

Some less protected approach is never give shell access to your users. Always have them use via web interfaces. Hence your system is like a black box to them.

Thank you David for your expert advise.

1. If I install boot password in Boot partition (GRUP), will it secure my system. Besides BIOS.

2.While Googlingg I found the following

HowTo: Linux Hard Disk Encryption With LUKS [ cryptsetup Command ]

https://www.eff.org/deeplinks/2012/11/privacy-ubuntu-1210-full-disk-encryption

Any inputs?

3. Will this encryption slow down system?

Thank you

 

[davidktw]

Thank you David for your expert advise.

1. If I install boot password in Boot partition (GRUP), will it secure my system. Besides BIOS.

2.While Googlingg I found the following

HowTo: Linux Hard Disk Encryption With LUKS [ cryptsetup Command ]

https://www.eff.org/deeplinks/2012/11/privacy-ubuntu-1210-full-disk-encryption

Any inputs?

3. Will this encryption slow down system?

Thank you

GRUB Password protection only protect the bootloader, it doesn't protect contents on the disk. But having it set is good, at least one more entry point is protected.

I have not used LUKS myself, don't think I can offer much insight into this. My knowledge on encryption and security is mostly inter-system and not so much on protecting on physical assets, so please also do some reading up yourself.

So far what I have read, usage of TPM together with FDE makes the most sense. Using TPM, you can ensure the hard disk content decryption can only happen on a particular dedicated system. Moving the harddisk elsewhere will not be able to decrypt unless the password or token is provided. FDE within the harddisk ensure no easy approach to retrieve the contents on the platters.

Using dm-crypt can ensure only upon credentials given that the drive block device can be accessed and also the filesystem on top of it.

But take note, such security measures will complicate operations. When system requires booting, password or smart card must be issued.

Perhaps you ought to think about what is so important to protect after all. Perhaps a SAAS model of your service makes more sense.

Last but not least, no encryption comes free. There is always cost at some level.

 

[exim22]

TrueCrypt is a better option for whole HDD or folders encryption. Mount the encrypted storage on network drive is a good idea.

 

[itsme220]

GRUB Password protection only protect the bootloader, it doesn't protect contents on the disk. But having it set is good, at least one more entry point is protected.

I have not used LUKS myself, don't think I can offer much insight into this. My knowledge on encryption and security is mostly inter-system and not so much on protecting on physical assets, so please also do some reading up yourself.

So far what I have read, usage of TPM together with FDE makes the most sense. Using TPM, you can ensure the hard disk content decryption can only happen on a particular dedicated system. Moving the harddisk elsewhere will not be able to decrypt unless the password or token is provided. FDE within the harddisk ensure no easy approach to retrieve the contents on the platters.

Using dm-crypt can ensure only upon credentials given that the drive block device can be accessed and also the filesystem on top of it.

But take note, such security measures will complicate operations. When system requires booting, password or smart card must be issued.

Perhaps you ought to think about what is so important to protect after all. Perhaps a SAAS model of your service makes more sense.

Last but not least, no encryption comes free. There is always cost at some level.

Thanks David for your expert opinion.

I PM you some info.