Partition to harden Unix servers


InformIT
04.02.2002


Unix servers have been around since the beginning, so every hacker is familiar with them. Every precaution should be taken to keep them secure. This tip, excerpted from InformIT, discusses partitioning to help in hardening Unix servers. Joseph Dries is the author of The Concise Guide to Enterprise Internetworking and Security.


The process of building a Unix or GNU/Linux server for use as a firewall or DMZ server begins with installation. Eliminating points of attack, such as a filesystem that can be filled or unnecessary libraries and services, is equivalent to removing possible entry points for intruders.

Some common guidelines for configuring Unix servers with a more secure default stance are available from CERT's Web site at ftp://info.cert.org/pub/tech_tips/UNIX_configuration_guidelines.

Besides having separate partitions for the obvious, such as swap and /tmp, you should protect against out-of-disk-space denial-of-service attacks. Intruders might try to generate excessive logging data or fill your filesystem with large files through FTP or the mail spool. The best way to protect against this is to segment the filesystem hierarchy into separate physical partitions.

The root partition / can be small because it generally contains just the kernel and the necessary files, libraries, and configuration for booting, in /bin, /sbin, /etc, and /lib. Access to the attached devices is provided through the /dev and /devices directories. Many GNU/Linux distributions store kernels and symbol data in the /boot directory, whereas kernel libraries are stored under /lib.

The /usr partition is normally where user-accessible applications are stored. Normally, /usr does not contain data or configuration files that change; therefore, as an added security measure, it can be mounted read-only.

The /var partition stores system logs and the data for services such as mail, Web, databases, printing, running services, package management and so on. On a mail server, you might want to make /var/spool/mail, or /var/mail in Solaris, a separate partition, or, even better, a separate disk array. If you create only one partition separate from /, /var is the one you should separate.

The /usr/local directory structure, and in Solaris the /opt directory, often contains locally installed optional software, configuration files and data.

/usr/local is normally not affected by operating system upgrades. Depending on how you use those directories, they too can be mounted as read-only.

These are suggestions and guidelines only and are different from recommended settings for a system that contains user accounts, usually in /home.
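
An added example (not from the original tip or InformIT) that checks an fstab-format table against the layout described above: /var, /tmp and swap on their own partitions, and /usr mounted read-only. It assumes the Linux /etc/fstab column order (device, mount point, type, options); the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# audit_fstab [FILE]: read an fstab-format table (FILE or stdin) and print
# one finding per line:
#   OK <fs>        matches the guideline
#   MISSING <fs>   no separate filesystem, so it shares space with its parent
#   WRITABLE <fs>  separate filesystem, but not mounted read-only
audit_fstab() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }      # skip comments and short lines
        {
            mnt[$2] = 1                    # column 2: mount point
            n = split($4, opt, ",")        # column 4: mount options
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro[$2] = 1
            if ($3 == "swap") swap = 1     # column 3: filesystem type
        }
        END {
            # Filesystems that should not share space with /
            nsep = split("/var /tmp", sep, " ")
            for (i = 1; i <= nsep; i++) {
                s = (sep[i] in mnt) ? "OK" : "MISSING"
                print s, sep[i]
            }
            s = swap ? "OK" : "MISSING"
            print s, "swap"
            # /usr holds no changing data, so it can be read-only
            if (!("/usr" in mnt))   print "MISSING", "/usr"
            else if ("/usr" in ro)  print "OK", "/usr"
            else                    print "WRITABLE", "/usr"
        }
    ' "$@"
}

# Constructed sample table: no /tmp partition, /usr mounted read-write.
sample_fstab() {
    cat <<'EOF'
# device    mount  type  options   dump pass
/dev/sda1   /      ext3  defaults  1 1
/dev/sda2   swap   swap  defaults  0 0
/dev/sda3   /usr   ext3  defaults  1 2
/dev/sda5   /var   ext3  defaults  1 2
EOF
}

sample_fstab | audit_fstab
```

On a live Linux host, `audit_fstab /etc/fstab` runs the same check; /usr/local is left out because the tip makes its read-only mount depend on how the directory is used.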


To read this entire tip, click over to InformIT. You have to register there, but it's free.

