Tip

Partition to harden Unix servers

Unix servers have been around since the beginning, so every hacker is familiar with them. Every precaution should be taken to keep them secure. This tip, excerpted from InformIT, discusses partitioning to help in hardening Unix servers. Joseph Dries is the author of The Concise Guide to Enterprise Internetworking and Security.

The process of building a Unix or GNU/Linux server for use as a firewall or DMZ server begins with installation. Eliminating points of attack, for example by preventing the filesystem from being filled and by removing unnecessary libraries and services, removes possible entry points for intruders.

Some common guidelines for configuring Unix servers with a more secure default stance are available from CERT's Web site at ftp://info.cert.org/pub/tech_tips/UNIX_configuration_guidelines.

Besides having separate partitions for the obvious, such as SWAP and /tmp, you should protect against out-of-disk-space denial-of-service attacks. Intruders might try to generate excessive logging data or fill your filesystem with large files through FTP or the mail spool. The best way to protect against this is to segment the filesystem hierarchy into separate physical partitions.

The root partition / can be small because it generally contains just the kernel and the files, libraries, and configuration necessary for booting, in /bin, /sbin, /etc, and /lib. Access to the attached devices is provided through the /dev and /devices directories. Many GNU/Linux distributions store kernels and symbol data in the /boot directory, whereas kernel libraries are stored under /lib.

The /usr partition is normally where user-accessible applications are stored. Normally, /usr does not contain data or configuration files that change; therefore, as an added security measure, it can be mounted read-only.

The /var partition stores system logs and data for services such as mail, Web, databases, printing, running services, package management and so on. On a mail server, you might want to make /var/spool/mail, or /var/mail in Solaris, a separate partition, or, even better, a separate disk array. If you only create one separate partition from /, /var is the one you should separate.

The /usr/local directory structure, and in Solaris the /opt directory, often contains locally installed optional software, configuration files and data.

/usr/local is normally not affected by operating system upgrades. Depending on how you use those directories, they too can be mounted as read-only.

These are suggestions and guidelines only and are different from recommended settings for a system that contains user accounts, usually in /home.
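
The layout described above can be checked against a server's filesystem table. The script below is an added example, not part of the original tip: it reads a file in Linux /etc/fstab column order and reports which of /tmp, /var and /usr lack their own partition, whether a swap entry exists, and whether /usr is mounted read-only. The function names, device names and ext3 type in the sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an fstab-format file against the layout described in the tip.

# Print the mount options of MOUNTPOINT ($2) in FILE ($1); fail if it has no entry.
mount_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; found = 1; exit }
                    END { exit !found }' "$1"
}

# Print one finding per line for FILE ($1); print nothing if the layout matches.
audit_fstab() {
    # A directory that shares / lets logs, spools or temp files fill the root partition.
    for mp in /tmp /var /usr; do
        mount_opts "$1" "$mp" >/dev/null || echo "MISSING: $mp is not a separate partition"
    done
    awk '$1 !~ /^#/ && $3 == "swap" { found = 1 } END { exit !found }' "$1" ||
        echo "MISSING: no swap entry"
    # /usr holds no changing data, so the tip suggests mounting it read-only.
    if opts=$(mount_opts "$1" /usr); then
        case ",$opts," in
            *,ro,*) ;;
            *) echo "WEAK: /usr is mounted read-write ($opts)" ;;
        esac
    fi
    return 0
}

# Constructed sample input: a single-partition install and a segmented one.
sample_flat() {
    cat <<'EOF'
# device     mountpoint  type  options   dump pass
/dev/sda1    /           ext3  defaults  1 1
/dev/sda2    swap        swap  defaults  0 0
EOF
}
sample_segmented() {
    cat <<'EOF'
/dev/sda1    /           ext3  defaults  1 1
/dev/sda2    swap        swap  defaults  0 0
/dev/sda3    /tmp        ext3  defaults  1 2
/dev/sda5    /var        ext3  defaults  1 2
/dev/sda6    /usr        ext3  ro        1 2
EOF
}

tmp=$(mktemp)
sample_flat > "$tmp"; echo "flat layout:"; audit_fstab "$tmp"
sample_segmented > "$tmp"; echo "segmented layout:"; audit_fstab "$tmp"
rm -f "$tmp"
```

To audit a live Linux system, call audit_fstab /etc/fstab; Solaris keeps its table in /etc/vfstab with a different column order, so the field numbers would need adjusting there.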


To read this entire tip, click over to InformIT. You have to register there, but it's free.


This was first published in June 2001
