ShareWiz Ultra Secure Server Setup
Disk Security
Disk Security
Separate partitions
Have separate partitions for the /, /boot, /usr, /var, /tmp, /srv, /opt, /home and swap partitions. Place all partitions, besides the boot partition within a Logical Volume Manager (LVM).
Having separate partition in itself does not benefit the security of the Ubuntu server, but it does aid other hardening and security tools.
Additionally, on an Ubuntu system, you should create /var a little bit bigger than on other systems, because downloaded packages (the apt cache) are stored in /var/cache/apt/archives.
Traditionally, any directory tree which a user has write permissions to, such as e.g. /home, /tmp and /var/tmp/, would be on a separate partition, which reduced the risk of a user Denial-of-Service (DoS) by filling up the "/" mount point and rendering the system unusable. This is not true anymore, since there is always some space reserved for root which a normal user cannot fill.
From a security point of view, it makes sense to try to move static data to its own partition, and then mount that partition read-only.
The reason for using Logical Volume Manager (LVM) is that any partition within an LVM can be resized fairly easily if additional space is required. Additionally, LVM’s allows partitions to expand multiple physical volumes.
It is recommended to leave some partition space unused so that there is some free space left for growth.
Create seperate partitions where required (Optional)
As suggested above, having separate partition can aid hardening a server.
Repeat the following instructions for every directory you may want to have as it's own partition.
Decide on a name for the new partition.
For this example we are proposing to have a seperate partition named /test.
If that partition name already exists as a directory of an existing partition, then back them up by issueing the following command:
cd /
sudo cp -Rp /test /backup/test
Delete the existing /test directory is it exists, by issueing the following commands:
sudo rm -rf /test
Create the new partition, for example with 1GB, by issueing the following commands:
sudo dd if=/dev/zero of=/var/test bs=1024 count=1048576
sudo mkfs.ext4 -j /var/test
Notice that the new partition /var/test is created in /var. This could be created elsewhere.
Warning: This will erase anything in the output location, in this case /var/test, so be very careful.
Answer "y" if prompted: /var/test is not a block special device.
Mount the /test partition, by issueing the following commands:
Modify the permissions of the /test partition, by issueing the following commands:
sudo chmod 0777 /test
sudo chown root:root /test
Restore the previously backed-up files, by issueing the following commands:
sudo cp -Rp /backup/test/* /test/
sudo rm -rf /backup/test
Remove and re-link old /var/test file:
sudo rm -rf /var/test
sudo ln -s /test/ /var/test
Confirm that /test is mounted, by issueing the following commands:
mount
Allow the new /test partition to be mounted at boot, by issueing the following commands:
sudo cp /etc/fstab /etc/fstab-orig
sudo sh -c 'echo "/var/test /test ext4 loop,rw,noexec,nosuid,nodev 0 0" >> /etc/fstab'
Choose the appropriate File System
Use the ext4 file system.
It is recommended that you always use a journaling file system, such as ext4, reiserfs, jfs or xfs, to minimize the problems derived from a system crash.
Ubuntu defaults to ext4, which is the recommended file system to use. The reason for this is that it is backwards compatible with ext3 and ext2, so if there are any issues with the journaling you can disable it and still have a working file system. It also allows recovery of the system with a bootdisk (or CD-ROM) without requiring a custom kernel. The ext4 file system also has better data integrity since it does file-data journaling while others do only meta-data journaling.
Disk Mount Options
Mount /tmp with 'noexec' and 'nosuid' (Optional)
Edit the /etc/fstab file by issueing the command:
and change the line:
/dev/mapper/vg01-tmp /tmp ext4 defaults 0 2
to:
/dev/mapper/vg01-tmp /tmp ext4 defaults,noexec,nosuid 0 2
and save the file.
WARNING: Mounting filesystems with 'noexec' and 'nosuid' flags raises the bar a little, but it doesn't stop files from being executed. The Linux linker and loader will still permit binaries to be run, as will be demonstrated later. However, this is still recommended, as it does offer a slight security-enhancement.
Using nosuid will prevent the setuid and setgid bits from having effect. setuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group. This prevents SUID attacks on the /tmp filesystem.
The noexec option prevents executing binary files on the file-system. noexec might be useful for a partition that contains no binaries, like /var, or contains binaries you do not want to execute on your system, or that cannot even be executed on your system, such in the case of a Windows partition.
The nodev option can also be used and prevents use of device files on the file-system. Lock down a system preventing breaching by simply creating hda1 or sda1 devices that are not writable by all.
Modify the mount options any other file-systems as applicable. Recommended file-systems to mount with 'noexec' and 'nosuid' include /tmp and /var.
Sometimes apt-get fails to work with the above changes, as when it upgrades the system it will sometimes place scripts inside the /tmp directory which will now not be executable.
Another possible side effect of mounting /tmp noexec is that logrotate may fail when rotating apache2 and cupsd logs.
Solutions to these problems are shown next.
Fix apt-get issues with /tmp locked down with 'noexec' and 'nosuid'
Issue the following command:
and add the following to the file:
DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};
Sometimes apt-get fails to work with the above changes, as when it upgrades the system it will sometimes place scripts inside the /tmp directory which will now not be executable.
The fix for this is to temporarily make the /tmp directory executable before running apt-get and then remove the execution bits afterwards.
The first line runs before any packing installation and the second one runs after the install. They merely execute the commands required to add and remove the execute permissions on the /tmp partition.
By using the 50tmp file it should trigger the commands before the70debconf file runs.
Issue the command man apt.conf for further information on apt options.
Fix logrotate issues with /tmp locked down with 'noexec' and 'nosuid'
Issue the following command:
and add the following to the file before any tests:
TMPDIR=/var/tmp; export TMPDIR
There is a debian bug for this, but I'm not sure what its status is. The fix is not well documented. It should be added to a debian readme for the logrotate package.
Mount /tmp now with noexec and nosuid
Issue the following command:
Confirm that /tmp is mounted with noexec and nosuid
Issue the following command:
which should display:
/dev/mapper/vg01-tmp on /tmp type ext4 (rw,noexec,nosuid)
The output line should contain the two words 'noexec,nosuid' in it. If so then it's working.
An alternative command to use to check whether /tmp is mounted okay is:
which should display:
/dev/mapper/vg01-tmp /tmp ext4 rw,noexec,nosuid,relatime,user_xattr,barrier=1,data=ordered 0 0
Check that executables cannot run from /tmp
Copy an executable into it, by issueing the following command:
and then update the file permissions, by issueing the following command:
and then test it, by issueing the following command:
which should display:
But let try another way to run it, by issueing the following command:
sudo /lib64/ld-linux-x86-64.so.2 /tmp/ls
which should display a list of file.
Note that on some systems the command to run is: sudo /lib/ld-linux.so.2 /tmp/ls
Cleanup, by issueing the following command:
Mounting filesystems with 'noexec' and 'nosuid' flags raises the bar a little, but it doesn't stop files from being executed. The Linux linker and loader will permit binaries to be run.
It does help foil basic attacks that rely upon running scripts in /tmp.
Note that on some systems the command to run is sudo /lib/ld-linux.so.2 /tmp/ls