nV News Forums (http://www.nvnews.net/vbulletin/index.php)
-   General Linux (http://www.nvnews.net/vbulletin/forumdisplay.php?f=27)
-   -   A more secure install (http://www.nvnews.net/vbulletin/showthread.php?t=154091)

grey_1 08-15-10 06:53 AM

A more secure install
 
Hi guys - just looking to verify some things I've been reading, maybe gain a tip or two. By "more secure" I'm referring to protection from loss of data through breakage rather than hardening an existing install.

It's my understanding that setting up separate partitions for /tmp and /var can protect a system if a process begins uncontrollable writes...

/home I'll have on its own partition anyway, but for backup purposes /home and /etc are really the only *must haves*, but that backing up /etc alone doesn't preserve program updates.

Is this accurate? And would anyone mind sharing what type of partitioning scheme you use and why?

Thanks guys :)

Arup 08-16-10 03:51 AM

Re: A more secure install
 
In my case, all my sensitive stuff gets regularly backed up to a separate external drive. For partitioning, I use a separate partition named Data. This allows me to clean install Linux when new versions are released without losing data. I also keep an up-to-date image of Ubuntu LTS via Clonezilla so I can go back to it once I am done playing with other distros.

grey_1 08-16-10 07:30 AM

Re: A more secure install
 
Quote:

Originally Posted by Arup (Post 2302651)
In my case, all my sensitive stuff gets regularly backed up to a separate external drive. For partitioning, I use a separate partition named Data. This allows me to clean install Linux when new versions are released without losing data. I also keep an up-to-date image of Ubuntu LTS via Clonezilla so I can go back to it once I am done playing with other distros.

Thanks for that. :)

I keep my LTS install on a separate drive atm, where I'm looking to dual boot Fedora 13 and OS11.3 on another drive, but having that backup image will come in handy, I'm sure.

But this way I can mangle my "practice" installs and configs without damaging my primary.

Right now it's all about learning the Linux file structure and what are considered "best practices" by the community.

Thanks for sharing Arup.

wnd 08-19-10 08:47 AM

Re: A more secure install
 
Quote:

Originally Posted by grey_1 (Post 2302396)
protection from loss of data through breakage rather than hardening an existing install

It's my understanding that setting up separate partitions for /tmp and /var can protect a system if a process begins uncontrollable writes...

/home I'll have on its own partition anyway, but for backup purposes /home and /etc are really the only *must haves*, but that backing up /etc alone doesn't preserve program updates.

It is indeed useful to have a separate /home for a number of reasons, but the rest mostly depends on your goals. Separate /home prevents you from rendering your system unusable by filling up /var, and makes it easier to make backups for data that really matters. Having a separate /tmp can also be a good idea, but from my experience it is extremely rare for the size of /tmp to become a problem. If you worry about /tmp, you may also want to worry about /var/tmp, which is often used for boot-persistent temporary data.

/etc is probably the most interesting directory after /home. Backing up /etc does not automatically allow you to restore a lost system to its former self. Restoring /etc often requires deeper knowledge of the system. Information about (system wide) installed applications is often stored under /var/lib or such, but this is package manager and/or distribution dependent. On Debian-based systems, this information can be easily backed up, but having a copy of /var/lib is not the way. Preserving program updates is more harmful than it is useful. It is often easier and safer to restore a system with no applications than a system with broken or compromised applications.

Best practices depend on your distribution, but as for file system alone, File Hierarchy Standard is the way to go. Wikipedia links to a number of webpages about distribution-specific policies.

Finally, you obviously want to run backups on a separate disk, or remote host if possible. Having backups on local disk only protects from innocent accidents (e.g. rm), not from rogue applications (if mounted read-write), or kernel space and hardware failures.

My workstation basically has 32 GiB root (/) and 40 GiB home. The rest of the disk is split between /wrk (~518 GiB), Windows (one 100 GiB partition), and an experimental 4 GiB partition to make it easy to play with file systems. /wrk contains non-critical data such as media and games. Only /home and /wrk/pics (i.e. user created data) are backed up. I used to separate /tmp and root filesystem, but I always ended up filling up the other. Then again, disk space is cheap.

My server, on the other hand, has the following partition layout.
Code:

/dev/mapper/vg00-root
                         2064208    215944   1743408  12% /
tmpfs                     496976         0    496976   0% /lib/init/rw
udev                       10240       724      9516   8% /dev
tmpfs                     496976         0    496976   0% /dev/shm
/dev/sda1                 241116     24634    204034  11% /boot
/dev/mapper/vg00-home
                         8256952    363400   7809668   5% /home
/dev/mapper/vg00-tmp     2064208     68696   1890656   4% /tmp
/dev/mapper/vg00-usr     4128448    885184   3033552  23% /usr
/dev/mapper/vg00-var     4128448    773712   3145024  20% /var
/dev/mapper/vg00-log     2064208    128284   1831068   7% /var/log
/dev/mapper/vg00-spool
                         2064208     68772   1890580   4% /var/spool
/dev/mapper/vg00-www    82569904   5496468  75395716   7% /var/www
/dev/mapper/vg00-wrk   130852396 111108952  18414048  86% /wrk
/dev/md0               307663736 199341436  92693872  69% /raid

This layout separates critical system components (/bin, /lib, /etc, mounted under /) from security components (/var/log, also for remote workstation logging), http-server (/var/www, which also runs chrooted) and mail daemon (/var/spool) from the rest of the system. Separate /boot is mostly legacy, but it makes recovering an LVM system much easier. /raid contains RAID-1-mirrored space for workstation backups only. Running backups to such a system is dangerous, but considering current options that's the best I have. /wrk can be remotely mounted and is shared for intra. Technically this layout would allow me to run most of the filesystems read-only, but so far I've been lacking the motivation.
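
An added example, not part of wnd's post: a POSIX shell/awk check that reads df output in the format of the listing above, including the rows df wraps onto two lines when the device name is long, and reports every filesystem at or above a usage threshold. The function names, the thresholds and the choice of sample rows (copied from the listing) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag filesystems at or above a usage threshold.
# SAMPLE_DF is constructed from a few rows of the listing above.

SAMPLE_DF='/dev/mapper/vg00-root
                       2064208    215944   1743408  12% /
/dev/sda1               241116     24634    204034  11% /boot
/dev/mapper/vg00-log   2064208    128284   1831068   7% /var/log
/dev/mapper/vg00-spool
                       2064208     68772   1890580   4% /var/spool
/dev/mapper/vg00-wrk 130852396 111108952  18414048  86% /wrk'

# usage_over THRESHOLD: read df-style rows on stdin and print
# "mount use% device" for each filesystem at or above THRESHOLD percent.
usage_over() {
    awk -v limit="$1" '
        # A row holding only a device name is the first half of a wrapped
        # entry: remember it and join it with the numbers on the next line.
        NF == 1 { pending = $1; next }
        {
            if (pending != "") { dev = pending; off = 0; pending = "" }
            else               { dev = $1;      off = 1 }
            # Skip the header line or any row without a numeric Use% field.
            pct = $(off + 4)
            if (pct !~ /^[0-9]+%$/) next
            sub(/%$/, "", pct)
            if (pct + 0 >= limit + 0)
                printf "%s %d%% %s\n", $(off + 5), pct, dev
        }
    '
}

# Run the check against the embedded sample rows.
# On a live system the equivalent is: df -k | usage_over 80
check_sample() {
    printf '%s\n' "$SAMPLE_DF" | usage_over "$1"
}

check_sample 80
```

Run from cron against /var, /var/log and /tmp, a check like this gives warning before a runaway writer fills the partition that contains it.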

grey_1 08-19-10 10:15 AM

Re: A more secure install
 
Hi wnd - long time no see, hope you're doing well!

Thank you, thank you. You just answered my questions perfectly.

My goal as stated is simply to learn best practices while becoming more familiar with the file hierarchy standard. Right now I'm simply learning the basics e.g. structure, commands, repairing an install (which I create plenty of opportunity accidentally... :p)...

Soon I hope to have a server with 2 remote (just laptops) networked, which is where I'll begin to delve into the material you're touching on here.

Fantastic - thank you again!


All times are GMT -5.