View previous topic :: View next topic |
Author |
Message |
Enigmatic n00b
Joined: 22 Nov 2002 Posts: 6
|
Posted: Thu Mar 20, 2003 4:45 am Post subject: Best secure partitioning method |
|
|
I'm setting up a server for a class at my school. The goal is to have a fully operational server that will withstand several types of hacking attempts. I choose gentoo since I fell in love with it at home, and I'm now looking for some advise.
We're going to partition and start the install tomorrow, and I'm trying to figure out the partitioning scheme currently. I want to head off any drive filling and script kiddie style stuff. I have a 40 gig hard drive to play with.
Here's the partiting I'm thinking of
/boot--------------------100 megs
swap--------------------400 megs
/-------------------------50 megs
/usr----------------------2 Gigs
/opt->/usr/local---------4 Gigs
/tmp----------------------100 megs
/var----------------------300 megs
|--/tmp - portage use---2 Gigs
/etc-----------------------300 megs
/root----------------------100 megs
/backup------------------2 Gigs (not usually mounted)
/home--------------------excess |
|
Back to top |
|
|
kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
|
Posted: Thu Mar 20, 2003 5:32 am Post subject: partitions |
|
|
That looks a little odd to me, but with out a little more info it's hard to say if it work or not.
swap and /tmp are the same thing
The rule of thumb is 1.5-2.0x the amount of ram, I'd expect this to at least a 1GB with a server.
/ toss 500MB at it just in case
/ root at 100MB looked okay
/var is much too small. If you going to be running a server of any sorts this will fill up fast. 6GB or larger. I'd also blow off the /tmp-portage stuff and give the space to /var
/boot looked okay at 100MB
/opt... are you going to put anything special in it? 1GB
/usr at 2GB looks pretty good
/etc/ at 300MB looked okay
What's the purpose of the backup partition?
Personally I just give / 1GB and skip the /etc /opt/ and /root stuff.
kashani _________________ Will personally fix your server in exchange for motorcycle related shop tools in good shape. |
|
Back to top |
|
|
Enigmatic n00b
Joined: 22 Nov 2002 Posts: 6
|
Posted: Thu Mar 20, 2003 5:37 am Post subject: |
|
|
I didn't know swap and /tmp were the same. Thanks for the info...
the backup partition is to toss all our config stuff and have it stored on a local space. We'll also be holding backups offline, but this is just for our own ease.
as far as opt, I don't think there's anything magic going in there. I was just trying to plan for anything that might show up.
I want a seperate /root partition to keep anyone from sending a e-mail bomb or something and filling up the / |
|
Back to top |
|
|
puddpunk l33t
Joined: 20 Jul 2002 Posts: 681 Location: New Zealand
|
Posted: Thu Mar 20, 2003 9:26 am Post subject: |
|
|
You can make temp as big as you want. Just try and enable Quotas, and keep it seperate from "working" partitions (i.e. usr, var etc...) and you shouldn't have any trouble.
Check the Gentoo Security Guide, it's in the Docs section of the main website. IIRC, it had something about partitioning. |
|
Back to top |
|
|
Allaa-Z n00b
Joined: 28 Feb 2003 Posts: 2
|
Posted: Thu Mar 20, 2003 10:24 am Post subject: |
|
|
What do you mean by 'swap and /tmp is the same thing'? of course they are not!
I suggest to have a swap partition of 4x your ram size. The current VM is doing very well swapping and it can (depending on your application) use 4x memory swapping with acceptable performance. |
|
Back to top |
|
|
tukem Tux's lil' helper
Joined: 25 Jun 2002 Posts: 114 Location: Tampere, Finland
|
Posted: Thu Mar 20, 2003 12:46 pm Post subject: |
|
|
And when setting /usr size don't forget that /usr/portage can get quite big unless you're actively emptying /usr/portage/distfiles. In gentoo there are also a lot of library files that take up space.
On my P120 48MB "server" machine which have X installed (no KDE or Gnome though ) /usr takes 1.8GB. I recently emptied /usr/portage/distfiles so now it takes only 97MB. |
|
Back to top |
|
|
splooge l33t
Joined: 30 Aug 2002 Posts: 636
|
Posted: Thu Mar 20, 2003 2:07 pm Post subject: |
|
|
IIRC /etc has to be off the root partition so the kernel can read configuration files on bootup.
I may be way wrong here though =) |
|
Back to top |
|
|
tgoodaire Tux's lil' helper
Joined: 31 Jan 2003 Posts: 145 Location: Dartmouth, Nova Scotia, Canada
|
Posted: Thu Mar 20, 2003 5:41 pm Post subject: |
|
|
First of all, /tmp and swap aren't the same. I don't know where that idea came from, but it's wrong.
The old rule for swap is that it should be twice the amount of RAM you have. Now that it's common to have 256 or 512 or more, the rule doesn't make sense. Think about it. If you have 512MB or RAM, you probably won't even use all of it, let alone the recommended 1GB for swap. I usually allow 150MB or so for swap in any machine with more than 128MB of RAM.
300MB for /var should be plenty. Even with servers installed. The only server-related stuff that will take up any space is mail spool files. Even then, 300MB of mail is a lot. I usually make my /var 100MB, but I'm only delivering local email. It really depends on what you're going to be using the server for. If you'll be handling email for a bunch of email accounts, adjust your /var partition accordingly.
Likewise, 300MB for /etc is pretty massive. (It's just text files in there after all). This should be part of the / partition, as it needs to be accessed at boot time. (/etc/init.d/ /etc/fstab /etc/inittab...)
100MB for /boot is pretty big too. I know that in the portage install docs it recommends that, but even with two kernels in mine (stable and testing), I'm only taking up 12MB. I usually make my /boot partition 30MB, which is way more than you'll need.
Having seperate partitions for /usr and /usr/local is a great idea. I do this on my servers too. After you've installed everything, you can have /usr mounted as read-only at boot-time for security reasons.
I also use a /var/tmp partition for portage to build in. Mine is 1GB.
Here's how I have my 40GB harddrive partitioned:
/ 1GB 117MB used
/var 100MB 26MB used
/tmp 100MB 18K used
/var/tmp 1GB 166MB used
/usr 2GB 906MB used
/usr/local 1GB Nothing there. Yet.
/home the rest
This is with apache, mysql, php, qmail, proftp installed. _________________ I bent my wookie. |
|
Back to top |
|
|
honold n00b
Joined: 29 Jan 2003 Posts: 22
|
Posted: Thu Mar 20, 2003 9:52 pm Post subject: |
|
|
if you're discussing partition/mount schemes for SECURITY purposes, look at mounting nosuid for openers.
use openbsd 3.3 for hints. |
|
Back to top |
|
|
Chris W l33t
Joined: 25 Jun 2002 Posts: 972 Location: Brisbane, Australia
|
Posted: Thu Mar 20, 2003 11:42 pm Post subject: |
|
|
The idea that /tmp and swap are the same thing come from the Solaris world where this is the case. On Solaris /tmp is truly temporary, and does not survive reboot. This is not the case with Gentoo or any other Linux I've dealt with. _________________ Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein |
|
Back to top |
|
|
antik Apprentice
Joined: 01 Oct 2002 Posts: 212
|
Posted: Fri Mar 21, 2003 12:59 am Post subject: |
|
|
Allaa-Z wrote: | What do you mean by 'swap and /tmp is the same thing'? of course they are not!
I suggest to have a swap partition of 4x your ram size. The current VM is doing very well swapping and it can (depending on your application) use 4x memory swapping with acceptable performance. |
I recommend /tmp 1-2GB and mount it for security reasons with noexec option. _________________ "Yes, I know Linux runs faster, but they can do that because they have thrown out the weight of the airbag, collision frame and safety belt." —Poul-Henning Kamp |
|
Back to top |
|
|
dweigert Guru
Joined: 04 Oct 2002 Posts: 369 Location: Somerset, NJ USA
|
Posted: Fri Mar 21, 2003 4:08 pm Post subject: |
|
|
You are correct that Solaris defaults to using tmpfs (which builds in swap), but experienced admins NEVER use it. What the heck happens if you fill up swap by using LARGE amounts of space in /tmp????
They were idiots for that.
Dan
(Unix admin since 1984) _________________ "Always remember to mount a scratch monkey..." |
|
Back to top |
|
|
wallace1819 Apprentice
Joined: 17 Aug 2002 Posts: 195 Location: VT
|
Posted: Fri Mar 21, 2003 5:37 pm Post subject: partitioning |
|
|
One really can not answer this question with out knowing what this server is going to be serving. Secure partitioning schemes usually differ based on the purpose of the machine and its expected load. There are some secure partitioning basics though.
IMHO...
/boot = noauto (100MB is usually more than adiquite)
swap = twice the amout of RAM with a 256MB max
/tmp = noexec nosuid
/var/tmp = (the portage temp work directories should not be on the same partition as your logs!)
/var = noexec nosuid (the size of this depends on the load and how often the logs are backed up. A little family website obviously does not generate the same amount of logs as a major e-commerce site!)
/
Depending on what the machine will be used for...
/home (if lots of other users)
/<root dir of web server> (if a web server)
/<root dir of ftp> (if ftp server)
/<mail dir> (if mail server)
/opt or /usr/local (if many users or if the machine is acting as a workstation and would have OO or java etc...)
It also depends on how secure you need to be. Security is a balance between safety and accessability. Partitioning for security and partitioning for administration are very different. Some partitioning schemes are really secure but make backups and administration a major headache. For example, you could mount your binary dirs ro exec and only mount them rw when you need to update the system.
hope this helps,
wallace |
|
Back to top |
|
|
kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
|
Posted: Fri Mar 21, 2003 6:02 pm Post subject: |
|
|
Chris W wrote: | The idea that /tmp and swap are the same thing come from the Solaris world where this is the case. On Solaris /tmp is truly temporary, and does not survive reboot. This is not the case with Gentoo or any other Linux I've dealt with. |
Oh good. I kept trying to figure out where I got that idea and I hadn't had to do any real admin work on a Sun box is 2 years. Thanks for the correction.
kashani _________________ Will personally fix your server in exchange for motorcycle related shop tools in good shape. |
|
Back to top |
|
|
kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
|
Posted: Fri Mar 21, 2003 6:42 pm Post subject: more on var |
|
|
tgoodaire wrote: |
300MB for /var should be plenty. Even with servers installed. The only server-related stuff that will take up any space is mail spool files. Even then, 300MB of mail is a lot. I usually make my /var 100MB, but I'm only delivering local email. It really depends on what you're going to be using the server for. If you'll be handling email for a bunch of email accounts, adjust your /var partition accordingly.
|
I'm still a proponent for a larger /var partition, maybe not 6GB for the average user, but still much bigger than 300MB.
1. MTA. The queue is usually in /var so large mails, if you accept them, could cause problems.
2. MySQL and Postgres both have db files in /var
3. Logs, logs, and more logs. With my small apache site, 2 months of logs is 90MB. Granted I just noticed some wacky things in those logs that I should fix in my scripts and server, but a moderate site could chew though through quite a bit of your /var
4. squid caches in /var
Not that anyone will likely see anything near this, but it's my morning tribluation today and it's sort of amusing... at least I didn't run out of inodes again.
[root@laxlxmx01 root]# du -sh /var/qmail/queue/
5.2G /var/qmail/queue
kashani _________________ Will personally fix your server in exchange for motorcycle related shop tools in good shape. |
|
Back to top |
|
|
tgoodaire Tux's lil' helper
Joined: 31 Jan 2003 Posts: 145 Location: Dartmouth, Nova Scotia, Canada
|
Posted: Fri Mar 21, 2003 7:03 pm Post subject: |
|
|
You could always rotate your logs with logrotate. Then they wouldn't get to be that big. There's no need to have that much logging information hanging around. Rotate your logs regularly, and back them up somewhere if you really want them. _________________ I bent my wookie. |
|
Back to top |
|
|
kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
|
Posted: Fri Mar 21, 2003 7:58 pm Post subject: |
|
|
tgoodaire wrote: | You could always rotate your logs with logrotate. Then they wouldn't get to be that big. There's no need to have that much logging information hanging around. Rotate your logs regularly, and back them up somewhere if you really want them. |
Sure, sure. I think it's more design philosophy at this point. I take the approach that someone, some program, whatever is going to screw up. Will a 300 MB /var partition protect me from Murphy's Law as well as a 2GB partition? If I fill /home what's the worse that happens? The users might not be happy, email blocks, and some other not so great things. If /var fills up the server becomes very unhappy, load shoots to 200 depending on what's running, I might not be able to log onto the box, etc.
kashani _________________ Will personally fix your server in exchange for motorcycle related shop tools in good shape. |
|
Back to top |
|
|
|