Server Defender

If you are connected to the Internet you run the risk that one day someone will find a way into your server and do damage to your data.

Although you greatly reduce your risk by staying on top of your software updates, the more protection the better. Here is a way to trap an attacker so that if they ever do get inside your server, the amount of damage they can do is reduced. The plan is to build a server with two partitions: a system partition that is mounted read only, so that none of your system programs can be changed, and a data partition for files that can be changed but from which no programs can be run. This will effectively lock you out of your own system also.

Begin by installing a fresh OS on your server. For this example I will use Mandrake but any quality Linux OS will do just fine.

Install all the software exactly the way you want it and make sure that everything is working. Once you activate the Server Defender you will be locked out until you reboot the server. Remove any programs you don't need. Set your security to block any ports you will not be using.

Now that you have the server set up the way you like it, run df to find the size of your server install. Remember this size.

Now you need to connect a second hard drive of about the same size or bigger and create four partitions (five if your OS needs a separate /boot):
/
The main root partition; make it the same size as your install on the first hard drive. This partition will be mounted as a read only file system, so ext3 is not needed and ext2 would be slightly faster.
/lockedout
Your locked out partition is where all the programs go that you do not want an attacker to have access to, like the mount program. You should not need any more than 100 MB for this.
/data
The partition where data needs to be written and where we will deny programs from running. This should be the rest of your drive unless you need a 20 MB boot partition. You should make this an ext3 partition.
/boot
If your OS needs a boot partition you can make this also, but you will need to set it up just like the / root partition. This only needs to be about 20 MB. Most systems only need about 6 or 8 MB but 20 will do.
swap
You need a swap partition. If you don't know how big it needs to be, just make it 128 MB. Some people think it needs to be as big as your RAM but that is not true. My server never uses more than 80 MB of swap space under the heaviest load. I would never need 1 GB of swap space and neither do you.

After the partitions are made and formatted you need to copy your working server install over to the other drive. Just put everything in the main root partition for now. If you use a boot partition, copy only your /boot directory into there.

You will need to use chroot to switch over to the other drive and install your boot loader, LILO or GRUB. You will need to read up on that.

Reboot your system with the new hard drive as your main OS. You should remove the other drive, so that if you trash this install you can try again without having to reinstall everything.

Once your system is up and running, mount your other partitions, /data and /lockedout.

The LOCKEDOUT partition
Find your mount program by running "whereis mount"; it should be in /bin, but you will need to know how to use the whereis command so it is good to practice. Make a copy of it, "cp /bin/mount /bin/OOPS_mount", so that if you accidentally lock yourself out you will not need to reboot. We will delete this file later.

Populate your /lockedout with the files you want to lock out, keeping their full paths. So for example I would begin by making these directories like so

mkdir -p /lockedout/bin/
mkdir -p /lockedout/sbin/
mkdir -p /lockedout/usr/bin/
mkdir -p /lockedout/usr/sbin/

And then move over the files you want to lock out. If you don't find these files where I found them, use whereis to find them. As soon as you move each one, create a symbolic link to it. If you want to lock out the ln program that creates links, you will need to run it differently than the others: call the moved copy by its new full path to create its own link. Keep track of what files you move; we are going to create a wrapper for them.

mv /bin/ln /lockedout/bin/; /lockedout/bin/ln -s /lockedout/bin/ln /bin/ln
mv /bin/mount /lockedout/bin/; ln -s /lockedout/bin/mount /bin/mount
mv /bin/chmod /lockedout/bin/; ln -s /lockedout/bin/chmod /bin/chmod
mv /bin/chown /lockedout/bin/; ln -s /lockedout/bin/chown /bin/chown
mv /usr/sbin/chroot /lockedout/usr/sbin/; ln -s /lockedout/usr/sbin/chroot /usr/sbin/chroot
mv /usr/bin/ssh /lockedout/usr/bin/; ln -s /lockedout/usr/bin/ssh /usr/bin/ssh


The DATA partition
Now it is time to populate your data partition.

In much the same way you created your /lockedout and moved programs over to it, you can now do the same with your data files: move them to the /data partition and create symlinks for them.

mv /tmp /data/; ln -s /data/tmp /tmp
mv /var /data/; ln -s /data/var /var


The Server Defender scripts
Now create a script to send you an email if anyone runs a command that you locked out. Call it /bin/ServerDefender.bsh
#!/bin/bash
# Alert script: a copy of this is put in place of every locked-out program.
# $0 is the name it was invoked under, so the mail says which program was tried.
echo "Someone is trying to run $0 on the server" | mail -s "Server Defender email alert" you@youraddress

Then make it an executable script with chmod 755 /bin/ServerDefender.bsh

Unmount your /lockedout. With the partition out of the way, the mount point on the root file system is an empty directory, so recreate the bin/, sbin/, usr/bin/ and usr/sbin/ directories under it, then recreate every file you had moved there (chroot and ssh included) as a copy of ServerDefender.bsh, like so
cp /bin/ServerDefender.bsh /lockedout/bin/ln
cp /bin/ServerDefender.bsh /lockedout/bin/mount
cp /bin/ServerDefender.bsh /lockedout/bin/chmod
cp /bin/ServerDefender.bsh /lockedout/bin/chown

This makes it so that the links you created still point to paths on the read only partition, but instead of doing what the attacker thinks they do, the decoys there actually send you an email when they are run.
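Added example, written for this article rather than taken from it: shell helpers for the move-and-symlink step above and for the decoy step after /lockedout is unmounted, plus a check that every locked-out path really ends in a decoy. ROOT (a prefix for rehearsing in a scratch directory) and the lockedout.list record file are assumptions; on the real server ROOT is unset and the script runs as root.

```shell
#!/bin/sh
# Added example, not part of the original article: helpers for the lockedout
# steps. ROOT is an assumed prefix so the script can be rehearsed in a scratch
# directory; on the real server run it as root with ROOT unset (the default).
set -eu
ROOT="${ROOT:-}"
LOCKEDOUT="$ROOT/lockedout"
MOVED="$ROOT/lockedout.list"   # assumed name: record of every program moved

# Move one program into /lockedout and leave a symlink where it used to be.
# If ln itself has already been moved, use the relocated copy to make the link.
lockout() {
    prog="$1"                                   # e.g. /bin/mount
    mkdir -p "$LOCKEDOUT$(dirname "$prog")"
    mv "$ROOT$prog" "$LOCKEDOUT$prog"
    if [ -x "$LOCKEDOUT/bin/ln" ]; then LN="$LOCKEDOUT/bin/ln"; else LN=ln; fi
    "$LN" -s "/lockedout$prog" "$ROOT$prog"
    echo "$prog" >> "$MOVED"
}

# After /lockedout is unmounted, put a copy of the alert script at every path
# the symlinks point to. cp carries the mode bits over, so chmod (which is
# itself locked out by now) is not needed when the alert script is 755.
make_decoys() {
    alert="$1"                                  # e.g. /bin/ServerDefender.bsh
    while read -r prog; do
        mkdir -p "$LOCKEDOUT$(dirname "$prog")"
        cp "$ROOT$alert" "$LOCKEDOUT$prog"
    done < "$MOVED"
}

# Check that every locked-out path is a symlink and that the file it points
# to is the decoy. Returns 0 when all are in place, 1 on the first problem.
verify_decoys() {
    alert="$1"
    while read -r prog; do
        [ -L "$ROOT$prog" ] || { echo "not a symlink: $prog"; return 1; }
        cmp -s "$ROOT$alert" "$LOCKEDOUT$prog" || { echo "no decoy: $prog"; return 1; }
    done < "$MOVED"
    return 0
}
```

Run verify_decoys after the reboot as well; a clean result means the links, the unmount and the decoys all lined up.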

Servers should only be run in run level 3. Look in your /etc/inittab file for this line: "id:3:initdefault:"

Create a script to run at run level 3 that remounts your root partition read only and unmounts the lockedout partition. This script should go in /etc/init.d/ServerDefender (remember to make it executable), and create a link to it that runs the script at boot time, like so: ln -s /etc/init.d/ServerDefender /etc/rc3.d/S70ServerDefender

#!/bin/sh
# /etc/init.d/ServerDefender: run from /etc/rc3.d/S70ServerDefender at boot.
# Freeze the system partition, then take the locked-out tools out of reach.
mount -o remount,ro /
umount /lockedout

Edit your /etc/fstab file and add lines to mount your partitions for /lockedout and /data. For the data partition add the noexec option.
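As an added check (not from the original article), this script verifies that an fstab carries the /lockedout entry and the noexec option on /data before you reboot; the device names in SAMPLE_FSTAB are constructed. Note that noexec stops programs from being executed directly from /data; a script handed to an interpreter that lives on the system partition is not covered by it, so treat it as one layer rather than the whole defense.

```shell
#!/bin/sh
# Added example, not part of the original article: check an fstab for the
# Server Defender layout. Device names in SAMPLE_FSTAB are constructed.
set -eu
SAMPLE_FSTAB='/dev/hdb1 /          ext2 defaults        1 1
/dev/hdb2 /lockedout ext2 defaults        1 2
/dev/hdb3 /data      ext3 defaults,noexec 1 2
/dev/hdb4 swap       swap defaults        0 0'

# has_mount FSTAB MOUNTPOINT: 0 if a non-comment line mounts MOUNTPOINT
has_mount() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { ok = 1 } END { if (ok) exit 0; exit 1 }' "$1"
}

# has_option FSTAB MOUNTPOINT OPTION: 0 if MOUNTPOINT's option list contains OPTION
has_option() {
    awk -v mp="$2" -v opt="$3" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) ok = 1
        }
        END { if (ok) exit 0; exit 1 }' "$1"
}

# check_fstab FSTAB: both partitions listed, and /data cannot run programs
check_fstab() {
    has_mount "$1" /lockedout || { echo "/lockedout is not in fstab"; return 1; }
    has_mount "$1" /data      || { echo "/data is not in fstab"; return 1; }
    has_option "$1" /data noexec || { echo "/data is missing noexec"; return 1; }
    return 0
}
```

Run check_fstab /etc/fstab on the server; a non-zero exit names the first thing that is missing.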

Reboot your server and see if you are locked out. Of course your web pages and email should continue to work for you.

From now on, if you need to change anything you will need to reboot your server in run level 2 so that ServerDefender does not get run.