Hello,
A friend and I were discussing possible ways to secure a
linux system from getting hacked. We came up with a couple of
methods that might stop most script kiddies, but an experienced
hacker would still be able to work around. I was wondering what
others thought of them.
The first thought I had was to create separate partitions
for most of the root level files (/, /usr, /etc, /var, /dev, etc).
Then mount the ones containing binaries (/, /usr, etc.) read-only
and just allow writing to /etc, /dev, /var and /home. This
adds some protection but not a lot.
Then we had another idea. Create a lockable boot media
(cdrom, jazz, orb, etc) with a minimal install (w/ strict fire
wall rules in place). Once it boots have
it set up a big RAM disk. Then it would run the appropriate
mknod commands to setup /dev and copy all the files to the appropriate
place and unmount/eject the removable media
If any changes are made to the existing memory based file
system, it doesn't corrupt the original. If a reboot is forced, any
changes are lost.
Drawing on the experience of the group, is this sort of approach
possible/feasible? I'm sure there are holes we haven't thought of.
With as cheap as RAM is these days, a gig with 512 MB set aside for a
RAM
disk doesn't sound too bad... If it doesn't sound like a reasonable
approach, I won't waste time looking into it.
Thanks.
--
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|| || ||
|| Todd Littlefield || SPECTRUM Apps Group ||
|| Aprisma Mgmt. Tech. || - Tactical Division ||
|| [EMAIL PROTECTED] || - C, C++, Perl ||
|| (603) 334-2593 || - HTML, CGI, Java ||
|| || ||
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************