How to secure colocated server?

Is there a software solution to protect OS against someone who has physical access to a server?
After installation there will be just remote access. I understand that physical access equals total access but I need to have something atleast against simple attacks.

 

Not really. You can use disk encryption, but physical access trumps software security.

 

You'd need physically secure hardware, designed such that all potentially effective attacks trigger total and irreversible destruction of all sensitive data. Nontrivial, AFAIK. Not even our TLA friends have perfect track records -- e.g., that US spy plane that landed on Hainan Island in 2001 after hitting a Chinese fighter.

 

Tahoe-LAFS

http://tahoe-lafs.org/trac/tahoe-lafs

 

Thanks for replays.

I plan this server for personal use only. So, hardware security and distributed systems are unreasonably expensive/complicated.

What I see feasible, after some research, is linux OS (Ubuntu) with full disk encription. For unattended boot - http://wiki.fukt.bsnet.se/wiki/Mandos

It won't cover from stoned boot, cooled ram or similar attacks but at least data won't be in a plain view.

Am I on a right track?

 

I don't think whole disk will work for you, especially if you are rebooting and don't have a DRAC or KVM. Ubuntu will do userland encryption so the OS isn't safe, but your data is.

The bottom line is it will keep out the honest, but not the evil. And this was the situation you are in without physical protections, so it meets the highest standard available to you (which is why i suggested it. )

 

That's very interesting. Thanks for the link.

It appears that Mandos is intended for LANs. Even assuming that it'll work over the net, it's problematic that the Mandos client knows the Mandos server's IP address. I suppose that the Mandos server could be hidden somehow -- e.g., as a Tor hidden service. For reliability, there could be multiple Mandos servers.

Also, perhaps one could build on that using tripwire to verify the integrity of the remote root filesystem, and rsync to get updates.

Edit: This may be of interest.