How to secure colocated server?

Discussion in 'privacy technology' started by hook, Feb 20, 2011.

Thread Status:
Not open for further replies.
  1. hook

    hook Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    2
    Is there a software solution to protect OS against someone who has physical access to a server?
    After installation there will be just remote access. I understand that physical access equals total access but I need to have something atleast against simple attacks.
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Not really. You can use disk encryption, but physical access trumps software security.
     
  3. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    You'd need physically secure hardware, designed such that all potentially effective attacks trigger total and irreversible destruction of all sensitive data. Nontrivial, AFAIK. Not even our TLA friends have perfect track records -- e.g., that US spy plane that landed on Hainan Island in 2001 after hitting a Chinese fighter.
     
  4. nightrace

    nightrace Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    159
    Tahoe-LAFS

    http://tahoe-lafs.org/trac/tahoe-lafs
     
  5. hook

    hook Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    2
    Thanks for replays.

    I plan this server for personal use only. So, hardware security and distributed systems are unreasonably expensive/complicated.

    What I see feasible, after some research, is linux OS (Ubuntu) with full disk encription. For unattended boot - http://wiki.fukt.bsnet.se/wiki/Mandos

    It won't cover from stoned boot, cooled ram or similar attacks but at least data won't be in a plain view.

    Am I on a right track?
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I don't think whole disk will work for you, especially if you are rebooting and don't have a DRAC or KVM. Ubuntu will do userland encryption so the OS isn't safe, but your data is.

    The bottom line is it will keep out the honest, but not the evil. And this was the situation you are in without physical protections, so it meets the highest standard available to you (which is why i suggested it. :D )
     
  7. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    That's very interesting. Thanks for the link.

    It appears that Mandos is intended for LANs. Even assuming that it'll work over the net, it's problematic that the Mandos client knows the Mandos server's IP address. I suppose that the Mandos server could be hidden somehow -- e.g., as a Tor hidden service. For reliability, there could be multiple Mandos servers.

    Also, perhaps one could build on that using tripwire to verify the integrity of the remote root filesystem, and rsync to get updates.

    Edit: This may be of interest.
     
    Last edited: Feb 21, 2011
Loading...
Thread Status:
Not open for further replies.