Archive for the ‘Server General’ Category

Encrypted Partitions

Thursday, November 13th, 2008

Introduction

Ever been concerned with physical server security? All the data on a server, and the server itself, remain vulnerable to physical theft or tampering no matter how well you secure the online side of your business.

A basic scenario for concern is easy to find:

You store your important data on a server located in a server room or data center. You don’t own the server room, so you rely on the provider to protect the equipment physically, and that might not be enough.

In this article I will explain how to create an encrypted partition and mount it for use. The encrypted partition will actually be a file on an existing file system, but in order to read the contents of that file or mount it you need a password.

The first thing you need is the tools. I will be working with Debian 4.0 in this example, but it will work with other Linux distributions.

First, install the kernel headers for your running kernel version:

apt-get install kernel-headers-2.6.8-1-386

Then you need to install the tools for encryption:

apt-get install module-assistant loop-aes-source

This will install kernel modules onto your system. As you can see from the package name this is
module-assistant prepare
module-assistant build loop-aes
apt-get install loop-aes-utils
module-assistant install loop-aes

This will build and install the module. If all the above steps succeeded you are ready to go.

dd if=/dev/zero of=volume bs=4k count=1280
losetup -e AES128 /dev/loop1 volume
mkfs -t ext3 /dev/loop1
losetup -d /dev/loop1
mkdir /mnt/secure
mount volume -o loop=/dev/loop1,encryption=AES128 /mnt/secure/ -t ext3

What this will do is create a small (5MB) secure volume. To make the volume larger, increase the count value in the first line, where the dd utility is used. When you run these commands you will be asked for the password, after which the file system is mounted. After a reboot, or if the HDD is stolen, the thief will not be able to read the contents of the file without the password (which you should remember).

This is exceptionally useful for storing sensitive information: for example, you could point your database or web server at the secured partition for its data, or you could simply keep important files there.
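As an added example (a helper script of my own, not part of the procedure above), here is a small POSIX shell snippet around those steps: it computes how big the dd command makes the volume, and it checks that the encrypted loop mount is actually active before a service such as a database is started on /mnt/secure. The point of the check: after a reboot nothing mounts the volume until someone types the password, and a database started before that would quietly write plaintext into the empty /mnt/secure directory on the unencrypted root file system. It assumes the mount table (/etc/mtab by default) records the loop= and encryption= options the way the mount command above passes them; the SECURE_MOUNTS_TABLE variable and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the loop-AES volume
# procedure: size calculation and a mount guard. Function names and the
# SECURE_MOUNTS_TABLE variable are assumptions for illustration.

# Bytes written by "dd bs=<bs> count=<count>". Understands dd's k/M/G
# suffixes (powers of 1024), so "4k 1280" gives the post's 5 MB volume.
volume_bytes() {
    bs=$1
    count=$2
    case "$bs" in
        *k) bs=$(( ${bs%k} * 1024 )) ;;
        *M) bs=$(( ${bs%M} * 1024 * 1024 )) ;;
        *G) bs=$(( ${bs%G} * 1024 * 1024 * 1024 )) ;;
    esac
    echo $(( bs * count ))
}

# Succeed (exit 0) only if <mountpoint> is listed in the mount table as a
# loop device mounted with an encryption= option, i.e. the volume was set up
# the way the mount command in the post does it. The table defaults to
# /etc/mtab; set SECURE_MOUNTS_TABLE to check another file.
# Assumption: the mount table carries the loop=/encryption= options as given
# on the mount command line.
secure_mount_active() {
    mountpoint=$1
    table=${SECURE_MOUNTS_TABLE:-/etc/mtab}
    awk -v mp="$mountpoint" '
        $2 == mp && $1 ~ /^\/dev\/loop/ && $4 ~ /encryption=/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$table"
}

# Run a command only when the encrypted volume is mounted. After a reboot the
# volume stays unmounted until the password is typed in; a service started
# before that would write plaintext into the bare /mnt/secure directory.
start_if_secure() {
    mountpoint=$1
    shift
    if secure_mount_active "$mountpoint"; then
        "$@"
    else
        echo "refusing to start: $mountpoint is not an encrypted loop mount" >&2
        return 1
    fi
}

# Example use (constructed): guard a database start-up script.
#   start_if_secure /mnt/secure /etc/init.d/mysql start
```

Wrap the service start in start_if_secure from whatever script brings the service up after you have mounted the volume by hand; if the mount is missing the command is refused and nothing is written in the clear.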

Changing time zones and time on a server

Monday, November 3rd, 2008

Sometimes the server time zone or time is set incorrectly. Normally this doesn’t affect web applications, but for certain types of servers that deal with external data it matters a great deal. A mail server is one example: if the time zone is set incorrectly, sent messages carry wrong dates, and email clients show them as coming from the future or from far in the past.

Changing time zones on a server is easy. First you need to check which zone is configured now. This is done with the date command, which should return something like this:

Mon Nov  3 12:02:24 EET 2008

The TZ data files are located in /usr/share/zoneinfo. To change the TZ on the server, replace the /etc/localtime symlink with a link to the respective zone file.

For example you could use

ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime

This will set the TZ to Europe/Berlin. After this the clock will probably be off, so you need to synchronize the time with an external server to make sure it is set correctly.

This is done with the rdate utility (rdate needs to be installed first). You could type something like this:

rdate -s time-a.nist.gov

After this you need to write the system time to the HW (hardware) clock. This is done as follows:

hwclock --systohc

And now you should be done. Use the date command to verify the time and TZ.
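Again as an added example of my own (not from the post above), a few shell helpers for the time-zone procedure: one reads the zone name back out of the /etc/localtime symlink, one sets the link with the same ln -sf but refuses a zone name that does not exist under /usr/share/zoneinfo (a dangling link makes the C library silently fall back to UTC), and one computes the offset between the system clock and a reference timestamp so you can see how far off the clock was before running rdate and hwclock. The path parameters default to the real paths and exist only so the helpers can be tried out on a scratch directory; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for checking and changing
# the time zone. The optional path arguments default to the paths the post
# uses and exist so the functions can be exercised on a scratch directory.

# Print the zone behind the /etc/localtime symlink, e.g. "Europe/Berlin".
# Fails if the file is not a symlink pointing into the zoneinfo tree.
current_zone() {
    localtime=${1:-/etc/localtime}
    zoneinfo=${2:-/usr/share/zoneinfo}
    target=$(readlink "$localtime") || return 1
    case "$target" in
        "$zoneinfo"/*) echo "${target#"$zoneinfo"/}" ;;
        *) return 1 ;;
    esac
}

# Point /etc/localtime at the named zone, the same "ln -sf" as in the post,
# but only after checking that the zone file exists: a dangling link makes
# the C library fall back to UTC instead of reporting an error.
set_zone() {
    zone=$1
    localtime=${2:-/etc/localtime}
    zoneinfo=${3:-/usr/share/zoneinfo}
    if [ ! -f "$zoneinfo/$zone" ]; then
        echo "no such zone: $zone" >&2
        return 1
    fi
    ln -sf "$zoneinfo/$zone" "$localtime"
}

# Absolute difference in seconds between two epoch timestamps, for comparing
# the local clock (date +%s) against a reference read from a time server
# before deciding whether rdate -s and hwclock --systohc are needed.
clock_offset() {
    if [ "$1" -ge "$2" ]; then
        echo $(( $1 - $2 ))
    else
        echo $(( $2 - $1 ))
    fi
}

# Example use (constructed), run as root:
#   set_zone Europe/Berlin && current_zone
#   clock_offset "$(date +%s)" "$reference_epoch"
```

Running current_zone after the change is a quick way to confirm the link points where you think it does; a non-zero exit means /etc/localtime is not a symlink into the zoneinfo tree at all, which is worth knowing before you start chasing a wrong clock.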