ServerDefender
System Wide Fortification

In ServerDefender the hard drive is divided into many partitions that generally serve one of two functions: a partition is either read-only (ro) or cannot run programs (noexec). This locks the system down in that no new programs can be run and the programs that can be run cannot be modified. If an attacker finds an exploit for a program running on your server, they will not be able to effectively install and run harmful programs such as rootkits. Moreover, without the ability to install and run programs, many attempts to elevate a user to root access by means of specially crafted software will be ineffective and rendered harmless.

The mount program, normally found at /bin/mount, is moved to the partition mounted at /lockdown and is replaced by a symlink that points to /lockdown/mount.

The normal operating state of the server is Lockdown mode. In this mode the /lockdown partition is not mounted, which hides the real mount program. Stand-in programs exist in its place that perform no mount action at all and instead send email notices to the server administrator. In Lockdown mode the mount program is therefore unavailable: new mounts cannot be activated and existing mounts cannot be remounted.

When the legitimate system administrator wants to install new software or change features that are denied in Lockdown mode, the system must be rebooted into Administration mode. In Administration mode all mount points are mounted with default options, the Lockdown partition is mounted so that the real mount program is ready for use, general web services are not started, and firewall rules deny access from all IP addresses except SSH access from a select few IPs defined as the administrator's own static IPs. These IPs should be local to the network and not reachable from the Internet.

Device       Mount point    Options     Size          Details
/dev/sda1    /boot          ro          50MB          Needs to be at the beginning of the drive.
/dev/sda5    /etc           noexec      50MB          Writing new user accounts and configuration files is needed.
/dev/sda6    /etc/scripts   ro          50MB          Init scripts need to be run from here.
/dev/sda7    /dev           noexec      50MB          Copy of dev, mounted over top of dev. Needed to create new devices.
/dev/sda8    /root          noexec      50MB          Root needs to save files away from /home users.
/dev/sda9    /lockdown      ro,noauto   50MB          Keeps the real mount program locked away from attackers.
/dev/sda10   /tmp           noexec      500MB         Globally writable, but nothing may be run from it.
/dev/sda11   /var           noexec      5GB           Database files are written here, including SQL, email and log files.
/dev/sda12   /              ro          5GB           Root partition should be read-only.
/dev/sda13   /home          noexec      5GB           Users' home files are written here.
/dev/sda14   /server        noexec      remainder     Server files are written here.
/dev/sda15   swap           swap        500MB - 1GB   At the end of the drive. You can repartition later if needed.

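The partition table above and the Lockdown mode description amount to a policy that can be checked on a running system. The following audit script is an added example, not part of ServerDefender: it reads a mount table in /proc/mounts format (pass `"$(cat /proc/mounts)"` on a live machine; the sample below is constructed), verifies that each mount point in the table carries its required ro or noexec option, and confirms that /lockdown is not mounted.

```shell
# Added example, not part of ServerDefender: audit a mount table (the text of
# /proc/mounts, or the constructed sample below) against the partition table.
# mountpoint:required-option, taken from the ServerDefender partition table
POLICY="/:ro /boot:ro /etc:noexec /etc/scripts:ro /dev:noexec /root:noexec
        /tmp:noexec /var:noexec /home:noexec /server:noexec"

# Option string of the last (topmost) mount at point $2 in table $1, or empty.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { o = $4 } END { print o }'
}

# Returns 0 if every policy entry holds, 1 otherwise; prints each violation.
check_mounts() {
    rc=0
    for entry in $POLICY; do
        mp="${entry%%:*}"; want="${entry#*:}"
        opts=$(mount_opts "$1" "$mp")
        case ",$opts," in
            ",,")        echo "MISSING   $mp not mounted (expected $want)"; rc=1 ;;
            *",$want,"*) ;;
            *)           echo "VIOLATION $mp has '$opts', expected $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Returns 0 when /lockdown is NOT mounted, as Lockdown mode requires.
lockdown_hidden() {
    [ -z "$(mount_opts "$1" /lockdown)" ]
}

# Constructed sample in /proc/mounts format: a correct Lockdown-mode system.
GOOD="/dev/sda12 / ext3 ro,relatime 0 0
/dev/sda1 /boot ext3 ro,relatime 0 0
/dev/sda5 /etc ext3 rw,noexec,relatime 0 0
/dev/sda6 /etc/scripts ext3 ro,relatime 0 0
/dev/sda7 /dev ext3 rw,noexec,relatime 0 0
/dev/sda8 /root ext3 rw,noexec,relatime 0 0
/dev/sda10 /tmp ext3 rw,noexec,relatime 0 0
/dev/sda11 /var ext3 rw,noexec,relatime 0 0
/dev/sda13 /home ext3 rw,noexec,relatime 0 0
/dev/sda14 /server ext3 rw,noexec,relatime 0 0"
# Same system after /tmp was remounted without noexec and /lockdown appeared.
BAD="$GOOD
/dev/sda10 /tmp ext3 rw,relatime 0 0
/dev/sda9 /lockdown ext3 ro,relatime 0 0"

check_mounts "$BAD" || echo "Lockdown policy violated"
lockdown_hidden "$BAD" || echo "VIOLATION /lockdown is mounted"
```

Running the check from cron in Lockdown mode gives the administrator the same kind of notice the stand-in mount program sends, but triggered by the state of the mount table rather than by an attempted mount.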

Special situations of ServerDefender:
The /etc/init.d directory contains scripts that must be run any time the system changes run level, including at boot and shutdown. The contents of init.d are moved to the read-only /etc/scripts mount point and the init.d directory is replaced by a symlink to that mount point. The /etc and /etc/scripts mount points must be mounted by an initrd image at boot time. In addition to those scripts you should also consider moving the /etc/cron.(daily, hourly, monthly) directories. Debian servers running MySQL will also need to move /etc/mysql/debian-start. Remember to create symlinks that point to the new locations.

ServerDefender's unique and complex mounting situation requires that all partitions be mounted inside the initrd image before the system continues to boot.

After initrd is done, the init program will try to re-mount the root partition over top of the one set up by initrd. The initrd system must therefore do a pivot_root and disable the mounting of root when the init program runs.

All file system checks should be run by initrd before the partitions are mounted. The root system should not make any attempt to check the drives when it is booting.

The /boot partition cannot be written to in Lockdown mode, so the lilo -r command to switch to Administration mode remotely will not work; the system must be put into Administration mode through local keyboard interaction.