In this post we will create an encrypted volume, which is useful if you work with a laptop and want to protect your data against theft.
You can do interesting things, such as asking for the key at boot or keeping the key on, for example, a USB device. Booting with the key on a USB device seems to me a very good choice.
Let's get to it. The steps are:
1- Make sure the dm_crypt kernel module is loaded:
[root@test ~]# lsmod | grep dm_crypt
dm_crypt 10848 2
dm_mod 63859 11 dm_crypt
When we operate a web server, we should apply basic protection to avoid any possibility that a “good” person (with all the sarcasm) sets about running JMeter (excellent software designed for load tests) with the idea of saturating our server.
These are things that really happen; this is not paranoia.
One way to avoid these attacks is through iptables (I have a broader post on iptables). A configuration example would be:
iptables is the kernel-level firewall included in Linux distributions. It is very powerful (once you understand how it operates), very useful and flexible. This post was written on CentOS 6 (a clone of RedHat); almost all of it should apply to any distribution.
The basic operation of iptables is the following:
- There are chains of rules, basically 3: INPUT, OUTPUT and FORWARD.
- The rules within a chain are evaluated in order. This is where there is a multitude of filtering options.
- When a rule matches, the packet is directed to a TARGET. It can be accepted, rejected, dropped, written to a log, and much more (see the TARGET EXTENSIONS section of man iptables).
We can list the current rules:
Working with ACLs (Access Control Lists) is useful when you want to allow or remove a user or group on directories and objects. I personally do not like them too much; it is all too “hidden” and whimsical for my taste. Admittedly, though, in certain situations they may be the best solution.
A requirement for working with ACLs is to have the volume mounted with the appropriate option. This is possible without unmounting or restarting, with the command:
In Linux you can assign attributes to files, which allows you to increase the security level. It is possible, for example, to protect a file so that it cannot be removed.
To view the attributes of a file:
[root@tester1 prueba]# lsattr
I will show how to create, expand and reduce LVM volumes. All these actions were performed with RedHat 6 LVM directly from the console. I think it goes without saying, but it is advisable to make a backup of the original disks.
The first thing is to understand the structure LVM follows. It works with 3 types of elements:
- Volume groups: all related commands begin with vg*. A volume group can contain one or more logical volumes, and it is composed of physical volumes.
- Logical volumes: all related commands begin with lv*. A logical volume resides within a volume group.
- Physical volumes: in this case all commands start with pv*. A volume group is composed of one or more physical volumes.
There are a number of commands to manage LVM volumes: