CentOS - Aug 2010 - securing a remotely hosted machine

Hi,

I'm looking to put together a doc for the wiki.c.o on howto secure a 
remotely hosted machine. Its a situation that many of us find ourselves 
in, wherein we either lease or colo a server ( or many ) and there is 
always the issue of remote hands, other facility users etc being able to 
get physical access of the machines. So what are the usual steps that 
people take in order to secure their remote-hosted-servers.

A short list of things that I tend to always do is :

- disable all getty's

- make grub boot imediately with no user interrupt possible

- put sensitive data on a locally encrypted disk

- plumb in a bios password

- have all console redirected to a iLo / drac / ipmi2 device; if there 
is one of those - if not then redirect the output to a non-existing 
ttySX port ( isnt ideal! )

- disable all telnet and http/https access to the ilo / drac interfaces, 
ensure impi is secured.

What other, reasonable, steps should one consider ?

the end result, ofcourse, is to still have the option of handing 
passwords etc to the DC ops should there be a need to actually work on 
the machine remotely. so removing the keyb and display interfaces might 
not be desirable.

- KB

> I'm looking to put together a doc for the wiki.c.o on howto 
> secure a remotely hosted machine. There is always the issue of remote 
> hands, other facility users etc being able to get physical 
> access of the machines. 
1: Rebuild kernel to remove local KVM (Keyboard Video Mouse), run
headless; the only access is via ssh.
2: Log-ins through firewall allowed only from approved IPs/MACs
regardless of possession of correct password.

3: When you first build the system, ghost/image the boot/root/usr (bru)
drive onto a spare backup, verify the backup boots the machine the same
as the main drive.
4: have the backup bru drive mailed to you, dupe it, and rsync the
remote bru to your local copy whenever you make a change to the remote
bru.  
5: In the event of fire, vandalism, or other urgent cause, your cluster
can appear on a new server rapidly.  Just FedEx ghosts of your locally
stored bru drive rsynced from what were your remote machines, and (on
similar hardware) they should turn-key boot and run.

6: Repeat 3-5 with any mission-critical applications  (think of the bru
drive as "flight critical", this is the "not flight critical but
mission
critical" stuff.
> the end result, ofcourse, is to still have the option of 
> handing passwords etc to the DC ops should there be a need to 
> actually work on the machine remotely. so removing the keyb 
> and display interfaces might not be desirable.
Linux install disks in 'rescue' mode have sufficient terminal handling
in their kernel that the running system doesn't need more than ssh.  You
have more worry about the competence and trustworthiness of the host
employees than you know.  So: The remote system doesn't need KVM
(Keyboard Video Mouse), just ssh.

Headless embedded systems work fine this way... ssh only until ssh
fails, then swap out the bru drive (rsync'd spare is on-site or with
remote support personnel we send out) and mail me the junker; it gets
installed as sdb on another system and operated on until 'why did it
die' is discovered and corrected.  Then it gets mailed back and become
the on-site hot-spare that gets rsync'd when the running system changes.
*******************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed. If you have received this email in error please
notify the system manager. This footnote also confirms that this
email message has been swept for the presence of computer viruses.
www.Hubbell.com - Hubbell Incorporated**

On Fri, Aug 20, 2010 at 10:18 AM, Karanbir Singh <mail-lists at karan.org>
wrote:
> A short list of things that I tend to always do is :
Decent list. I might also consider disabling vaious unused or
unnecessary hardware kernel modules like usb-storage or other things
that might lend themselves to snooping by remote hands.

-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell

From: Karanbir Singh <mail-lists at karan.org>
> What other, reasonable, steps should one consider ?
I think you can password protect the interactive editing in grub.
Did not see:
- Disable usb booting (and CD, if there is a CD/DVD drive).
- lock the server case (if there is a lock).
- enable case intrusion detection (if available).

JD