Go Back   Singapore Web Hosting Talk > LEARNING CENTER > Server Administration

Server Administration General dedicated servers administration topics.

Reply
 
Thread Tools
Old 29-07-2004, 22:07   #1
shawnho
SGWHT Premium Member
 
Join Date: 24-07-2003
Location: Singapore
Posts: 1,541
shawnho is a jewel in the roughshawnho is a jewel in the roughshawnho is a jewel in the roughshawnho is a jewel in the rough
ARTICLES - Partitioning Scheme

Getting New Server

I will assume that your new server will be installed with Red Hat Linux. When you are going to place an order, kindly please request your new server provider to do custom partitioning if their default partitioning sheme is similiar to the following:
  • /boot
  • /
  • swap
One of my servers partitioning scheme as below:
  • /boot
  • /var
  • /usr
  • /home
  • swap
  • /tmp
The rest of the directories can be shared on ONE partition such as /, /etc, /sbin, /mnt etc...

I will list down part of my researches. Here we go... ...

/boot
Critical directory with kernel images, if an attacker replaces your kernel or deletes it you have a lot of problems.

/var
This is used for a lot of things, least of which includes system logging. This partition should be separate since attackers can attempt to fill it up by flooding the log files, and other user data is stored here, such as mail (/var/spool/mail usually). Software that stores data here includes: Mail servers (Sendmail, Postfix, etc.), INN (Usenet news), Proxy software like Squid (WWW/FTP proxy), and so on. There should be no binaries at all here, just log files and data. Setting it noexec may break programs, Red Hat 7.0 places various binaries used for anonymous ftp with WuFTPD and arpwatch binaries in /var/ for example. You can place those files on another partition and symlink the directories to within /var/.

/usr
This directory is where the majority of software will be installed, along with source code and other stuff typically, mounting it separately is a good idea since it tends to contain relatively important software (especially in /usr/bin and /usr/sbin). Mounting it read only will prevent an attacker from inserting trojan software, but will make upgrades significantly harder. I wouldn't bother mounting it read only unless you also mount /bin/ and /sbin/ read only.

/home
/home/ is the primary area where users keep their files and work with them (assuming they can log in), if you provide services like IMAP this is where their mail folders will be. You should make it a separate partition since users have a tendency of eating up space rapidly, as well it will prevent them from making hard links to files and then using setuid programs that dump core for example and wiping out system files. Mounting it noexec is probably a good idea, however depending on the type of work users do it may seriously hamper them, mounting it nosuid is a good idea and shouldn't really affect users.

/tmp
Temporary directory for use by users and system, mount read only will break things, make it separate because many exploits consist of making hard links in tmp to files, and then having a program misbehave and destroy/modify the target file maliciously. Binaries, especially setuid binaries should not be allowed in /tmp/ since any user can modify them usually.

More information can be found at http://www.seifried.org/lasg/installation/



Article courtesy of Choon
shawnho is offline   Reply With Quote

Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump




All times are GMT +8. The time now is 11:58.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
Copyright (C) 2002-2015 Brought to you by Singapore Web Hosting Talk (SGWHT). All Rights Reserved.