Comprehensive Guide to Linux Physical Security

November 20, 2024
Tags: Linux Security, Server Hardening, Physical Security

🔒 Linux Physical Security: Best Practices and Defenses

Physical access to a system often leads to full compromise. In Linux environments, maintaining strong physical security is critical. This post explores detailed practices and technical defenses for protecting your systems from physical access threats.

🛡️ Why Physical Security Matters

If an attacker gains physical access to your Linux machine, they could:

  • Boot into single-user mode to gain root access.
  • Reset the system or modify boot parameters.
  • Mount unencrypted drives and read sensitive data.

Hence, physical access should be treated as root access unless mitigations are in place.


🧰 Physical Security Guidelines

  • Keep data centers and server rooms locked at all times.
  • Enforce access control: Limit room access to authorized personnel only.
  • Log and escort visitors at all times.
  • Ensure photo IDs, surveillance, and guards are in place for sensitive areas.

🔍 Security isn’t just digital; it begins with who can touch your hardware.


🏒 Servers in Colocation and Cloud

Data Centers

  • Use security guards, gates, video surveillance, and alarm systems.
  • Implement multi-factor authentication and access logs.
  • Revoke access when employees leave or roles change.

Cloud Considerations

  • Your data resides on physical disks managed by providers.
  • Use disk encryption and secure virtual access policies to protect data.
  • Always assume cloud hardware is shared and exposed.

🧩 Defending Against Physical Attacks

Single-User Mode

By default, bootloaders such as GRUB allow anyone at the console to boot the system into single-user mode. Protect this with a bootloader password (so boot entries cannot be edited or selected from the console) or an encrypted boot partition.

Power Reset Attacks

Attackers can power-cycle or reset the system to gain entry during boot. Restrict physical access, consider tamper-proof hardware, and pair this with disk encryption so that a forced reboot does not expose data at rest.


🔐 Disk Encryption

Plaintext vs Ciphertext

Unencrypted (plaintext) data such as

letmein123

is stored in an unreadable (ciphertext) form, for example

$1$0vcWGUqX$bbo7e/Zohvj7.v94Mp0lV0

Note that this particular string is in the format of an MD5-crypt password hash (the $1$ prefix used in /etc/shadow), which is one-way; disk encryption with dm-crypt/LUKS is reversible with the key, so the data becomes readable again once the volume is unlocked.

dm-crypt and LUKS

dm-crypt

  • Linux kernel subsystem for transparent disk encryption.
  • Creates virtual devices under /dev/mapper/.

LUKS (Linux Unified Key Setup)

  • Frontend to dm-crypt.
  • Supports multiple passphrases.
  • Stores metadata in the partition header (ideal for portable media).
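As an added example (not code from the original post), the following Python parses the on-disk LUKS1 header that the bullets above describe and reports which of the eight key slots hold an enrolled passphrase, which is how a defender audits a volume for unexpected extra passphrases. The header bytes are constructed in build_sample_header rather than read from a real disk; the field layout follows the LUKS1 format (LUKS2 uses a different JSON-based header and is not handled here).

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 on-disk header layout; every integer is big-endian (no alignment padding).
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"  # 208 bytes
SLOT_FMT = ">II32sII"                   # 48 bytes, eight slots follow the header
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_luks1_header(blob: bytes) -> dict:
    """Parse the first 592 bytes of a LUKS1 device into a summary dict."""
    hdr_len, slot_len = struct.calcsize(PHDR_FMT), struct.calcsize(SLOT_FMT)
    if blob[:6] != LUKS_MAGIC:
        raise ValueError("LUKS magic not found (unencrypted device or LUKS2?)")
    (_, version, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _dsalt, mk_iters, uuid) = struct.unpack(PHDR_FMT, blob[:hdr_len])
    if version != 1:
        raise ValueError(f"unsupported LUKS version {version}")
    slots = []
    for i in range(8):
        off = hdr_len + i * slot_len
        state, iters, _salt, _km_off, stripes = struct.unpack(SLOT_FMT, blob[off:off + slot_len])
        if state == SLOT_ACTIVE:          # a passphrase is enrolled in this slot
            slots.append({"slot": i, "iterations": iters, "stripes": stripes})
        elif state != SLOT_DISABLED:      # anything else means a corrupt or tampered header
            raise ValueError(f"slot {i} has invalid state {state:#x}")
    return {
        "cipher": f"{_cstr(cipher)}-{_cstr(mode)}", "hash": _cstr(hashspec),
        "key_bits": key_bytes * 8, "uuid": _cstr(uuid), "mk_iterations": mk_iters,
        "payload_offset_bytes": payload_off * 512,  # header stores 512-byte sectors
        "active_slots": slots,
    }

def build_sample_header(active=(0, 2)) -> bytes:
    """Constructed fixture, not read from a real disk: aes-xts-plain64, 512-bit key."""
    hdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                      4096, 64, b"\x00" * 20, b"\x00" * 32, 100000,
                      b"00000000-0000-4000-8000-000000000000")
    for i in range(8):
        enrolled = i in active
        hdr += struct.pack(SLOT_FMT, SLOT_ACTIVE if enrolled else SLOT_DISABLED,
                           200000 if enrolled else 0, b"\x00" * 32, 8 + i * 512, 4000)
    return hdr

if __name__ == "__main__":
    info = parse_luks1_header(build_sample_header())
    print(info["cipher"], info["key_bits"], [s["slot"] for s in info["active_slots"]])
```

On a real system the same parser can be fed the first 592 bytes of the device (for example via dd with bs=592 count=1, as root) to confirm that only the expected number of slots is active.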

Encryption Layout Example

/dev/sda2         -> Encrypted Physical Partition
/dev/mapper/home  -> Virtual Block Device
/home             -> Mount Point

🛠️ Setting Up LUKS Encryption

Encrypting a New Device

Warning: This erases all data on the device!

cryptsetup luksFormat /dev/sdX          # write the LUKS header and set the first passphrase
cryptsetup luksOpen /dev/sdX secure     # unlock; creates /dev/mapper/secure
mkfs.ext4 /dev/mapper/secure            # create a filesystem on the virtual block device
mkdir -p /mnt/secure                    # mount point must exist before mounting
mount /dev/mapper/secure /mnt/secure

Converting Existing Device

# Back up the existing data first
shred /dev/sda3                        # wipe the old plaintext contents
cryptsetup luksFormat /dev/sda3
cryptsetup luksOpen /dev/sda3 home     # creates /dev/mapper/home
mkfs.ext4 /dev/mapper/home
mount /dev/mapper/home /home
# Restore the data, then add entries to /etc/crypttab and /etc/fstab so the
# volume is unlocked and mounted at boot

⚙️ Kernel Parameter Protections

Disable Ctrl+Alt+Del reboot combo with systemd:

systemctl mask ctrl-alt-del.target
systemctl daemon-reload

This prevents Ctrl+Alt+Del on a local console from triggering a reboot through systemd. It does not stop a hardware reset or power button, so it complements rather than replaces the physical controls above.


✅ Summary

  • Physical access bypasses most logical controls; prevent it.
  • Implement facility access controls and visitor policies.
  • Protect single-user mode and disable unnecessary reboot shortcuts.
  • Use disk encryption with LUKS and secure bootloaders.
  • Understand your cloud provider’s physical infrastructure.