1

We have Ubuntu Server with Subversion installed on it. It makes automatic backups every week. And it doesn't connected to the Internet. Seems all OK with security. But one thing concern me — this server is in the room that accessed by a lot of people. Are there any solutions to protect valuable data from being physically stolen by someone? I mean something like some fast format device that could erase all data on server's HDDs if unauthorized person will try to extract these HDDs.

I know that ideal solution is to create standalone server room with restricted access, but it is too expensive yet.

Kirill V. Lyadvinsky
  • 129
  • 5

5 Answers5

12

I can't think of any reasonable solutions that will prevent theft of the media, so the best you can hope for is to render the data useless: Place the subversion repository on an encrypted partition. This way the filesystem is unreadable without the (lengthy) pass phrase.

Insyte
  • 9,314
  • 2
  • 27
  • 45
  • This is probably the best option, and should be done regardless of location of machine, if the data within subversion is important enough to be worried about it being stolen -- it most definitely should be encrypted. (as someone who's really smart & has time would DD the entire disk... That way he has a copy of all the data on the server, Without anyone noticing its missing.) – grufftech Jul 23 '09 at 18:09
  • Is there possibility to have several passphrases for limited number of employes? – Kirill V. Lyadvinsky Jul 23 '09 at 18:10
  • 1
    Yes, insyte's link has information on how to set this up. – grufftech Jul 23 '09 at 18:15
  • If you're really worried about security, be sure to connect to your subversion server over SSH as plaintext data could be intercepted in transmission if any network hardware were compromised – Andy Jul 23 '09 at 18:27
  • 4
    If you are that worried about the security of the code, don't stop at encrypting the servers drives. Require encrypted partitions for all computers that check out the code. If the developers use laptops, this is probably more at risk than the repo itself. – Kyle Brandt Jul 23 '09 at 18:59
  • I recommend this as well. Beyond physical security, encryption is the only other way to go. There is no perfect security, you can only delay or make theft more difficult. – Troggy Jul 23 '09 at 21:20
4

Put the computer in a locked box with only power & network cables running out of it. If need be, you can also drill holes in the box just big enough to fit keyboard/mouse/monitor cables. Monitor anytime this box is opened using a method suggested by other answers here.

I'd also take it as a serious breach of security anytime a layer 2 connection to this box is interrupted; you don't know if someone cut the network cable and plugged it into a hub.

Kevin M
  • 2,302
  • 1
  • 16
  • 21
3

Well, outside of invisible dog fences and making people wear the shock collars in the office, I would think the best option for you with current technology would be to securer the location as best as possible.

If you can, cage off the area that the server sits. Put a door in there, and no one can gain access.

You can also use the door chimes that stores use (the ones that got off when someone enters the store) to monitor when someone comes close to the servers, thereby alerting you or other IT staff. You could also attach an alarm that will go off when the server rack is opened, chiming in the IT department. You can use a simple door alarm like this if you have room in the rack.

Encrypting the drives is probably your best bet, though.

RascalKing
  • 1,138
  • 5
  • 7
2

Unfortunately I would suggest moving the server to a secure location.

There are several little tricks / hacks that can be done to "wipe" a drive if not booted up in X manner, ect. However most of them are reversible, and if any good hacker really wants your data & steals the entire machine, there is little you can do to prevent him from getting it.

grufftech
  • 6,620
  • 4
  • 35
  • 37
1

This sort of situation is where you start looking under "Physical security." Depending on the importance of the data, how much it's worth, and how much you want to pay, solutions range from "put it behind a locked door" to "guard it with a man with a gun".

Someone has already mentioned encrypting the data, which is a good backup in case the physical security fails somehow.

Ernie
  • 5,324
  • 6
  • 30
  • 37