Recently we had to abandon an external Linux system which was operated by a hosting provider. Although just about five years old and still fine for our requirements, the provider wanted to take the hardware out of service. Of course we wanted to make sure that the system, once given back, was clean and none of our data could be exposed to third parties.
Our team named this project the "Operation_Regenbogen" (operation rainbow) which originally in the last days of WWII was an order to all german U-boats to sink their vessels. In some ways our externally hosted Linux system was an U-boat. For years it has been doing its service far away from home, silently, realiable, with communications encrypted. And now it had to be made sure that its secrets are kept. But how to do this properly on a server you don't have a direct attached console to?
First, we unmounted all the unnecessary partitions and cleared them with "dd if=/dev/zero of=/dev/hdaX bs=4M". After switching off swap and clearing the swap partition the same way, all unneeded daemons were stopped and all TCP ports closed - except ssh of course. Then came the difficult part: Would a dd from zero device to hda device work?
We decided for the safe way. After cleaning up the remaining filesystems / and /boot, especially the /var subfolders, we first cleared the free space by filling a dummy file with zeros: dd if=/dev/zero of=/dummyfile bs=1M ; rm /dummyfile . Then we gave the order to sink the boat with a "dd if=/dev/zero of=/dev/hda bs=4M".
While pinging the server, we waited for things to happen. Then some time later, actually the prompt came back. So the boat was inoperable but still afloat. Via the last ssh terminal we could still run some simple commands like "ls" which of course resulted in an I/O error. All data on harddisk was zero, no secrets left to be compromised.
In the end we tried to shutdown the system but failed. "shutdown" and "halt" just produced an "I/O error" message, and so did an "init". When we tried to start a "kill" command, something dropped the ssh connection at last. Finally we were locked out and lost control of the system.
Our pings still have been answered for four days. On the fifth day, the hardware was retired and somebody had switched off the server. The boat had gone, now lying on the ground of the sea of oblivion.
Our team named this project the "Operation_Regenbogen" (operation rainbow) which originally in the last days of WWII was an order to all german U-boats to sink their vessels. In some ways our externally hosted Linux system was an U-boat. For years it has been doing its service far away from home, silently, realiable, with communications encrypted. And now it had to be made sure that its secrets are kept. But how to do this properly on a server you don't have a direct attached console to?
First, we unmounted all the unnecessary partitions and cleared them with "dd if=/dev/zero of=/dev/hdaX bs=4M". After switching off swap and clearing the swap partition the same way, all unneeded daemons were stopped and all TCP ports closed - except ssh of course. Then came the difficult part: Would a dd from zero device to hda device work?
We decided for the safe way. After cleaning up the remaining filesystems / and /boot, especially the /var subfolders, we first cleared the free space by filling a dummy file with zeros: dd if=/dev/zero of=/dummyfile bs=1M ; rm /dummyfile . Then we gave the order to sink the boat with a "dd if=/dev/zero of=/dev/hda bs=4M".
While pinging the server, we waited for things to happen. Then some time later, actually the prompt came back. So the boat was inoperable but still afloat. Via the last ssh terminal we could still run some simple commands like "ls" which of course resulted in an I/O error. All data on harddisk was zero, no secrets left to be compromised.
In the end we tried to shutdown the system but failed. "shutdown" and "halt" just produced an "I/O error" message, and so did an "init". When we tried to start a "kill" command, something dropped the ssh connection at last. Finally we were locked out and lost control of the system.
Our pings still have been answered for four days. On the fifth day, the hardware was retired and somebody had switched off the server. The boat had gone, now lying on the ground of the sea of oblivion.
Keine Kommentare:
Kommentar veröffentlichen