I am new to the world of server configuration and as part of my introduction I am challenging myself by setting up several Linux servers within a virtual environment (e.g. VirtualBox) using a fictional scenario. The question I have in particular relates to the partitioning of Linux servers and the reason as to why they should be set up in that manner. I am looking at setting up the following environments, mimicking a real-world environment to a degree.
I run a small organization and have 3 staff. I require each of them to run Linux Desktops. The distribution I have elected is Ubuntu at this stage. Now what type of partitioning should I configure them with so that they meet the criteria of being secure, prevent data loss/corruption, avoid logging information from spilling over and allow for them to join some sort of centralized network should the need arise?
I also require to set up a web and mail server that my staff have access to. Now considering I may also have to host other websites and mailboxes of clients, what do I have to consider when partitioning the server e.g. logging, mailbox sizes, scalability, security, hardening and the like?
I would appreciate it if someone could advise on the following:
- Is there a reason as to why you are suggesting that particular partitioning?
- Does it allow for scalability?
- Is that the best way to secure and harden a server and desktop?
I am not looking for particular applications/software to harden or to secure but rather taking a step back and looking at holistically building an environment that meets the needs now and later. Also this relates to partitioning only and how it relates to security, scalability, etc.
The Unix System Administration Handbook is a great book (the earlier editions helped me a lot) - it has a section on disk partitioning.
"I also require to set up a web and mail server that my staff have access to. Now considering I may also have to host other websites and mailboxes of clients, what do I have to consider when partitioning the server e.g. logging, mailbox sizes, scalability, security, hardening and the like?"
Internal (employee) and external (clients/customers) should not be serviced through the same system whenever possible. There is typically some control over the usage/mis-usage of employees and even less when it comes to the clients/customers.
Ideally, individualized partitioning at the system level per client/customer is even better. It minimizes the ill-actions of a client/customer from negatively impacting your other (good/paying) clients/customers.
It's not possible to answer the question without a lot more information - firstly, what do you mean by partitioning - this might mean how you split up the HDs (and possibly map the filesystem to the underlying logical disks), it might mean how you define the firewalls between devices or it might mean how you assign resources to virtual machines.
Even once this is defined, there are still a lot of unanswered questions about budgets, usage and availability which would just take far too much time to go into just now. (This is what a lot of people do for a living - and can spend days, weeks or months on a single project.)
But top of the list for designing the architecture is the level of access users are to have over their own machines - and whether admin access is shared, functionally devolved or restricted - it's difficult to design permissions models whereby developers can manipulate permissions within a secure scope but require access to change file ownership (e.g. all web developers need to be able to edit files on the webserver, but they should not be writeable by anyone other than these people).
The question is so sweeping and generic, it sounds like a badly thought out homework or interview question. Certainly you need to start thinking about usage scenarios and documenting assumptions you are making about the usage.
There's no requirement that a single machine cannot be both a user workstation and a server - but you need to think about how this affects the level of control the user has - you can disable access to shutting down the machine easily enough - but what about the power cable?
Certainly life will be a lot simpler if you use a centralised system for managing authentication and potentially other services - so an LDAP installation somewhere is a good idea. Do have a look at GoSA.
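One way to check the constraint raised in the answer above (all web developers can edit files on the web server, nobody else can write them), as an added example that is not part of the original thread. It assumes the developers share one Unix group and that directories carry the setgid bit so new files inherit that group; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_webroot(root, gid):
    """Return sorted (relative_path, problem) pairs that break the assumed model:
    group-owned by gid, group-writable, never world-writable, directories setgid."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(path, root)
            if st.st_gid != gid:
                findings.append((rel, "wrong-group"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if not st.st_mode & stat.S_IWGRP:
                findings.append((rel, "not-group-writable"))
            if stat.S_ISDIR(st.st_mode) and not st.st_mode & stat.S_ISGID:
                findings.append((rel, "dir-missing-setgid"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree. Returns the gid treated as the developer group
    (assumption: whatever group owns the temporary directory)."""
    gid = os.lstat(root).st_gid
    os.chmod(root, 0o2770)                       # setgid, no access for "other"
    layout = {"index.html": 0o660,               # conforms to the model
              "config.php": 0o640,               # developers cannot edit it
              "upload.php": 0o666}               # anyone on the host can edit it
    for name, mode in layout.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    sub = os.path.join(root, "static")
    os.mkdir(sub)
    os.chmod(sub, 0o770)                         # setgid cleared: new files may get another group
    return gid

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webroot:
        dev_gid = build_sample(webroot)
        for rel, problem in audit_webroot(webroot, dev_gid):
            print(f"{problem:20} {rel}")
```

Run against a real document root, the same function takes the path and the numeric gid of the developers' group, and is read-only.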