Securing Linux File Servers



  • Disclaimer: There may be some stupid questions here.

    I'm going to be building a Linux file server for my company. We are currently paying around $750 per month to a company. This company basically scans our medical documentation for us and shreds the physical copies once per year. They also give us an external hard drive. This is probably the most grossly overpriced 'service' I have seen in my career so far. They list removing paper clips and staples as a service (as an example). I see no reason why I can't purchase a small server for medical records and use the backups we already create. We are only using 180 GB of space so far after 4 years. Once we get passed 200 GB the costs become even crazier.

    In my experience, Linux file servers simply perform better than windows. I also know that Linux is inherently more secure. My question is: apart from fail2ban, SELinux, updates and permissions what is best practice in terms of securing this file server on the initial installation as well as over time? I dick around with Linux but I've never put one of my servers into a real production environment.



  • @wirestyle22 said in Securing Linux File Servers:

    Disclaimer: There may be some stupid questions here.

    I'm going to be building a Linux file server for my company. We are currently paying around $750 per month to a company. This company basically scans our medical documentation for us and shreds the physical copies once per year. They also give us an external hard drive. This is probably the most grossly overpriced 'service' I have seen in my career so far. They list removing paper clips and staples as a service (as an example). I see no reason why I can't purchase a small server for medical records and use the backups we already create. We are only using 180 GB of space so far after 4 years. Once we get passed 200 GB the costs become even crazier.

    In my experience, Linux file servers simply perform better than windows. I also know that Linux is inherently more secure. My question is: apart from fail2ban, SELinux, updates and permissions what is best practice in terms of securing this file server on the initial installation as well as over time? I dick around with Linux but I've never put one of my servers into a real production environment.

    You could start with SCAP. They have a good list of hardening steps.



  • @stacksofplates Great reference. Thanks!



  • Don't forget that you can join an AD environment with a Linux box, so user permissions remain easy to deal with. https://wiki.centos.org/TipsAndTricks/WinbindADS I think with most distributions, you can AD join them in the initial install as well.



  • For the most part, there is very little to do and in reality you can just do nothing. Fail2Ban is an excellent addition, but likely your SSH is not exposed externally anyway. We always add Fail2Ban, but a lot of places don't do that. SELinux and other basic security practices should be there for you on install, so nothing to do there. Linux, especially CentOS, has all the major security practices done for you out of the box.



  • DenyHosts is an alternative to Fail2Ban in regards to supplementing best practices of a properly configured ssh server. Fail2Ban allows you to configure jails for SSH and numerous other services, whereas DenyHosts is set to work only with SSH. If you're running on a resource-light VPS or VM, DenyHosts might be less of a tax on your system than a Fail2Ban implementation.



  • Make sure you take into consideration any risk that the company is mitigating by providing these services. What happens if data on the file server is somehow compromised? What will be the resulting fines/fees associated with the loss? Will you have to have your server audited by an external entity regularly? Who is going to perform the audits and how much will they cost?



  • @RamblingBiped said in Securing Linux File Servers:

    Will you have to have your server audited by an external entity regularly?

    This a lot. That's why I recommended SCAP. You have a set of NIST rules that you can check against.



  • I'm a bit lost on what they do for you for $750/month.

    They scan your charts? How many a month? They give you an external harddrive? how do you access the data before they give you the drive? what are you supposed to do with the drive?

    Removing staples sadly is not trivial and is rather time consuming when it comes to scanning in pages. I didn't used to think so until I spent a week doing it. It can slow you down by half your scanning speed.

    We hired two kids to sort through charts to determine what we could simply shred (patient hasn't been seen in a longer period than law requires us to keep charts). They worked around 5 hours a day each for 4 weeks, together they sent 400+ boxes of charts (anywhere from 30-60 charts) to be shred.



  • Sounds like something a decent dedicated scanner could take care of in a few minutes.



  • @travisdh1 that's my point. I want to remove this cost big time. It's a complete waste. Thanks guys



  • @travisdh1 said in Securing Linux File Servers:

    Sounds like something a decent dedicated scanner could take care of in a few minutes.

    How does a scanner take care of staples?

    Back to the OP - you haven't told us how many charts are being scanned per month, nor how you access that data once they do scan it.

    Considering the average person working that job is making $10/hr, after benefits/taxes, etc they cost the company $15/hr minimum, assuming that was the only cost and the company made zero money for the fact that he works, the employee is working 50 hours/month. But of course almost no company is out there making zero money.. so you have to assume that they are consuming at least 50% of the income in one way or other, so the employee is working 25 hours.

    So the question is, can you accomplish this task in under 25 hours a month and use the other half of the funds to pay your time, the hardware, the backups, scanner, etc? Maybe you can, maybe you can't.



  • @Dashrender said in Securing Linux File Servers:

    @travisdh1 said in Securing Linux File Servers:

    Sounds like something a decent dedicated scanner could take care of in a few minutes.

    How does a scanner take care of staples?

    If it's me, and I get permission, removing all staplers from the office.

    but..
    but..
    but..
    that's.... m.. mm... my
    swingline

    Don't care.



  • @Dashrender said in Securing Linux File Servers:

    Considering the average person working that job is making $10/hr, after benefits/taxes, etc they cost the company $15/hr minimum, assuming that was the only cost and the company made zero money for the fact that he works, the employee is working 50 hours/month. But of course almost no company is out there making zero money.. so you have to assume that they are consuming at least 50% of the income in one way or other, so the employee is working 25 hours.

    You can't include the profit from his work. If there is money to be made, either he's doing it in the remaining time or someone else will pick up the slack or someone else will be hired. Counting both the cost of the employee per hour and the profit that that employee can generate is double dipping unless the employee is irreplaceable and no one else can generate that revenue, which seems unlikely for a $10/hr position.

    It's only the $15/hr that you need to consider. Does the employee save money or waste money is all that needs to be considered. You could easily hire a stay at home mom parent to do this part time only a few hours a day while their kid is at school two or three days a week if you had any concerns about the productivity of the full time existing staff.



  • @Dashrender said in Securing Linux File Servers:

    @travisdh1 said in Securing Linux File Servers:

    Sounds like something a decent dedicated scanner could take care of in a few minutes.

    How does a scanner take care of staples?

    Back to the OP - you haven't told us how many charts are being scanned per month, nor how you access that data once they do scan it.

    Considering the average person working that job is making $10/hr, after benefits/taxes, etc they cost the company $15/hr minimum, assuming that was the only cost and the company made zero money for the fact that he works, the employee is working 50 hours/month. But of course almost no company is out there making zero money.. so you have to assume that they are consuming at least 50% of the income in one way or other, so the employee is working 25 hours.

    So the question is, can you accomplish this task in under 25 hours a month and use the other half of the funds to pay your time, the hardware, the backups, scanner, etc? Maybe you can, maybe you can't.

    It would amount to 5 scans a day once we scan everything we have for the current year in. We would obviously need to do that in-house, which is fine. It's one big initial project and then very easy to maintain.



  • @scottalanmiller said in Securing Linux File Servers:

    @Dashrender said in Securing Linux File Servers:

    Considering the average person working that job is making $10/hr, after benefits/taxes, etc they cost the company $15/hr minimum, assuming that was the only cost and the company made zero money for the fact that he works, the employee is working 50 hours/month. But of course almost no company is out there making zero money.. so you have to assume that they are consuming at least 50% of the income in one way or other, so the employee is working 25 hours.

    You can't include the profit from his work. If there is money to be made, either he's doing it in the remaining time or someone else will pick up the slack or someone else will be hired. Counting both the cost of the employee per hour and the profit that that employee can generate is double dipping unless the employee is irreplaceable and no one else can generate that revenue, which seems unlikely for a $10/hr position.

    It's only the $15/hr that you need to consider. Does the employee save money or waste money is all that needs to be considered. You could easily hire a stay at home mom parent to do this part time only a few hours a day while their kid is at school two or three days a week if you had any concerns about the productivity of the full time existing staff.

    Yes, the OP only needs to worry about the $15/hr part.. but the outsourced company has to consider it's profits - that's where I was going with that, I wasn't talking about the OP's company worrying about profits on an internal $15/hr employee.



  • @wirestyle22 said in Securing Linux File Servers:

    @Dashrender said in Securing Linux File Servers:

    @travisdh1 said in Securing Linux File Servers:

    Sounds like something a decent dedicated scanner could take care of in a few minutes.

    How does a scanner take care of staples?

    Back to the OP - you haven't told us how many charts are being scanned per month, nor how you access that data once they do scan it.

    Considering the average person working that job is making $10/hr, after benefits/taxes, etc they cost the company $15/hr minimum, assuming that was the only cost and the company made zero money for the fact that he works, the employee is working 50 hours/month. But of course almost no company is out there making zero money.. so you have to assume that they are consuming at least 50% of the income in one way or other, so the employee is working 25 hours.

    So the question is, can you accomplish this task in under 25 hours a month and use the other half of the funds to pay your time, the hardware, the backups, scanner, etc? Maybe you can, maybe you can't.

    It would amount to 5 scans a day once we scan everything we have for the current year in. We would obviously need to do that in-house, which is fine. It's one big initial project and then very easy to maintain.

    Sure, are you telling me that your company was planning on continuing to pay the outsource company $750/month when you are in maintenance mode?



  • We have an on staff employee who takes care of the new daily scans, etc. But that person isn't very efficient (they are old and not computer savvy at all). The summer hires we did this year were basically just project work. Sadly they weren't willing to put in closer to 40 hr work weeks, the project would have been completed, or at least much more so. But I guess that was less important to some.



  • @Dashrender said in Securing Linux File Servers:

    @scottalanmiller said in Securing Linux File Servers:

    @Dashrender said in Securing Linux File Servers:

    Considering the average person working that job is making $10/hr, after benefits/taxes, etc they cost the company $15/hr minimum, assuming that was the only cost and the company made zero money for the fact that he works, the employee is working 50 hours/month. But of course almost no company is out there making zero money.. so you have to assume that they are consuming at least 50% of the income in one way or other, so the employee is working 25 hours.

    You can't include the profit from his work. If there is money to be made, either he's doing it in the remaining time or someone else will pick up the slack or someone else will be hired. Counting both the cost of the employee per hour and the profit that that employee can generate is double dipping unless the employee is irreplaceable and no one else can generate that revenue, which seems unlikely for a $10/hr position.

    It's only the $15/hr that you need to consider. Does the employee save money or waste money is all that needs to be considered. You could easily hire a stay at home mom parent to do this part time only a few hours a day while their kid is at school two or three days a week if you had any concerns about the productivity of the full time existing staff.

    Yes, the OP only needs to worry about the $15/hr part.. but the outsourced company has to consider it's profits - that's where I was going with that, I wasn't talking about the OP's company worrying about profits on an internal $15/hr employee.

    The profits of the outsourced company don't matter to the decision making, though.



  • @Dashrender You're confusing me man. There is an employee in medical records already. Instead of the company being paid to scan the stuff, we would do the initial project and then it would be maintained over time by her. It equates to 5 scans a day. I don't understand where the complication is here?



  • @scottalanmiller said in Securing Linux File Servers:

    @Dashrender said in Securing Linux File Servers:

    @scottalanmiller said in Securing Linux File Servers:

    @Dashrender said in Securing Linux File Servers:

    Considering the average person working that job is making $10/hr, after benefits/taxes, etc they cost the company $15/hr minimum, assuming that was the only cost and the company made zero money for the fact that he works, the employee is working 50 hours/month. But of course almost no company is out there making zero money.. so you have to assume that they are consuming at least 50% of the income in one way or other, so the employee is working 25 hours.

    You can't include the profit from his work. If there is money to be made, either he's doing it in the remaining time or someone else will pick up the slack or someone else will be hired. Counting both the cost of the employee per hour and the profit that that employee can generate is double dipping unless the employee is irreplaceable and no one else can generate that revenue, which seems unlikely for a $10/hr position.

    It's only the $15/hr that you need to consider. Does the employee save money or waste money is all that needs to be considered. You could easily hire a stay at home mom parent to do this part time only a few hours a day while their kid is at school two or three days a week if you had any concerns about the productivity of the full time existing staff.

    Yes, the OP only needs to worry about the $15/hr part.. but the outsourced company has to consider it's profits - that's where I was going with that, I wasn't talking about the OP's company worrying about profits on an internal $15/hr employee.

    The profits of the outsourced company don't matter to the decision making, though.

    True, the only thing that matters is, can the OP hire a person and acquire the needed hardware, etc to get the job done for less?



  • @wirestyle22 said in Securing Linux File Servers:

    @Dashrender You're confusing me man. There is an employee in medical records already. Instead of the company being paid to scan the stuff, we would do the initial project and then it would be maintained over time by her. It equates to 5 scans a day. I don't understand where the complication is here?

    5 scans a day? since the beginning? or did it drop to this number recently?



  • @Dashrender said in Securing Linux File Servers:

    @wirestyle22 said in Securing Linux File Servers:

    @Dashrender You're confusing me man. There is an employee in medical records already. Instead of the company being paid to scan the stuff, we would do the initial project and then it would be maintained over time by her. It equates to 5 scans a day. I don't understand where the complication is here?

    5 scans a day? since the beginning? or did it drop to this number recently?

    It's been this the entire time. The issue is they are charging for one huge project a year, an external hard drive and some cloud storage. 9k+ a year.



  • Hi,

    Perhaps I'm missing something, or have not read the entire thread properly, but why would a NAS not work over here ? Unless, the server would be performing some other function, apart from acting as a File Server ... Most NAS boxes too use Linux-based operating systems...



  • @Veet said in Securing Linux File Servers:

    Hi,

    Perhaps I'm missing something, or have not read the entire thread properly, but why would a NAS not work over here ? Unless, the server would be performing some other function, apart from acting as a File Server ... Most NAS boxes too use Linux-based operating systems...

    My company had some bad experiences with NAS and as a result are very close minded about them. This is my way around that.



  • @wirestyle22 said in Securing Linux File Servers:

    @Veet said in Securing Linux File Servers:

    Hi,

    Perhaps I'm missing something, or have not read the entire thread properly, but why would a NAS not work over here ? Unless, the server would be performing some other function, apart from acting as a File Server ... Most NAS boxes too use Linux-based operating systems...

    My company had some bad experiences with NAS and as a result are very close minded about them. This is my way around that.

    Call it a file server. Problem solved.



  • @scottalanmiller said in Securing Linux File Servers:

    @wirestyle22 said in Securing Linux File Servers:

    @Veet said in Securing Linux File Servers:

    Hi,

    Perhaps I'm missing something, or have not read the entire thread properly, but why would a NAS not work over here ? Unless, the server would be performing some other function, apart from acting as a File Server ... Most NAS boxes too use Linux-based operating systems...

    My company had some bad experiences with NAS and as a result are very close minded about them. This is my way around that.

    Call it a file server. Problem solved.

    And just back it up to hard drives with a network card attached. (Don't call it a NAS, lol).



  • I guess I could do that but I have a server I can re-purpose for this. It would be really simple 😕



  • Any NAS recommendations? I'd say 4 HD Max w/ raid 10. Might as well do it right.



  • @wirestyle22 said in Securing Linux File Servers:

    Any NAS recommendations? I'd say 4 HD Max w/ raid 10. Might as well do it right.

    One without NAS in its name, like Synology or ioSafe.