People always talk about the convenience of hosted servers or cloud server instances. But what do you do with them when they're no longer needed? Sure, you can tell the provider to destroy them, but that's hardly a guarantee the data on those boxes will actually be wiped securely. Without physical access to the servers, you can't yank the disks out, write zeros on all blocks, and beat them with a sledgehammer. How can you be reasonably sure that your hosted (or cloud) server is completely destroyed when you're done with it?
This question popped up in a discussion I had with Matt Prigge recently. Several Linux boxes at a hosting provider had uptimes north of three years and needed to be completely wiped without any type of physical access. In this case, rebooting the boxes was out of the question because there was no guarantee they'd reboot properly. That might leave them inoperable, but the data on those systems could still be pilfered by anyone with physical access. Though it's easy enough to wipe hard disks with tools like Darik's Boot and Nuke, that wasn't an option here.
[ Also on InfoWorld: Watch Paul Venezia and Matt Prigge chat about virtualization networking in this Shop Talk video. | Then take a minute to read Paul Venezia's classic: "When in doubt, reboot? Not Unix boxes." ]
You could run
rm -rf / as root and let it go. That might mess up the box, but it won't guarantee that everything has been deleted securely. In fact, you can't even guarantee it'll delete every file, much less render them unrecoverable -- and after a while, the server will become unresponsive, putting it into an unknown state that cannot be verified.
Luckily, there are other methods of securely erasing running Linux servers.
The goal in my case was to perform several zeroing passes on all local disks, making sure to destroy the MBR (master boot record), which is a reasonably thorough method of ensuring that all data on disk is gone forever. (Unfortunately, the sledgehammer would have to sit this one out.) Also, I wanted confirmation that the disks had been completely wiped -- and the box should shut down at the end of the zeroing passes.
How to accomplish this? It's fairly simple. The first order of business is to create a ramdisk and copy all relevant binaries and libraries. Next, stop all relevant system services that might write to the disks, such as syslog. With that completed, have a look at the mount table, take note of all block devices, and dynamically create a script to write zeros (or random, if you so desire) to every block on those devices at least once -- but preferably five or more times. Also ensure that you write zeros to the first 512 bytes of each disk to wipe out the MBR. Once that script has been created and placed on the ramdisk, turn off all swap, chroot to the ramdisk, and run it from there, ensuring you'll still have an accessible temporary environment to work with.
The end result of running this script is a completely and totally wiped remote system, with positive acknowledgement that all partitions were wiped. All of this is done via ssh with no console or physical access necessary. If you have hosted Linux servers, or even internal servers at remote sites that need to disappear for good, this type of system-nuking script will do the job handily. In fact, when it's time to blow away a Linux server in any location -- even if it's right next to you -- pulling this script down and running it as root will do the job quickly and easily.
The one thing this script doesn't do is securely delete any backups or snapshots the hosting provider might have hanging around. Since that's extremely provider-specific, you must do some digging on your own, but it definitely needs to be taken into account when dealing with cloud server instances or hosted VMs. Zeroing a running server does no good if there are a half-dozen snapshots waiting in the wings. Also, this won't work with paravirtualized VPS instances due to the fact that they don't permit low-level disk access.
If you're interested, have a look at a fully functional example. This script could obviously be a bit more robust, but it gets the job done. It's specific to RHEL and CentOS distributions, but could easily be adapted to any Unix-like OS with a few tweaks. Just be careful because this script is meant to be wholly destructive. If that's not what you're after or you don't know what you're doing, do not touch.
This story, "Nuking Linux servers, one script at a time," was originally published at InfoWorld.com. Read more of Paul Venezia's The Deep End blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.