2

I have to deploy a Ruby on Rails Applications on a client's server and I do not want them to be able to view or modify the source code. How would you protect the code technically?

I thought about building a linux-based virtual machine with an encrypted filesystem where the application code resides. The client has no root access, or direct access to the system at all. All services start automatically and the application is ready to use.

What would you suggest?

  • 3
    Assuming an encrypted file system, how do you plan to mount/decrypt it at boot time? – andol Jun 12 '10 at 06:51
  • Don't forget to keep a copy of it around and to offer to provide any source code that is licensed GPL (like the Linux kernel) for the next 3 years. Either that or provide it upfront. Or else you'll be doing a copyright violation. – jneves Jun 12 '10 at 06:55

2 Answers2

1

Sounds like you got it covered. Basically you're deploying an appliance to their site.

  • Encrypted FS so they can't boot to live cd -- check
  • No user access -- check
  • No direct access -- check

The only thing i would make sure of is you turn off any services you don't need so a crafty admin can't exploit a security hole to get in.

Couple of questions though, are you providing the hardware or are they?

Do they have a vmware infrastructure in place? If they do you could give them a Virtual Appliance instead of physical box.

Also make sure SNMP is enabled and configurable by them so they can monitor it with whatever solution they have.

Zypher
  • 37,405
  • 5
  • 53
  • 95
  • Yes, my plan is to to deliver the software as a virtal appliance. They plan to run it on their own hardware and have a virtual environment setup. Thanks for the snmp hint! –  Jun 12 '10 at 05:47
  • @Phil: No problem :) IMHO Virtual Appliances are the way to go these days. Yes, the SNMP thing, i remember a drag out fight with a vendor who would only support certain agents ... they didn't get that everyone worth their salt supports SNMP (we weren't using a system with a supported agent) – Zypher Jun 12 '10 at 06:01
  • Don't forget that security is all about many layers, like with this in place, you could actually add some obfuscation to the deployed code. It might sound silly but every little bit counts right? (except for MAC address blocking of WiFi networks, that doesn't count anymore ;) – Oskar Duveborn Jun 12 '10 at 07:21
1

You could also use Bestcrypt to encrypt a "container within a container". Have your app auto mount the hidden container and add a bash script so that any user login to the system other than a specific "stealth" user will write something to the top level container. This will destroy the inner container and take your protected application with it. (encryption auto destruct)

You could get as slick as you want with this, set up a script that uses port knocking to safely umount the container prior to login and so on.

There's even a way to have the hidden container be accessible only to the application and users connecting via the application. Even someone with root access on the server and a physical login can't view the hidden container. You'll have to work out how to do it for yourself though, I charge money to set it up for clients and consider it proprietary though it's something a decent linux geek can figure out with time and patience.

linux911
  • 99
  • 1
  • 8