One of the first things we do here at ITsyndicate is to secure /tmp, /var/tmp and /dev/shm to prevent common exploits and rootkits from having their way with a server. This method does not prevent users from uploading content to those directories, but it disables direct execution of files stored there (noexec) and the setuid bit (nosuid), which blocks the classic suid buffer overflow exploit.

Securing /tmp directory

This directory is used by Apache, MySQL and PHP, among others, to store temporary data as well as lock files and sockets. You have probably seen a lot of session files and the mysql.sock file in it, but attackers can also upload and execute exploits there through a PHP injection via Apache.

Step 1: Backup /etc/fstab

cp -a /etc/fstab /etc/fstab.bak

Step 2: Make a 3GB file and format it with ext3:

* We will be placing this file under /var but you can choose whatever partition works best for you.

dd if=/dev/zero of=/var/tempFS bs=1024 count=3072000
/sbin/mkfs.ext3 /var/tempFS

Step 3: Create a backup copy of your current /tmp

rsync -av /tmp/ /tmpbackup/

Step 4: Mount our new tmp partition and change permissions

mount -o loop,noexec,nosuid,rw /var/tempFS /tmp
chmod 1777 /tmp

Step 5: Copy the old data

rsync -av /tmpbackup/ /tmp/

Step 6: Update fstab

vi /etc/fstab

* And add this line or replace existing /tmp line:

/var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0

Step 7: Test your fstab entry

mount -o remount /tmp

Step 8: Verify that your /tmp mount is working

df -h

Should look something like this:

/var/tempFS           962M   18M  896M   2% /tmp

Some data centers create a /tmp partition when they provision the server. In that case you only have to add the noexec and nosuid options to the existing /tmp line in /etc/fstab, remount the partition and restart everything that uses /tmp.

Securing /var/tmp

Now this directory is pretty much the same as /tmp, with the exception that /var/tmp is not purged on every reboot. We want the same protection for it, so we will remove /var/tmp and make it available under /tmp with a symbolic link.

Step 1: Rename /var/tmp and create a symbolic link to /tmp

mv /var/tmp /var/vartmp
ln -s /tmp /var/tmp

Step 2: Copy the old data back

rsync -av /var/vartmp/ /tmp/

Step 3: Remove /var/vartmp

rm -rf /var/vartmp

Securing /dev/shm

/dev/shm is the Linux implementation of the traditional shared memory concept. It is an efficient way of passing data between programs, but the problem is that by default everyone can create, read and execute files in it.

Step 1: Edit your /etc/fstab

vi /etc/fstab

Locate:

none /dev/shm tmpfs defaults,rw 0 0

Change it to:

none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0

Step 2: Remount /dev/shm:

mount -o remount /dev/shm
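To confirm the result of the steps above, the following script (an added example, not part of the original post) reads a mount table in /proc/mounts format and reports whether a mount point carries both noexec and nosuid. The sample mount table embedded in it is constructed; on a real server omit the second argument so it reads the live /proc/mounts.

```sh
#!/bin/sh
# Added example, not from the original post: report whether a mount point
# carries both the noexec and nosuid options, using the /proc/mounts format
# (device mountpoint fstype options dump pass, one mount per line).

# check_mount_opts MOUNTPOINT [MOUNTS_FILE]
#   MOUNTS_FILE defaults to /proc/mounts; pass "-" to read it from stdin.
#   Returns 0 if both options are set, 1 if one is missing, 2 if not mounted.
check_mount_opts() {
    mp="$1"
    mounts="${2:-/proc/mounts}"
    # Keep the last matching line: the most recent mount on a path wins.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        echo "$mp: not a mount point"
        return 2
    fi
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: MISSING$missing (options: $opts)"
        return 1
    fi
    echo "$mp: ok ($opts)"
}

# Constructed sample mount table (not a real capture): /tmp is the loop-mounted
# /var/tempFS image from the steps above (the kernel shows it as /dev/loop0),
# while /dev/shm still has its default options.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0'

for d in /tmp /dev/shm /var/tmp; do
    printf '%s\n' "$SAMPLE_MOUNTS" | check_mount_opts "$d" - || true
done
```

Only real mount points appear in /proc/mounts, so for /var/tmp, which this post turns into a symbolic link, check the resolved target (`readlink -f /var/tmp`) rather than the link itself.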

You are done! Your tmp is secured.
