One of the first things we do here at ITsyndicate is to secure /tmp, /var/tmp and /dev/shm so that common exploits and rootkits cannot use them as a staging area on a server. This method does not prevent users from uploading content to those directories, but it disables direct execution of files placed there and neutralises the suid buffer overflow exploit.
Securing /tmp directory
This directory is used by Apache, MySQL and PHP, among others, to store temporary data, lock files and sockets. You have probably seen plenty of session files and the mysql.sock file in it, but attackers can also upload and execute exploits there through a PHP injection via Apache.
Step 1: Backup /etc/fstab
cp -a /etc/fstab /etc/fstab.bak
Step 2: Make a 3GB file and format it with ext3
* We will be placing this file under /var, but you can choose whatever partition works best for you.
dd if=/dev/zero of=/var/tempFS bs=1024 count=3072000
mkfs.ext3 /var/tempFS
Step 3: Create a backup copy of your current /tmp
rsync -av /tmp/ /tmpbackup/
Step 4: Mount our new tmp partition and change permissions
mount -o loop,noexec,nosuid,rw /var/tempFS /tmp
chmod 1777 /tmp
Step 5: Copy the old data
rsync -av /tmpbackup/ /tmp/
Step 6: Update fstab
* Add this line, or replace the existing /tmp line:
/var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0
Step 7: Test your fstab entry
mount -o remount /tmp
Step 8: Verify that your /tmp mount is working
Run df -h /tmp; the output should look something like this:
/var/tempFS 962M 18M 896M 2% /tmp
Some data centers create a separate /tmp partition when they provision the server. In that case you only have to add the noexec and nosuid options to its line in /etc/fstab, remount the partition and restart everything that uses /tmp.
Securing /var/tmp directory
This directory behaves much like /tmp, with the exception that /var/tmp is not purged on every reboot. Since we want it handled exactly like /tmp, we will remove /var/tmp and make it available as a symbolic link to /tmp.
Step 1: Rename /var/tmp and create a symbolic link to /tmp
mv /var/tmp /var/vartmp
ln -s /tmp /var/tmp
Step 2: Copy the old data back
rsync -av /var/vartmp/ /tmp/
Step 3: Remove /var/vartmp
rm -rf /var/vartmp
Securing /dev/shm
/dev/shm is the Linux implementation of the traditional shared memory concept. It is an efficient way of passing data between programs, but the problem is that by default everyone can create, read and execute files in it.
Step 1: Edit /etc/fstab and find the /dev/shm line, which looks like this:
none /dev/shm tmpfs defaults,rw 0 0
Change it to:
none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
Step 2: Remount /dev/shm:
mount -o remount /dev/shm
You are done! Your tmp is secured.
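As an added check that is not part of the original article, the script below audits all three directories at once: it confirms that noexec and nosuid are present both in the live mount table (/proc/mounts) and in /etc/fstab, so the hardening also survives a reboot. The directory list, the file name check_tmp.sh and the sample lines used to exercise it are assumptions.

```shell
#!/bin/sh
# Added audit script, not the article's own code. It confirms that the three
# directories hardened above carry noexec and nosuid both in the live mount
# table (/proc/mounts) and in /etc/fstab, so the setting survives a reboot.
# The directory list and the sample lines used to test it are assumptions.

# mount_opts FILE DIR -> prints the option field of DIR's entry in FILE
# (/proc/mounts and /etc/fstab share the layout: dev mountpoint type options).
mount_opts() {
    while read -r _dev _mnt _type _opts _rest; do
        case "$_dev" in ''|'#'*) continue ;; esac        # blanks and comments
        [ "$_mnt" = "$2" ] && { printf '%s\n' "$_opts"; return 0; }
    done < "$1"
    return 1                                              # not a mount point
}

# has_opt OPTS NAME -> true if NAME is a whole entry of the comma-separated
# list OPTS ("noexec" must not be satisfied by a stray "noexecfoo").
has_opt() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }

# hardened OPTS -> true only when both noexec and nosuid are set.
hardened() { has_opt "$1" noexec && has_opt "$1" nosuid; }

# check_dir DIR -> verdict per source; 0 only if live and fstab are hardened.
# A symlink (/var/tmp -> /tmp) is resolved first: the link target is the mount.
check_dir() {
    dir=$1
    if [ -L "$dir" ]; then dir=$(readlink -f "$dir"); printf '%s -> %s\n' "$1" "$dir"; fi
    rc=0
    for src in /proc/mounts /etc/fstab; do
        if opts=$(mount_opts "$src" "$dir") && hardened "$opts"; then
            printf 'OK   %s in %s (%s)\n' "$dir" "$src" "$opts"
        else
            printf 'FAIL %s in %s (%s)\n' "$dir" "$src" "${opts:-no entry}"; rc=1
        fi
    done
    return $rc
}

# check_all -> runs check_dir over the article's three directories.
check_all() {
    status=0
    for d in /tmp /var/tmp /dev/shm; do check_dir "$d" || status=1; done
    return $status
}

# Audit the running system only when invoked as: sh check_tmp.sh --audit
if [ "${1:-}" = "--audit" ]; then check_all; exit $?; fi
```

An OK for /proc/mounts paired with a FAIL for /etc/fstab means the options were applied with a remount but will be lost at the next boot.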