How-To: Secure your temp directories
Every system needs temporary directories that any user can read and write,
BUT nothing should be executable from them. Mounting them noexec only stops a
file from being run directly (./payload); an attacker who hands the file to an
interpreter instead (sh /tmp/payload) is not stopped. Even so, it defeats a
large portion of the automated rootkits and trojans that script kiddies use:
they can still drop their files on the system, but the step that executes the
dropped binary to create the back door fails. One of the biggest problems is
PHP injection via Apache, where the attacker has Apache download an exploit
into /tmp and then run it. Securing the temp directories is probably the single
biggest thing you can do towards securing your server.
This guide works fine with cPanel, Ensim, Plesk, and of course with no control panel at all. It was written for Red Hat but should work on any Linux variant.
The first step is to check whether /tmp is already a separate filesystem. Some
datacenters create a /tmp partition while others do not.
-----command-----
df -h | grep tmp
-----command-----
If that displays nothing, go below to create a tmp filesystem. If you do have
a tmp partition, you need to see whether it is mounted with noexec (and nosuid).
-----command-----
grep tmp /etc/fstab
-----command-----
If there is a line for /tmp that includes noexec, it is already mounted
non-executable (add nosuid as well if it is missing, exactly as in the fstab
line further down, then remount). If not, follow the instructions below to
create one without having to repartition the disk. Ideally you would make a
real partition when the disk was originally formatted; that said, I have not
had any trouble creating a /tmp filesystem using the following loopback method.
Create an ~800 MB file to hold the filesystem. It is written to / (800000 blocks
of 1024 bytes), so check that / has that much space free first; if it does not,
put the file on a partition that does and use that path in every command and
fstab line below.
-----command-----
cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=800000
-----command-----
Format the file as an ext2 filesystem
-----command-----
mkfs.ext2 /dev/tmpMnt
-----command-----
When it warns that tmpMnt is not a block special device and asks whether to
proceed anyway, press y
Make a backup of the old data
-----command-----
cp -Rp /tmp /tmp_backup
-----command-----
Mount the temp filesystem
-----command-----
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
-----command-----
Set the permissions (1777, not 0777: the leading 1 is the sticky bit, which
stops users from deleting or renaming each other's files in a shared
world-writable directory)
-----command-----
chmod 1777 /tmp
-----command-----
Copy the old files back
-----command-----
cp -Rp /tmp_backup/* /tmp/
-----command-----
Once you have done that, restart MySQL and make sure it starts up. MySQL
places mysql.sock in /tmp, and the old socket is now hidden underneath the new
mount, so the server has to be restarted to recreate it; otherwise it might
have trouble starting. When it works, add this line to the bottom of
/etc/fstab so the filesystem is mounted automatically at boot:
Open the file in pico:
-----command-----
pico -w /etc/fstab
-----command-----
Now add this single line at the bottom:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
While we are at it, we are going to secure /dev/shm as well. Look for the
mount line for /dev/shm and change it to the following:
none /dev/shm tmpfs noexec,nosuid 0 0
Unmount and remount /dev/shm for the changes to take effect.
-----command-----
umount /dev/shm
mount /dev/shm
-----command-----
Next, delete the old /var/tmp and replace it with a symlink to /tmp, so it
picks up the same mount options. If rm reports that the directory is busy,
/var/tmp is a mount point of its own: unmount it first, or leave it in place
and give it noexec,nosuid in /etc/fstab just like /tmp.
-----command-----
rm -rf /var/tmp
ln -s /tmp /var/tmp
-----command-----
If everything still works fine, you can go ahead and delete the /tmp_backup
directory.
-----command-----
rm -rf /tmp_backup
-----command-----
Your /tmp, /var/tmp, and /dev/shm are now mounted in a way that no program
can be run directly from these directories. As I have said in other articles,
there are still ways in, but this is one of the many layers of security you
should have on your system.
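As an added example that is not part of the original guide: the checks above grep /etc/fstab, which only shows what is configured for the next boot. The script below reads the live mount table instead (/proc/mounts, whose lines have the form "device mountpoint fstype options dump pass" and which any user can read) and reports, for each of the three directories, whether it is a separate mount and whether noexec and nosuid are actually in effect. The sample mount table embedded in it is constructed for the demonstration, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original guide): audit that /tmp, /var/tmp and
# /dev/shm are separate mounts carrying noexec and nosuid.
# Pass a file in /proc/mounts format to audit a saved copy; with no argument
# the live /proc/mounts of this host is read.

# Constructed sample (not from a real machine): /tmp is done correctly,
# /dev/shm still has the stock options, /var/tmp is not a mount at all.
SAMPLE_MOUNTS='/dev/hda6 / ext3 rw,data=ordered 0 0
/dev/loop0 /tmp ext2 rw,noexec,nosuid 0 0
none /dev/shm tmpfs rw 0 0'

# mount_opts MOUNTPOINT [FILE]: print the option list of MOUNTPOINT, or nothing
# if it is not a mount point. The last matching line wins, as it does for the kernel.
mount_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }' "${2:-/proc/mounts}"
}

# has_opt OPTS OPT: succeed only if OPT is a whole element of the comma list,
# so "exec" does not match "noexec" by substring.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount MOUNTPOINT [FILE]: print a verdict and return
#   0 = separate mount with noexec and nosuid
#   1 = not a separate mount (still part of the parent filesystem)
#   2 = mounted, but one or both options are missing
check_mount() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "$1: NOT a separate mount; no mount option can restrict it"
        return 1
    fi
    missing=""
    for want in noexec nosuid; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -n "$missing" ]; then
        echo "$1: mounted with '$opts' but missing:$missing"
        return 2
    fi
    echo "$1: ok ($opts)"
    return 0
}

# audit_tmp_dirs [FILE]: check all three directories; return the worst status seen.
# On a live host a /var/tmp that is a symlink into /tmp (as the guide sets up)
# never appears in the mount table, so it is reported as covered by /tmp.
audit_tmp_dirs() {
    worst=0
    for mp in /tmp /var/tmp /dev/shm; do
        if [ "$mp" = /var/tmp ] && [ -z "$1" ] && [ -L /var/tmp ]; then
            echo "/var/tmp: symlink to $(readlink /var/tmp), covered by /tmp"
            continue
        fi
        rc=0
        check_mount "$mp" "$1" || rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}

# Stand-alone demo against the constructed sample. Run `audit_tmp_dirs` with
# no argument to audit the host you are on.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$demo"
rc=0
audit_tmp_dirs "$demo" || rc=$?
echo "worst status: $rc"
rm -f "$demo"
```

Against the sample the script reports /tmp as ok, /var/tmp as not a separate mount, and /dev/shm as mounted without noexec or nosuid, and exits with status 2. The whole-element match in has_opt matters: a naive substring grep for "exec" would be satisfied by "noexec", and a grep for "nosuid" would also be satisfied by a filesystem mounted "nosuid" but still executable.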


Comments
PHP & MySQL Issues
We noticed that PHP put its "session.save_path" in /tmp, so be sure to change that to something else. It can affect lots of web server programs.
In MySQL, I also had to add a variable to /etc/my.cnf:
tmpdir=/new/tmp/dir
Restart both services and you should be good.
-Tony
php
I have never had any trouble with the php sessions being removed, though I guess it is possible some clients may have had some php session issues.
The my.cnf should not have to be updated.
After I followed this
After I followed these instructions:
Create a ~800Mb partition
-----command-----
cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=800000
I got this message:
Drive Critical: /hda6 (/) is 100% full
So now I need help on how to undo and delete this 800 MB partition.
Now here is some info about the problem when it was 83% full.
Here is a snapshot of what is currently on the /hda6 partition:
root@zuniga [/]# du -ch --max-depth=1
16K ./lost+found
on the /hda6 I've got 490M in ./dev
13M ./etc
11M ./root
222M ./lib
5.9M ./bin
4.0K ./initrd
4.0K ./mnt
4.0K ./opt
12M ./sbin
4.0K ./misc
52K ./tftpboot
3.8M ./scripts
160K ./.cpan
3.3M ./eaccelerator
==========
(kf-10/24/2005 20:08:16):
It appears that most of the space is being consumed by the 'tmpMnt' file in your '/dev' directory. Did you previously have your '/tmp' directory mounted to this file?
--------------------------------------
Quoting you:"It appears that most of the space is being consumed by the 'tmpMnt' file in your '/dev' directory. "
No I did not mount /temp anywhere.
The question still remains :
How do we go about to remove this
temp file or unmount it ?
max zuniga
------------------------------------------
(kf-10/24/2005 20:49:07):
I have mounted this file to your '/mnt/tmp' directory with the following command.
mount -o loop /dev/tmpMnt /mnt/tmp
It appears that at one point your '/tmp' directory was mounted here. Did you ever secure your '/tmp' directory with the '/scripts/securetmp' script?
--------------------------------------
maxz-10/24/2005,
No, I never secured this file with a script.
Well, after this what should be done, because the warning light still shows 83% full on this partition?
------------------------------------------
(kf-10/24/2005 21:24:51):
That file has only been mounted to '/mnt/tmp' so you can view its contents. To clear up the space you will need to unmount that file with the umount command (umount /mnt/tmp) and then remove it. Is there anything else I can do for you?
--------------------------------------
"It appears that most of the space is being consumed by the 'tmpMnt' file in your '/dev' directory."
thanks,
------------------------------------------
(kf-10/25/2005 20:17:12):
The 'tmpMnt' file is still mounted to your '/mnt/tmp' directory. You can view the contents of that file by navigating to that directory.
Details:
root@zuniga [~]# ls /mnt/tmp
./ ../ jd_sockV4= lost+found/ mc-root/ mysql.sock@
root@zuniga [~]#
Please email me, this is urgent:
max@maxzuniga.com
Thanks to eth0.us and anybody for helping out
Best Regards from
Ontario, Canada
(Hablo Castellano)
cannot remove dir: Device or resource busy
Also, when I try to remove the directory, it says:
rm -rf /var/tmp/
rm: cannot remove dir : Device or resource busy
Thanks to eth0.us and anybody for helping out
Best Regards from
Ontario, Canada
(Hablo Castellano)
/etc/fstab :
this is:
/etc/fstab
LABEL=/ / ext3 defaults,usrquota $
LABEL=/boot /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
LABEL=/home /home ext3 defaults,usrquota $
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
LABEL=/tmp /tmp ext3 defaults
LABEL=/usr /usr ext3 defaults,usrquota $
LABEL=/var /var ext3 defaults,usrquota $
/dev/hda8 swap swap defaults 0 0
Thanks to eth0.us and anybody for helping out
Best Regards from Max Zuniga
Ontario, Canada
(Hablo Castellano)
Fixing
You already had a /tmp partition; you did not have to follow this entire guide. All you had to do was edit the fstab to start with. I believe I stated that in the guide.
1) Reboot
2) Delete /dev/tmpMnt
That should be it, since you did not add it to the fstab you should be fine.
Delete /dev/tmpMnt
Thanks eth00
This is true; after posting previously I realized my mistake
and deleted /dev/tmpMnt.
All OK now.
Thanks to eth0.us and anybody for helping out
Best Regards from Max Zuniga
Ontario, Canada
(Hablo Castellano)
I have a problem with -o loop
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
yields the message below:
mount: Could not find any loop device, and, according to /proc/devices,
this kernel does not know about the loop device.
(If so, then recompile or `insmod loop.o'.)
And I don't know what to do... Please help me...
loop
Sounds like you are running a custom kernel -- maybe a VZ VPS? If so, they won't let you do this, unfortunately.
Post your kernel version and Red Hat/CentOS version (if you are using one of the two) if you want me to try and see why you get that error.
Problem
I too have similar problem as above.
After following the tutorial, / reports 100% full.
Filesystem Size Used Avail Use% Mounted on
/dev/hda6 1012M 1012M 0 100% /
/dev/hdc1 111G 50G 56G 48% /home2
/dev/hda1 99M 25M 69M 27% /boot
/dev/hda5 90G 23G 63G 27% /home
none 996M 0 996M 0% /dev/shm
/dev/hda2 9.9G 2.6G 6.8G 28% /usr
/dev/hda3 6.9G 3.5G 3.2G 53% /var
/dev/tmpMnt 610M 92K 579M 1% /tmp
I then did 'pico -w fstab' but upon exiting, my fstab was saved at 0 bytes. The fstab is now empty.
I'm afraid to reboot this server, I don't think it will come back up without an fstab.
Please help!
full/
Your datacenter has a horrible partition scheme. You will need to mount the tmpmnt file in a place with more space.
Can I Increase the Size of the /tmp partition
Hi
I created a 190 MB tmp partition before (following eth00's instructions). Now I want to increase the tmp space to 900 MB.
How can I do this?
Regards
--------------------------
MahdiOnline
tmp
Look above at the guide, it is now set up for 800 MB
-----
cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=800000
All you need to do is change the 800000 to 900000
Hi
Hi
To increase my tmp partition I ran only this command:
cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=900000
and then restarted the server??
I think I made a mistake!! MySQL does not start!!!
I have no access to /tmpMnt!!!
Please help!!
--------------------------
MahdiOnline
logrotate crash due to noexec
If you change the '/tmp' dir to noexec, you need to make some minor changes to '/etc/cron.daily/logrotate', because logrotate uses the '/tmp' dir to execute some temporary scripts.
The changes are easy to do; you only need to declare the 'TMPDIR' var before the logrotate call in the cron script.
Original logrotate cron script
#!/bin/sh
/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0
Change to:
#!/bin/sh
export TMPDIR=/var/spool
/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
unset TMPDIR
exit 0
NOTE: I use the '/var/spool' dir, but you can use any other on which you have 'rwx' permissions.
Below is the sed command to auto-edit (one line):
sed -i -e '/\/usr\/sbin\/logrotate/i # Added due '/tmp' dir is 'noexec'\nexport TMPDIR=/var/spool\n' -e '/exit 0/i \\nunset TMPDIR\n' /etc/cron.daily/logrotate
Regards.
logwatch
That is really weird. I am not sure what problem you are having, but I have literally done this on hundreds of servers and logwatch operates just fine. Are you using a stock version of logwatch? I don't see any reason for it to fail.
logwatch?
Sorry? logwatch? I am talking about logrotate, not logwatch. But if you want to test what I say, you only need to launch '/usr/sbin/logrotate -f /etc/logrotate.conf' manually (the -f option forces the rotation now) and see what you get as the result code.
Look what happens:
# /usr/sbin/logrotate -f /etc/logrotate.conf
error: error running shared postrotate script for /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron
Now test the same after 'export TMPDIR=/var/spool'.
But you don't need to believe me, search Google for: 'logrotate /tmp noexec'
Regards.
Need advice on my results
The results of my "cat /etc/fstab |grep tmp" are as below:
/dev/sda3 /tmp ext3 defaults,noexec 1 0
none /dev/shm tmpfs defaults 0 0
Is this considered secure, or do I still need to follow the steps above?
Thank you
tmp
Change it to:
/dev/sda3 /tmp ext3 defaults,noexec,nosuid 1 0
none /dev/shm tmpfs defaults,noexec,nosuid 0 0
Then delete /var/tmp and link it to /tmp as shown above and you should be fine. You already have a /tmp partition, which not all servers have.
Is this way to secure tmp OK?
Place the code below in /etc/rc.local so the options get set on a reboot.
/bin/mount --bind /tmp /tmp
/bin/mount -o remount,noexec,nosuid /tmp
/bin/mount --bind /var/tmp /var/tmp
/bin/mount -o remount,noexec,nosuid /var/tmp
after reboot the file /dev/tmpMnt is gone
Hi,
I have a problem after rebooting my server. After I had done everything written above, I rebooted the server and then I saw the following in /var/log/boot.log:
Oct 7 14:08:01 viking mount: /dev/tmpMnt: No such file or directory
And it is true: when I check, there is no tmpMnt in /dev. How can I fix this problem?
I'm running CentOS 4.2
Mount as Noexec
My server has a /tmp directory; how can I mount it as noexec?
--------------------------
MahdiOnline
Cannot create /tmp
I tried to create /tmpMnt but I get the following error:
root@server3 [/dev]# cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=3000000
dd: writing `tmpMnt': No space left on device
What can I do?
--------------------------
MahdiOnline
/tmp corrupt
We have been running the secure /tmp directory for about a year now on CentOS 3.8. Everything has been fine until the last few weeks. We are now getting the following errors:
EXT2-fs error (device loop(7,0)): ext2_new_block: Free blocks count corrupted for block group 3
Any ideas about how to fix this?
________________
Allen