How to secure /tmp partitions on a Linux server

One downside to running your own server is that you are responsible for making sure it is secure against hackers and people trying to use it for unauthorized or illegal activities. I am responsible for a server that was being used to attack another server. I found that the hackers had uploaded a script to the /tmp folder and were running it from there.

Of course I stopped the script and removed it from the tmp folder. But I needed a way to keep this from happening again.

One problem: the whole reason the /tmp folder exists is that every program on the system needs a place it can write to and read from, so it cannot simply be removed or made read-only. What is needed is a way to keep files in /tmp from being executed, which is what mounting it with the noexec (and nosuid) options does. Keep in mind what noexec does and does not cover: the kernel refuses to execute a file on that filesystem directly, but an attacker who already has a shell can still run "sh /tmp/script.sh" or "perl /tmp/bot.pl", because then it is the interpreter that gets executed, not the file. So this closes the easy path that script kiddies use, but it is one layer, not a complete fix.

After some Googling around, I found step-by-step instructions on how to do this.

These are the details of how I implemented the instructions at
http://sysadmingear.blogspot.com/2007/10/how-to-secure-tmp-and-devshm-partition.html
which explain how to secure the tmp and shm folders so script kiddies can’t run their IRC bots from there; that page has some small typos.

So, I am putting the commands I ran to do it here:

1. Check that your /tmp folder is not already mounted separately:
mount | grep tmp

The results should NOT contain a line like “/something on /tmp type ext3 (rw,noexec,nosuid)”.
If they do, /tmp is already its own filesystem and the loop file created below is not needed: instead add nosuid,noexec to the options of the existing /tmp entry in /etc/fstab and remount it as in step 6.

2. Create a 1 GB file to mount /tmp on and create an ext3 file system on it:

dd if=/dev/zero of=/dev/tmpFS bs=1024 count=1000000
/sbin/mkfs.ext3 /dev/tmpFS

mkfs.ext3 will warn that /dev/tmpFS is not a block special device and ask whether to proceed; answer y (or pass it -F). One caveat: on systems where /dev is itself a devtmpfs or tmpfs, a file created there lives in RAM and is gone after a reboot, which would break the fstab entry in step 5. On such a system put the backing file on a persistent filesystem instead and use that path in every command and in the fstab line.

3. Back up the current /tmp folder, mount the new filesystem over it, and copy the backup back into it (the copy back uses /tmpbackup/. rather than /tmpbackup/* so that dot-files are included too):

cp -Rpf /tmp /tmpbackup
mount -o loop,noexec,nosuid,rw /dev/tmpFS /tmp
chmod 1777 /tmp
cp -Rpf /tmpbackup/. /tmp/

Programs that already have files or sockets open under the old /tmp keep using the now-hidden originals until they are restarted, so do this at a quiet time.

4. Check that it is mounted the way you want:

mount

you should see the following in the results:

/dev/tmpFS on /tmp type ext3 (rw,noexec,nosuid)

5. Add it to your fstab so it will be remounted on reboot:

vim /etc/fstab
or
nano /etc/fstab

and add a line like:

/dev/tmpFS /tmp ext3 loop,nosuid,noexec,rw 0 0

While you are in there, find the line that looks like:

tmpfs /dev/shm tmpfs defaults 0 0

and change it to look like:

tmpfs /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0

to secure the tmpfs mounted on /dev/shm. If there is no /dev/shm line at all (newer systems mount it without an fstab entry), add the hardened line as shown.

6. Test your fstab entries by remounting both filesystems from them:

mount -o remount /tmp
mount -o remount /dev/shm

Now secure /var/tmp by moving it aside and pointing it at the hardened /tmp:

cd /var
mv tmp tmp1
ln -s /tmp /var/tmp

Anything that was in /var/tmp is now in /var/tmp1; copy it into /tmp if something still needs it. Note that /var/tmp is meant to survive reboots while /tmp may be cleared at boot, so programs that rely on that difference lose it with this symlink.
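To check the result of steps 1 to 6 and the /var/tmp change (and to add the options to fstab lines without hand-editing typos into them), here is a small shell script. It is an added example written for this page, not code from the original post or from the linked guides. It reads a mount table in the format of /proc/mounts, where a loop mount shows up as /dev/loop0 rather than /dev/tmpFS, and reports which of /tmp, /dev/shm and /var/tmp lack nosuid or noexec. The sample table embedded in it is constructed, and the function names and the TMP_AUDIT_LIVE variable are my own.

```shell
#!/bin/sh
# Added example for this page (not from the original post): audit the mount
# options the steps above set, and add nosuid,noexec to fstab lines.
# Works on a mount table passed in as text, so it runs offline on the
# constructed sample below; set TMP_AUDIT_LIVE=1 to check the running system.

# Options every temp filesystem must carry (assumption: the set the post uses).
REQUIRED_OPTS="nosuid noexec"

# fstab_harden_line LINE: print the fstab LINE with each required option
# appended to the options field (column 4) unless it is already there.
# Comment and blank lines pass through untouched. Fields are re-joined
# with single spaces, which fstab accepts.
fstab_harden_line() {
    printf '%s\n' "$1" | awk -v req="$REQUIRED_OPTS" '
        /^[ \t]*(#|$)/ || NF < 4 { print; next }
        {
            n = split(req, want, " ")
            opts = $4
            for (i = 1; i <= n; i++)
                if (("," opts ",") !~ ("," want[i] ",")) opts = opts "," want[i]
            $4 = opts
            print
        }'
}

# mounts_missing_opts TABLE MOUNTPOINT...: TABLE is text in /proc/mounts
# format (device mountpoint fstype options dump pass). For each MOUNTPOINT
# print one line per missing required option, or "<mp> not mounted
# separately" if it has no entry of its own. Returns 1 if anything was
# reported, 0 if every mount point is fully protected.
mounts_missing_opts() {
    table=$1
    shift
    bad=0
    for mp in "$@"; do
        # The last matching entry wins: it is the topmost mount on that path.
        opts=$(printf '%s\n' "$table" | awk -v m="$mp" '$2 == m { o = $4 } END { print o }')
        if [ -z "$opts" ]; then
            echo "$mp not mounted separately"
            bad=1
            continue
        fi
        for o in $REQUIRED_OPTS; do
            case ",$opts," in
                *",$o,"*) ;;
                *) echo "$mp missing $o"; bad=1 ;;
            esac
        done
    done
    return "$bad"
}

# audit_live_system: check the running kernel's mount table. /var/tmp is
# resolved first, so the symlink to /tmp created above is checked as /tmp.
audit_live_system() {
    mounts_missing_opts "$(cat /proc/mounts)" /tmp /dev/shm "$(readlink -f /var/tmp)"
}

# Constructed sample table: /tmp done right (the loop device, not /dev/tmpFS,
# is what /proc/mounts shows), /dev/shm still mounted with the defaults, and
# /var/tmp not a mount point at all.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0'

if [ "${TMP_AUDIT_LIVE:-0}" = 1 ]; then
    audit_live_system
else
    mounts_missing_opts "$SAMPLE_MOUNTS" /tmp /dev/shm /var/tmp || echo "fix the mounts listed above"
    fstab_harden_line 'tmpfs /dev/shm tmpfs defaults 0 0'
fi
```

Run it as-is to see the report on the constructed sample; run it with TMP_AUDIT_LIVE=1 on the server after step 6 and again after the /var/tmp change, and expect no output at all. The check reads /proc/mounts rather than the output of the mount command because /proc/mounts is what the kernel actually enforces, whereas old mount binaries only echo /etc/mtab.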

And now the server is a little more secure. (still not perfect – I need to find the webpage that the hackers used to put the scripts there.)

Warning! If this is all you have done, then your server is not secure! You need to at least do the following:
I have already done all the security stuff mentioned at
http://aymanh.com/tips-to-secure-linux-workstation

And the server is already locked down to only allow HTTP, HTTPS and SMTP using iptables firewall rules. See
http://pierre.linux.edu/2010/04/using-iptables-to-secure-your-webserver/ for instructions on iptables.

I hope this info helps someone! let me know either way in the comments.
