securing /tmp &
Hi there,
I have been hit hard by scripts running rampant in /tmp.
I did 2x things to help get my server back under my control so that I could spend the time to find the real hole and patch accordingly.
1)edit /etc/php.ini
change:
allow_url_fopen = On
allow_url_fopen = Off
run: apachectl graceful
reason: if allow_url_fopen is enabled, this system can be exploited by simply changing the value of the variable in a PHP querystring. This happend to me time and time again with sites running JOOMLA.
2) Secure the /tmp directory
you can also go here:
http://kb.swsoft.com/article_38_1410_en.html
Securing /tmp
The /tmp partition is one the common places for script kiddies and crackers alike to place trojans or scripts. Because of that you should have the /tmp partition mounted noexec. First we need to check if your /tmp is secure.
shell: df -h |grep tmp
If that displays nothing then go below to create a tmp partition. If you do have a tmp partition you need to see if it mounted with noexec.
shell: cat /etc/fstab |grep tmp
If there is a line that includes /tmp and noexec then it is already mounted as non-executable. You will also want to check if /var/tmp is linked to /tmp.
shell: ls -alh /var/ |grep tmp
If it shows something to the effect of "tmp -> /tmp/" then you are ok. If not go ahead an remove the old /var/tmp and replace it with a sym link to /tmp.
shell: rm -rf /var/tmp/
shell: ln -s /tmp/ /var/
If you do not have any /tmp partition you will need to follow the directions below to create and mount a partition.
Create a 190Mb partition
shell: cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=200000
Format the partition
shell: mke2fs /dev/tmpMnt
Make a backup of the old data
shell: cp -Rp /tmp /tmp_backup
Mount the temp filesystem
shell: mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
Set the permissions
shell: chmod 1777 /tmp
Copy the old files back
shell: cp -Rp /tmp_backup/* /tmp/
Once you do that go ahead and start mysql and make sure it works ok.
If it does you can add this line to the bottom of the /etc/fstab to automatically have it mounted:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:
none /dev/shm tmpfs noexec,nosuid 0 0
Umount and remount /dev/shm for the changes to take effect.
shell: umount /dev/shm
shell: mount /dev/shm
If everything still works fine you can go ahead and delete the /tmp_backup directory.
shell: rm -rf /tmp_backup
Hope that helps, i know i have not had further issues since then.