Web Hosting Forum | Lunarpages
Author Topic: Protect your /tmp Directory - Tutorial  (Read 2157 times)
Adelante (Chief Systems Administrator)
« on: January 04, 2006, 07:55:18 AM »

Lately there have been a lot of DoS (Denial of Service) attacks happening, and one of the main causes of these attacks is insecure /tmp directories.

Your /tmp directory is very dangerous, since it allows every single user the ability to write to it. So should you have an upload script on your site that may be exploitable, or even if there is a vulnerability in a program which allows for remote code execution, it will allow the person to upload a file into your /tmp directory, or even use remote code execution to take control of something like wget and download something into your /tmp directory (this is usually how DoS trojans and rootkits end up on your server).

But there is something you can do to help protect your /tmp directory:
===============================================

Firstly you need to stop all processes that are using your /tmp so you can work with it.

Code:
# lsof | grep /tmp

you should see something like this:

Code:
# lsof | grep /tmp
mysqld    21592  mysql    6u      REG        7,0         0         13 /tmp/ibtSj50S (deleted)
mysqld    21592  mysql    7u      REG        7,0         0         14 /tmp/ibRxcWMR (deleted)
mysqld    21592  mysql   10u      REG        7,0         0         15 /tmp/ibsqk6gR (deleted)
apache2   21620   root   60u      REG        7,0         0         16 /tmp/ZCUDqD8qem (deleted)
apache2   21855 apache   60u      REG        7,0         0         16 /tmp/ZCUDqD8qem (deleted)
apache2   21961 apache   60u      REG        7,0         0         16 /tmp/ZCUDqD8qem (deleted)
apache2   22105 apache   60u      REG        7,0         0         16 /tmp/ZCUDqD8qem (deleted)
apache2   22372 apache   60u      REG        7,0         0         16 /tmp/ZCUDqD8qem (deleted)
apache2   22378 apache   60u      REG        7,0         0         16 /tmp/ZCUDqD8qem (deleted)
apache2   22437 apache   60u      REG        7,0         0         16 /tmp/ZCUDqD8qem (deleted)
apache2   22510 apache   60u      REG        7,0         0         16 /tmp/ZCUDqD8qem (deleted)
apache2   22511 apache   60u      REG        7,0         0         16 /tmp/ZCUDqD8qem (deleted)
apache2   22574 apache   60u      REG        7,0         0         16 /tmp/ZCUDqD8qem (deleted)
apache2   22710 apache   60u      REG        7,0         0         16 /tmp/ZCUDqD8qem (deleted)
#

Stop those processes which are using your /tmp directory,
then copy and paste the following into your terminal window:

Code:
cd /
# create a 200 MB file-backed filesystem image for the new /tmp
dd if=/dev/zero of=/tmpdir bs=1024 count=200000
mkfs.ext3 -F /tmpdir
# keep the old /tmp as a backup and mount the image in its place
mv /tmp /tmp.backup
mkdir /tmp
mount -o loop,noexec,nosuid,rw /tmpdir /tmp
# 1777, not 0777: the sticky bit stops users deleting each other's files
chmod 1777 /tmp
# make the mount survive a reboot
if ! grep -qai tmpdir /etc/fstab ; then
echo "/tmpdir /tmp ext3 loop,noexec,nosuid,rw 0 0" >> /etc/fstab
fi
mount -a
# test: copy a binary in and try to run it from the noexec mount
cp /bin/ls /tmp/
/tmp/ls

it should return something like this:

Code:
-bash: /tmp/ls: Permission denied

If you see that, then you know everything has gone according to plan.

What the above does is create a storage medium (so to call it) at /tmpdir, and then mount /tmpdir on /tmp, but with the options loop,noexec,nosuid,rw.

It still won't stop rootkits or DoS files from being uploaded or downloaded into your /tmp directory, but it will sure as hell stop them from being executed.

Hope this helps

kthx
Dave Strydom


Logged
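The post's procedure has two checks done by eye: reading the lsof listing to find which processes to stop, and confirming afterwards that /tmp really is mounted noexec. The following shell script is an added example (not the post's own code) that automates both, plus the "copy something in and try to run it" test, against /proc/mounts-style text. The lsof lines and mount tables below are constructed for the demo, and checking for nodev in addition to noexec and nosuid is this example's assumption, not something the post does.

```shell
#!/bin/sh
# Audit helpers for the /tmp hardening in the post above (added example, not
# the post's own code). Assumptions of this example: nodev is checked as well
# as noexec and nosuid, and all sample data below is constructed.

# Constructed lsof-style output, modelled on the listing in the post, plus two
# lines that "grep /tmp" would match or miss in misleading ways.
SAMPLE_LSOF='mysqld    21592  mysql    6u      REG        7,0         0         13 /tmp/ibtSj50S (deleted)
mysqld    21592  mysql    7u      REG        7,0         0         14 /tmp/ibRxcWMR (deleted)
apache2   21620   root   60u      REG        7,0         0         16 /tmp/ZCUDqD8qem (deleted)
apache2   21855 apache   60u      REG        7,0         0         16 /tmp/ZCUDqD8qem (deleted)
sshd       1234   root  cwd       DIR        7,0      4096          2 /
cron       1300   root    3u      REG        7,0         0         40 /var/tmp/cron.lock'

# Constructed /proc/mounts-style text for three servers.
GOOD_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/tmpdir /tmp ext3 rw,nosuid,nodev,noexec 0 0'
BAD_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0'
WEAK_MOUNTS='/dev/sda1 / ext3 rw 0 0
/tmpdir /tmp ext3 rw 0 0'

# tmp_users TEXT [DIR]: unique PIDs in lsof output holding a file under DIR
# (default /tmp); these are the processes to stop before /tmp is moved aside.
# Unlike "grep /tmp", a path such as /var/tmp/x does not match DIR=/tmp.
tmp_users() {
    dir=${2:-/tmp}
    printf '%s\n' "$1" | awk -v dir="$dir" '
        { for (i = 1; i <= NF; i++)
              if ($i == dir || index($i, dir "/") == 1) { print $2; break } }' | sort -u
}

# check_tmp_mount TEXT [MOUNTPOINT]: verify from /proc/mounts-style text that
# MOUNTPOINT (default /tmp) is its own mount carrying noexec, nosuid and nodev.
# Returns 1 and says what is wrong otherwise.
check_tmp_mount() {
    mp=${2:-/tmp}
    opts=$(printf '%s\n' "$1" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount (lives on the parent filesystem)"
        return 1
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing options:$missing"
        return 1
    fi
    echo "$mp: ok ($opts)"
}

# exec_blocked DIR: the post's "cp /bin/ls /tmp/ && /tmp/ls" test, using a
# throwaway script instead of a system binary. Prints "blocked" when the
# kernel refuses to execute from DIR (noexec in effect), "allowed" otherwise.
exec_blocked() {
    probe="$1/noexec-probe.$$"
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 755 "$probe"
    if "$probe" 2>/dev/null; then echo allowed; else echo blocked; fi
    rm -f "$probe"
}

# Demo on the constructed data; nothing on the host is mounted or changed.
echo "holding /tmp open: $(tmp_users "$SAMPLE_LSOF" | tr '\n' ' ')"
check_tmp_mount "$GOOD_MOUNTS"
check_tmp_mount "$WEAK_MOUNTS" || true
scratch=$(mktemp -d)
echo "execution from $scratch: $(exec_blocked "$scratch")"
rmdir "$scratch"
# On a real server, as root, feed it live data instead:
#   tmp_users "$(lsof 2>/dev/null)"; check_tmp_mount "$(cat /proc/mounts)"
```

On a live box the interesting call is `check_tmp_mount "$(cat /proc/mounts)"` after the remount: it catches the case where the fstab line was added but `mount -a` never ran, so /tmp silently went back to living on the root filesystem after the next reboot.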
pimster (Spacescooter Operator)
« Reply #1 on: January 04, 2006, 08:25:46 PM »


Quote from: Adelante on January 04, 2006, 07:55:18 AM
But there is something you can do to help protect your /tmp directory:
===============================================

Firstly you need to stop all processes that are using your /tmp so you can work with it.

Code:
# lsof | grep /tmp


I'm guessing you're at some sort of command line/mode when you entered this text. But, how do I get there? Can I do this from Control Panel?
Logged
Adelante (Chief Systems Administrator)
« Reply #2 on: January 04, 2006, 10:02:40 PM »

You would need to log in via something like SSH to the server, and be the root user, in order to do this; the tutorial is more aimed at sysadmins who have root access to their servers.

kthx
Dave
Logged
pimster (Spacescooter Operator)
« Reply #3 on: January 05, 2006, 09:14:50 AM »

So there is no way someone on a shared host could take advantage of your tip and protect that directory?
Logged
GMTurner (Berserker Poster)
« Reply #4 on: January 05, 2006, 09:23:52 AM »

On the shared hosting, I believe those measures are already in place. This is more for those with dedicated servers who would want/need to do the configuration themselves I think...
Logged

Danielle (Administrator)
« Reply #5 on: January 23, 2006, 05:22:04 AM »

I also wanted to note that you should have /var/tmp symlinked to /tmp, as some will instead upload these malicious files to /var/tmp via exploited accounts.  Since /var/tmp shouldn't have anything in it by default, you can run these commands to set up the symlink (although you might want to check if you do have something in /var/tmp first using ls -l /var/tmp):

Code:
# change into /var first; if that fails, stop rather than run rm elsewhere
cd /var || exit 1
# relative name on purpose: a typo can never turn this into "rm -rf /var"
rm -rf tmp
ln -s /tmp /var/tmp

Note that the reason I do not write rm -rf /var/tmp is to ensure you cd (change directory) to /var first and rm -rf tmp only.  This avoids deleting something really important by a mistyping such as entering rm -rf /var and then accidentally hitting enter, which would be really, really bad.
Logged
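The reply above makes two points worth keeping together in code: check that /var/tmp is empty before removing it, and never write the absolute path after rm -rf. The function below is an added example (not the poster's own commands) that does both. The ROOT and TARGET parameters are this example's own, so the function can be rehearsed on a scratch directory, as the demo does, before it is run against / on a real server; the scratch contents are constructed.

```shell
#!/bin/sh
# Added example, not from the post: replaces var/tmp with a symlink to /tmp
# the way the post describes, with the "is it empty?" check done in code.
# ROOT and TARGET are this example's own parameters so it can be tried on a
# scratch directory first ("/" and "/tmp" on a real server).

# link_var_tmp [ROOT] [TARGET]
# The body is a subshell so the cd does not change the caller's directory.
link_var_tmp() (
    root=${1:-/}
    target=${2:-/tmp}
    vardir="${root%/}/var"
    # cd first, then "rm -rf tmp": the relative name means a typo can never
    # become "rm -rf /var". If the cd fails, stop instead of removing anything.
    cd "$vardir" || exit 2
    if [ -L tmp ]; then
        echo "var/tmp is already a symlink to $(readlink tmp)"
        exit 0
    fi
    # refuse to delete a /var/tmp that has files in it; the post's advice is
    # to look with "ls -l /var/tmp" and decide by hand in that case
    if [ -d tmp ] && [ -n "$(ls -A tmp)" ]; then
        echo "var/tmp is not empty; inspect it with 'ls -l $vardir/tmp' before replacing it" >&2
        exit 1
    fi
    rm -rf tmp
    ln -s "$target" tmp
    echo "var/tmp -> $target"
)

# Demo on two constructed scratch roots; nothing under the real /var is touched.
scratch=$(mktemp -d)
mkdir -p "$scratch/var/tmp"
link_var_tmp "$scratch"          # empty directory: replaced by the symlink
link_var_tmp "$scratch"          # second run: already a symlink, nothing to do

busy=$(mktemp -d)
mkdir -p "$busy/var/tmp"
: > "$busy/var/tmp/leftover"     # constructed leftover file
link_var_tmp "$busy" || echo "refused, as intended"

rm -rf "$scratch" "$busy"
# On a real server, as root:  link_var_tmp / /tmp
```

Because the symlink makes /var/tmp resolve onto the noexec mount from the first post, uploads that land there inherit the same "Permission denied" on execution. Note that anything placed in /var/tmp will now be lost on reboot if /tmp is cleared, which is the trade-off the post accepts.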

kavastudios (Space Explorer)
« Reply #6 on: May 25, 2007, 12:24:08 AM »

Thanks for the tutorial. I made this because somebody was uploading exploits and other kinds of scripts to my tmp directory, and when the scripts were executed my server became unresponsive. This happened many times and I didn't know how to stop it, but I think this will help a lot. Thank you so much.
Logged