PDA

View Full Version : How to make /tmp, /var/tmp, /dev/shm noexec,nosuid (even on OpenVZ)



Fli
09-10-2017, 10:14 PM
This article contains various ways to secure /tmp, the information here is years old, so it may be outdated, but can give some idea.

How to make /tmp, /var/tmp, /dev/shm noexec,nosuid (even on OpenVZ)
(aim is to reduce chances malicious scripts are executed on the server from these directories which are writable by all users, including hackers who exploit hosted php scripts)
I tested following steps and it worked for me. Though there are two more simple tutorials (but these do not include synchronization of the tmp contents):
https://www.************/clients/knowledgebase/144/How-to-secure-ortmp-orvarortmp-and-ordevorshm-with-OpenVZ.html
http://pingbin.com/2011/06/centos-secure-tmp/

1. Make sure each tmpfs mount point is set in /etc/fstab (i added following lines):
none /dev/shm tmpfs noexec,nosuid 0 0
tmpfs /tmp tmpfs noexec,nosuid 0 0
tmpfs /var/tmp tmpfs noexec,nosuid 0 0

2. Stop services that may work with tmp:
service httpd stop;service nginx stop;service mysql stop;service cpanel stop

3. Make backup of the directories:
mkdir -p /tmpbackup/{var,shm};rsync -a /tmp/ /tmpbackup/ && rsync -a /var/tmp/ /tmpbackup/var/ && rsync -a /dev/shm/ /tmpbackup/shm/

4. mount/remount tmpfs mount points:
mount /tmp && mount /var/tmp && mount /dev/shm && mount -o remount /tmp && mount -o remount /var/tmp && mount -o remount /dev/shm && echo "" && mount |grep -v virtfs

5. Restore backups (will not replace existing newer files on destination):
rsync -au /tmpbackup/ /tmp/ && rsync -au /tmpbackup/var/ /var/tmp/ && rsync -au /tmpbackup/shm/ /dev/shm/

6. start the services
ls -a /var/tmp /tmp /dev/shm|grep -v sess_;service httpd start;service nginx start;service mysql start;service cpanel start

you should have new noexec tmpfs (RAM) based tmp mount points. In my case:

# mount

none on /dev/shm type tmpfs (rw,nosuid,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,noexec,relatime)
tmpfs on /var/tmp type tmpfs (rw,nosuid,noexec,relatime)

# df -h|grep -v virtfs

Filesystem Size Used Avail Use% Mounted on
/dev/simfs 340G 104G 237G 31% /
none 9.0G 4.0K 9.0G 1% /dev
none 9.0G 4.0K 9.0G 1% /dev/shm
tmpfs 9.0G 1.8M 9.0G 1% /tmp
tmpfs 9.0G 4.0K 9.0G 1% /var/tmp

cPanel staff said this tmpfs setup is common and 9G in my case is not a problem as it is virtual size, 9G because my VPS has 18G RAM allocated.

---
Another notes regarding /tmp securing:

.htaccess in /tmp will work - You could just put one in / as well though, rather than /tmp - covering all bases.
/scripts/securetmp
http://pingbin.com/2011/06/centos-secure-tmp/
chmod 000 /usr/bin/*cc*
/scripts/compilers off
chmod your compilers, lynx, wget etc so nobody but you can use them.
Install open_basedir
Disable cgi in cpanel packages.
/usr/local/maldetect/conf.maldet (set quar hits to 1 and "exlude" kind of variable to exclude mysql user and group), then setup cron: crontab -e ; add: @reboot /usr/local/sbin/maldet -m /tmp,/var/tmp,/dev/shm
setup scan on non-busy hours of recent files? (maldet -r BUT disable quarantining for that scan? or no?)
https://www.configserver.com/cp/cpanel.html
Also having directories like /tmp locked and restricted access to binaries like wget can help a ton.
check and change file/fodler permissions to 644 755 no 777!

I have seen .pl script added into /tmp and abusing server, so one may delete all /tmp/*.pl on regular basis:

.pl files deleter:

# cat /root/remove_tmp_pl
while true;do
find /tmp -type f -iname "*.pl" -delete
find /var/tmp -type f -iname "*.pl" -delete
find /dev/shm -type f -iname "*.pl" -delete
sleep 1
done

* * * * * touch /tmp/test.pl;sleep 3;if [ -f /tmp/test.pl ];then /bin/sh /root/remove_tmp_pl &;fi
@reboot /bin/sh /root/remove_tmp_pl