This article is provided free by
Stealth IT Solutions Limited
It is free for non-distribution only.
Due to the nature of this data it may
not be edited, no data may be removed
including this text.
With thanks to admin0
myshashi2010@yahoo.com
No responsibility is accepted or implied
Proceed at your own risk
------http://www.stealthhosts.com-------
Why should partitions be secured?
Almost all of the exploits freely available on the internet target /tmp as the place to write and compile their payloads, and recently some new exploits target /var/tmp as well. Securing your /tmp and /var/tmp is therefore recommended.
--------------------------------------------------------------------------------
Red Hat, Fedora & Debian
The security of the partitions on your system is controlled via the file /etc/fstab.
To view your system's fstab, log in as root and enter the following command:
more /etc/fstab
If your /etc/fstab does not look exactly like the one below, do not worry.
On Debian you might not see LABEL= entries, but the procedure is the same.
Code:
LABEL=/          /            ext3     defaults                1 1
LABEL=/boot      /boot        ext3     defaults                1 2
none             /dev/pts     devpts   gid=5,mode=620          0 0
none             /proc        proc     defaults                0 0
none             /dev/shm     tmpfs    defaults                0 0
LABEL=/home      /home        ext3     defaults                1 2
LABEL=/usr       /usr         ext3     defaults                1 2
LABEL=/var       /var         ext3     defaults                1 2
/dev/cdrom       /mnt/cdrom   iso9660  noauto,owner,kudzu,ro   0 0
/dev/fd0         /mnt/floppy  auto     noauto,owner,kudzu      0 0
/dev/hda3        swap         swap     defaults                0 0
/dev/hdb1        /backup      ext3     defaults                1 2
First, make a backup copy of your fstab,
Code:
cp /etc/fstab /etc/fstab.original
so that if something goes wrong you have a known-good copy to boot your system with.
Now, let's get started.
Assuming we already have a server with dedicated partitions, we will now provide /tmp and /var/tmp partitions to our cPanel system without having to create new partitions. We simply create a file and mount it as a filesystem. If you have a spare hard disk, you can instead create physical partitions and dedicate them to /tmp and /var/tmp. On my servers I have used a 500 MB size; on some busy servers that I look after I had to increase it from 500 MB to 1 GB depending on the needs of the system. The example below uses 500 MB for /tmp and 100 MB for /var/tmp.
Warning: some of the commands below are destructive. Please understand what you are doing; do not play with /etc/fstab or with the following commands unless you understand them.
Code:
cd /dev/
dd if=/dev/zero of=Tmp bs=1024 count=512000
dd if=/dev/zero of=varTmp bs=1024 count=102400
mkfs -t ext3 /dev/Tmp
mkfs -t ext3 /dev/varTmp
(mkfs will warn that the target is not a block special device and ask whether to proceed; answer y for each file.)
These commands create the files /dev/Tmp and /dev/varTmp, 500 MB and 100 MB in size respectively, and mkfs formats them as ext3 so that they can be mounted. If you need a size larger than 500 MB, adjust the count= value; for example, for 1 GB use "bs=1024 count=1024000". Note that on systems where /dev is a tmpfs managed by udev, files created under /dev do not survive a reboot; on such systems place the image files on a persistent filesystem instead and adjust the paths accordingly.
Code:
cd /
# keep a copy of the current contents before mounting over /tmp
cp -a /tmp /tmp_backup
mount -o loop,noexec,nosuid,rw /dev/Tmp /tmp
# copy everything back, including dot-files (a "/*" glob would skip them)
cp -a /tmp_backup/. /tmp/
# world-writable with the sticky bit, as /tmp must be
chmod 0777 /tmp
chmod +t /tmp
cd /var/
cp -a /var/tmp /var/tmp_backup
mount -o loop,noexec,nosuid,rw /dev/varTmp /var/tmp
cp -a /var/tmp_backup/. /var/tmp/
chmod 0777 /var/tmp
chmod +t /var/tmp
Run the command
Code:
df -h
which will show something like the following in the last two lines of its output:
Code:
/dev/Tmp       500M   50M  450M  10% /tmp
/dev/varTmp    100M  4.1M   95M   5% /var/tmp
List all files
Code:
cd /tmp/ ; ls -al
cd /var/tmp/ ; ls -al
to ensure that all files are present. Then restart Apache and MySQL to check that they work without problems; on cPanel systems, you do:
Code:
/scripts/restartsrv httpd
/scripts/restartsrv mysql
After everything is confirmed OK, add the two lines at the end of the fstab below so that /tmp and /var/tmp are mounted at every reboot.
Code:
LABEL=/          /            ext3     defaults                1 1
LABEL=/boot      /boot        ext3     defaults                1 2
none             /dev/pts     devpts   gid=5,mode=620          0 0
none             /proc        proc     defaults                0 0
none             /dev/shm     tmpfs    defaults                0 0
LABEL=/home      /home        ext3     defaults                1 2
LABEL=/usr       /usr         ext3     defaults                1 2
LABEL=/var       /var         ext3     defaults                1 2
/dev/cdrom       /mnt/cdrom   iso9660  noauto,owner,kudzu,ro   0 0
/dev/fd0         /mnt/floppy  auto     noauto,owner,kudzu      0 0
/dev/hda3        swap         swap     defaults                0 0
/dev/hdb1        /backup      ext3     defaults                1 2
/dev/Tmp         /tmp         ext3     loop,rw,nosuid,noexec   0 0
/dev/varTmp      /var/tmp     ext3     loop,rw,nosuid,noexec   0 0
Explanation of terms:
noatime:
Whenever a file in the system is accessed, the system keeps a record: whenever you read, write, access, link (or even think of) a file, the kernel records the access time. The noatime option stops the kernel from updating the access time, which saves system I/O.
nosuid:
This ensures that the set-user-ID and set-group-ID bits on files in the filesystem are ignored, so you cannot run any suid file from it with elevated privileges.
nodev:
This ensures that device special files on the filesystem are not honoured, so you cannot have usable devices in it.
noexec:
This ensures that programs cannot be executed directly from the filesystem. You can use this for your backup or archive drives. It is one layer of defence rather than a complete control, so combine it with nosuid and nodev.
Note:
Setting noexec on /tmp will prevent the use of certain streaming solutions, as well as the installation of DigiChat and other similar programs that put their temporary installation files in /tmp. Also, your cPanel users might not be able to download their daily backup file, and you might not be able to transfer a domain to another server using the WHM transfer account feature. Expect some feedback once you enable noexec on /tmp. cPanel update WILL work despite noexec and nosuid on /tmp, since it uses its own /tmp at update time.
--------------------------------------------------------------------------------