Secure Partitions

stealthhosts

----------------------------------------
This article is provided free by
Stealth IT Solutions Limited
It is free for non-distribution only.
Due to the nature of this data it may
not be edited, no data may be removed
including this text.
With thanks to admin0
myshashi2010@yahoo.com
No responsibility is accepted or implied
Proceed at your own risk
------http://www.stealthhosts.com-------

Why should partitions be secured?

Almost all of the exploits freely available on the internet to the general public target /tmp as the ideal place to write and compile exploits, and recently some new exploits target /var/tmp as well. Securing your /tmp and /var/tmp is therefore recommended!

--------------------------------------------------------------------------------
redhat, fedora & debian

The security of the partitions on your system is controlled via the file /etc/fstab.
To view your fstab file, log in as root and enter the following command:

more /etc/fstab

If your /etc/fstab does not look exactly like the one below, do not worry.

On Debian you might not see LABEL= entries, but the procedure is the same.

Code:
LABEL=/       /            ext3     defaults               1 1
LABEL=/boot   /boot        ext3     defaults               1 2
none          /dev/pts     devpts   gid=5,mode=620         0 0
none          /proc        proc     defaults               0 0
none          /dev/shm     tmpfs    defaults               0 0
LABEL=/home   /home        ext3     defaults               1 2
LABEL=/usr    /usr         ext3     defaults               1 2
LABEL=/var    /var         ext3     defaults               1 2
/dev/cdrom    /mnt/cdrom   iso9660  noauto,owner,kudzu,ro  0 0
/dev/fd0      /mnt/floppy  auto     noauto,owner,kudzu     0 0
/dev/hda3     swap         swap     defaults               0 0
/dev/hdb1     /backup      ext3     defaults               1 2

First, make a backup copy of your fstab.

Code:
cp /etc/fstab /etc/fstab.original

so that if something goes wrong, you have a backup copy from which to get your system started again.

Now, let's get started.

Assuming we already have a server whose disk is partitioned, we will now give /tmp and /var/tmp their own filesystems on our cPanel system without having to create new partitions: we simply create a file and mount it as a filesystem. If you have a spare hard disk, you can instead create physical partitions and dedicate them to /tmp and /var/tmp. On my servers I have used a size of 500 MB. On some busy servers that I look after, I had to increase the size from 500 MB to 1 GB, depending on the needs of the system. The example below uses 500 MB for /tmp and 100 MB for /var/tmp.

Warning: some of the commands below are destructive. Please understand what you are doing; do not change /etc/fstab or run the following commands unless you understand them.


Code:
cd /dev/
# create two zero-filled files to back the new filesystems:
# 512000 blocks of 1024 bytes = 500 MB, 102400 blocks = 100 MB
dd if=/dev/zero of=Tmp bs=1024 count=512000
dd if=/dev/zero of=varTmp bs=1024 count=102400

# format the files as ext3; because each target is a regular file rather than
# a block device, mkfs asks whether to proceed anyway: answer y to confirm
mkfs -t ext3 /dev/Tmp
mkfs -t ext3 /dev/varTmp

These commands create the files /dev/Tmp and /dev/varTmp, 500 MB and 100 MB in size respectively, and mkfs formats them as ext3 so that we are able to use them. If you need more than 500 MB, pass a larger count=xxx; for example, for 1 GB use "bs=1024 count=1024000".

Code:
cd /
# keep a copy of the current contents, then mount the new filesystem over /tmp
cp -aR /tmp /tmp_backup
mount -o loop,noexec,nosuid,rw /dev/Tmp /tmp
# copy everything back, including dot-files (a "/tmp_backup/*" glob would skip them)
cp -a /tmp_backup/. /tmp/
# world-writable with the sticky bit set, as /tmp must be
chmod 0777 /tmp
chmod +t /tmp

cd /var/
cp -aR /var/tmp /var/tmp_backup
mount -o loop,noexec,nosuid,rw /dev/varTmp /var/tmp
cp -a /var/tmp_backup/. /var/tmp/
chmod 0777 /var/tmp
chmod +t /var/tmp

run the command

Code:
df -h

which will show something like below at the last 2 lines of the output.

Code:
/dev/Tmp      500M   50M  450M  10%  /tmp
/dev/varTmp   100M  4.1M   95M   5%  /var/tmp

List all files

Code:
cd /tmp/ ; ls -al
cd /var/tmp/ ; ls -al

to ensure that all files are there. Then try restarting Apache and MySQL to check that they work without problems.

On cPanel systems, run:

Code:
/scripts/restartsrv httpd
/scripts/restartsrv mysql

After everything is confirmed OK, add the two lines at the end of the fstab below so that /tmp and /var/tmp are mounted at every reboot. The complete file then looks like this:

Code:
LABEL=/       /            ext3     defaults               1 1
LABEL=/boot   /boot        ext3     defaults               1 2
none          /dev/pts     devpts   gid=5,mode=620         0 0
none          /proc        proc     defaults               0 0
none          /dev/shm     tmpfs    defaults               0 0
LABEL=/home   /home        ext3     defaults               1 2
LABEL=/usr    /usr         ext3     defaults               1 2
LABEL=/var    /var         ext3     defaults               1 2
/dev/cdrom    /mnt/cdrom   iso9660  noauto,owner,kudzu,ro  0 0
/dev/fd0      /mnt/floppy  auto     noauto,owner,kudzu     0 0
/dev/hda3     swap         swap     defaults               0 0
/dev/hdb1     /backup      ext3     defaults               1 2
/dev/Tmp      /tmp         ext3     loop,rw,nosuid,noexec  0 0
/dev/varTmp   /var/tmp     ext3     loop,rw,nosuid,noexec  0 0
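Once the entries are in /etc/fstab, the options actually in effect after a reboot can be checked from /proc/mounts, where a loop mount shows up as /dev/loopN rather than as the backing file. The audit script below is an added example, not part of the original article: the mount table it checks by default is a constructed sample, and it also requires nodev, which the article explains further down but does not include in its mount lines.

```shell
#!/bin/sh
# Audit the mount options in effect on /tmp and /var/tmp.
# Constructed sample in /proc/mounts format: the loop mount of /dev/Tmp appears
# as /dev/loop0, and /var/tmp is deliberately missing noexec and nodev.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0
/dev/loop1 /var/tmp ext3 rw,nosuid 0 0
none /dev/shm tmpfs rw 0 0'

# missing_opts MOUNT_TABLE MOUNTPOINT OPT1,OPT2,...
# Prints the required options absent from MOUNTPOINT (nothing when all are set),
# or "notmounted" when MOUNTPOINT has no entry; exit status 0 only when complete.
missing_opts() {
    mounts=$1; mp=$2; required=$3
    line=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print; exit }')
    if [ -z "$line" ]; then
        echo notmounted
        return 1
    fi
    have=$(printf '%s\n' "$line" | awk '{ print $4 }')   # 4th field: options
    missing=""
    for opt in $(printf '%s\n' "$required" | tr ',' ' '); do
        case ",$have," in
            *",$opt,"*) ;;                                # option present
            *) missing="${missing:+$missing,}$opt" ;;
        esac
    done
    echo "$missing"
    [ -z "$missing" ]
}

# sticky_ok DIR: true when DIR carries the sticky bit set by "chmod +t", so
# users cannot delete or rename each other's files in the shared directory.
sticky_ok() {
    case $(ls -ld "$1" | cut -c10) in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone usage: audit the live mount table (or the sample when /proc/mounts
# is unavailable) and report on each temporary filesystem.
if [ -r /proc/mounts ]; then MOUNTS=$(cat /proc/mounts); else MOUNTS=$SAMPLE_MOUNTS; fi
for mp in /tmp /var/tmp; do
    if m=$(missing_opts "$MOUNTS" "$mp" nosuid,noexec,nodev); then
        echo "$mp: mount options ok"
    else
        echo "$mp: missing $m"
    fi
    sticky_ok "$mp" || echo "$mp: sticky bit not set"
done
```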


Explanation of terms:

noatime:
Whenever a file on the system is accessed, the system keeps a record: every time you read, write, access or link a file (or even think of it), the access time is recorded. The noatime option stops the kernel from updating the access-time record, which saves system I/O.

nosuid:
This ensures that the set-uid and set-gid bits on files in the filesystem are ignored, so you cannot run a suid file from there with elevated privileges.

nodev:
This ensures that device nodes in the filesystem are not honoured, so you cannot use devices from it.

noexec:
This ensures that you cannot run programs from the filesystem. You can also use this for your backup or archive drives.


Note:

Setting noexec on /tmp will prevent the use of certain streaming solutions, and will prevent the installation of DigiChat and other similar programs that put their temporary installation files in /tmp. Also, your cPanel users might not be able to download their daily backup file, and you might not be able to transfer a domain to another server using the WHM transfer account feature. Expect some feedback from users once you enable noexec on /tmp. cPanel updates WILL work despite noexec and nosuid on /tmp, since cPanel uses its own /tmp at update time.

--------------------------------------------------------------------------------
 