One area on a Linux dedicated server that is particularly vulnerable to attacks is the /tmp directory. It is designed to hold temporary files used by applications, but attackers may use an unprotected /tmp directory to launch scripts or bots. What follows are a few measures you can take to ensure your /tmp directory cannot be easily targeted.
1. /tmp as a separate partition. By default, the /tmp directory has read, write, and execute permissions, making it very vulnerable. By moving it to a separate partition from the root / partition, you can make it less likely that someone who gains access to /tmp will have access to your system files. For an example on CentOS, see this article.
2. Make /tmp non-executable. In /etc/fstab, make /tmp noexec. When finished it will look something like this: /tmp ext3 loop,noexec,nosuid,rw 0 0 Consult your distribution’s documentation for the best settings. [Note: before you make any changes to fstab, be sure to create a backup copy]
3. Install ModSecurity. This application firewall that we have previously highlighted will help prevent exploitation of web scripts, which is the main method hackers will use to gain access to /tmp
4. Avoid using /tmp for web scripts. If possible, use separate, more secure temporary directories for applications that are exposed to the web, and set the bare minimum permissions for that directory.
With any of these changes, you should make sure they will not adversely affect any applications you are running. Control panels like cPanel in particular, may not work well with some of these changes. Some dedicated hosts may even help you with your configuration. Consult the documentation and work carefully, backing up any files you change.
No comments:
Post a Comment