Hack Prevention And Cleanup
From 5dollarwhitebox.org Media Wiki
Mount /tmp With noexec flag
The big defense against Apache-level hacks is to mount '/tmp' with the 'noexec' flag. This will prevent any uploaded scripts/binaries from being executed from '/tmp'. If you do not have the additional partition/hard disk space to create a separate '/tmp' partition, then you can work around this by creating a filesystem image in a regular file and mounting it on '/tmp' through a loop device:
linuxbox #] mkdir /opt/loopfs
linuxbox #] dd if=/dev/zero of=/opt/loopfs/tmpfs.img bs=1M count=1024
linuxbox #] mke2fs -j /opt/loopfs/tmpfs.img
linuxbox #] mv /tmp /tmp.old
linuxbox #] mkdir /tmp
linuxbox #] mount -o loop,rw,noexec,nosuid,nodev /opt/loopfs/tmpfs.img /tmp
linuxbox #] chmod 1777 /tmp
It is important to restart any services that may use /tmp, such as MySQL, Spamd, PostgreSQL, etc.
Then add the following to '/etc/fstab':
/opt/loopfs/tmpfs.img /tmp ext3 loop,rw,noexec,nosuid,nodev 1 2
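To confirm that the options actually took effect after the mount and after a reboot, the check below reads a mount table and reports which of noexec, nosuid and nodev are missing for a mountpoint. It is an added example, not part of the original wiki page; the function names and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: audit mount options for a mountpoint.
# Reads mount-table lines (/proc/mounts or /etc/fstab layout) on stdin and prints
# the required options that are absent.
# Returns 0 = all present, 1 = some missing, 2 = no entry for the mountpoint.
REQUIRED_OPTS="noexec nosuid nodev"

missing_opts() {
    mp=$1
    # Field 2 is the mountpoint and field 4 the option list in both layouts.
    # Keep the last match: a later mount on the same path shadows earlier ones.
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "no-entry"
        return 2
    fi
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;                 # option present
            *) missing="$missing $want" ;;  # option absent
        esac
    done
    missing=${missing# }
    echo "$missing"
    [ -z "$missing" ]
}

# Constructed sample: the loop mount from this page as /proc/mounts would list it.
sample_hardened() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Constructed sample: a later mount stacked over /tmp without noexec.
sample_weak() {
    sample_hardened
    echo '/dev/loop0 /tmp ext3 rw,nosuid,nodev,relatime 0 0'
}

# Demo on the constructed samples; on a live system feed it the real tables:
#   missing_opts /tmp < /proc/mounts ; missing_opts /tmp < /etc/fstab
for s in sample_hardened sample_weak; do
    result=$($s | missing_opts /tmp) || :
    echo "$s: missing=[$result]"
done
```

Running it against both /proc/mounts and /etc/fstab catches the case where the live mount is correct but the fstab entry was never added, so the protection disappears at the next reboot.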
