securing /tmp

MSafty · 01-05-2006, 04:11 AM

i'm looking for way to secure my /tmp directory
i have fedora core 2 work as web server with apache
sometimes crackers puts binary files in my /tmp directory
also i find some processes runs as http and when i restart the serveice i found that these prcesses are still working.
i want to find something to monitor my /tmp directory and to take action.

bigrigdriver · 01-05-2006, 06:58 AM

du -h /tmp to see how large your /tmp is.

Create a partition large enough to hold /tmp, then edit /etc/fstab to show the new partition. Mount it noexec to prevent executable files from running in /tmp.

mv the current /tmp into the new partition.

stickman · 01-05-2006, 02:28 PM

The problem is not with /tmp. You need to investigate what web content on your servers are allowing people to upload to your system. Secure your applications. Creating a larger /tmp without fixing the hole is only giving people more storage space on your system.

MSafty · 01-07-2006, 07:00 AM

sometimes i find that the load average is high then when i make #top -c to show what are the most processes that consumes more cpu cycles and memory,i find normal processes nobody with http and when i restart the httpd service i found that everything is cool and the load average reduced.
and sometimes when i stop the service httpd i find running http service and i don't know what is it?
i think that it is some of processes that crackers wants to execute from /tmp.

unSpawn · 01-07-2006, 12:31 PM

Like Stickman says, harden the box. If I understand correctly what you write then in your case you have to check your system, auth and daemon logs because it sounds like your box is/was a target. Did you run any auditing apps like Tiger, Chkrootkit / Rootkit Hunter?

MSafty · 01-08-2006, 10:54 AM

yes,Rootkit Hunter is running.

Vgui · 01-08-2006, 12:11 PM

That's an interesting point about mounting /tmp as noexec (and nosuid). I'll be doing that for my home system, thanks.

MSafty · 01-08-2006, 03:11 PM

yes,Rootkit Hunter is running.

MSafty · 01-09-2006, 05:41 PM

Thanks all the problem was solved.