Vulnerable files in /tmp : Secure /tmp

Sometimes web servers show abnormal load, or we get an abuse alert from our DC about a packet flood originating from our server. In most cases some malicious “.pl” files are causing the problem.

I have added a new post in the security section; for more details about Linux server security click here: Linux Server Security

Usually the following steps will help you fix this type of compromise permanently.

Phase I (Find the cause)

Check the currently running processes using the top command:

$ nice top -c (usually you will see some “a.pl” / “b.pl” files running and eating most of the server's resources)

Find the exact location of the malicious process:

$ lsof -p <process id> | more

Strip all permissions from the file location (chmod 000) and move the files to a backup for further investigation.

For example, if it is running from /tmp/abc:
$ mv /tmp/abc /tmp/abc_bkp
$ chmod -R 000 /tmp/abc_bkp
$ ps aux | grep '\.pl'    (the dot is escaped so grep matches a literal “.pl” rather than any character followed by “pl”)

$ kill -9 <pids>

This stops the malicious file from being executed again.

Phase II (Prevention is better than cure)

1) Secure /tmp

/tmp is world-writable, which gives intruders a convenient place to drop and run their files.

If you are concerned about your web server's security, then /tmp should be secured.

Create a 1 GB file-backed filesystem image that will be loop-mounted as /tmp:
$ dd if=/dev/zero of=/dev/tmpFS bs=1M count=1024

$ /sbin/mkfs.ext3 /dev/tmpFS

Create a backup copy of your current /tmp drive:
$ cp -rpf /tmp /tmpbackup

Mount the image over /tmp with noexec and nosuid, and restore the sticky bit:
$ mount -o loop,noexec,nosuid,rw /dev/tmpFS /tmp
$ chmod 1777 /tmp

Copy the old data back:
$ cp -Rpf /tmpbackup/* /tmp/
$ rm -rf /tmpbackup

Permanent mounting:
Edit /etc/fstab and add this line:
/dev/tmpFS  /tmp  ext3   loop,nosuid,noexec,rw 0 0
$ mount -o remount /tmp

Secure /var/tmp (make it a symlink to the hardened /tmp):

$ mv /var/tmp /var/tmp1
$ ln -s /tmp /var/tmp

Copy the old data back (-R so that subdirectories are copied too):
$ cp -Rpf /var/tmp1/* /tmp/
$ rm -rf /var/tmp1

Secure /dev/shm:
Change the following line in /etc/fstab from
“none /dev/shm tmpfs defaults,rw 0 0” to
“none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0”

Remount /dev/shm:
$ mount -o remount /dev/shm

Note that you should restart the services that use /tmp (e.g. MySQL) so that they keep working properly.

2) Compile PHP as CGI

3) Install Apache mod_security

4) Remove shell access for all service users such as apache, mysql, nagios and nobody

5) Disable dangerous PHP functions in php.ini
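The /tmp, /var/tmp and /dev/shm hardening in step 1 is easy to undo by a later remount or an edited fstab, so it is worth checking. The following audit script is an added example, not part of the original post; it assumes a hypothetical file name audit_tmp.sh and uses a constructed /proc/mounts sample, and only /tmp and /dev/shm are checked because the post turns /var/tmp into a symlink to /tmp.

```shell
#!/bin/sh
# Added example, not from the original post: audits whether the mount points
# the post hardens carry the nosuid and noexec options it sets. It reads
# /proc/mounts-format text from stdin, so it runs against the live system or
# against the constructed sample below (sh audit_tmp.sh --live for the former).

# Constructed sample in /proc/mounts format: /tmp hardened as in the post,
# /dev/shm still on its default options. /var/tmp does not appear because the
# post makes it a symlink to /tmp rather than a separate mount.
SAMPLE_MOUNTS='/dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0
none /dev/shm tmpfs rw 0 0
/dev/sda1 / ext3 rw 0 0'

# missing_opts MOUNTPOINT OPT1,OPT2,...  reads mounts from stdin and prints the
# required options that are absent for MOUNTPOINT (all of them if it is not
# mounted at all). Returns 0 when nothing is missing, 1 otherwise.
missing_opts() {
    # Field 4 of /proc/mounts is the option list; keep the last match, since a
    # later mount on the same point shadows an earlier one.
    opts=$(awk -v mp="$1" '$2 == mp { o = $4 } END { print o }')
    missing=
    for want in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# audit_mounts reads mounts from stdin, prints one line per hardened directory
# and returns the number of directories that fail the check.
audit_mounts() {
    mounts=$(cat)            # buffer stdin so every check can re-read it
    failures=0
    for mp in /tmp /dev/shm; do
        if m=$(printf '%s\n' "$mounts" | missing_opts "$mp" nosuid,noexec); then
            echo "OK   $mp"
        else
            echo "FAIL $mp (missing: $m)"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

if [ "${1-}" = "--live" ]; then
    audit_mounts < /proc/mounts
fi
```

A non-zero exit status means at least one of the directories has lost its noexec or nosuid protection, which is the state to alert on.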

I have added a detailed post in the security section: Linux Server Security