  1. #1
    Join Date
    May 2004
    Location
    Blue Springs, Missouri
    Posts
    366

    questions about /tmp

    I've been having problems with script kiddies lately and have been finding random things in /tmp and /var/tmp, and have found something in /dev/shm.

    My question is: what can I do to not allow things to be executed from those locations? My problem is that when LayeredTech set up the server they set everything up on one partition, so I'm not able to pass options for /tmp in /etc/fstab.

    This is what my /etc/fstab looks like.

    # This file is edited by fstab-sync - see 'man fstab-sync' for details
    LABEL=/ / ext3 defaults,usrquota,grpquota 1 1
    LABEL=/boot /boot ext3 defaults 1 2
    none /dev/pts devpts gid=5,mode=620 0 0
    none /proc proc defaults 0 0
    none /dev/shm tmpfs defaults 0 0
    /dev/hda2 swap swap defaults 0 0


    Does anybody have any suggestions for me?

  2. #2
    Off the top of my head, you can try using virtual nodes to mount /tmp separately. The idea is that you use the dd command to create a big zeroed image, and use the virtual node support of your OS (FreeBSD uses vnconfig, Linux has something else, losetup and one other I believe). Then you can make a file system on the virtual node and mount it to /tmp with noexec, etc. There is a slight performance hit to using this but probably not noticeable.

    Now, even doing so isn't going to be all that helpful. A lot of script kiddies write Perl scripts and execute them with perl /tmp/whatever.pl, and noexec is not going to help with this.

    You would be better off making sure all the scripts on your server are up to date so they don't get in to begin with. You may be able to monitor your server and when you see it execute, try to trace it back to the account that's executing it. Usually it will be one account (CGI/PHP script) executing the program over and over and fixing it will really speed up your server.

  3. #3
    Join Date
    May 2003
    Location
    Florida
    Posts
    877
    I would suggest contracting with one of the more experienced admins to secure your tmp directory. Somebody like rack911.com should be able to secure this for you.

  4. #4
    Join Date
    Jun 2003
    Location
    Janesville, Wi
    Posts
    1,516
    When you create that big empty file and mount it as /tmp, you can do what I did in /etc/fstab

    First, make a big empty file, say /usr/tmpDSK and mount it as /tmp. Then symlink /var/tmp -> /tmp

    In /etc/fstab, append the following lines:

    Code:
    /usr/tmpDSK             /tmp                    ext3    defaults,noatime,noexec,nosuid,nodev,loop,rw 0 0
    /tmp                    /var/tmp                ext3    defaults,noatime,noexec,nosuid,nodev,bind,rw 0 0
    That will protect you from most problematic script kiddies, but as HE just said above: this does not stop Perl scripts from executing. Annoying, isn't it?

    I actually have a crontab which runs "rm -f /tmp/*.pl" every minute. There is no reason for Perl scripts to be in /tmp, so I may as well delete them.
    Jakiao

  5. #5
    You make a good point, Jakiao... there's no use for Perl scripts in /tmp and, now that you mention it, any executable files at all? Since script kiddies probably default to setting 755 perms, you might do a find for all files that are executable and delete those. You could get creative and grep for /usr/bin/perl or #! or something. Use your imagination.

  6. #6
    Join Date
    Jun 2003
    Location
    Janesville, Wi
    Posts
    1,516
    For Apache, there is zero use for executables of any kind in /tmp. But do not forget what /tmp is really for. You're logged in as root and you go to install a program. Many programs write all of their temporary executables to /tmp.

    A more advanced way to delete any and all executables from /tmp immediately would be to use "find" to find all files owned by httpd and check if they are executables or not. If so, delete them.
    Jakiao

  7. #7
    Join Date
    May 2004
    Location
    Blue Springs, Missouri
    Posts
    366
    Heh. I always love when somebody chimes in with "talk to so and so and they can do it for you." That's not what I was asking for ...

    But to the rest of you, thanks for the ideas.

    Jakiao, how effective do you think that cron entry is? Security isn't my strong point, but from what I've seen to this point things that shouldn't be in /tmp are tucked deep within the directory, in places like /tmp/ /httpd/bin/script.pl or something similar to that.

    Another question, do you guys chmod sendmail so nobody has access to it? It seems like not too many things use sendmail, so is that a viable option? I'm also looking for something that goes very in depth with exim logging, to see who's sending what where. It'd be nice if it was in pretty html/php as well.

    thanks for all the help guys.

  8. #8
    Join Date
    May 2003
    Location
    Florida
    Posts
    877
    Quote Originally Posted by omaha.stylee
    Heh. I always love when somebody chimes in with "talk to so and so and they can do it for you." That's not what I was asking for ...

    But to the rest of you, thanks for the ideas.

    Jakiao, how effective do you think that cron entry is? Security isn't my strong point, but from what I've seen to this point things that shouldn't be in /tmp are tucked deep within the directory, in places like /tmp/ /httpd/bin/script.pl or something similar to that.

    Another question, do you guys chmod sendmail so nobody has access to it? It seems like not too many things use sendmail, so is that a viable option? I'm also looking for something that goes very in depth with exim logging, to see who's sending what where. It'd be nice if it was in pretty html/php as well.

    thanks for all the help guys.
    Sorry that I offered you any advice. I sure wasn't trying to insult you. My comments were based on your statements: "I've been having problems with script kiddies lately and have been finding random things in /tmp /var/tmp and have found something in /dev/shm" and "does anybody have any suggestions for me?". Therefore it appears that you had a problem and didn't know how to resolve it. It was above my ability, so I suggested an alternative to solve the problem.

    Sorry.

  9. #9
    Join Date
    Jun 2003
    Location
    Janesville, Wi
    Posts
    1,516
    sendmail is needed if you ever want your users to be able to send email via their websites. Example: A forum sends a validation email to verify a signup. I wouldn't chmod sendmail.

    I've had problems in the past with exploits in programs used by our clients that have caused Perl scripts to appear in /tmp. The problem with these scripts is that typically they are used to attack other servers and/or act as someone's personal bouncer into an IRC chat (or their personal war server to attack another IRC server). It is critical that you prevent these scripts from being executed on your server, or you may have your server taken offline by the datacenter. Not a fun thing to have happen to you!

    I would look into using "dd" to create a big and empty file and then your disk formatter to create a virtual partition of that empty file, mount it as I said, and have at it. A Google search should give you the instructions on how to do so.

    Good luck!
    Jakiao

  10. #10
    Yeah, I agree with Jakiao again... sendmail is generally something that is necessary if you're hosting a decent amount of customers. Keep in mind that the PHP mail() function uses sendmail.

    The cron he gave you was simplified, but it gives you the general idea. Also, while Dacsoft was trying to be helpful, he did have a point. Security is very important and message board posts definitely won't always be reliable.

    You can learn it, but it will take a lot of work. You should certainly consider a service that provides administration/security auditing or maybe a friend that has some spare time to help you out. You seem to be interested enough to learn, but I have to say it took quite a long time to get to the point where I am today, and I do not consider myself a security expert in any way.

  11. #11
    Join Date
    Jun 2003
    Location
    Janesville, Wi
    Posts
    1,516
    Yeah. If you hire a company, ask them to record their exact steps for what they did. Also be sure to look over the ~/.bash_history to see what they did. This way, you can hire them for one server, and learn how to do it yourself for the rest of your servers. Hiring someone doesn't mean you can't still learn from them.
    Jakiao

  12. #12
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    There are several things that can be used here.

    1.) POSIX ACLs to prevent perl from executing as user nobody

    2.) mod_security to help prevent exploits in PHP scripts leading to this

    Other things to look at are making it so the user nobody (or apache on DirectAdmin and Plesk) cannot connect to port 80 outgoing using iptables. This can break RSS feeds (or anything legit that wants to connect to port 80 outgoing), so you have to whitelist them etc.

    If you do not use Zend Optimizer, check out http://www.hardened-php.net/

    Also check out

    http://kyberdigi.cz/projects/execdir/english.html

    if you do not want to use safe mode and/or disable system functions.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  13. #13
    Wow, thanks for the hardened-php.net link, Steven! That's really too bad it doesn't work with Zend Optimizer though. Hopefully enough people are complaining that Zend can release alternate binaries... any idea how long it's had that problem?

  14. #14
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    It's not compatible with the Zend API. It always had the problem.

  16. #16
    Join Date
    Jul 2005
    Posts
    598
    Could anybody help me on this? I tried to dig out executable files and remove them with a single-line command.

    ls -Ral | grep -e "-rwxr-xr-x" | xargs rm -rf
    rm: invalid option -- w
    Try `rm --help' for more information.

  17. #17
    Join Date
    Mar 2004
    Posts
    295
    http://www.eth0.us/tmp - Mounting as noexec etc. while there is no partition space.

  18. #18
    Join Date
    Jun 2003
    Location
    World Wide Web
    Posts
    581
    Until you find an easy method (there could be many), you could give this a shot:

    for i in `ls -ald $(ls -alR /tmp | grep "/tmp" | sed -e s/\://g) | awk {'print $9'}`;do for j in "rwx" "r\-x" "\-\-x" "\-wx";do rm -f ${i}/$(ls -alR $i | grep "${j}" | awk {'print $9'}| grep -v "\.\/"|grep -v mysql.sock);done;done 2> /dev/null

    More extensive testing may be needed. I tested it with two nested directories. Maybe you could let me know if it works.
    Last edited by supportexpertz; 11-28-2005 at 09:32 AM. Reason: to subscribe to the thread
    SupportExpertz.com - the name says it all!
    Managed Cloud Servers
    Server Management and Monitoring
    24x7 outsourced customer support

  19. #19
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    If there is no partition space I just add this to fstab:

    /tmp /tmp ext3 bind,rw,noexec,nosuid,nodev 0 0

    mount -a

    bingo

  20. #20
    Join Date
    Sep 2005
    Posts
    86

    Question

    hm? How does this work? From the "man mount":

    "Note the filesystem mount options will remain the same as those on the original mount point, and can not be changed by passing the -o option along with --bind/--rbind."

    Can you change the exec option using 'bind'?


    Quote Originally Posted by Steven
    If there is no partition space i just add this to fstab:

    /tmp /tmp ext3 bind,rw,noexec,nosuid,nodev 0 0

    mount -a

    bingo
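The loop-file setup from Jakiao's post and the bind-onto-itself trick from Steven's, with the check that answers the question just raised, as an added example that is not any poster's code. It assumes root, GNU mount, a kernel recent enough to honour per-mount flags on a bind remount (2.6.26 or later), and the image path and size as placeholders.

```shell
#!/bin/sh
# Added example, not any poster's code: make /tmp and /var/tmp noexec,nosuid,nodev on a
# one-partition box via a loop image (Jakiao) or a bind of /tmp onto itself (Steven),
# then verify the flags took. Assumes root, GNU mount, a kernel honouring per-mount
# flags on bind remounts, and the IMG/SIZE_MB values below (assumed placeholders).
set -eu
IMG=/usr/tmpDSK; SIZE_MB=512
# Return 0 if mount point $1 lists option $2 in a /proc/mounts-style file
# ($3, default /proc/mounts); options are the comma-separated 4th field.
has_mount_opt() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
        END { exit (found ? 0 : 1) }' "${3:-/proc/mounts}"
}
# fstab lines for the loop-file variant; /var/tmp is a bind of the new /tmp.
tmp_fstab_lines() {
    printf '%s\n' "$IMG /tmp ext3 loop,rw,noatime,noexec,nosuid,nodev 0 0" \
                  "/tmp /var/tmp none bind,noexec,nosuid,nodev 0 0"
}
# An initial bind can silently drop noexec (the man page caveat above); the remount applies it.
harden_bind() {
    mount -o remount,bind,noexec,nosuid,nodev "$1"
}
# Loop-file variant. Files already in /tmp are hidden, not deleted, by the new
# mount, so run this with services stopped or from single-user mode.
setup_tmp_loop() {
    dd if=/dev/zero of="$IMG" bs=1M count="$SIZE_MB"
    mkfs.ext3 -F "$IMG" && chmod 600 "$IMG"
    mount -o loop,noexec,nosuid,nodev "$IMG" /tmp
    chmod 1777 /tmp        # a fresh fs root is 0755; /tmp needs the sticky bit
    mount --bind /tmp /var/tmp && harden_bind /var/tmp
    tmp_fstab_lines >> /etc/fstab
}
# Bind variant, no image needed; /var/tmp gets the same treatment.
setup_tmp_bind() {
    for mp in /tmp /var/tmp; do mount --bind "$mp" "$mp" && harden_bind "$mp"; done
}
# Fail loudly if any flag is missing; worth running after every reboot too.
verify_tmp() {
    for mp in /tmp /var/tmp; do for opt in noexec nosuid nodev; do
        has_mount_opt "$mp" "$opt" || { echo "$mp is missing $opt" >&2; return 1; }
    done; done
    echo "ok: /tmp and /var/tmp are noexec,nosuid,nodev"
}
case "${1:-}" in
    loop) setup_tmp_loop && verify_tmp ;;
    bind) setup_tmp_bind && verify_tmp ;;
    verify) verify_tmp ;;
esac
```

Run it as `sh script.sh loop` or `sh script.sh bind`; `sh script.sh verify` alone reads /proc/mounts and tells you whether the flags are actually in force, which is the only reliable answer to the bind question.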

  21. #21
    Tomcatf14,

    Like with any shell problem, the best thing to do is test first. If you cut out the xargs rm -rf and replace it with less instead, it will show you what you're passing to xargs rm -rf, and you'll find that it's the whole line of each executable file in /tmp. Replace it with awk '{print $9}' (like visiondream3 did) and it should print the file.

    Of course, files with spaces or other shell special characters might cause problems, so it would be best to look into using the find command instead. Find works with other programs if you pass special arguments (something like -0) so it null-terminates strings and xargs can read up to the null and, for example, remove the entire file.
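The find/xargs approach suggested here, covering Jakiao's "files owned by the web user" idea and the shebang grep from post #5, as an added example that is not any poster's code. The directory and the web user name are assumptions; run the report mode before wiring the sweep into cron.

```shell
#!/bin/sh
# Added example, not any poster's code: find (and optionally remove) files under
# a directory that carry an execute bit, plus files that start with "#!" even
# when not executable, since "perl /tmp/x.pl" needs no exec bit. find -print0 and
# xargs -0 keep names with spaces or metacharacters intact. Directory and web-user
# arguments are assumptions; do a dry run before putting the sweep into cron.
set -eu
nul_count() { tr -cd '\0' | wc -c | tr -d ' '; }
# NUL-separated regular files below $1 with any execute bit set; optional $2
# limits the match to files owned by that user (nobody, apache, httpd ...).
# -type f skips directories, symlinks and sockets such as mysql.sock.
find_exec_files() {
    if [ -n "${2:-}" ]; then
        find "$1" -xdev -type f -user "$2" \( -perm -u=x -o -perm -g=x -o -perm -o=x \) -print0
    else
        find "$1" -xdev -type f \( -perm -u=x -o -perm -g=x -o -perm -o=x \) -print0
    fi
}
# NUL-separated regular files below $1 whose first two bytes are "#!", which
# catches dropped Perl/shell scripts that noexec alone would not stop.
find_shebang_files() {
    find "$1" -xdev -type f -exec sh -c '[ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]' sh {} \; -print0
}
list_exec_files()     { find_exec_files "$@" | tr '\0' '\n'; }      # dry run
count_exec_files()    { find_exec_files "$@" | nul_count; }
list_shebang_files()  { find_shebang_files "$@" | tr '\0' '\n'; }
count_shebang_files() { find_shebang_files "$@" | nul_count; }
# Delete only what a dry run showed; -r keeps xargs from running rm on empty input.
remove_exec_files()   { find_exec_files "$@" | xargs -0 -r rm -f --; }
case "${1:-}" in
    report) list_exec_files /tmp; list_shebang_files /tmp ;;   # what a sweep would hit
    sweep)  remove_exec_files /tmp nobody ;;                   # only the web user's files
esac
```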

  22. #22
    Join Date
    Mar 2005
    Posts
    150
    Securing your /tmp directory is recommended, but it's not going to stop the script kiddies. You really should be looking into at least using mod_security.

  23. #23
    Join Date
    May 2004
    Location
    Blue Springs, Missouri
    Posts
    366
    Yes, but you can only make your mod_security rules so strict without breaking things.

    I've learned that securing /tmp is a MUST the hard way.

  24. #24
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    yes, but you can only make your mod_security rules so strict without breaking things
    That is not true at all. If you have a concept of how the rules work it is very easy to make rules that will not break everything.

  25. #25
    Join Date
    Mar 2005
    Posts
    150
    Quote Originally Posted by omaha.stylee
    yes, but you can only make your mod_security rules so strict without breaking things

    I've learned that securing /tmp is a MUST the hard way.
    The main idea with mod_security when it comes to /tmp exploits is to stop all methods which can be used to download files to a server as almost all exploits need to do so. A couple of rules will go a long way. Securing the /tmp folder does not stop scripts from being called directly with an interpreter.
