  1. #1
    Join Date
    Jan 2006
    Posts
    264

    Having problems securing my VPS

    I've been trying to secure the /tmp folder and it isn't working.

    So far I've done this:

    dd if=/dev/zero of=tmpMnt bs=1024 count=1000000
    mk2fs /dev/tmpMnt

    mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
    -- This gives me an error message: mount: could not find any device /dev/loop#

    so I tried:
    mount -o noexec,nosuid,rw /dev/tmpMnt /tmp
    -- This gives me an error message: mount: unknown filesystem type 'ext2'

    so I tried:
    mount -t ext3 -o noexec,nosuid,rw /dev/tmpMnt /tmp
    -- Now I get this: mount: /dev/tmpMnt is not a block device (maybe try `-o loop'?)

    So I tried:
    mount -t ext3 -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
    -- Now I get this: mount: mount: could not find any device /dev/loop#

    Why is this not working??

  2. #2
    Join Date
    Jan 2006
    Posts
    264
    I found a thread in another forum (after hours of searching). Here is what it says:

    We have not tried this with OpenVZ. Also Swsoft has provided /tmp security option with the Linux Virtuozzo SP1 itself now. If you want, you can secure /tmp for individual VPS using following steps :

    * Login to VPS.

    * Edit /etc/fstab

    - Under the existing line (there should only be one line)
    - add >> none /tmp tmpfs nodev,nosuid,noexec 0 0
    - Reboot the VPS to make the changes take effect.
    - Log back in and enter "df -h" to see whether the changes have taken effect.

    IMPORTANT NOTE 1: You should see a separate /tmp partition now. Note that unlike with a dedicated server, this /tmp partition isn't a real partition. What it basically does is to create a ramdisk on the hardware node for the vps, of which the disk usage isn't accounted towards the quota of the rest of the vps. The usage is accounted against the "shmpages" of the vps, which can only be set from the hardware node. Usually this is set to either 32mb or 64mb. Also note that the /tmp ramdisk isn't the only thing that consumes the shmpages, there are also several other things that use up the space.

    NOTE 2: because it's a ramdisk, all data on the /tmp 'partition' will be lost after a reboot. That's not a problem because all data on the /tmp 'partition' is temporary data anyway. However, when you install eaccelerator for instance, it needs its own directory on the /tmp partition (it needs /tmp/eaccelerator and needs to be chmod to 777). So after a reboot, that directory would be lost and eaccelerator wouldn't function properly. So if you install eaccelerator (or anything else that requires something like this), then make sure that after a reboot the required directory and chmod are automatically created. You could do this with /etc/rc.local for instance (at the end of that file just add "mkdir /tmp/eaccelerator" "chmod 777 /tmp/eaccelerator").

    I did it and it seemed to work. I just got a little worried because of the NOTES at the bottom of the post. Is this how I have to do it? Or is there a better way?

    My specs:
    384MB - dedicated ram
    1GB - burst ram
    20GB HD
    300GB Bandwidth

    Running CentOS 5 on OpenVZ
    DirectAdmin
    Apache 2.2.6
    PHP 5
    Mysql 5
    APF
    BFD

    If this is a 'ram drive', will that affect the performance of the vps??
    Last edited by jthornton; 12-29-2007 at 10:00 PM.

  3. #3
    Join Date
    Jan 2006
    Posts
    264
    I spoke too soon!

    It rebooted and showed up when I typed 'df -h' but when I logged into my VPS control panel, the control panel wouldn't work properly. Every time I clicked on "Statistics" it kept going back to the main screen where I have to select the server.

    Can someone please help me secure my /tmp folder?

  4. #4
    Join Date
    May 2007
    Posts
    286
    You should probably get a management company to help you secure your entire server. I suggest contacting platinumservermanagement.com. They have secured all of our servers and they have been 100% safer now.

  5. #5
    Join Date
    Jan 2006
    Posts
    264
    Quote Originally Posted by stebaker View Post
    You should probably get a management company to help you secure your entire server. I suggest contacting platinumservermanagement.com. They have secured all of our servers and they have been 100% safer now.
    The problem is that if I hire someone to do it, I learn nothing. I would prefer to learn it myself.

    It seems as though I have figured it out. This is what I did:
    mount -t tmpfs -o noexec,nosuid,nodev,rw tmpfs /tmp
    When I run df -h, it shows that /tmp is mounted. I don't know how to test if it did it right.
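
Added example, not part of the original thread: `df -h` only shows that /tmp is mounted, so this sketch checks that the effective mount entry actually carries `noexec`, `nosuid` and `nodev`. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Verify that a mount point carries the hardening options from this thread.
REQUIRED_OPTS="noexec nosuid nodev"

# Print the options of the LAST entry for the mount point: with stacked
# mounts, the most recent one is what processes actually see.
effective_opts() {
    awk -v mp="$1" '$2 == mp { o = $4 } END { if (o != "") print o }' "$2"
}

# check_mount_opts <mountpoint> [mounts-file]
# Returns 0 = all options set, 1 = option missing, 2 = not a separate mount.
check_mount_opts() {
    mp=$1; file=${2:-/proc/mounts}
    opts=$(effective_opts "$mp" "$file")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount" >&2; return 2
    fi
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing:$missing (have: $opts)" >&2; return 1
    fi
    echo "$mp: ok ($opts)"
}

# Constructed sample in /proc/mounts format (not from a real system):
# /tmp is mounted twice and only the later mount is hardened.
sample_mounts() {
    cat <<'EOF'
/dev/simfs / simfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# Demo on the sample; on the VPS itself run: check_mount_opts /tmp
demo=$(mktemp) && sample_mounts > "$demo"
check_mount_opts /tmp "$demo" || true
check_mount_opts /dev/shm "$demo" || true
rm -f "$demo"
```

Called with no second argument, `check_mount_opts /tmp` reads the live `/proc/mounts`, which is also a quick way to confirm after a reboot that the mount came back with the same options.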

  6. #6
    Join Date
    Aug 2007
    Posts
    53
    If a customer asks me to log something, I wouldn't have a problem with that... Maybe you should ask them if they are ok with that. Then you can learn and have your problem resolved.

  7. #7
    Join Date
    Jan 2006
    Posts
    264
    I've got it working now. I have a system admin helping me in the background. It is just hard to always catch him because he is on the other side of the world (literally). And the timezones only give us a couple hours a day. He is either up until the wee hours of the morning, or I am. But I'm learning a tonne.

    I was just looking for some answers here because he wasn't available at that time.

  8. #8
    Join Date
    Jan 2006
    Posts
    264
    How do I get the following command so that it will run on reboot??

    mount -t tmpfs -o noexec,nosuid,nodev,rw tmpfs /tmp

    running centos5

  9. #9
    Join Date
    Nov 2005
    Location
    Michigan, USA
    Posts
    3,872
    I don't think OpenVZ runs off of fstab, try editing mtab instead.

    See if that helps you.

