
View Full Version : Need help in securing /tmp


beyond
26th February 2005, 04:54 AM
I already have my /tmp partition for FC3 set to - loop,noexec,nosuid,rw.
Even with that, attackers can still run perl scripts in the /tmp directory.

I found a lot of them running udp.pl scripts to flood other servers. How is it possible that they can run these scripts in /tmp after I have set the partition as non-executable? Is there a way to secure /tmp so it can't run perl scripts, or anything for that matter?

Hope you guys can help me on this. Thanks!

-Joe :(

crackers
26th February 2005, 05:25 AM
I would recommend securing your server first.

beyond
26th February 2005, 05:58 AM
I've already installed arno's rc.iptables. Disabled all the unnecessary services. What else is there to secure? Can someone direct me on this?
How do I disable perl from being executed from /tmp or by the user 'apache'? Could anyone help me on this?

-Joe

w5set
26th February 2005, 06:06 AM
How has Apache gained access to the /tmp directory?

beyond
26th February 2005, 06:11 AM
As you know, all /tmp directories are world-writable, i.e. 777. That is how.

w5set
26th February 2005, 06:25 AM
OK, I just thought the Apache daemon ran confined to www and the directories below it.

Jman
27th February 2005, 01:26 AM
It's time to check for rootkits or other ways you may have been compromised.

kosmosik
27th February 2005, 01:44 AM
I already have my /tmp partition for FC3 set to - loop,noexec,nosuid,rw.
Even with that, attackers can still run perl scripts in the /tmp directory.
That is because they actually run the perl interpreter, which resides in `which perl`, not an executable residing in /tmp... restrict access to perl then :)

I found a lot of them running udp.pl scripts to flood other servers. How is it possible that they can run these scripts in /tmp after I have set the partition as non-executable? Is there a way to secure /tmp so it can't run perl scripts, or anything for that matter?
If you are using SELinux you can restrict what actions perl run as user foo can do (e.g. making network connections)...
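Added example, not from anyone on this thread: a small audit function for the case kosmosik describes. noexec on /tmp stops "./udp.pl" but not "perl /tmp/udp.pl", so the thing to look for in ps output is an interpreter whose script argument lives in a world-writable scratch directory. The ps lines below are constructed sample data.

```shell
#!/bin/sh
# Added example, not from this thread: flag interpreters that were started with
# a script living in a world-writable scratch directory. noexec on /tmp stops
# "./udp.pl" but not "perl /tmp/udp.pl", so this is what to look for in ps.
# Input lines are "user pid args..." as printed by `ps -eo user,pid,args`.

# Scratch directories that are usually world-writable (and often noexec).
SCRATCH_DIRS='/tmp/|/var/tmp/|/dev/shm/'

# flag_interp_from_scratch: reads ps-style lines on stdin and prints each one
# where an interpreter receives a script path under a scratch directory.
# Returns 0 when at least one such line was found, 1 otherwise.
flag_interp_from_scratch() {
    hits=0
    while IFS= read -r line; do
        # Third field is the command; strip its directory to get the basename.
        cmd=$(printf '%s\n' "$line" | awk '{print $3}')
        case "${cmd##*/}" in
            perl|perl5*|python|python[0-9]*|php|php[0-9]*|ruby|sh|bash) ;;
            *) continue ;;
        esac
        # Any argument that starts with one of the scratch directories.
        if printf '%s\n' "$line" | grep -Eq "[[:space:]](${SCRATCH_DIRS})"; then
            printf 'SUSPECT: %s\n' "$line"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# Constructed sample of `ps -eo user,pid,args` output (not real data).
SAMPLE='root       1 /sbin/init
apache  4411 /usr/sbin/httpd -DFOREGROUND
apache  5120 perl /tmp/udp.pl
nobody  5133 /usr/bin/perl /var/tmp/.x/udp.pl
root    6002 python /usr/local/bin/backup.py
apache  6010 /bin/sh -c /dev/shm/.cron.sh'

# count_suspects: number of flagged lines in SAMPLE (expected: 3).
count_suspects() {
    printf '%s\n' "$SAMPLE" | flag_interp_from_scratch | wc -l | tr -d ' '
}

count_suspects
```

Run it for real with `ps -eo user,pid,args | flag_interp_from_scratch`; the python line from /usr/local/bin is deliberately not flagged, since the point is the script's location, not the interpreter itself.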

james_in_denver
27th February 2005, 03:28 AM
First things first, you need to understand just EXACTLY how they are getting access to your machine. A quick "ps -uax" and a "who -l" will go a long way toward showing you just what is going on.

You then need to find out WHICH account or daemon has been compromised and shut it down immediately! If it's a program that you suspect has been hacked, the fix is nothing more difficult than downloading and installing the RPM for the affected file, and don't forget to check the MD5SUMS, and only download from reputable sources.

If it's a user-id, then just change their default shell to "/sbin/nologin".

Please post the output of "ps -uax", "who -al", the contents of "/etc/iptables", "/etc/hosts.allow" the last 50 or so lines of your "/var/log/messages" file, and the last 50 or so lines of your "/var/log/httpd/access_log".

That will give anybody else looking at this a lot of information about how your system is being compromised.

xathras
1st March 2005, 12:20 AM
Securing /tmp partition cPanel/WHM

If you are renting a server then chances are everything is lumped in / and a small amount partitioned for /boot and some for swap. With this current setup, you have no room for making more partitions unless you have a second hard drive. Learn how to create a secure /tmp partition even while your server is already up and running.
Recently, I found out it would be worthwhile to give /tmp its own partition and mount it using noexec. This would protect your system from MANY local and remote exploits of rootkits being run from your /tmp folder.

What we are doing is creating a file that we will use to mount at /tmp. So log into SSH and su to root so we may begin!

code:
cd /dev

Create a 100MB file for our /tmp partition. If you need more space, make the count larger.

code:
dd if=/dev/zero of=tmpMnt bs=1024 count=100000

Make an extended filesystem for our tmpMnt file

code:
/sbin/mke2fs /dev/tmpMnt

Back up your /tmp dir. I had a mysql.sock file that I needed to recreate the symbolic link for. Other programs may use it to store cache files or whatever.

code:
cd /

code:
cp -R /tmp /tmp_backup

Mount the new /tmp filesystem with noexec

code:
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

code:
chmod 0777 /tmp

Copy everything back to new /tmp and remove backup

code:
cp -R /tmp_backup/* /tmp/

code:
rm -rf /tmp_backup

Now we need to add this to fstab so it mounts automatically on reboots.

code:
pico -w /etc/fstab

You should see something like this:
code:
/dev/hda3 / ext3 defaults,usrquota 1 1
/dev/hda1 /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/hda2 swap swap defaults 0 0

At the bottom add
code:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

(Each space is a tab)
Save it!
Ctrl + X and Y

You're done. /tmp is now mounted as noexec. You can sleep a little bit safer tonight. I created a hello world C++ program and compiled it, then moved it to /tmp. Upon trying to run it (even chmod +x'ed), it gives the following error:

code:
bash: ./a.out: Permission denied

http://www.crucialparadigm.com/resources/tutorials/dedicated-server/securing-tmp-partition-cpanel-whm.php
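Added example, not part of the howto above or of the linked tutorial: a checker that verifies the /tmp entry in an /etc/fstab or /proc/mounts style listing carries the two options the recipe depends on, noexec and nosuid. It is run here against constructed entries: the default layout with no /tmp entry, the corrected line from the howto, and a line that forgot noexec.

```shell
#!/bin/sh
# Added example, not part of the howto: check that the /tmp entry in an
# /etc/fstab or /proc/mounts style listing carries the options the recipe
# relies on (noexec and nosuid). Fields: device mountpoint fstype options ...

REQUIRED_OPTS='noexec nosuid'

# tmp_entry_opts: print the options field of the /tmp entry read on stdin;
# fails when /tmp has no entry of its own (it is then just a directory on /).
tmp_entry_opts() {
    awk '$1 !~ /^#/ && $2 == "/tmp" { print $4; found = 1 }
         END { if (!found) exit 1 }'
}

# check_tmp_mount: reads mount entries on stdin; returns 0 only when /tmp has
# its own entry and every option listed in REQUIRED_OPTS is present.
check_tmp_mount() {
    opts=$(tmp_entry_opts) || { echo "MISSING: /tmp has no separate mount entry"; return 1; }
    status=0
    for want in $REQUIRED_OPTS; do
        # Match the option as a whole item of the comma-separated list.
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "WEAK: /tmp mounted without $want (options: $opts)"; status=1 ;;
        esac
    done
    [ "$status" -eq 0 ] && echo "OK: /tmp mounted with $opts"
    return "$status"
}

# Constructed fstab as a rented box usually ships: /tmp is just a directory on /.
FSTAB_DEFAULT='/dev/hda3 / ext3 defaults,usrquota 1 1
/dev/hda1 /boot ext3 defaults 1 2
/dev/hda2 swap swap defaults 0 0'

# The same fstab after the howto: loop-mounted file with noexec,nosuid.
FSTAB_FIXED="$FSTAB_DEFAULT
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0"

# A /tmp entry that mounts the file but leaves out noexec (an easy slip).
FSTAB_PARTIAL="$FSTAB_DEFAULT
/dev/tmpMnt /tmp ext2 loop,nosuid,rw 0 0"

check_default() { printf '%s\n' "$FSTAB_DEFAULT" | check_tmp_mount; }
check_fixed()   { printf '%s\n' "$FSTAB_FIXED"   | check_tmp_mount; }
check_partial() { printf '%s\n' "$FSTAB_PARTIAL" | check_tmp_mount; }

check_default || :; check_partial || :; check_fixed
```

On a live box, `check_tmp_mount < /proc/mounts` tells you what is actually mounted right now, while `check_tmp_mount < /etc/fstab` tells you whether it will still be that way after a reboot.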

beyond
1st March 2005, 04:01 AM
xathras, please read the thread first before giving out solutions. You're wasting forum space here by inserting a solution which everyone has been aware of.
I suggest you read the first few messages before making any postings. Your solution is quite basic, and is for mere beginners.
What we would like to hear is how we secure apache from executing any files in /tmp, or from executing any files at all which use the perl command. I've restricted the command 'perl' to 700 temporarily for now, but I'm guessing there are other solutions.
Let me remind you again, /tmp is world-writable, and apache would always have access to it as it dumps temporary internet cache or files to it.
Please, can someone come up with more constructive solutions like the ones mentioned by Kosmosik & James in Denver?

-J

xerophyte
1st March 2005, 04:38 AM
A few things you can consider:

1) Check your server for scripts which allow others to upload files to /tmp. There are so many PHP and other language-based scripts poorly coded to allow writing files in the /tmp partition.
Find them and upgrade or remove them.

2) You might need to set up mod_security to disable some URL keywords which enable them to run and upload. For example, you can block requests which contain the word wget in the URL.

3) Consider disabling wget for nobody, and disable PHP functions which allow them to upload or write.

4) You can install snort + snortsam and block the traffic; snort now supports pattern and URL parsing (but this solution is kind of shooting a rat with a gun).

5) Consider running your scripts in CGI mode, so you will know which user has the exploited script.


Hope that helps.

crackers
1st March 2005, 05:53 AM
xathras, please read the thread first before giving out solutions. You're wasting forum space here by inserting a solution which everyone has been aware of.
Take a chill pill, pal. People are trying to help - at least that's better than you'd get from other places. And, contrary to your "holier than thou" pronouncement, not "everyone" has been aware of these things. They may be basic to you, but to someone completely new they could be extremely useful.

xathras
1st March 2005, 08:25 AM
Take a chill pill, pal. People are trying to help - at least that's better than you'd get from other places. And, contrary to your "holier than thou" pronouncement, not "everyone" has been aware of these things. They may be basic to you, but to someone completely new they could be extremely useful.

Your post title was "secure /tmp", so I posted a howto on securing /tmp; by doing this, users who are searching for "secure /tmp" will find the howto in a relevant thread.

xathras
1st March 2005, 02:42 PM
You can secure your compilers as well.

For Red Hat 9 and Fedora :

For installations via rpm, and for up2date to work, you do not need the compilers to be available.

To disable compilers for users, login as root in the system and give the following command:

Code:

cd /usr/bin/
chmod 000 perlcc byacc yacc bcc kgcc cc gcc i386*cc
chmod 000 *c++ *g++
chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1

if exists,

Code:

chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

That will disable compiler access for all users.

Before upgrading apache or php; or if you need to install a program, enter the following command to enable compiler access for the root user.


Code:

chmod 700 /usr/bin/cc
chmod 700 /usr/bin/gcc

On cPanel systems, you need access to the compiler when upgrading apache or installing vps/jsp, apache etc.

After upgrading apache via /scripts/easyapache, disable the compiler again.



Code:
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc

It indeed is a matter of preference of individual admins regarding the chmod 700 or chmod 000 of the compilers. It is your system, your decision. The recommended is however to chmod 000.
_________________________________________________________________

For Debian and FreeBSD :


Code:

chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
chmod 000 /usr/bin/c++



This is an abstract from the www.admin0.info series.

xathras
1st March 2005, 02:45 PM
install modsecurity for perl