Introduction
Web servers (and the sites on a shared hosting subscription) routinely write to /tmp. Because /tmp is world-writable, it is also the classic place where an attacker who has exploited a web application drops a payload and runs it. A cheap way to reduce that risk on a Linux machine is to mount /tmp as its own filesystem with the noexec option, so that binaries and scripts placed there cannot be executed directly. This guide shows how to check the current state of /tmp and how to set this up.
Be aware that some server control panels and installers expect to execute files in /tmp and will break under noexec; test your panel and your deployment tooling after applying this.
Step 1 - Log in to your web server
First, log in to your server via SSH as root (or with sudo). Every command below needs root privileges.
Step 2 - Check whether /tmp is already a separate mount
With the following command you can see whether a filesystem is already mounted on /tmp and with which options:
root@server:~# mount | grep -w /tmp
The "root@server:~#" part is the shell prompt; copy only the command after it.
If a dedicated filesystem is already mounted on /tmp, the output looks something like this: "/filesystems/tmp_fs on /tmp type ext3 (rw,nosuid,noexec,relatime,data=ordered)"
If /tmp is a tmpfs (RAM-backed), it looks like: "tmpfs on /tmp type tmpfs (rw,nosuid,nodev)"
Look for noexec in the options in parentheses. If /tmp is already mounted with noexec, nosuid and nodev, there is nothing more to do. If /tmp is already a separate mount (for example the tmpfs above) but lacks noexec, you do not need a new filesystem: add noexec,nosuid,nodev to its options in /etc/fstab and apply them with "mount -o remount,noexec,nosuid,nodev /tmp".
If there is no output at all, /tmp is just a directory on the root filesystem, and you can only restrict it by giving it its own filesystem. Continue with the next step.
Step 3 - Create a 4GB filesystem image
Run the three commands one after the other. The image file needs 4GB of free space on the filesystem that holds /filesystems; adjust count if you want a different size.
root@server:~# mkdir /filesystems # create a folder for the image file
root@server:~# dd if=/dev/zero of=/filesystems/tmp_fs bs=1M count=4096 # create a 4GB file called tmp_fs
root@server:~# mkfs.ext3 -F /filesystems/tmp_fs # create an ext3 filesystem in the file; -F skips the "not a block special device" prompt
Step 4 - Make sure the filesystem is mounted again after a reboot
We will add an entry to /etc/fstab so the image is loop-mounted on /tmp at boot. Besides noexec and nosuid it also sets nodev, so device nodes created in /tmp cannot be used either.
Open fstab:
root@server:~# nano /etc/fstab
Insert the following at the end of the file:
/filesystems/tmp_fs /tmp ext3 loop,noexec,nosuid,nodev 0 0
Important: make sure the file ends with a newline (press Enter after the new entry), otherwise the last line may be ignored at boot.
Save the file and continue.
Step 5 - Back up the current tmp folder
Mounting the new filesystem will hide whatever is currently in /tmp, so copy it aside first. Use cp -a rather than cp -R so ownership, permissions and sockets are preserved:
root@server:~# cd /
root@server:~# cp -a /tmp /tmp_backup
Step 6 - Mount the new tmp folder
Mount the image with the same options as the fstab entry (noexec, nosuid, nodev; loop tells mount that the source is a regular file):
root@server:~# mount -o loop,noexec,nosuid,nodev,rw /filesystems/tmp_fs /tmp
Set the correct permissions. /tmp must be world-writable with the sticky bit set (mode 1777), so that users can only delete their own files:
root@server:~# chmod 1777 /tmp
Step 7 - Copy the old files to the new location
Copy the backup's contents back, including dotfiles, with ownership preserved, then remove the backup:
root@server:~# cp -a /tmp_backup/. /tmp/
root@server:~# rm -rf /tmp_backup
Step 8 - Check the tmp folder and try execution (Optional)
Check that the new filesystem is mounted and has the expected options:
root@server:~# df -h /tmp
root@server:~# mount | grep -w /tmp
Check whether you can execute a binary from /tmp by copying one in, making it executable and running it:
root@server:~# cp /bin/ls /tmp
root@server:~# chmod 755 /tmp/ls
Run it:
root@server:~# /tmp/ls
If everything worked, the kernel refuses to execute it and you get "bash: /tmp/ls: Permission denied". If the directory listing appears instead, noexec is not in effect; re-check the mount options.
Clean up with the following command:
root@server:~# rm /tmp/ls
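The whole procedure from Step 2 to Step 8, collected into one script. This is an added example, not code from the original article: it uses the same paths as above (/filesystems/tmp_fs mounted on /tmp), assumes a 4G ext3 image, adds the nodev option, and uses fallocate plus mkfs -F in place of the dd command; the function names (check_tmp, has_hardening_opts, fstab_line, apply_tmp_hardening, verify_noexec) are my own. The check reads the mount table from a file, /proc/mounts by default, so it can be exercised against a saved copy without root.

```bash
#!/bin/bash
# Added example (not from the original article): harden /tmp as a loop-mounted
# noexec,nosuid,nodev filesystem. Paths follow the article; size and fs type are assumptions.
set -eu

IMG=/filesystems/tmp_fs     # backing file for the loop filesystem
MNT=/tmp
SIZE=4G                     # the "4GB" image of Step 3
FSTYPE=ext3

# Print the mount options of mountpoint $1 from /proc/mounts-style text on stdin
# (fields: device mountpoint fstype options dump pass). Prints nothing if not mounted.
tmp_mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4 }'
}

# Succeed only when the comma-separated option string $1 contains all three options.
has_hardening_opts() {
    local opts=",$1,"
    case "$opts" in *,noexec,*) ;; *) return 1 ;; esac
    case "$opts" in *,nosuid,*) ;; *) return 1 ;; esac
    case "$opts" in *,nodev,*)  ;; *) return 1 ;; esac
    return 0
}

# Step 2: report the state of $1 (default /tmp) using the mount table in $2 (default /proc/mounts).
# Exit 0 = hardened, 1 = mounted but missing options, 2 = not a separate mount.
check_tmp() {
    local mp="${1:-$MNT}" table="${2:-/proc/mounts}" opts
    opts=$(tmp_mount_opts "$mp" < "$table")
    if [ -z "$opts" ]; then
        echo "$mp is not a separate mount"
        return 2
    fi
    if has_hardening_opts "$opts"; then
        echo "$mp is mounted with $opts"
        return 0
    fi
    echo "$mp is mounted but lacks noexec/nosuid/nodev: $opts"
    return 1
}

# Step 4: the fstab entry, with nodev added to the article's options.
fstab_line() {
    printf '%s %s %s loop,noexec,nosuid,nodev 0 0\n' "$IMG" "$MNT" "$FSTYPE"
}

# Steps 3 to 7. Must run as root. If /tmp is already a tmpfs without noexec,
# a remount with the options would be simpler; this follows the article's loop-file approach.
apply_tmp_hardening() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    if check_tmp "$MNT" >/dev/null; then
        echo "$MNT already hardened, nothing to do"
        return 0
    fi
    mkdir -p "$(dirname "$IMG")"
    if [ ! -e "$IMG" ]; then
        fallocate -l "$SIZE" "$IMG"       # allocate the image (dd bs=1M count=4096 also works)
        mkfs."$FSTYPE" -F "$IMG"          # -F: skip the "not a block special device" prompt
    fi
    grep -qF "$IMG $MNT" /etc/fstab || fstab_line >> /etc/fstab
    local backup
    backup=$(mktemp -d /tmp_backup.XXXXXX)
    cp -a "$MNT"/. "$backup"/             # cp -a keeps ownership, modes and dotfiles
    mount -o loop,noexec,nosuid,nodev "$IMG" "$MNT"
    chmod 1777 "$MNT"                     # world-writable with sticky bit
    cp -a "$backup"/. "$MNT"/
    rm -rf "$backup"
    check_tmp "$MNT"
}

# Step 8: copy a binary into $1 (default /tmp) and try to run it; it must fail.
verify_noexec() {
    local mp="${1:-$MNT}" probe
    probe="$mp/noexec-test.$$"
    cp /bin/ls "$probe" && chmod 755 "$probe"
    if "$probe" >/dev/null 2>&1; then
        rm -f "$probe"
        echo "FAIL: binaries still execute from $mp"
        return 1
    fi
    rm -f "$probe"
    echo "OK: direct execution from $mp is blocked"
}

case "${1:-}" in
    --check)  check_tmp ;;
    --apply)  apply_tmp_hardening && verify_noexec ;;
    --verify) verify_noexec ;;
    "")       ;;    # no argument: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 --check | --apply | --verify" >&2; exit 64 ;;
esac
```

Run it with --check first; it exits 0 only when noexec, nosuid and nodev are all present, so it can double as a compliance check in a cron job. Run --apply as root to perform Steps 3 to 7 and the Step 8 test in one go.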
Conclusion
Your /tmp now refuses to run binaries and scripts placed in it directly, which defeats the common pattern of dropping a payload into /tmp and executing it. Be clear about the limits: noexec only stops the kernel from executing a file. A script is still runnable when an interpreter is invoked on it explicitly (sh /tmp/x.sh, perl /tmp/x.pl, php /tmp/x.php), because the interpreter merely reads the file, and nosuid/nodev matter for the same reason noexec does. Other world-writable directories such as /var/tmp and /dev/shm deserve the same options. If you have any questions or feedback, please feel free to contact me.