just read a great group of article for securing your server above and beyond fire walls etc.

http://admin0.info/articles/security/


1) tmp on second drive
2) create tmp DIRECTORY
3) solution script to check the existing tmp dir and delete
4) locking down compilers w/000

a) so, what i am seeking is input. there have been issues with RedHat 9.0, dual xeon systems with dual scsi.

b) will locking down comiplers as listed in #4 have any effect with SiteStudio or other prgms.


so, read and lets see if we can get direct answers..



*******************************

1) On the 2nd scsi drive, make the /tmp
say /dev/sdbX

mke2fs on the /dev/sdbx ENTER
mount /dev/sdbx /mnt/backup ENTER
cp -a /tmp/* /mnt/backup/ ENTER

pico /etc/fstab
add
/dev/sdbx

mv /tmp /tmp-old
REBOOT

*************************************************

2)



First, make a backup copy of your fstab.

cp /etc/fstab /etc/fstab.original

so that if something goes wrong, you have a backup copy to start your system

Now, let's get started.

Almost 95% of the exploits found freely in the internet, that I got my hands on, target /tmp as an ideal place to write/compile exploits, and recently some new exploits target /var/tmp.

Assuming we already have a server with dedicated partitions, we will now provide /tmp and /var/tmp partition to our cpanel system without having the need to create partitions. We simply create a file, and mount it as a filesystem. In case you have a different hard disk, you can create physical partitions and dedicated it to /tmp and /var/tmp. In my servers, I have used a 100Mb size. In some busy servers that I look after, I had to increase the size from 100 MB => 500 MB depending on the need of the system. Below example is a 100MB size.

warning: some of the commands below are destructive. please understand what you are doing. you should not play with /etc/fstab or with the following commands unless you understand what you are doing.

cd /dev/
dd if=/dev/zero of=Tmp bs=1024 count=100000
dd if=/dev/zero of=varTmp bs=1024 count=100000

mkfs -t ext3 /dev/Tmp
mkfs -t ext3 /dev/varTmp


confirm

This command will create /dev/Tmp and /dev/varTmp files, each 100Mb in size, and the mkfs command will format those files in ext3 format, so that we are able to use it. If you need a bigger size than 100 MB, please pass that using count=xxx for example, for 500MB, use "bs=1024 count=500000"

cd /
cp -aR /tmp /tmp_backup
mount -o loop,noexec,nosuid,rw /dev/Tmp /tmp
cp -aR /tmp_backup/* /tmp/
chmod 0777 /tmp
chmod +t /tmp

cd /var/
cp -aR /var/tmp /var/tmp_backup

mount -o loop,noexec,nosuid,rw /dev/varTmp /var/tmp
cp -aR /var/tmp_backup/* /var/tmp/
chmod 0777 /var/tmp
chmod +t /var/tmp

run the command

df -h

which will show something like below at the last 2 lines of the output.

/dev/Tmp 95M 4.4M 86M 5% /tmp
/dev/varTmp 95M 4.1M 86M 5% /var/tmp

cd /tmp/ ; ls -al

and

cd /var/tmp/ ; ls -al

to ensure that all files are there. Try restarting apache and mysql just to check that they will work without problems.

/scripts/restartsrv httpd
/scripts/restartsrv mysql

****************************************************
3)

Since you are not able to make a secure /tmp partition now, for a crude solution, you can do

-------------
#!/bin/sh
while true
do
sleep 30s
cd /tmp
rm -f *.c
done
-----------

and run that script in the background as
./script > /dev/null 2>&1 ENTER

what that script does is, it will check your /tmp partition every 30 seconds and delete any *.c files that it finds, while sending all output and error messages to /dev/null


******************************
4)
cd /usr/bin/
chmod 000 perlcc byacc yacc bcc kgcc cc gcc i386*cc
chmod 000 *c++ *g++
chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
if exists,
chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

That will disable compiler access for all users.

Before upgrading apache or php; or if you need to install a programme, enter the following command to enable compiler access for the root user.

chmod 700 /usr/bin/cc
chmod 700 /usr/bin/gcc

In a cPanel system, you need access to the compiler when upgrading apache or installing vps/jsp etc.

after upgrading apache via /scripts/easyapache, disable the compiler again.

chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
4 4

Is this a How-To or a question?

I have a Dual Xeon, non-SCSI, and I've done everything in those articles, and locking down compilers only make a difference when I recompile Apache or PHP, or compile and install software like MMCache. To do that, just unlock compiling.

Greetings, good to see that you have replied....

BTW: your directions were perfect on the MANUAL UPDATE for the kernal problem, after we restoredm, we ran chkrootkit, then installed apf firewall, then went and updated apache and the kernal update went perfect...

OK..................i

I want to make a partition on second drive or a directory for tmp as stated,

but, i read on another post herein these forums, that there were problems with the temp as concerns duel xeon ...

i also do not know if the scsi disks make a difference.

also, the How To above, has the setting up of the second drive, but it does not go into the particulars:

do we run:

cd /dev/
dd if=/dev/zero of=Tmp bs=1024 count=100000
dd if=/dev/zero of=varTmp bs=1024 count=100000

mkfs -t ext3 /dev/Tmp
mkfs -t ext3 /dev/varTmp

et al

AFTER:


*****

On the 2nd scsi drive, make the /tmp
say /dev/sdbX

mke2fs on the /dev/sdbx ENTER
mount /dev/sdbx /mnt/somthing ENTER
cp -a /tmp/* /mnt/something/ ENTER

pico /etc/fstab
add
/dev/sdbx

mv /tmp /tmp-old

*****

also: mount /dev/sdbx /mnt/ " somthing "

is the SOMETHING the name of the mount, IE: /backup or tmp ?

******************************

so, what i am attempting to discover is the process

our fstab:

more /etc/fstab

/dev/sda3 / ext3 defaults,usrquota 1 1
/dev/sda1 /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/sda2 swap swap defaults 0 0
/dev/fd0 /mnt/floppy auto noauto,owner,kudzu 0 0
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0
/dev/sdb3 /backup ext3 defaults 0 0

-------------------------------



i agree about compilars...

i will perform that as soon as install the last software SiteStudio.

....will this effect java and the auto image generation ?

******************

one other item..

the SCIPT

ok, we created a script called delete with
---------------------
#!/bin/sh
while true
do
sleep 30s
cd /tmp
rm -f *.c
done
-------------


and saved, chmod 755


and typed ./delete > /dev/null 2>&1

ENTER


was this correct? hoew do i know it is running..

or

do i have to set up cron?

thanks

rock