Why I disabled /dev/shm

**amal** · 01-10-2005 12:14 AM

The reason why I did that was even if the noexec can prevent scripts from running using ./ , it won't prevent scripts run using perl, for eg:-
perl udp.pl

**dezignguy** · 01-10-2005 02:14 AM

/dev/shm is the filesystem that supports POSIX shared memory. It supports calls like shm_open() and shm_unlink(). This provides a consistent filesystem interface to shared memory, as opposed to the System V IPC which relies on the communicating processes to agree on a common protocol to generate the same key so they all access the same piece of shared memory (eg: ftok()). POSIX shared mem does away with all that mess. Now you create and use shared memory objects as if they are file system entities.

I don't know exactly what breaks if you disable it... I know that's not POSIX compliant though... so you may not be able to run some POSIX programs after you remove it. But that may only affect some custom/commercial programs.

I just locked it down in a similar manner as /tmp itself... but left it there.

**RandyO** · 01-10-2005 03:09 AM

Originally Posted by benito

Hi!

Just a question, BFD automatically restart on every server reboot ?

BFD runs as a cron job, not a service

NOTE: on the root logon notification, I might suggest that you use a remote mail address. Using a mail account located on the same server is probably not the best idea....

**HH-Steven** · 01-10-2005 10:39 PM

Just a couple of corrections so that people are aware :

At command prompt type: cd apf-0.9.4-6

Current version is now apf-0.9.4-7

so you will need to use :

Code:

cd apf-0.9.4-7

:::::::::::::::::::::::

At command prompt type: cd bfd-0.4

Current version is now bfd-0.5

so you will need to use :

Code:

cd bfd-0.5

And thankyou for an excellent guide 000000000

**eth00** · 01-13-2005 11:17 AM

/dev/shm is part of how your system handles virtual memory. Though I am unsure of what can break using it I do not think it is the best idea to totaly disable it. Occasionaly crackers will try to upload and execute a script from /dev/shm. In the past few months it seems most of them have moved to using perl to execute the exploits though.

**juba** · 01-15-2005 02:11 AM

I did this of sending me an email when somebody logs in the server but I got this today:

ALERT - Root Shell Access on: Sat Jan 15 01:04:40 CST 2005

What does this mean? Because there is no ip address or any other info, I tried it yesterday and it worked well, thanks for the help,

**amal** · 01-15-2005 02:23 AM

Originally Posted by eth00

/dev/shm is part of how your system handles virtual memory. Though I am unsure of what can break using it I do not think it is the best idea to totaly disable it. Occasionaly crackers will try to upload and execute a script from /dev/shm. In the past few months it seems most of them have moved to using perl to execute the exploits though.

I have disabled it on about 200 servers and have never faced a problem with any of the users on any of those servers. And I have been doing it this way for about an year....

**SuperBaby** · 01-19-2005 10:22 AM

Also check for:

locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

You didn't explain what to observe for the above? I tested tha above and almost all of them showed me a long list of files. Is that good or bad? Are you supposed to get something?

**RandyO** · 01-19-2005 05:24 PM

Originally Posted by juba

I did this of sending me an email when somebody logs in the server but I got this today:

ALERT - Root Shell Access on: Sat Jan 15 01:04:40 CST 2005

What does this mean? Because there is no ip address or any other info, I tried it yesterday and it worked well, thanks for the help,

I get those without an IP when I use WINSCP and access via root. any shell logons I always get an IP back. Not sure why SFTP does not. If you are not using SFTP or something like it, it could indicate a logon from the console itself. As it would be a local logon, it might not log 127.0.0.1

**juba** · 01-19-2005 05:34 PM

Would that be any update going on? Because it happens every day but it keeps on moving like 3 to 4 hours later, lets say first time 12am , next day 3am, next day 7 am and so on, thanks,

**x-man** · 01-19-2005 07:32 PM

Originally Posted by 000000000

Disable identification output for Apache

To disable the version output for proftp, SSH into server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to

ServerSignature Off

Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart

But when I ask here about that somebody tell to me that if I disable that cPanel can work on update like when that is ON, is that true?!

thanks

**gorilla** · 01-20-2005 12:14 AM

Originally Posted by SuperBaby

You didn't explain what to observe for the above? I tested tha above and almost all of them showed me a long list of files. Is that good or bad? Are you supposed to get something?

Have you disabled those in WHM / System Health / Background Process Killer yet ?

**SuperBaby** · 01-20-2005 10:54 AM

Have you disabled those in WHM / System Health / Background Process Killer yet ?

None of the checkboxes in the list is checked. There is no trusted user in the second box. Not even Root.

So is that correct? Am I supposed to get the file list when I use "locate"?

**gorilla** · 01-20-2005 10:58 AM

just check all of them which will block those irc bots !

**gorilla** · 02-18-2005 03:04 AM

BTW this is a great basic tutorial for all the newcomers, maybe the mods could make it a sticky !!!?

LinkBack

Thread Tools

Why I disabled /dev/shm

did this :)

A Beginner's Guide to Name Servers Part-2 (Custom Nameservers for Resellers)

Guide to securing a server?

A Beginner's Guide to Name Servers Part-1 (Setting up nameservers in WHM/Cpanel)