Hey,
For a guarnateed.... (err almost guaranteed).. protection do this:
1. Make a different /tmp partition.
2. via fstab, ensure that you have nosuid,nodev for /tmp.
3. chmod 000 /usr/bin/*cc*
This simple 3 steps will protect your server from that fault as well as almost 95% of server hacks.
This is how hacks work:
1. You run a faulty system, in your case mod_ssl running via user apache.
2. Our Mr. Nice guy knows that you are running a faulty mod_ssl.
3. via numerous warez sites, he gets hold of explot.c, which he compiles in his "*nix" system.
4. After compiling, all he has to do is
./exploit.exe your.system.ip
5. The explits connects to your system, does a buffer overflow or stack overflow, and writes the file in your /tmp.
6. In /tmp. more files are downloaded from certain nice sites and gets compiled via the gcc in your system.
7. The exploit created either a suid or a dev or both.
8. Congrats! he has access to your system, via a shell spawnned.
In /tmp, the owner.group of the files you see is via the daemon that was used to compromise your system.
Well. almost 95% of cracks and exploits work this way.
Use cc only for yourself, and only when you need it. If you have given access to bash in the system, then not allowing access to *CC* is a must.
Congratulations, you have stopped almost 95% of the hacks. Now you can sleep well if apache is faulty or sendmail, or some other daemon in future.
However, there are exploits via perl also, means a server/daemon can also be compromised via perl on the system, running via the cgi-bin given to users. But perl exploit, though it exists is rare and only found on rare warez sites.
Make /boot, /home, /logs and other partitions nosuid and nodev via fstab, so that any potential exploits cannot make use of those systems.
If you are serious running a server, you need a different /tmp.
If you secure your /tmp and your *cc*, you have almost secure your server.
Hope this helps.
LinkBack URL
About LinkBacks
preventing being hacked through /tmp
Reply With Quote
