The Community Forums

Interact with an entire community of cPanel & WHM users!

preventing being hacked through /tmp

Discussion in 'General Discussion' started by jamesbond, Mar 9, 2003.

  1. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    I just read the following thread on webhostingtalk.com and in particular the post by Shashi Dahal

    http://www.webhostingtalk.com/showthread.php?s=&threadid=120332&perpage=15&pagenumber=3


    Has anyone else taken measures like this to prevent hackers from writing to /tmp and executing programs from there?

    It sounds like a good strategy to me, the only thing I don't know is if this method has any disadvantages.


     
    #1 jamesbond, Mar 9, 2003
    Last edited: Mar 10, 2003
  2. tabernack

    tabernack Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    103
    Likes Received:
    0
    Trophy Points:
    16
    Unfortunately Cpanel uses /tmp for too many things (upcp, cpmove's, etc.) at the moment to mount /tmp as noexec. Hopefully Nick will get around to making sure /tmp is locked down and use a different folder for Cpanel based functionality. We've seen too much abuse via the /tmp folder which should make this issue a priority.
     
  3. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    I agree, just look at the amount of servers that have been abused recently by 'script kiddies' with their automated exploit programs.
    If you can keep the majority of script kiddies out, then you only have to worry about real hackers, of which there are not so many :)

    I hope Nick can at least inform us what we can change without breaking cpanel functionality.
     
  4. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    BUMP

    I'm still interested in knowing how others secure their CPanel servers without breaking anything in CPanel.

    I would like to prevent 'hackers' from executing files that they have managed to write to /tmp by abusing security issues in scripts that customers have installed.

    For example, does setting /tmp to noexec still cause problems with CPanel?
    Is there a better solution?
     
    #4 jamesbond, Apr 8, 2003
    Last edited: Apr 8, 2003
  5. hotice007

    hotice007 Well-Known Member
    PartnerNOC

    Joined:
    Jun 20, 2002
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    This had just happened to me, a client was using myshell.php to gain access to the server. I added the following to php.ini:

    disable_functions = shell_exec, shell_exec, system
     
  6. Sash

    Sash Well-Known Member

    Joined:
    Feb 18, 2003
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    16
    It would be a good idea to disable "passthru" as well.

    Mike
     
  7. RisingHost

    RisingHost Member

    Joined:
    Feb 9, 2003
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    what is the location of the php.ini file you are editing?
     
  8. Sash

    Sash Well-Known Member

    Joined:
    Feb 18, 2003
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    16
    /usr/local/lib/php.ini

    Mike
     
  10. RisingHost

    RisingHost Member

    Joined:
    Feb 9, 2003
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    why is shell_exec disabled twice?
     
  11. andyf

    andyf Well-Known Member

    Joined:
    Jan 7, 2002
    Messages:
    246
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    UK
    This breaks an awful lot of stuff - particularly things that make external calls to the like of imagemagick etc ('Gallery' springs to mind).
     
  12. trakwebster

    trakwebster Well-Known Member

    Joined:
    Jan 29, 2003
    Messages:
    145
    Likes Received:
    0
    Trophy Points:
    16
    time of day?

    Hi, tabernack,

    I've been thinking about this approach -- it's posted in detail at http://www.admin0.com -- and tell me if this idea has any merit --
    unlock the compiler before the cpanel updates and lock it again afterward? This would at least narrow the window during which the compiler can be used. It seems that most cpanel updates are via rpm, but I've seen, I think, perl and apache updates use the compiler.

    The other question is: does cpanel require /tmp during normal daily operation, in some way that the noexec on /tmp would interfere?

    I could be wrong, but I thought admin0 used cpanel himself. I should ask him.

    Any info that you have on this, however, would be appreciated.
     
  13. pingo

    pingo Well-Known Member

    Joined:
    Nov 16, 2002
    Messages:
    430
    Likes Received:
    0
    Trophy Points:
    16
    Hopefully Nick will get around to making sure /tmp is locked down and use a different folder for Cpanel based functionality. We've seen too much abuse via the /tmp folder which should make this issue a priority.

    I agree. A server of mine was hacked via /tmp a few weeks ago.

    John
     
  14. hostedzone

    hostedzone Member

    Joined:
    Aug 8, 2003
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Maine, USA
    Many people are being hacked by these script kiddies, I think the best precaution is to keep in mind the old saying, "Keep your friends close, but keep your enemies closer!" i.e: Get yourself into irc and start hanging in the channels of these script kiddies, learn what they are doing and what the newest exploit of choice is.

    This of course is just an idea. :)
     
  15. damainman

    damainman Well-Known Member

    Joined:
    Nov 13, 2003
    Messages:
    515
    Likes Received:
    0
    Trophy Points:
    16
    Re: time of day?

    I would like to know this too because I just configured my cpanel server with a noexec /tmp .... are there any problems I should be aware of?
     
  16. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    cPanel stopped using /tmp for updates months ago. Check the dates before you post.
     
  17. Planet_Master

    Planet_Master Well-Known Member

    Joined:
    Apr 18, 2002
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Yorker
    Instead of going through all the trouble in the first post, you can do the following in Shell to protect /tmp (As posted at beachcomber by Mark)

    Ok, 90% of the time when a server is compromised it is because the /tmp folder on the server is executable and PHP can be used to upload files as nobody to other parts of your system... ...BUT

    Want to get even... ... (and sleep nights... ) or just want to secure your box even more. I would suggest doing the following to make your /tmp nonexecutable.

    Step1: Create a file that we will use to mount at /tmp.

    a) cd /dev

    b) Create a 200mb file in /dev
    dd if=/dev/zero of=tmpMnt bs=1024 count=200000

    c) Make an extended filesystem for our tmpMnt file
    mke2fs /dev/tmpMnt (hit y when prompted)

    d) Backup your /tmp dir
    cd /
    cp -R /tmp /tmp_backup

    e) Mount the new /tmp filesystem with noexec.
    mount -o loop,nosuid,noexec,rw /dev/tmpMnt /tmp
    chmod 1777 /tmp

    f) Copy everything back to the new /tmp, verify, and remove the backup
    cp -R /tmp_backup/* /tmp/
    cd /tmp
    ls -la (verify the files are there)
    rm -rf /tmp_backup

    g) Add to fstab so it mounts automatically on reboots.
    pico -w /etc/fstab

    You will see something like this:

    LABEL=/ / ext3 defaults 1 1
    none /dev/pts devpts gid=5,mode=620 0 0
    LABEL=/home /home ext3 defaults 1 2
    none /proc proc defaults 0 0
    none /dev/shm tmpfs defaults 0 0
    LABEL=/usr /usr ext3 defaults 1 2
    LABEL=/var /var ext3 defaults 1 2
    /dev/hda6 swap swap defaults 0 0


    At the bottom add:
    /dev/tmpMnt /tmp ext2 loop,nosuid,noexec,rw 0 0 (on one line)

    (Each space is a tab)

    Ctrl + X and Y to exit and save.

    You're done - /tmp is now mounted as noexec.

    then

    >>EDIT<<
    then

    cd /var
    rm -rf tmp
    ln -s /tmp /var/tmp
    >> END EDIT<<<

    >>> Do not use <<< IF YOU DID and have MySql errors, see post below
    cd /var
    rm /tmp
    ln -s /tmp /var/tmp
    >>>DO NOT USE <<< IF YOU DID and have MySql errors, see post below


    and you are all set..
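    An added example, not code from the thread, from Mark's post, or from cPanel: a POSIX sh audit that parses /proc/mounts-style lines (the same "device mountpoint fstype options" layout /etc/fstab uses, so the same functions check the fstab line above) and reports which of the hardening options the procedure sets (noexec, nosuid) a mount point is missing. SAMPLE_MOUNTS and SAMPLE_FSTAB are constructed sample text, and mount_opts and missing_opts are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): audit whether /tmp carries the
# noexec,nosuid options the procedure above sets. Works on /proc/mounts and on
# /etc/fstab text alike, since both use "device mountpoint fstype options ...".

# Constructed sample text standing in for /proc/mounts on a hardened server.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/tmpMnt /tmp ext2 rw,nosuid,noexec 0 0
/dev/hda5 /var ext3 rw 0 0'

# Constructed sample fstab: the thread's line for /tmp plus an unhardened /var.
SAMPLE_FSTAB='LABEL=/ / ext3 defaults 1 1
/dev/tmpMnt /tmp ext2 loop,nosuid,noexec,rw 0 0
LABEL=/var /var ext3 defaults 1 2'

# mount_opts MOUNTPOINT [TEXT]: print the option field of the last entry for
# MOUNTPOINT in TEXT (default: /proc/mounts); prints nothing if absent.
mount_opts() {
    mp=$1
    if [ $# -ge 2 ]; then text=$2; else text=$(cat /proc/mounts); fi
    printf '%s\n' "$text" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }'
}

# missing_opts MOUNTPOINT REQUIRED [TEXT]: print the comma-separated REQUIRED
# options that MOUNTPOINT lacks, "unmounted" if it has no entry at all, or an
# empty line when everything required is present.
missing_opts() {
    mp=$1; required=$2; shift 2
    opts=$(mount_opts "$mp" "$@")
    if [ -z "$opts" ]; then echo unmounted; return 0; fi
    missing=""
    for want in $(printf '%s' "$required" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Live check when run on a Linux host: "/tmp: " followed by nothing means OK.
# (A symlinked /var/tmp, as in the thread, has no entry of its own.)
if [ -r /proc/mounts ]; then
    printf '/tmp: %s\n' "$(missing_opts /tmp noexec,nosuid)"
fi
```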
     
  18. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Wouldn't it make more sense to symlink /var/tmp/ to a subdirectory in /tmp, say /tmp/var_tmp/ ?

    This way you can still see which files belong to /tmp and which files belong to /var/tmp.
     
  19. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    you could also just run
    /scripts/securetmp

    It has been said that one advantage of this script over the manual way is that you could run into problems fscking if /tmp is mounted via fstab. I'm no expert and can't give an opinion.
     
  20. damainman

    damainman Well-Known Member

    Joined:
    Nov 13, 2003
    Messages:
    515
    Likes Received:
    0
    Trophy Points:
    16