Your /tmp directory is very dangerous, since every single user has the ability to write to it. So if you have an upload script on your site that may be exploitable, or even a vulnerability in a program which allows for remote code execution, it will let the attacker upload a file into your /tmp directory, or use the remote code execution to drive something like wget and download something into your /tmp directory (this is usually how DoS trojans and rootkits end up on your server).
But there is something you can do to help protect your /tmp directory:
===============================================
First, find and stop all processes that are using your /tmp so you can work with it:
# lsof | grep /tmp
you should see something like this:
root@carine [/]# lsof | grep /tmp
screen 2599 root cwd DIR 8,8 2863104 2 /tmp
php 7577 greatpho 3u REG 8,8 0 1194 /tmp/session_mm_cgi759.sem (deleted)
php 7577 greatpho 5u REG 8,8 0 59 /tmp/sess_658bbc19e47f720c2210f3f0339ec6dd (deleted)
mysqld 22603 mysql 5u REG 7,0 0 87 /tmp/ibQZkUsh (deleted)
mysqld 22603 mysql 6u REG 7,0 1017 90 /tmp/ibE6blca (deleted)
mysqld 22603 mysql 7u REG 7,0 0 91 /tmp/ibXQhMV2 (deleted)
mysqld 22603 mysql 8u REG 7,0 8602 92 /tmp/ibbZcCFV (deleted)
mysqld 22603 mysql 12u REG 7,0 0 93 /tmp/ibvUZEqO (deleted)
php 29509 greatpho 3u REG 8,8 0 95 /tmp/session_mm_cgi759.sem (deleted)
php 29509 greatpho 5uW REG 8,8 0 59 /tmp/sess_658bbc19e47f720c2210f3f0339ec6dd (deleted)
php 32685 aclubber 3u REG 7,0 0 17861 /tmp/session_mm_cgi533.sem
php 32692 salesdna 3u REG 7,0 0 17858 /tmp/session_mm_cgi3098.sem
php 32692 salesdna 5uW REG 7,0 0 17918 /tmp/sess_dbc01a315bbdad2eba7d761b94fb3f04
Stop those processes which are using your /tmp directory, then copy and paste the following into your terminal window (as root):
cd /
# create a 200 MB file to hold the new filesystem (bs=1024 x count=200000)
dd if=/dev/zero of=/tmpdir bs=1024 count=200000
# format it as ext3 (-F forces mkfs to work on a regular file instead of a block device)
mkfs.ext3 -F /tmpdir
# keep the old /tmp contents in case anything is needed, then mount the new filesystem in its place
mv /tmp /tmp.backup
mkdir /tmp
mount -o loop,noexec,nosuid,rw /tmpdir /tmp
# world-writable with the sticky bit (1777), so users can only remove their own files; a plain 0777 would let any user delete everyone else's
chmod 1777 /tmp
# make the mount persistent across reboots
if ! grep -qai tmpdir /etc/fstab ; then
echo "/tmpdir /tmp ext3 loop,noexec,nosuid,rw 0 0" >> /etc/fstab
fi
mount -a
# verify: copying a binary into /tmp works, but running it from there must fail
cp /bin/ls /tmp/
/tmp/ls
it should return something like this:
-bash: /tmp/ls: Permission denied
If you see that, then you know everything has gone according to plan.
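Besides trying to run a copied binary, you can confirm the mount options themselves. The script below is an added example, not part of the original post: it reads a /proc/mounts-style listing from stdin and checks that /tmp is a separate mount carrying both noexec and nosuid. The sample listings embedded in it are constructed for illustration; on a live host you would run `check_mount_opts /tmp < /proc/mounts`.

```shell
#!/bin/sh
# Added example: verify that /tmp is mounted with the options the procedure
# above sets (noexec, nosuid). Reads a /proc/mounts-style listing from stdin.
# Live use:  check_mount_opts /tmp < /proc/mounts

# Print the mount options of the filesystem mounted on the given path.
# /proc/mounts fields: device mountpoint fstype options dump pass
# If the path is mounted more than once, the last (topmost) entry wins.
mount_opts_for() {
    awk -v mp="${1:-/tmp}" '$2 == mp { opts = $4 } END { print opts }'
}

# Exit 0 when noexec and nosuid are both present,
#      1 when the path is a separate mount but lacks one of them,
#      2 when the path is not a separate mount at all.
check_mount_opts() {
    opts=$(mount_opts_for "$1")
    [ -n "$opts" ] || return 2
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample /proc/mounts listings (not taken from the post).
# The hardened one is what the loop-mount procedure above produces.
SAMPLE_HARDENED='/dev/sda1 / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0'

SAMPLE_WEAK='/dev/sda1 / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,relatime 0 0'

SAMPLE_NOMOUNT='/dev/sda1 / ext3 rw,relatime 0 0'

# Report the result for one labelled sample.
report() {
    if printf '%s\n' "$2" | check_mount_opts /tmp; then
        echo "$1: /tmp is mounted noexec,nosuid - OK"
    elif [ $? -eq 2 ]; then
        echo "$1: /tmp is not a separate mount (it lives on the root filesystem)"
    else
        echo "$1: /tmp is a separate mount but lacks noexec or nosuid"
    fi
}

report hardened "$SAMPLE_HARDENED"
report weak "$SAMPLE_WEAK"
report nomount "$SAMPLE_NOMOUNT"
```

The check matches whole option names between commas, so an option such as `noexec` is not confused with a longer one that merely contains it; reading from stdin rather than from /proc/mounts directly is what lets the same function be exercised against the constructed samples.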
What the above does is create a storage medium (so to speak) in the file /tmpdir, and then mount /tmpdir on /tmp with the options loop,noexec,nosuid,rw.
This still won't stop the rootkits or DoS files from being uploaded or downloaded into your /tmp directory, but it will sure as hell stop them from being executed directly from there. Keep in mind that noexec only blocks running a file in /tmp as a program and nosuid only ignores setuid bits on files there, so this is one layer of defence rather than a complete fix.
Hope this helps