Sunday, January 10, 2010

Basic cPanel Server Hardening - Part 4

So far this series of articles has covered protecting your server with a firewall and defending against brute force attacks. This article covers securing the /tmp directory. The /tmp directory is used by applications for temporary storage while they are running. By default any user can create and execute files in /tmp, making it an easy stepping stone for exploits. The following changes prevent files in /tmp from being executed, which helps limit what a hacker can do.

Execute these commands to create and mount a secured /tmp filesystem:
dd if=/dev/zero of=/dev/tmpDSK bs=1024 count=500000 # create file to hold new /tmp directory
/sbin/mke2fs /dev/tmpDSK # make file system for new /tmp
cp -Rp /tmp /tmp_backup # back up the existing /tmp directory, preserving ownership and permissions
mount -o loop,noexec,nosuid,rw /dev/tmpDSK /tmp # mount new /tmp with noexec and nosuid
chmod 1777 /tmp # set permissions for new /tmp
cp -Rp /tmp_backup/* /tmp/ # copy backup of /tmp into new /tmp
rm -rf /tmp_backup # remove backup of /tmp

Next you need to edit the file /etc/fstab and add this line to the end so that the new /tmp will be mounted when the server reboots.
/dev/tmpDSK    /tmp    ext2    loop,noexec,nosuid,rw  0 0

The server I set up actually had most of this work already done, but the noexec parameter had not been added to /etc/fstab for /tmp. To correct this, all I had to do was edit /etc/fstab to add noexec to the parameter list and then execute the command:

/bin/mount -o remount /tmp
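
The case above, where /tmp exists as a separate filesystem but /etc/fstab lacks noexec, is easy to miss because the running mount and the boot-time configuration can disagree. The following check is an added example, not part of the original article; the function names missing_opts, audit_tmp and demo are hypothetical, and the sample fstab and mount-table lines are constructed.

```bash
# Added example (not from the original article). missing_opts, audit_tmp and
# demo are hypothetical helper names; the sample files are constructed.

# missing_opts FILE MOUNTPOINT OPT...
# FILE is in fstab or /proc/mounts layout (device, mountpoint, type, options).
# Prints the required options that MOUNTPOINT's entry lacks.
# Returns 0 if none are missing, 1 if some are, 2 if there is no entry.
missing_opts() {
    local file=$1 mp=$2 opts missing="" want
    shift 2
    # Skip comments; the last match wins (a later mount hides an earlier one).
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { o = $4 } END { print o }' "$file")
    [ -n "$opts" ] || return 2
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;                    # exact option present
            *) missing="$missing $want" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "${missing# }"
    return 1
}

# audit_tmp [FSTAB] [MOUNTS]: check /tmp in both the boot-time configuration
# and the running mount table, since either one can be missing noexec.
audit_tmp() {
    local fstab=${1:-/etc/fstab} mounts=${2:-/proc/mounts} rc=0 f m st
    for f in "$fstab" "$mounts"; do
        m=$(missing_opts "$f" /tmp noexec nosuid) && st=0 || st=$?
        case $st in
            0) echo "OK   $f: /tmp has noexec,nosuid" ;;
            1) echo "FAIL $f: /tmp is missing: $m"; rc=1 ;;
            *) echo "FAIL $f: no /tmp entry"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: /tmp is mounted with noexec, but fstab lacks it.
demo() {
    local rc=0 d; d=$(mktemp -d)
    echo '/dev/tmpDSK /tmp ext2 loop,nosuid,rw 0 0' > "$d/fstab"
    echo '/dev/loop0 /tmp ext2 rw,nosuid,noexec 0 0' > "$d/mounts"
    audit_tmp "$d/fstab" "$d/mounts" || rc=$?
    rm -rf "$d"
    return $rc
}
demo || true
```

Calling audit_tmp with no arguments checks the live /etc/fstab and /proc/mounts; a FAIL on the fstab line alone means the protection will be lost at the next reboot.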

You now have a /tmp directory that does not allow files to be executed. This step reduces the options available for hackers attempting to attack and exploit your system. In the next part I will go over disabling root login to tighten security even more.
