Temporary directories such as /tmp, /var/tmp, and /dev/shm offer a platform for hackers to run scripts and programs. These malicious executables are used to abuse or compromise your server. Ideally the /tmp directory should be mounted on its own partition with limited permissions.
This guide is for AKLWEB Host users whose server configuration does not include a mounted /tmp directory on its own partition, which leaves these directories insecure and vulnerable. Implementing this guide will make it extremely difficult for hackers to use these directories.
Note: Default CentOS installations do not mount the /tmp directory on its own partition.
Change to the home directory.
cd /home
Make a file in the home directory with any name. Here we are using ‘mntTmp’ and creating a 2GB file. You can adjust this to suit your needs.
dd if=/dev/zero of=mntTmp bs=1024 count=2000000
Make an extended filesystem for this file.
mkfs.ext4 /home/mntTmp
Back up your current /tmp directory.
cp -Rpf /tmp /tmp_backup1
Return to the base directory.
cd /
Create the /tmp mounting option to run at boot by using a text editor.
nano /etc/fstab
Add the following to the bottom of the fstab file on a separate line. Then press enter to ensure there is an empty line beneath it (the empty line is important to avoid running into problems when rebooting).
/home/mntTmp /tmp ext4 loop,nosuid,noexec,nodev,rw 0 0
Note: This mount may need to be temporarily removed when you compile or install software
Keep the file open as another line is going to be changed.
CentOS uses a temporary filesytem (tmpfs) in virtual memory called “shm”. It appears mounted despite the fact that it is not a physical file system. We can apply permissions to secure shm. Look for the line in the fstab file with tmpfs and /shm. Replace 'defaults' with 'defaults,nosuid,noexec,nodev'. Save the file.
You can now mount the /tmp file system.
mount -o loop,nosuid,noexec,nodev /home/mntTmp /tmp
Set read, write, execute permissions.
chmod 777 /tmp
Check for any mounting errors with the new boot settings.
mount -o remount /tmp
Move the /tmp backup which you created back to the mounted /tmp file system.
mv /tmp_backup1/* /tmp/
Remove the backup that you created.
rm -Rf /tmp_backup1
Backup up /var/tmp.
cp -Rpf var/tmp /tmp_backup2
Remove the /var/tmp directory.
rm -Rf /var/tmp
Create a symbolic link from /var/tmp to /tmp.
ln -s /tmp /var/tmp
Copy the /var/tmp backup to /tmp.
mv /tmp_backup2/* /tmp/
Remove the backup.
rm -Rf /tmp_backup2
Optional
Depending on the specific software you are using, you may have a “tmp” directory in the home directory. You can remove this directory and create a symbolic link to /tmp. Care should exercised when doing this as it may break the software, particularly web hosting software.
rm -Rf /home/tmp
ln -s /tmp /home/tmp