{"id":2565,"date":"2019-12-06T14:27:52","date_gmt":"2019-12-06T14:27:52","guid":{"rendered":"https:\/\/support.aklwebhost.com\/?post_type=manual_kb&p=2565"},"modified":"2019-12-27T07:15:05","modified_gmt":"2019-12-27T07:15:05","slug":"secure-tmp-and-tmpfs-on-centos-6","status":"publish","type":"manual_kb","link":"https:\/\/support.aklwebhost.com\/knowledgebase\/secure-tmp-and-tmpfs-on-centos-6\/","title":{"rendered":"Secure TMP and TMPFS on CentOS 6"},"content":{"rendered":"

Temporary directories such as /tmp, /var/tmp, and /dev/shm offer a platform for hackers to run scripts and programs. These malicious executables are used to abuse or compromise your server. Ideally the /tmp directory should be mounted on its own partition with limited permissions.

This guide is for AKLWEB Host users whose server configuration does not include a mounted /tmp directory on its own partition, which leaves these directories insecure and vulnerable. Implementing this guide will make it extremely difficult for hackers to use these directories.

Note: Default CentOS installations do not mount the /tmp directory on its own partition.

Change to the home directory.

 cd /home

Make a file in the home directory with any name. Here we are using ‘mntTmp’ and creating a 2GB file. You can adjust this to suit your needs.

 dd if=/dev/zero of=mntTmp bs=1024 count=2000000

Make an extended filesystem for this file.

 mkfs.ext4  /home/mntTmp

Back up your current /tmp directory.

 cp -Rpf /tmp /tmp_backup1

Return to the base directory.

 cd /

Create the /tmp mounting option to run at boot by using a text editor.

 nano /etc/fstab

Add the following to the bottom of the fstab file on a separate line. Then press enter to ensure there is an empty line beneath it (the empty line is important to avoid running into problems when rebooting).

 /home/mntTmp   /tmp    ext4    loop,nosuid,noexec,nodev,rw 0 0

Note: This mount may need to be temporarily removed when you compile or install software.

Keep the file open as another line is going to be changed.

CentOS uses a temporary filesystem (tmpfs) in virtual memory called “shm”. It appears mounted despite the fact that it is not a physical file system. We can apply permissions to secure shm. Look for the line in the fstab file with tmpfs and /shm. Replace 'defaults' with 'defaults,nosuid,noexec,nodev'. Save the file.

You can now mount the /tmp file system.

 mount -o loop,nosuid,noexec,nodev /home/mntTmp /tmp

Set read, write, execute permissions.

 # 1777 rather than 777: the leading 1 is the sticky bit, so users cannot delete each other's files
 chmod 1777 /tmp

Check for any mounting errors with the new boot settings.

 mount -o remount /tmp

Move the /tmp backup which you created back to the mounted /tmp file system.

 mv /tmp_backup1/* /tmp/

Remove the backup that you created.

 rm -Rf /tmp_backup1

Back up /var/tmp.

 cp -Rpf /var/tmp /tmp_backup2

Remove the /var/tmp directory.

 rm -Rf /var/tmp

Create a symbolic link from /var/tmp to /tmp.

 ln -s /tmp /var/tmp

Move the /var/tmp backup to /tmp.

 mv /tmp_backup2/* /tmp/

Remove the backup.

 rm -Rf /tmp_backup2

Optional

Depending on the specific software you are using, you may have a “tmp” directory in the home directory. You can remove this directory and create a symbolic link to /tmp. Care should be exercised when doing this as it may break the software, particularly web hosting software.

 rm -Rf /home/tmp
 ln -s /tmp /home/tmp
","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","format":"standard","manualknowledgebasecat":[231,242],"manual_kb_tag":[352],"_links":{"self":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/2565"}],"collection":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb"}],"about":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/types\/manual_kb"}],"author":[{"embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/comments?post=2565"}],"version-history":[{"count":1,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/2565\/revisions"}],"predecessor-version":[{"id":2566,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/2565\/revisions\/2566"}],"wp:attachment":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/media?parent=2565"}],"wp:term":[{"taxonomy":"manualknowledgebasecat","embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manualknowledgebasecat?post=2565"},{"taxonomy":"manual_kb_tag","embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb_tag?post=2565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
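
The guide's two fstab changes (the /tmp loop mount and the /dev/shm options) can be checked with a small audit of the mount table. This is an added example, not part of the original guide; the function names `missing_opts` and `audit_tmp` and both sample fstab files are constructed for illustration.

```shell
# Added example: audit fstab-format text for the nosuid,noexec,nodev
# options the guide applies to /tmp and /dev/shm.

# missing_opts FILE MOUNTPOINT
# Prints the required options MOUNTPOINT lacks, or "unmounted" if it has no entry.
missing_opts() {
    awk -v mp="$2" '
        $1 ~ /^#/ || NF < 4 { next }              # skip comments and short lines
        $2 == mp { found = 1; opts = $4 }         # last matching entry wins
        END {
            if (!found) { print "unmounted"; exit }
            n = split(opts, have, ",")
            for (i = 1; i <= n; i++) set[have[i]] = 1
            m = split("nosuid noexec nodev", need, " ")
            for (i = 1; i <= m; i++)
                if (!(need[i] in set)) { out = out sep need[i]; sep = " " }
            print out
        }' "$1"
}

# audit_tmp FILE: returns 0 only if both mount points carry all three options.
audit_tmp() {
    _rc=0
    for _mp in /tmp /dev/shm; do
        _miss=$(missing_opts "$1" "$_mp")
        if [ -n "$_miss" ]; then echo "FAIL $_mp: $_miss"; _rc=1
        else echo "OK   $_mp"; fi
    done
    return $_rc
}

# Constructed sample: a default-style fstab before the guide is applied.
BEFORE=$(mktemp)
cat > "$BEFORE" <<'EOF'
/dev/sda1      /          ext4    defaults                       1 1
tmpfs          /dev/shm   tmpfs   defaults                       0 0
EOF

# Constructed sample: the same fstab after the guide's two edits.
AFTER=$(mktemp)
cat > "$AFTER" <<'EOF'
/dev/sda1      /          ext4    defaults                       1 1
tmpfs          /dev/shm   tmpfs   defaults,nosuid,noexec,nodev   0 0
/home/mntTmp   /tmp       ext4    loop,nosuid,noexec,nodev,rw    0 0
EOF
trap 'rm -f "$BEFORE" "$AFTER"' EXIT

audit_tmp "$BEFORE" || true
audit_tmp "$AFTER"
```

To audit the running system instead of the boot configuration, pass `/proc/mounts`, which uses the same first four fields as fstab.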