Linux and Unix-like operating systems can mount partitions with additional options that enhance the security of your server. These options are set in the file /etc/fstab. You can use the following options to restrict malicious behavior and make it more difficult for attackers to exploit your server:
| Tutorial details | |
|---|---|
| Difficulty | Intermediate |
| Root privileges | Yes |
| Requirements | Linux |
- nodev - Do not interpret character or block special devices on the file system.
- noexec - Do not allow direct execution of any binaries on the mounted filesystem.
- nosuid - Do not allow set-user-identifier or set-group-identifier bits to take effect.
Commands
First, create a file called /root/images/tmpfile.bin as follows:
# mkdir -p /root/images/
# dd if=/dev/zero of=/root/images/tmpfile.bin bs=1 count=0 seek=4G
Format the file system using the mkfs.ext4 command:
# mkfs.ext4 /root/images/tmpfile.bin
Sample outputs:
mke2fs 1.41.12 (17-May-2010)
/root/images/tmpfile.bin is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
262144 inodes, 1048576 blocks
52428 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1073741824
32 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Add the nodev, nosuid, and noexec options and mount the file system at /tmp:
# mount -o loop,rw,nodev,nosuid,noexec /root/images/tmpfile.bin /tmp
# chmod 1777 /tmp
Type the following command to bind mount /tmp onto /var/tmp:
# mount -o rw,noexec,nosuid,nodev,bind /tmp /var/tmp
Update /etc/fstab
Edit the file /etc/fstab, enter:
# vi /etc/fstab
Modify the /tmp line as follows (the image file is mounted with the loop option, matching the mount command above):
/root/images/tmpfile.bin /tmp ext4 loop,rw,noexec,nosuid,nodev 0 0
Append the following line:
/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0
Save and close the file.
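To confirm the options are in place, the following added example (not part of the original tutorial) checks a mount table for nodev, nosuid and noexec on given mount points. The function names and the sample lines are constructed for illustration; on a live host, pass /proc/mounts or /etc/fstab as the file.

```shell
#!/bin/sh
# Audit a mount table for the options this tutorial sets on /tmp and /var/tmp.
# /proc/mounts and /etc/fstab both keep the mount point in field 2 and the
# comma-separated options in field 4, so one parser covers both files.
REQUIRED_OPTS="nodev nosuid noexec"

# Constructed sample in /proc/mounts format (not captured from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/loop0 /var/tmp ext4 rw,nosuid,relatime 0 0
EOF
}

# missing_opts FILE MOUNTPOINT: print the required options MOUNTPOINT lacks,
# or "no-entry" if FILE does not list it. The last matching line wins, because
# the most recent mount on a path is the one in effect.
missing_opts() {
    awk -v mp="$2" -v req="$REQUIRED_OPTS" '
        /^[ \t]*#/ { next }                 # skip fstab comments
        $2 == mp   { opts = $4; found = 1 }
        END {
            if (!found) { print "no-entry"; exit }
            n = split(req, want, " ")
            split(opts, have, ",")
            for (i in have) seen[have[i]] = 1
            out = ""
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) out = out (out == "" ? "" : " ") want[i]
            print out
        }' "$1"
}

# check_hardened FILE MOUNTPOINT...: status 0 only if every mount point listed
# carries all required options.
check_hardened() {
    file=$1; shift; rc=0
    for mp in "$@"; do
        miss=$(missing_opts "$file" "$mp")
        if [ -n "$miss" ]; then echo "FAIL $mp: $miss"; rc=1
        else echo "OK   $mp"; fi
    done
    return $rc
}

# Demo on the constructed sample; on a live host use /proc/mounts instead.
sample=$(mktemp); sample_mounts > "$sample"
check_hardened "$sample" /tmp /var/tmp || echo "hardening incomplete"
rm -f "$sample"
```

Running `check_hardened /etc/fstab /tmp /var/tmp` as well catches an fstab entry that would drop an option at the next reboot.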