Linux and Unix-like operating systems can mount filesystems with additional options that enhance the security of a server. The options are set in /etc/fstab and take effect each time the filesystem is mounted. The following options are particularly useful on world-writable locations such as /tmp and /var/tmp, where an attacker who gains a foothold typically drops tools, because they limit what such a filesystem can be used for:
- nodev – Do not interpret character or block special devices on the file system.
- noexec – Do not allow direct execution of any binaries on the mounted filesystem.
- nosuid – Do not allow set-user-identifier or set-group-identifier bits to take effect.
First, create a 4 GiB sparse file called /root/images/tmpfile.bin to hold the new filesystem. With count=0, dd writes no data; seek=4G only extends the file, so it occupies disk space as /tmp fills up rather than up front:
# mkdir -p /root/images/
# dd if=/dev/zero of=/root/images/tmpfile.bin bs=1 count=0 seek=4G
Create an ext4 filesystem inside the file using mkfs.ext4 (answer y to the warning that the target is not a block device):
# mkfs.ext4 /root/images/tmpfile.bin
mke2fs 1.41.12 (17-May-2010)
/root/images/tmpfile.bin is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
262144 inodes, 1048576 blocks
52428 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1073741824
32 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
Mount the filesystem at /tmp with the nodev, nosuid, and noexec options (the loop option attaches the image file to a loop device first). Anything already under /tmp is hidden, not deleted, for as long as the new filesystem is mounted over it, so do this while no running service depends on files there. Then restore the sticky bit and world-writable permissions that /tmp requires, since the fresh filesystem root is owned by root with mode 755:
# mount -o loop,rw,nodev,nosuid,noexec /root/images/tmpfile.bin /tmp
# chmod 1777 /tmp
Bind mount /tmp onto /var/tmp so both directories share the hardened filesystem:
# mount -o rw,noexec,nosuid,nodev,bind /tmp /var/tmp
Older versions of mount perform only the bind on this command and silently ignore the other options. Check the OPTIONS column of findmnt /var/tmp; if nodev, nosuid and noexec are not listed, apply them with a second mount of /var/tmp that adds remount to the same options.
Edit the file /etc/fstab, enter:
# vi /etc/fstab
Add or modify the /tmp line as follows. The option is loop, not bind: the source is a filesystem image, and a bind mount only attaches an existing directory tree, so a bind entry here would fail at boot and leave /tmp unmounted:
/root/images/tmpfile.bin /tmp ext4 loop,rw,noexec,nosuid,nodev 0 0
Append the following line below it (fstab is processed in order, so the bind mount must come after the /tmp entry it depends on):
/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0
Save and close the file. After the next reboot, confirm with findmnt /tmp and findmnt /var/tmp that the OPTIONS column of each shows nodev, nosuid and noexec. Keep in mind that noexec on /tmp breaks software that unpacks and runs binaries there (some package installers and self-extracting scripts); point such tools at another directory with TMPDIR, or temporarily remount /tmp with exec for the duration of the job, rather than dropping the option permanently.
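Because a mistake in /etc/fstab only shows up at the next boot, it pays to check the entries before rebooting. The following POSIX shell script is an added example, not part of the original article: it audits an fstab-style table for the three options above and catches the loop-versus-bind mistake for a file-backed /tmp. The function names and the two sample tables are constructed for illustration; the first sample deliberately contains the weak /tmp line, the second the corrected one.

```sh
#!/bin/sh
# Added example, not from the original article: audit an fstab-style table for
# the nodev,nosuid,noexec options before rebooting into it. Function names and
# both sample tables below are constructed for illustration.

# Constructed sample standing in for /etc/fstab. Its /tmp line is deliberately
# wrong in two ways: it lacks noexec, and it says "bind" where a file-backed
# filesystem needs "loop".
SAMPLE_FSTAB='
# <file system>            <mount point>  <type>  <options>                    <dump> <pass>
LABEL=rootfs               /              ext4    defaults                     0 1
/root/images/tmpfile.bin   /tmp           ext4    rw,nosuid,nodev,bind         0 0
/tmp                       /var/tmp       none    rw,noexec,nosuid,nodev,bind  0 0
tmpfs                      /dev/shm       tmpfs   defaults                     0 0
'
# The same two lines written correctly.
FIXED_FSTAB='
/root/images/tmpfile.bin   /tmp           ext4    loop,rw,noexec,nosuid,nodev  0 0
/tmp                       /var/tmp       none    rw,noexec,nosuid,nodev,bind  0 0
'

# fstab_field TABLE MOUNTPOINT N: print column N of the first non-comment entry
# whose mount point is MOUNTPOINT (prints nothing if there is no such entry).
fstab_field() {
    printf '%s\n' "$1" | awk -v mp="$2" -v n="$3" \
        '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $n; exit }'
}

# has_opt OPTIONS OPT: true if OPT is one whole comma-separated field of OPTIONS,
# so "exec" does not match inside "noexec" and "dev" does not match "nodev".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_opts TABLE MOUNTPOINT: print the hardening options the entry lacks,
# space-separated (empty when none), or "no-entry" if MOUNTPOINT is not listed.
missing_opts() {
    opts=$(fstab_field "$1" "$2" 4)
    if [ -z "$opts" ]; then
        echo "no-entry"
        return 0
    fi
    out=""
    for want in nodev nosuid noexec; do
        has_opt "$opts" "$want" || out="$out${out:+ }$want"
    done
    echo "$out"
}

# source_opt_mismatch TABLE MOUNTPOINT: true when the source looks like a regular
# file (an absolute path with a dotted file name such as tmpfile.bin; a heuristic)
# but the options say "bind" or omit "loop". A bind mount attaches a directory
# tree; an image file must go through a loop device or the mount fails at boot.
source_opt_mismatch() {
    src=$(fstab_field "$1" "$2" 1)
    opts=$(fstab_field "$1" "$2" 4)
    case "$src" in
        /*.*)
            if has_opt "$opts" bind || ! has_opt "$opts" loop; then
                return 0
            fi
            return 1 ;;
        *) return 1 ;;
    esac
}

# audit_fstab TABLE MOUNTPOINT...: print one line per finding and succeed only
# when every listed mount point is hardened and consistent.
audit_fstab() {
    table=$1; shift
    rc=0
    for mp in "$@"; do
        miss=$(missing_opts "$table" "$mp")
        if [ "$miss" = "no-entry" ]; then
            echo "$mp: no fstab entry"; rc=1
        elif [ -n "$miss" ]; then
            echo "$mp: missing $miss"; rc=1
        fi
        if source_opt_mismatch "$table" "$mp"; then
            echo "$mp: file-backed source needs loop, not bind"; rc=1
        fi
    done
    return $rc
}

echo "== constructed sample =="
if audit_fstab "$SAMPLE_FSTAB" /tmp /var/tmp /dev/shm; then echo "all hardened"; fi
echo "== corrected sample =="
if audit_fstab "$FIXED_FSTAB" /tmp /var/tmp; then echo "all hardened"; fi
# Run the same check read-only against the real table when it is present.
if [ -r /etc/fstab ]; then
    echo "== /etc/fstab =="
    if audit_fstab "$(cat /etc/fstab)" /tmp /var/tmp; then echo "all hardened"; fi
fi
```

The script reports "/tmp: missing noexec" and "/tmp: file-backed source needs loop, not bind" for the first table and nothing for the corrected one. It checks only what fstab says will happen at boot; after mounting, the live result is what counts, so pair it with findmnt /tmp on the running system.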