How to secure an OpenVZ cPanel /tmp directory


Recently on an OpenVZ VPS we kept getting messages from ConfigServer Security and Firewall stating “lfd on server.host.com: Suspicious File Alert”, with the message pointing specifically to a file in the /tmp directory. After going through the files I didn’t find anything that looked suspicious in nature (exploit, malware, etc.), but I did notice that this older VPS did not have the /tmp directory mounted correctly to secure it. When I attempted to use cPanel’s built-in /scripts/securetmp I got an error saying the loop module wasn’t detected/installed: “*** Notice *** No loop module detected”. After doing a good bit of searching online, and troubleshooting, for the most part I found out that with older kernels and such you could actually enable this with OpenVZ by running a few commands on the host node, but it looks like that is no longer supported.

The fix is actually very simple, and all you need to do is edit the /etc/fstab file and have it mount the /tmp directory on boot with nodev, nosuid, and noexec. Even though you can’t use cPanel’s script to secure the /tmp directory, this is probably the best option you have available.

Edit /etc/fstab

First we need to edit the /etc/fstab file and add our mount. Using vim, vi, pico, nano, or whatever your favorite editor is, open /etc/fstab and add this to the bottom of the file:

You can now reboot the VPS if you like, but nobody ever really wants to do that, now do they…

Mount /tmp with noexec, nosuid from VPS

So instead of rebooting, just issue this command from inside the VPS and you should be good to go:

To verify it was mounted correctly, just run df -h and you should see the /tmp directory with “tmpfs” under filesystem.
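df -h shows the filesystem type but not the mount options, so here is an added check (not part of the original post) that reports which of nodev, nosuid and noexec are missing from a mount point. The function names and the sample mount table are constructed for illustration; on a live VPS, feed it /proc/mounts instead.

```shell
#!/bin/sh
# Added example: audit a mount point for the hardening options the post relies on.
# Input on stdin is a mount table in /proc/mounts format:
#   device  mountpoint  fstype  options  dump  pass
REQUIRED_OPTS="nodev nosuid noexec"

# Constructed sample of what /proc/mounts might look like inside a container.
sample_mounts() {
    cat <<'EOF'
/dev/simfs / simfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# missing_opts MOUNTPOINT  (mount table on stdin)
# Prints the required options that are absent, space separated,
# an empty line if all are present, or "unmounted" if the path
# is not a separate mount at all.
missing_opts() {
    mp=$1
    # The last matching line wins, because later mounts shadow earlier ones.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "unmounted"
        return 0
    fi
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;                      # option present
            *) missing="$missing $want" ;;       # option absent
        esac
    done
    echo "${missing# }"
}

# is_hardened MOUNTPOINT  (mount table on stdin): exit 0 only if nothing is missing.
is_hardened() {
    [ -z "$(missing_opts "$1")" ]
}

# Demo against the constructed table; on a real system use:
#   missing_opts /tmp < /proc/mounts
for mp in /tmp /dev/shm /var/tmp; do
    printf '%s: missing [%s]\n' "$mp" "$(sample_mounts | missing_opts "$mp")"
done
```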

Profit!

Myles

Orlando, FL


  • Matthew Browne

    Thanks for this. Does this cause /var/tmp to be more secure as well, or would that require an additional step?