How to secure an OpenVZ cPanel /tmp directory
Recently on an OpenVZ VPS we kept getting messages from ConfigServer Security and Firewall stating “lfd on server.host.com: Suspicious File Alert”, with the message pointing specifically to a file in the /tmp directory. After going through the files I didn’t find anything that looked suspicious in nature (exploit, malware, etc.), but I did notice that this older VPS did not have the /tmp directory mounted correctly to secure it. When I attempted to use cPanel’s built-in /scripts/securetmp I got an error saying the loop module wasn’t detected/installed: “*** Notice *** No loop module detected”. After a good bit of searching online and troubleshooting, I found that with older kernels you could actually enable this under OpenVZ by running a few commands on the host node, but it looks like that is no longer supported.
The fix is actually very simple, and all you need to do is edit the /etc/fstab file and have it mount the /tmp directory on boot with nodev, nosuid, and noexec. Even though you can’t use cPanel’s script to secure the /tmp directory, this is probably the best option you have available.
Edit /etc/fstab
So first we need to edit the /etc/fstab file and add our mount. Using vim, vi, pico, nano, or whatever your favorite editor is, open /etc/fstab and add this line to the bottom of the file:
none /tmp tmpfs nodev,nosuid,noexec 0 0
You can now reboot the VPS if you like, but nobody ever really wants to do that now, do they…
Mount /tmp with noexec, nosuid from VPS
So instead of rebooting, just issue this command from inside the VPS and you should be good to go (note that it omits nodev, which the fstab entry above includes; add it to the -o list if you want the running mount to match what you get after the next reboot):
mount -t tmpfs -o noexec,nosuid tmpfs /tmp
To verify it was mounted correctly, run df -h and you should see the /tmp directory with “tmpfs” under filesystem. df -h does not show mount options, though, so to confirm that noexec and nosuid actually took effect, run mount (or cat /proc/mounts) and check the options listed for /tmp. One caveat: mounting a fresh tmpfs over a populated /tmp hides whatever was already there until it is unmounted, so any service that keeps a file or socket in /tmp (a MySQL socket, for example) should be restarted afterwards so that new clients can find it.
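As an added example (not from the original post), here is a small POSIX sh script that does the two checks above programmatically: it reports whether a mount table shows /tmp with all three of nodev, nosuid and noexec, and appends the fstab line only when no /tmp entry exists yet. The file paths are parameters so it can be dry-run against copies; on a live system pass /proc/self/mounts and /etc/fstab.

```shell
#!/bin/sh
# Added example: verify a hardened /tmp and add the fstab entry idempotently.
# Neither function touches the real system unless you pass it the real files.

# tmp_status FILE: prints "ok", "missing:<opts>" or "not-mounted" for the
# last /tmp entry in FILE (/proc/self/mounts format; the last entry wins,
# which matches what you see when a tmpfs is mounted over an existing /tmp).
tmp_status() {
  line=$(awk '$2 == "/tmp" { l = $0 } END { print l }' "$1")
  if [ -z "$line" ]; then echo not-mounted; return 1; fi
  set -- $line          # fields: source mountpoint fstype options dump pass
  opts=$4
  missing=""
  for want in nodev nosuid noexec; do
    case ",$opts," in
      *",$want,"*) ;;
      *) missing="$missing,$want" ;;
    esac
  done
  if [ -n "$missing" ]; then echo "missing:${missing#,}"; return 1; fi
  echo ok
}

# ensure_fstab FILE: appends the tmpfs line for /tmp unless a non-comment
# /tmp entry already exists (an existing entry with weaker options is left
# alone and reported as "present" so you can inspect it by hand).
ensure_fstab() {
  if awk '$1 !~ /^#/ && $2 == "/tmp" { found = 1 } END { exit !found }' "$1"; then
    echo present; return 0
  fi
  echo "none /tmp tmpfs nodev,nosuid,noexec 0 0" >> "$1"
  echo added
}

# Dry run on constructed sample data (not captured from a real VPS).
demo() {
  d=$(mktemp -d)
  printf '%s\n' 'simfs / simfs rw,relatime 0 0' \
    'tmpfs /tmp tmpfs rw,nosuid,noexec,relatime 0 0' > "$d/mounts"
  printf '%s\n' '# sample fstab' 'none /dev/pts devpts rw,gid=5,mode=620 0 0' > "$d/fstab"
  tmp_status "$d/mounts" || true   # prints missing:nodev
  ensure_fstab "$d/fstab"          # prints added
  ensure_fstab "$d/fstab"          # prints present
  rm -rf "$d"
}
```

Call demo to see it run against the sample data; a non-zero return from tmp_status is what you would alert on from a cron job or lfd-style check.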
Profit!
-
Matthew Browne