{"id":135,"date":"2011-05-26T22:47:32","date_gmt":"2011-05-27T05:47:32","guid":{"rendered":"http:\/\/blog.networkpresence.co\/?p=135"},"modified":"2011-05-27T05:47:39","modified_gmt":"2011-05-27T12:47:39","slug":"securing-tmp-other-linux-webhost-tightening-measures","status":"publish","type":"post","link":"http:\/\/blog.networkpresence.co\/?p=135","title":{"rendered":"Securing \/tmp &#038; other Linux Webhost &#8220;tightening&#8221; measures"},"content":{"rendered":"<p>As per a post in our Forums, we&#8217;ve recently outlined how to get your Linux system a <a href=\"http:\/\/netpr.es\/bettertmp\">separate \/tmp filesystem<\/a>, which won&#8217;t allow executables and has other settings to keep &#8216;nefarious&#8217; content out of \/tmp.<\/p>\n<p>In this post we outline some other simple things that can be done to stop &#8220;unwanted usage&#8221; of your web hosting Linux server.<\/p>\n<p>What does &#8220;unwanted usage&#8221; mean? Basically, anything that isn&#8217;t what you want your web server to do. In many cases, there are code vulnerabilities which can be exploited in common web hosting software, like PHP and others, which mean that crackers can try to find ways to get your web server to do things which you hadn&#8217;t intended (eg: IRC servers, hosting other content &#038; more).<\/p>\n<p>Often, exploits of PHP &#038; other backend software are used to get your web host to download other software, install it &#038; then run it. There are many conventional Linux commands which can be used to do this initial downloading, including wget, lynx, ftp (as a client) &#038; more. But usually these commands are needed in the regular operation of a web server, so one solution is to stop the process running your web server (eg: the user apache or www on your web server) from accessing these commands. 
A simple way to do this is to remove the &#8216;other&#8217; permissions from the executables of these commands, like:<br \/>\nchmod o= \/usr\/bin\/wget<br \/>\nThen do the same for the &#8216;ftp&#8217;, &#8216;lynx&#8217; &#038; other Internet client commands.<\/p>\n<p>Of course, completely removing unnecessary software from your web server host is also a good thing to do &#038; you can do that through your favourite package management system (eg: yum, apt, etc). For example, &#8220;yum remove wget&#8221; in the case of the wget utility.<br \/>\nIf you&#8217;re not sure which package installed the relevant executable program and you&#8217;re using Yum, then &#8220;yum whatprovides '*\/wget'&#8221; would reveal the name of the package that installed the wget program on your Linux system.<\/p>\n<p>Another idea is to stop the web server processes &#038; user from accessing unnecessary scripting languages. As above, remove the executable flag for the web server (or &#8216;other&#8217;) user from files like the Python &#038; Ruby executables (if they&#8217;re installed).<\/p>\n<p>Finally, as also <a href=\"http:\/\/networkpresence.com.au\/index.php\/General-Discussion\/109-Kernel-System-Updates-recommended.html#109\">mentioned in our Forums<\/a>, wherever possible, we recommend that customers keep their systems up to date with the latest available software versions &#038; releases. In Redhat based Linux, this can be done with the Yum command &#8220;yum upgrade&#8221;, and in Debian GNU\/Linux versions, if you&#8217;re using APT, with the command &#8220;apt-get upgrade&#8221;.<br \/>\nNaturally, if these upgrades install a new kernel version, you will probably need to update your boot loader&#8217;s config file for that new kernel release. 
eg: \/boot\/grub\/grub.conf (Redhat based) or \/boot\/grub\/menu.lst (GNU Linux based)<\/p>\n<p>Don&#8217;t forget that <a href=\"http:\/\/netpr.es\/saas1\">we&#8217;re available to assist Network Presence customers<\/a> with any of these issues &#038; actions, so please feel free to contact us.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As per a post in our Forums, we&#8217;ve recently outlined how to get your Linux system a separate \/tmp filesystem, which won&#8217;t allow executables and has other values to keep &#8216;nefarious&#8217; content out of \/tmp In this post we outline &hellip; <a href=\"http:\/\/blog.networkpresence.co\/?p=135\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[18,21],"class_list":["post-135","post","type-post","status-publish","format-standard","hentry","category-network-presence","tag-linux","tag-security"],"_links":{"self":[{"href":"http:\/\/blog.networkpresence.co\/index.php?rest_route=\/wp\/v2\/posts\/135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.networkpresence.co\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.networkpresence.co\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.networkpresence.co\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.networkpresence.co\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=135"}],"version-history":[{"count":4,"href":"http:\/\/blog.networkpresence.co\/index.php?rest_route=\/wp\/v2\/posts\/135\/revisions"}],"predecessor-version":[{"id":148,"href":"http:\/\/blog.networkpresence.co\/index.php?rest_route=\/wp\/v2\/posts\/135\/revisions\/148"}],"wp:attachment":[{"href":"http:\/\/blog.networkpresence.co\/index.php?rest_route=%2Fwp
%2Fv2%2Fmedia&parent=135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.networkpresence.co\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=135"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.networkpresence.co\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}