Setting noexec on /tmp and /home

Hi guys,

Hope you are all doing well. I have been having serious issues with hackers targeting several WordPress installs on one of our servers. The latest thing they did was upload a script to /tmp and run it, which created several processes, one of which attached itself to the /sbin/init process (PPID = 1), which meant I had to reboot the server to exit whatever it was doing.

My quick research is pointing at mounting /tmp and possibly /home as noexec. But before I do that I thought I would ask you guys what that might do to the normal operation of Virtualmin/Webmin.

Also, is there a way to set the default shell to /bin/false ?

~Jeremy

Status: Closed (fixed)

Comments

Howdy --

Also, is there a way to set the default shell to /bin/false ?

You can tweak what shell is used by default by going into System Customization -> Custom Shells.

My quick research is pointing at mounting /tmp and possibly /home as noexec

Well, setting /home to noexec would break execution of web applications in most cases, so we wouldn't recommend that.

You could set /tmp to noexec if you like, though that would only solve some problems. I don't personally do that on my own servers.

That would prevent programs from being run directly from /tmp -- but that would not stop, say, a Perl script from being uploaded and placed into /tmp. They could then call Perl, which resides in /usr/bin, and just pass in the script in /tmp as an argument.

Setting noexec on /tmp wouldn't prevent the above scenario.

I know this solution sucks, but the best way to prevent these problems is to prevent them from getting access in the first place: keeping apps up to date, keeping plugins up to date, and not using apps/plugins that have unfixed security issues or aren't kept up to date.

I know it's not always that easy though :-)

We've had some luck using this tool here for scanning for malware:

http://www.rfxn.com/projects/linux-malware-detect/
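A defender's check for the /tmp mount options discussed above, added here as an example (it is not code from the thread or from Virtualmin): it parses /proc/mounts-format lines and reports which of noexec, nosuid and nodev a mount point lacks, then runs the same check against the live system. The sample mount table is constructed.

```shell
#!/bin/sh
# Added example: audit mount options in /proc/mounts format.
# mount_has_opt MOUNTS_TEXT MOUNTPOINT OPTION -> exit 0 if OPTION is set on
# MOUNTPOINT, 1 if it is not set or MOUNTPOINT is not a separate mount.
mount_has_opt() {
    mounts="$1"; mp="$2"; opt="$3"
    printf '%s\n' "$mounts" | awk -v mp="$mp" -v opt="$opt" '
        $2 == mp {
            n = split($4, o, ",")           # field 4 is the option list
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# missing_opts MOUNTS_TEXT MOUNTPOINT -> prints the hardening options that
# are not set, space-separated (empty string when all three are present).
missing_opts() {
    mounts="$1"; mp="$2"; missing=""
    for o in noexec nosuid nodev; do
        mount_has_opt "$mounts" "$mp" "$o" || missing="$missing $o"
    done
    printf '%s' "${missing# }"
}

# Constructed sample in /proc/mounts format (not taken from a real server):
# /tmp is a hardened tmpfs, /home is a plain ext4 mount.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1048576k 0 0
/dev/sdb1 /home ext4 rw,relatime 0 0'

# Live check: if /tmp is not its own mount, all three options show as missing.
if [ -r /proc/mounts ]; then
    m=$(missing_opts "$(cat /proc/mounts)" /tmp)
    if [ -z "$m" ]; then
        echo "/tmp: noexec, nosuid and nodev are all set"
    else
        echo "/tmp is missing: $m"
    fi
fi
```

As the reply above points out, noexec only blocks direct execution from /tmp; a script passed to an interpreter in /usr/bin still runs, so treat this as one layer alongside keeping the web applications patched.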

Thx for the info Eric.

You are right, that does suck : ).

I am currently using Untangle to stop many attempts at the gateway and Fail2ban on the actual server itself.

I will look into LMD and give it a whirl on Ubuntu.

~Jeremy

Just a follow-up,

LMD ROCKS!!!!

It discovered several sites that had been compromised and is running nightly now.

Thank you for pointing me in the right direction, our server load is way down after fixing these sites.

Please mark this as fixed.

~Jeremy

Great, I'm glad to hear that helped!

I'll mark this as fixed. Feel free to let us know if you have any other questions.

Automatically closed -- issue fixed for 2 weeks with no activity.