ABHIONLINUX
Site useful for linux administration and web hosting

2009/10/11

How to secure /tmp Partition with Cpanel/WHM

If you are renting a server then chances are everything is lumped in / and a small amount partitioned for /boot and some for swap. With this current setup, you have no room for making more partitions unless you have a second hard-drive. Learn how to create a secure /tmp partition even while your server is already up and running.

One of the best ways to secure /tmp is to give /tmp its own partition and mount it with noexec. This protects your system from many local and remote exploits and rootkits that are run from your /tmp folder.

What we are doing is creating a file that we will mount at /tmp. So log in over SSH and su to root.

cd /dev

Create a 100MB file for our /tmp partition. If you need more space, make the count larger.

dd if=/dev/zero of=tmpMnt bs=1024 count=100000

Make an extended filesystem for our tmpMnt file

/sbin/mke2fs /dev/tmpMnt

Back up your /tmp dir. I had a mysql.sock file that I needed to recreate the symbolic link for. Other programs may use it to store cache files or whatever.

cd /
cp -Rp /tmp /tmp_backup

Mount the new /tmp filesystem with noexec

mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
chmod 1777 /tmp

Copy everything back to new /tmp and remove backup

cp -Rp /tmp_backup/. /tmp/

rm -rf /tmp_backup

Now we need to add this to fstab so it mounts automatically on reboots.

pico -w /etc/fstab

You should see something like this:
/dev/hda3 / ext3 defaults,usrquota 1 1
/dev/hda1 /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/hda2 swap swap defaults 0 0

At the bottom add

/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

(Each space is a tab)
Save it!
Ctrl + X and Y

You're done. /tmp is now mounted as noexec.
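
To confirm the result, the check below (an added example, not part of the original post) reads the option field for /tmp from /proc/mounts (what is mounted now) and from /etc/fstab (what will be mounted after a reboot) and reports whichever of noexec and nosuid is missing. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: verify that a mount point carries the required options.
# /proc/mounts and /etc/fstab share one layout:
#   device  mountpoint  fstype  options  ...

# mount_opts MOUNTPOINT FILE
# Prints the option field of the LAST matching entry (a later mount shadows
# an earlier one). Returns 1 if the file is unreadable or has no entry.
mount_opts() {
    [ -r "$2" ] || return 1
    awk -v mp="$1" '
        $1 ~ /^#/ { next }                 # skip commented-out fstab lines
        $2 == mp  { opts = $4; found = 1 }
        END { if (!found) exit 1; print opts }
    ' "$2"
}

# missing_opts MOUNTPOINT FILE OPT...
# Prints the required options that are absent, space separated.
# Returns 0 if nothing is missing, 1 if something is, 2 if there is no entry
# (for /tmp that means it is still part of / and has no options of its own).
missing_opts() {
    mp=$1; file=$2; shift 2
    opts=$(mount_opts "$mp" "$file") || { echo "no-entry"; return 2; }
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;                # whole-option match only
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# Check the running system and the boot-time configuration for /tmp.
check_tmp() {
    for f in /proc/mounts /etc/fstab; do
        if out=$(missing_opts /tmp "$f" noexec nosuid); then
            echo "$f: /tmp has noexec,nosuid"
        else
            echo "$f: /tmp problem: $out"
        fi
    done
}

check_tmp
```

A "problem: noexec" line for /etc/fstab while /proc/mounts is clean means the protection is in place now but will be lost at the next reboot.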

How to upgrade the kernel on RHEL3

Are you trying to upgrade the pre-built kernel from Red Hat Network, or are you trying to compile your own kernel?

If it's the former, just do up2date -uf kernel-smp. If it's the latter, here are some quick instructions for compiling your own kernel (for the 2.6 kernel):

1) cd /usr/src
2) unlink linux
3) rm -rfv linux-oldversion
4) wget http://kernel.org/pub/linux/kernel/v2.6/li...version.tar.bz2 (see www.kernel.org)
5) tar -jxvf linux-newversion.tar.bz2
6) ln -s linux-newversion linux
7) cd linux
8) make mrproper
9) make oldconfig (you may have to select new options that weren't available in the old kernel. Generally, you're safe to just keep pressing enter so it selects the default for those new options.)
10) make menuconfig (ONLY if you want to edit kernel configuration)
11) make (go make some coffee)
12) make modules_install
13) make install
14) cp /usr/src/linux/.config /boot/config-newversion (newversion=version of the new kernel)
15) grub (you'll be dropped into a "grub>" prompt)
16) savedefault --default=0 --once
17) quit (you'll go back to normal bash prompt)
18) reboot

If the kernel boots up successfully:
1) open up /boot/grub/grub.conf in text editor
2) change "default=1" to "default=0"
3) save

If the kernel does not boot:
1) have techs simply hardboot the server letting it boot the default kernel (the old one)
2) figure out what went wrong and try again

To remove an old version of a kernel (do NOT do this for the rpm installed kernels (yum/up2date)):
1) cd /boot
2) rm -fv config-oldversion initrd-oldversion System.map-oldversion vmlinuz-oldversion
3) cd /lib/modules
4) rm -rfv oldversion
5) remove entry from /boot/grub/grub.conf

Generally, when I go and delete a kernel, I leave at least 2 installed. One older one (the previous working one) and the latest one installed. Anything older than those 2 can be removed.