Web server hardening question - fstab and partitions

[TSMJ]

Alright guys - quick question.
In the process of hardening my web server, and came across this: "Let this be a lesson to people to make your /tmp and /var directories on a seperate partition and add the noexec flag to fstab."

Linux is already installed and set up so I don't know whether its possible (or even practical) to move the dir's, plus I'd just like a few details on the adding the noexec flag part - do I add it to every partition or just the /home section (where all the user data is being stored, (FTP root, websites, home directories and emails)?

Thanks - all help and advice appreciated

 

[ericbrunson]

If they are not listed in fstab, they aren't on different partitions.

You'll need to create a new partitions (a pain on Intel if you aren't comfortable with a partition editor, man fdisk or man parted). Then create the filesystems (man mkfs). Then add them to the fstab (man fstab) and reboot. And you add the noexec to any partition you don't want programs to be run from, this may break cgis if you put it on /home.

You don't really need to reboot, but if there are files open in /var and /tmp you could screw up whatever has them open.

 

[tarn]

You can mount a directory on any slice you want, if your have another disk then set-up the partitions change the fstab unmount /tmp and /var then remount them on the new slices.

It should be that simple, as for where to add noexec I think that they mean only /var and /tmp as these are usually world writable so this prevents someone droping a script in there.

I hope that helps.

Laurie.

 

[TSMJ]

Thanks