ShareWiz Ultra Secure Server Setup

Memory Security

Secure Shared Memory

/dev/shm can be used in an attack against a running service, such as httpd. Modify the /etc/fstab file to make it more secure.

Mount /dev/shm writable, but without permission to execute programs from it (noexec) and without honouring set-user-ID bits on files stored there (nosuid).

Issue the following command:

sudo vi /etc/fstab

and add this line:

tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0

tmpfs (formerly ramfs) is the name of the temporary file system of Linux. It has been implemented directly in the kernel since version 2.6.

/dev/shm is a temporary file system of type tmpfs. It is mounted like a disk, but the data is kept in RAM. The name comes from shm, shared memory, which is often used for exchanging data between processes.

Note that in Ubuntu, /dev/shm is a link to /run/shm.

By default, /dev/shm is mounted read/write, with permission to execute programs.

In recent years, many security mailing lists have noted exploits where /dev/shm is used in an attack against a running service, such as httpd. Most of these exploits, however, rely on an insecure web application rather than on a vulnerability in Apache or Ubuntu. There are a few reasons for it to be mounted read/write in specific configurations, such as real-time configuration of a Synaptics touchpad on laptops, but for servers and desktop installations there is no benefit to mounting /dev/shm read/write.

To change this setting, edit the /etc/fstab file to include the following line:

tmpfs     /dev/shm     tmpfs     defaults,ro     0     0

This will mount /dev/shm in read-only mode. If you have a good reason to keep it writable, put this line in /etc/fstab instead:

tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0

The changes will take effect the next time you reboot, unless you remount /dev/shm with the command:

sudo mount -o remount /dev/shm

NOTE: Many programs will not work if you make /dev/shm read-only.

See Ubuntu Stricter Defaults for further information.
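A small POSIX shell audit helper, added here as an example and not part of the original page or of Ubuntu, that reads /proc/mounts-style lines and reports whether a mount point carries the noexec and nosuid options from the fstab line above. The mount table it checks is a constructed sample; pass no second argument to audit the running host instead.

```shell
#!/bin/sh
# Added audit helper: check whether a mount point carries the noexec and
# nosuid options from the recommended fstab line. Reads /proc/mounts-style
# lines (device mountpoint fstype options dump pass) from a file or the live system.

# shm_mount_options MOUNTPOINT [MOUNTS_FILE]
# Print the comma-separated option field for MOUNTPOINT (default: /proc/mounts).
shm_mount_options() {
    file="${2:-/proc/mounts}"
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }' "$file"
}

# has_option OPTS NAME: succeed when NAME is one of the comma-separated OPTS.
# Wrapping in commas avoids matching "noexec" inside some other option name.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# shm_hardened MOUNTPOINT [MOUNTS_FILE]
# Exit 0 when noexec and nosuid are both set, 1 when one is missing,
# 2 when the mount point is not mounted at all.
shm_hardened() {
    opts=$(shm_mount_options "$1" "$2")
    [ -n "$opts" ] || { echo "$1: not mounted"; return 2; }
    missing=""
    for want in noexec nosuid; do
        has_option "$opts" "$want" || missing="$missing $want"
    done
    if [ -n "$missing" ]; then
        echo "$1: missing$missing (mounted with: $opts)"
        return 1
    fi
    echo "$1: ok ($opts)"
}

# Constructed sample mount table (not captured from a real host):
# /run is hardened, /dev/shm still has the default rw mount.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=1024k 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
EOF

# Audit the sample; drop the second argument to audit the running host.
for mp in /run /dev/shm; do shm_hardened "$mp" "$SAMPLE" || :; done
```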


Increase the size of Shared Memory (Optional)

Issue the following command:

sudo vi /etc/fstab

and modify this line:

tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0

to

tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid,size=2g     0     0

where 2g is the required size.

Increase or reduce the /dev/shm filesystem size as required.

To be even more strict, you may disable this RAM-based filesystem entirely, so that it is not auto-mounted at boot, if no application on the server relies on shared memory or explicitly uses tmpfs (for example as a quick way to improve execution performance).

Issue the command man fstab for further information on fstab, and the command man mount for further information on the tmpfs filesystem options.


Restart the System

To enable the new settings to be recognized, restart the system.

Issue the following command:

sudo reboot

...and log back in using PuTTY.

Continue to the Device Security...