simoncor.net/public/post/freebsd_jumpjail/index.html
2020-10-20 13:36:10 +02:00
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="Content-Language" content="en">
<meta name="author" content="Simon Cornet">
<meta name="description" content="FreeBSD">
<meta name="keywords" content="personal, cv">
<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="FreeBSD - Jail - Secure Jumphost"/>
<meta name="twitter:description" content="FreeBSD"/>
<meta property="og:title" content="FreeBSD - Jail - Secure Jumphost" />
<meta property="og:description" content="FreeBSD" />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://simoncor.net/post/freebsd_jumpjail/" />
<meta property="article:published_time" content="2020-10-19T00:00:00+00:00" />
<meta property="article:modified_time" content="2020-10-19T00:00:00+00:00" />
<base href="https://simoncor.net/post/freebsd_jumpjail/">
<title>
FreeBSD - Jail - Secure Jumphost · /usr/home/simon/
</title>
<link rel="canonical" href="https://simoncor.net/post/freebsd_jumpjail/">
<link href="https://fonts.googleapis.com/css?family=Lato:400,700%7CMerriweather:300,700%7CSource+Code+Pro:400,700&display=swap" rel="stylesheet">
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.13.0/css/all.css" integrity="sha384-Bfad6CLCknfcloXFOyFnlgtENryhrpZCe29RTifKEixXQZ38WheV+i/6YWSzkz3V" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/8.0.1/normalize.min.css" integrity="sha256-l85OmPOjvil/SOvVt3HnSSjzF1TUMyT9eV0c2BzEGzU=" crossorigin="anonymous" />
<link rel="stylesheet" href="https://simoncor.net/css/coder.min.3219ef62ae52679b7a9c19043171c3cd9f523628c2a65f3ef247ee18836bc90b.css" integrity="sha256-MhnvYq5SZ5t6nBkEMXHDzZ9SNijCpl8&#43;8kfuGINryQs=" crossorigin="anonymous" media="screen" />
<link rel="stylesheet" href="https://simoncor.net/css/coder-dark.min.e78e80fc3a585a4d1c8fc7f58623b6ff852411e38431a9cd1792877ecaa160f6.css" integrity="sha256-546A/DpYWk0cj8f1hiO2/4UkEeOEManNF5KHfsqhYPY=" crossorigin="anonymous" media="screen" />
<link rel="icon" type="image/png" href="https://simoncor.net/images/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="https://simoncor.net/images/favicon-16x16.png" sizes="16x16">
<meta name="generator" content="Hugo 0.75.1" />
</head>
<body class="colorscheme-dark"
onload=""
>
<main class="wrapper">
<nav class="navigation">
<section class="container">
<a class="navigation-title" href="https://simoncor.net/">
/usr/home/simon/
</a>
<input type="checkbox" id="menu-toggle" />
<label class="menu-button float-right" for="menu-toggle"><i class="fas fa-bars"></i></label>
<ul class="navigation-list">
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/post/">Blog</a>
</li>
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/status/">Status</a>
</li>
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/position/">About</a>
</li>
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/scornet_cv.pdf">CV</a>
</li>
</ul>
</section>
</nav>
<div class="content">
<section class="container page">
<article>
<header>
<h1>FreeBSD - Jail - Secure Jumphost</h1>
</header>
<h1 id="freebsd-jail">FreeBSD jail</h1>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback"># on the host: create the jail with its own address on bridge0
ezjail-admin create bastion &#39;bridge0|10.0.0.10&#39;
</code></pre></div><div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback"># inside the jail: the bash package also installs the restricted shell /usr/local/bin/rbash
pkg install bash
</code></pre></div><h1 id="openssh-portable">OpenSSH-Portable</h1>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">pkg install openssh-portable
</code></pre></div><div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ cat /etc/rc.conf
# OpenSSH
sshd_enable=&#34;NO&#34;
openssh_enable=&#34;YES&#34;
</code></pre></div><p>Only the jail-specific settings are shown here; check what the current best practices are for the full OpenSSH daemon configuration.
For example, see <a href="https://infosec.mozilla.org/guidelines/openssh">https://infosec.mozilla.org/guidelines/openssh</a>.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ cat /usr/local/etc/ssh/sshd_config
...
# bind the port&#39;s sshd only to the jail&#39;s address
ListenAddress 10.0.0.10
...
</code></pre></div><p>Stop and start the services.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">service sshd stop
service openssh start
</code></pre></div><h1 id="user">User</h1>
<p>Create a regular user and make sure the login shell of that user is <code>/usr/local/bin/rbash</code>, the restricted bash installed by the bash package.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ mkdir &lt;user homedir path&gt;/bin
</code></pre></div><p>Symlink only the required binaries into this directory.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ ln -s /usr/local/bin/ssh &lt;user homedir path&gt;/bin/ssh
</code></pre></div><p>Create the bash profile so that <code>PATH</code> contains nothing but that directory.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ cat .bash_profile
PATH=$HOME/bin
export PATH
</code></pre></div><p>Make sure the permissions are correct: the <code>bin</code> directory and <code>.bash_profile</code> must be owned by root and not writable by the user, otherwise the user could edit them and lift the <code>PATH</code> restriction on the next login.</p>
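<p>As an added example (not code from the original post), the following script builds the restricted home layout from the steps above and audits the permissions the last step refers to. It assumes the jump user's home directory is root-owned as well, that <code>/usr/local/bin/ssh</code> is the openssh-portable client path, and the user name <code>jumpuser</code> in the usage comment is constructed.</p>

```shell
#!/bin/sh
# Added example (not from the original post): build the rbash-only home
# directory described above and audit it. Assumes the jump user's home is
# owned by root (uid 0) so the user cannot replace the profile; the ssh
# path defaults to the openssh-portable port's /usr/local/bin/ssh.

# Create the restricted layout under $1, owned by uid $2; $3 is the ssh
# binary to expose. chown only runs when we are root.
setup_jump_home() {
    home="$1"; owner="$2"; ssh_bin="${3:-/usr/local/bin/ssh}"
    mkdir -p "$home/bin" || return 1
    ln -sf "$ssh_bin" "$home/bin/ssh" || return 1
    printf 'PATH=$HOME/bin\nexport PATH\n' > "$home/.bash_profile" || return 1
    # rbash refuses to change PATH itself, so the remaining risk is the
    # user editing these files: make them read-only for everyone but owner
    chmod 755 "$home" "$home/bin" && chmod 644 "$home/.bash_profile" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$home" "$home/bin" "$home/.bash_profile" || return 1
    fi
}

# Audit the layout: each path owned by uid $2 and not group/other-writable,
# PATH pinned to $HOME/bin, and only symlinks inside bin. Returns 0 if ok.
audit_jump_home() {
    home="$1"; owner="$2"; rc=0
    for f in "$home" "$home/bin" "$home/.bash_profile"; do
        [ -e "$f" ] || { echo "missing: $f"; rc=1; continue; }
        # ls -n prints the numeric uid in field 3 on both BSD and GNU ls
        uid=$(ls -ldn "$f" | awk '{print $3}')
        [ "$uid" = "$owner" ] || { echo "owner uid $uid: $f"; rc=1; }
        # -perm -020 / -002: group or other write bit set
        [ -z "$(find "$f" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print)" ] \
            || { echo "group/other writable: $f"; rc=1; }
    done
    grep -qxF 'PATH=$HOME/bin' "$home/.bash_profile" 2>/dev/null \
        || { echo "PATH not pinned in .bash_profile"; rc=1; }
    for b in "$home"/bin/*; do
        [ -e "$b" ] || [ -L "$b" ] || continue
        [ -L "$b" ] || { echo "not a symlink: $b"; rc=1; }
    done
    return $rc
}

# Usage on the jail (as root), with 'jumpuser' as the constructed user name:
#   setup_jump_home /home/jumpuser 0 && audit_jump_home /home/jumpuser 0
```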
</article>
</section>
</div>
<footer class="footer">
<section class="container">
<p>Ansible | FreeBSD | Linux | Networking | Security</p>
©
2020
Simon Cornet
·
Powered by <a href="https://gohugo.io/">Hugo</a> & <a href="https://github.com/luizdepra/hugo-coder/">Coder</a>.
</section>
</footer>
</main>
</body>
</html>