siempie/simoncor.net
1
0
Fork 0
Code Pull Requests Actions Releases Activity

[BLOG] FreeBSD Jail Jumphost markup update

Browse Source
This commit is contained in:
Simon Cornet 2020-10-20 14:07:46 +02:00
parent c1dd6024d6
commit 4add213f6f
4 changed files with 47 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
content/post/freebsd_jail_jumphost.md
View File

@ -6,29 +6,28 @@ date: "2020-10-20"
The goal is to create a limited jail using rbash and securing it so it can only accept secure SSH sessions. It should only be used as an SSH jumphost to connect further. It should therefor not be possible to create, use or install other code in this limited environment. The goal is to create a limited jail using rbash and securing it so it can only accept secure SSH sessions. It should only be used as an SSH jumphost to connect further. It should therefor not be possible to create, use or install other code in this limited environment.
All commands are executed as root inside the jail, unless specified otherwise.
# FreeBSD jail # FreeBSD jail
Create a jail and connect to the console. Create a jail and connect to the console.
``` ```
ezjail-admin create bastion 'bridge0|10.0.0.10' [simon@host ~]$ sudo ezjail-admin create bastion 'bridge0|10.0.0.10'
ezjail-admin console bastion [simon@host ~]$ sudo ezjail-admin console bastion
``` ```
Install `bash`. Install `bash`.
``` ```
pkg install bash # pkg install bash
``` ```
# OpenSSH-Portable # OpenSSH-Portable
Install `openssh-portable`. Install `openssh-portable`.
``` ```
pkg install openssh-portable # pkg install openssh-portable
``` ```
Configure `rc.conf`. Configure `rc.conf`.
``` ```
$ cat /etc/rc.conf # sysrc sshd_enable=NO
# sysrc openssh_enable=YES
# OpenSSH-Portable
sshd_enable="NO"
openssh_enable="YES"
``` ```
Check only what the current best practices are regarding the full OpenSSH daemon configuration. Check only what the current best practices are regarding the full OpenSSH daemon configuration.
@ -37,8 +36,7 @@ For example check; https://infosec.mozilla.org/guidelines/openssh
Make sure the daemon only listens to the assigned IP for this jail. And make sure the firewall running on the host accepts incoming and outgoing SSH connections. Make sure the daemon only listens to the assigned IP for this jail. And make sure the firewall running on the host accepts incoming and outgoing SSH connections.
``` ```
$ cat /usr/local/etc/sshd # cat /usr/local/etc/sshd
... ...
ListenAddress 10.0.0.10 ListenAddress 10.0.0.10
... ...
@ -46,48 +44,48 @@ ListenAddress 10.0.0.10
Stop and start the services. Stop and start the services.
``` ```
service sshd stop # service sshd stop
service openssh start # service openssh start
``` ```
# User # User
Create a default `user` and make sure the `user` has the `/usr/local/bin/rbash` shell configured. Create a default `user` and make sure the `user` has the `/usr/local/bin/rbash` shell configured.
``` ```
$ mkdir /usr/home/user/bin # mkdir /usr/home/user/bin
``` ```
Symlink the only required binaries into this directory. Symlink the only required binaries into this directory.
``` ```
$ ln -s /usr/local/bin/ssh /usr/home/user/bin/ssh # ln -s /usr/local/bin/ssh /usr/home/user/bin/ssh
``` ```
Create bash profile. Create bash profile.
``` ```
$ cat .bash_profile # cat /usr/home/user/.bash_profile
PATH=$HOME/bin PATH=$HOME/bin
export PATH export PATH
``` ```
Make sure the permissions are so that the user cannot modify its own `.(bash_)profile` files. Make sure the permissions are so that the user cannot modify its own `.(bash_)profile` files.
``` ```
$ chown root:<user> .bash_profile .profile # chown root:<user> .bash_profile .profile
``` ```
Remove also all unused <shell>rc files like cshrc, shrc, etc. Remove also all unused <shell>rc files like cshrc, shrc, etc.
``` ```
$ rm .cshrc .shrc ... # rm .cshrc .shrc ...
``` ```
Create .ssh folder and fill authorized_keys file (optional). Create `.ssh` folder and fill `authorized_keys` file (optional).
``` ```
mkdir /usr/home/user/.ssh # mkdir /usr/home/user/.ssh
echo "ssh-ed25519 AAA...3p0bv" >> /usr/home/user/.ssh/authorized_keys # echo "your_public_key_here" >> /usr/home/user/.ssh/authorized_keys
chown -R user:user /usr/home/user/.ssh # chown -R user:user /usr/home/user/.ssh
chmod -R 700 /usr/home/user/.ssh # chmod -R 700 /usr/home/user/.ssh
``` ```
User directory can look like this. User directory can look like this.
``` ```
[root@bastion /usr/home/user]# ls -al [user@bastion ~]$ ls -al
total 3 total 3
drwxr-xr-x 4 user user 5 Oct 20 11:24 . drwxr-xr-x 4 user user 5 Oct 20 11:24 .
drwxr-xr-x 4 root wheel 4 Oct 19 11:59 .. drwxr-xr-x 4 root wheel 4 Oct 19 11:59 ..

5
public/index.xml
View File

@ -14,9 +14,8 @@
<guid>https://simoncor.net/post/freebsd_jail_jumphost/</guid> <guid>https://simoncor.net/post/freebsd_jail_jumphost/</guid>
<description>The goal is to create a limited jail using rbash and securing it so it can only accept secure SSH sessions. It should only be used as an SSH jumphost to connect further. It should therefor not be possible to create, use or install other code in this limited environment. <description>The goal is to create a limited jail using rbash and securing it so it can only accept secure SSH sessions. It should only be used as an SSH jumphost to connect further. It should therefor not be possible to create, use or install other code in this limited environment.
FreeBSD jail Create a jail and connect to the console. All commands are executed as root inside the jail, unless specified otherwise.
ezjail-admin create bastion &amp;#39;bridge0|10.0.0.10&amp;#39; ezjail-admin console bastion Install bash. FreeBSD jail Create a jail and connect to the console.</description>
pkg install bash OpenSSH-Portable Install openssh-portable.</description>
</item> </item>
<item> <item>

45
public/post/freebsd_jail_jumphost/index.html
View File

@ -117,52 +117,49 @@
</header> </header>
<p>The goal is to create a limited jail using rbash and securing it so it can only accept secure SSH sessions. It should only be used as an SSH jumphost to connect further. It should therefor not be possible to create, use or install other code in this limited environment.</p> <p>The goal is to create a limited jail using rbash and securing it so it can only accept secure SSH sessions. It should only be used as an SSH jumphost to connect further. It should therefor not be possible to create, use or install other code in this limited environment.</p>
<p>All commands are executed as root inside the jail, unless specified otherwise.</p>
<h1 id="freebsd-jail">FreeBSD jail</h1> <h1 id="freebsd-jail">FreeBSD jail</h1>
<p>Create a jail and connect to the console.</p> <p>Create a jail and connect to the console.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">ezjail-admin create bastion &#39;bridge0|10.0.0.10&#39; <div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">[simon@host ~]$ sudo ezjail-admin create bastion &#39;bridge0|10.0.0.10&#39;
ezjail-admin console bastion [simon@host ~]$ sudo ezjail-admin console bastion
</code></pre></div><p>Install <code>bash</code>.</p> </code></pre></div><p>Install <code>bash</code>.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">pkg install bash <div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback"># pkg install bash
</code></pre></div><h1 id="openssh-portable">OpenSSH-Portable</h1> </code></pre></div><h1 id="openssh-portable">OpenSSH-Portable</h1>
<p>Install <code>openssh-portable</code>.</p> <p>Install <code>openssh-portable</code>.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">pkg install openssh-portable <div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback"># pkg install openssh-portable
</code></pre></div><p>Configure <code>rc.conf</code>.</p> </code></pre></div><p>Configure <code>rc.conf</code>.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ cat /etc/rc.conf <div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback"># sysrc sshd_enable=NO
# sysrc openssh_enable=YES
# OpenSSH-Portable
sshd_enable=&#34;NO&#34;
openssh_enable=&#34;YES&#34;
</code></pre></div><p>Check only what the current best practices are regarding the full OpenSSH daemon configuration. </code></pre></div><p>Check only what the current best practices are regarding the full OpenSSH daemon configuration.
For example check; <a href="https://infosec.mozilla.org/guidelines/openssh">https://infosec.mozilla.org/guidelines/openssh</a></p> For example check; <a href="https://infosec.mozilla.org/guidelines/openssh">https://infosec.mozilla.org/guidelines/openssh</a></p>
<p>Make sure the daemon only listens to the assigned IP for this jail. And make sure the firewall running on the host accepts incoming and outgoing SSH connections.</p> <p>Make sure the daemon only listens to the assigned IP for this jail. And make sure the firewall running on the host accepts incoming and outgoing SSH connections.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ cat /usr/local/etc/sshd <div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback"># cat /usr/local/etc/sshd
... ...
ListenAddress 10.0.0.10 ListenAddress 10.0.0.10
... ...
</code></pre></div><p>Stop and start the services.</p> </code></pre></div><p>Stop and start the services.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">service sshd stop <div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback"># service sshd stop
service openssh start # service openssh start
</code></pre></div><h1 id="user">User</h1> </code></pre></div><h1 id="user">User</h1>
<p>Create a default <code>user</code> and make sure the <code>user</code> has the <code>/usr/local/bin/rbash</code> shell configured.</p> <p>Create a default <code>user</code> and make sure the <code>user</code> has the <code>/usr/local/bin/rbash</code> shell configured.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ mkdir /usr/home/user/bin <div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback"># mkdir /usr/home/user/bin
</code></pre></div><p>Symlink the only required binaries into this directory.</p> </code></pre></div><p>Symlink the only required binaries into this directory.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ ln -s /usr/local/bin/ssh /usr/home/user/bin/ssh <div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback"># ln -s /usr/local/bin/ssh /usr/home/user/bin/ssh
</code></pre></div><p>Create bash profile.</p> </code></pre></div><p>Create bash profile.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ cat .bash_profile <div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback"># cat /usr/home/user/.bash_profile
PATH=$HOME/bin PATH=$HOME/bin
export PATH export PATH
</code></pre></div><p>Make sure the permissions are so that the user cannot modify its own <code>.(bash_)profile</code> files.</p> </code></pre></div><p>Make sure the permissions are so that the user cannot modify its own <code>.(bash_)profile</code> files.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ chown root:&lt;user&gt; .bash_profile .profile <div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback"># chown root:&lt;user&gt; .bash_profile .profile
</code></pre></div><p>Remove also all unused <!-- raw HTML omitted -->rc files like cshrc, shrc, etc.</p> </code></pre></div><p>Remove also all unused <!-- raw HTML omitted -->rc files like cshrc, shrc, etc.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ rm .cshrc .shrc ... <div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback"># rm .cshrc .shrc ...
</code></pre></div><p>Create .ssh folder and fill authorized_keys file (optional).</p> </code></pre></div><p>Create <code>.ssh</code> folder and fill <code>authorized_keys</code> file (optional).</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">mkdir /usr/home/user/.ssh <div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback"># mkdir /usr/home/user/.ssh
echo &#34;ssh-ed25519 AAA...3p0bv&#34; &gt;&gt; /usr/home/user/.ssh/authorized_keys # echo &#34;your_public_key_here&#34; &gt;&gt; /usr/home/user/.ssh/authorized_keys
chown -R user:user /usr/home/user/.ssh # chown -R user:user /usr/home/user/.ssh
chmod -R 700 /usr/home/user/.ssh # chmod -R 700 /usr/home/user/.ssh
</code></pre></div><p>User directory can look like this.</p> </code></pre></div><p>User directory can look like this.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">[root@bastion /usr/home/user]# ls -al <div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">[user@bastion ~]$ ls -al
total 3 total 3
drwxr-xr-x 4 user user 5 Oct 20 11:24 . drwxr-xr-x 4 user user 5 Oct 20 11:24 .
drwxr-xr-x 4 root wheel 4 Oct 19 11:59 .. drwxr-xr-x 4 root wheel 4 Oct 19 11:59 ..

5
public/post/index.xml
View File

@ -14,9 +14,8 @@
<guid>https://simoncor.net/post/freebsd_jail_jumphost/</guid> <guid>https://simoncor.net/post/freebsd_jail_jumphost/</guid>
<description>The goal is to create a limited jail using rbash and securing it so it can only accept secure SSH sessions. It should only be used as an SSH jumphost to connect further. It should therefor not be possible to create, use or install other code in this limited environment. <description>The goal is to create a limited jail using rbash and securing it so it can only accept secure SSH sessions. It should only be used as an SSH jumphost to connect further. It should therefor not be possible to create, use or install other code in this limited environment.
FreeBSD jail Create a jail and connect to the console. All commands are executed as root inside the jail, unless specified otherwise.
ezjail-admin create bastion &amp;#39;bridge0|10.0.0.10&amp;#39; ezjail-admin console bastion Install bash. FreeBSD jail Create a jail and connect to the console.</description>
pkg install bash OpenSSH-Portable Install openssh-portable.</description>
</item> </item>
<item> <item>