From c1dd6024d62f87546ac3efad8b61b01898d31456 Mon Sep 17 00:00:00 2001 From: Simon Cornet Date: Tue, 20 Oct 2020 13:36:10 +0200 Subject: [PATCH] [POST] Added FreeBSD secure jail post --- content/post/freebsd_jail_jumphost.md | 125 ++++++++++ public/post/freebsd_jail_jumphost/index.html | 238 +++++++++++++++++++ public/post/freebsd_jumpjail/index.html | 189 +++++++++++++++ 3 files changed, 552 insertions(+) create mode 100644 content/post/freebsd_jail_jumphost.md create mode 100644 public/post/freebsd_jail_jumphost/index.html create mode 100644 public/post/freebsd_jumpjail/index.html diff --git a/content/post/freebsd_jail_jumphost.md b/content/post/freebsd_jail_jumphost.md new file mode 100644 index 0000000..57b8962 --- /dev/null +++ b/content/post/freebsd_jail_jumphost.md 
@@ -0,0 +1,125 @@ +--- +title: 'FreeBSD - Jail - Secure Jumphost' +description: "FreeBSD" +date: "2020-10-20" +--- + +The goal is to create a limited jail using rbash and securing it so it can only accept secure SSH sessions. It should only be used as an SSH jumphost to connect further. It should therefor not be possible to create, use or install other code in this limited environment. + +# FreeBSD jail +Create a jail and connect to the console. +``` +ezjail-admin create bastion 'bridge0|10.0.0.10' +ezjail-admin console bastion +``` +Install `bash`. +``` +pkg install bash +``` + +# OpenSSH-Portable +Install `openssh-portable`. +``` +pkg install openssh-portable +``` +Configure `rc.conf`. +``` +$ cat /etc/rc.conf + +# OpenSSH-Portable +sshd_enable="NO" +openssh_enable="YES" +``` + +Check only what the current best practices are regarding the full OpenSSH daemon configuration. +For example check; https://infosec.mozilla.org/guidelines/openssh + +Make sure the daemon only listens to the assigned IP for this jail. And make sure the firewall running on the host accepts incoming and outgoing SSH connections. + +``` +$ cat /usr/local/etc/sshd + +... +ListenAddress 10.0.0.10 +... +``` + +Stop and start the services. +``` +service sshd stop +service openssh start +``` + + +# User +Create a default `user` and make sure the `user` has the `/usr/local/bin/rbash` shell configured. +``` +$ mkdir /usr/home/user/bin +``` +Symlink the only required binaries into this directory. +``` +$ ln -s /usr/local/bin/ssh /usr/home/user/bin/ssh +``` +Create bash profile. +``` +$ cat .bash_profile +PATH=$HOME/bin +export PATH +``` + +Make sure the permissions are so that the user cannot modify its own `.(bash_)profile` files. +``` +$ chown root: .bash_profile .profile +``` + +Remove also all unused rc files like cshrc, shrc, etc. +``` +$ rm .cshrc .shrc ... +``` + +Create .ssh folder and fill authorized_keys file (optional). 
+``` +mkdir /usr/home/user/.ssh +echo "ssh-ed25519 AAA...3p0bv" >> /usr/home/user/.ssh/authorized_keys +chown -R user:user /usr/home/user/.ssh +chmod -R 700 /usr/home/user/.ssh +``` + +User directory can look like this. +``` +[root@bastion /usr/home/user]# ls -al +total 3 +drwxr-xr-x 4 user user 5 Oct 20 11:24 . +drwxr-xr-x 4 root wheel 4 Oct 19 11:59 .. +-rw-r--r-- 1 root user 43 Oct 19 14:09 .bash_profile +drwx------ 2 user user 5 Oct 19 12:40 .ssh +drwxr-xr-x 2 user user 3 Oct 19 14:21 bin +``` + +# Result + - Commands are unavailable and absolute paths are not allowed. + - The `$PATH` variable is read-only. + - The `.bash_profile` file is read-only for the user. + - Only some bash functions + the `ssh` binary is available for the user. + +``` +[user@bastion ~]$ ls +-rbash: ls: command not found + +[user@bastion ~]$ /bin/ls +-rbash: /bin/ls: restricted: cannot specify `/' in command names + +[user@bastion ~]$ export PATH=/usr/bin +-rbash: PATH: readonly variable + +[user@bastion ~]$ +! break continue else fg in pushd shopt true while +./ builtin coproc enable fi jobs pwd source type { +: caller declare esac for kill read ssh typeset } +[ case dirs eval function let readarray suspend ulimit +[[ cd disown exec getopts local readonly test umask +]] command do exit hash logout return then unalias +alias compgen done export help mapfile select time unset +bg complete echo false history popd set times until +bind compopt elif fc if printf shift trap wait +``` diff --git a/public/post/freebsd_jail_jumphost/index.html b/public/post/freebsd_jail_jumphost/index.html new file mode 100644 index 0000000..8c2399c --- /dev/null +++ b/public/post/freebsd_jail_jumphost/index.html @@ -0,0 +1,238 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + FreeBSD - Jail - Secure Jumphost · /usr/home/simon/ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +
+ +
+
+
+

FreeBSD - Jail - Secure Jumphost

+
+ +

The goal is to create a limited jail using rbash and securing it so it can only accept secure SSH sessions. It should only be used as an SSH jumphost to connect further. It should therefor not be possible to create, use or install other code in this limited environment.

+

FreeBSD jail

+

Create a jail and connect to the console.

+
ezjail-admin create bastion 'bridge0|10.0.0.10'
+ezjail-admin console bastion
+

Install bash.

+
pkg install bash
+

OpenSSH-Portable

+

Install openssh-portable.

+
pkg install openssh-portable
+

Configure rc.conf.

+
$ cat /etc/rc.conf
+
+# OpenSSH-Portable
+sshd_enable="NO"
+openssh_enable="YES"
+

Check only what the current best practices are regarding the full OpenSSH daemon configuration. +For example check; https://infosec.mozilla.org/guidelines/openssh

+

Make sure the daemon only listens to the assigned IP for this jail. And make sure the firewall running on the host accepts incoming and outgoing SSH connections.

+
$ cat /usr/local/etc/sshd
+
+...
+ListenAddress 10.0.0.10
+...
+

Stop and start the services.

+
service sshd stop
+service openssh start
+

User

+

Create a default user and make sure the user has the /usr/local/bin/rbash shell configured.

+
$ mkdir /usr/home/user/bin
+

Symlink the only required binaries into this directory.

+
$ ln -s /usr/local/bin/ssh /usr/home/user/bin/ssh
+

Create bash profile.

+
$ cat .bash_profile
+PATH=$HOME/bin
+export PATH
+

Make sure the permissions are so that the user cannot modify its own .(bash_)profile files.

+
$ chown root:<user> .bash_profile .profile
+

Remove also all unused rc files like cshrc, shrc, etc.

+
$ rm .cshrc .shrc ...
+

Create .ssh folder and fill authorized_keys file (optional).

+
mkdir /usr/home/user/.ssh
+echo "ssh-ed25519 AAA...3p0bv" >> /usr/home/user/.ssh/authorized_keys
+chown -R user:user /usr/home/user/.ssh
+chmod -R 700 /usr/home/user/.ssh
+

User directory can look like this.

+
[root@bastion /usr/home/user]# ls -al
+total 3
+drwxr-xr-x  4 user  user   5 Oct 20 11:24 .
+drwxr-xr-x  4 root  wheel  4 Oct 19 11:59 ..
+-rw-r--r--  1 root  user  43 Oct 19 14:09 .bash_profile
+drwx------  2 user  user   5 Oct 19 12:40 .ssh
+drwxr-xr-x  2 user  user   3 Oct 19 14:21 bin
+

Result

+
    +
  • Commands are unavailable and absolute paths are not allowed.
  • +
  • The $PATH variable is read-only.
  • +
  • The .bash_profile file is read-only for the user.
  • +
  • Only some bash functions + the ssh binary is available for the user.
  • +
+
[user@bastion ~]$ ls
+-rbash: ls: command not found
+
+[user@bastion ~]$ /bin/ls  
+-rbash: /bin/ls: restricted: cannot specify `/' in command names
+
+[user@bastion ~]$ export PATH=/usr/bin
+-rbash: PATH: readonly variable
+
+[user@bastion ~]$
+!          break      continue   else       fg         in         pushd      shopt      true       while
+./         builtin    coproc     enable     fi         jobs       pwd        source     type       {
+:          caller     declare    esac       for        kill       read       ssh        typeset    }
+[          case       dirs       eval       function   let        readarray  suspend    ulimit     
+[[         cd         disown     exec       getopts    local      readonly   test       umask      
+]]         command    do         exit       hash       logout     return     then       unalias    
+alias      compgen    done       export     help       mapfile    select     time       unset      
+bg         complete   echo       false      history    popd       set        times      until      
+bind       compopt    elif       fc         if         printf     shift      trap       wait
+
+
+
+ + + +
+ + +
+
+ +

Ansible | FreeBSD | Linux | Networking | Security

+ + + © + + 2020 + Simon Cornet + + + · + Powered by Hugo & Coder. + + + + +
+
+ +
+ + + + + + + + + + diff --git a/public/post/freebsd_jumpjail/index.html b/public/post/freebsd_jumpjail/index.html new file mode 100644 index 0000000..ec6f707 --- /dev/null +++ b/public/post/freebsd_jumpjail/index.html @@ -0,0 +1,189 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + FreeBSD - Jail - Secure Jumphost · /usr/home/simon/ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +
+ +
+
+
+

FreeBSD - Jail - Secure Jumphost

+
+ +

FreeBSD jail

+
ezjail-admin create bastion 'bridge0|10.0.0.10'
+
pkg install bash
+

OpenSSH-Portable

+
pkg install openssh-portable
+
$ cat /etc/rc.conf
+
+# OpenSSH
+sshd_enable="NO"
+openssh_enable="YES"
+

Check only what the current best practices are regarding the full OpenSSH daemon configuration. +For example check; https://infosec.mozilla.org/guidelines/openssh

+
$ cat /usr/local/etc/sshd
+
+...
+ListenAddress 10.0.0.10
+...
+

Stop and start the services.

+
service sshd stop
+service openssh start
+

User

+

Create a default user and make sure the user has the /usr/local/bin/rbash shell.

+
$ mkdir <user homedir path>/bin
+

Symlink the only required binaries into this directory.

+
$ ln -s /usr/local/bin/ssh <user homedir path>/bin/ssh
+

Create bash profile.

+
$ cat .bash_profile
+PATH=$HOME/bin
+export PATH
+

Make sure the permissions are correct.

+ +
+
+ + + +
+ + + + +
+ + + + + + + + + +
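Review bot: In content/post/freebsd_jail_jumphost.md, the "User directory can look like this" listing shows the home directory and `bin` as `drwxr-xr-x user user`, so the account still owns the two directories the restriction depends on. Root-owning `.bash_profile` does not protect it while its parent directory is writable by the user, and `bin` can gain entries the same way through anything other than the rbash prompt. Suggest making `/usr/home/user` and `/usr/home/user/bin` owned by `root:user` and not group-writable, keeping only `.ssh` owned by the user, and updating the listing to match. Two smaller points in the same hunk: `PATH=$HOME/bin` is set only in `.bash_profile`, which bash reads for login shells only, so the post should state how sessions that do not start a login shell get the same PATH; and `cat /usr/local/etc/sshd` does not look like the daemon's configuration file, which for openssh-portable is `/usr/local/etc/ssh/sshd_config`.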
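Review bot: public/post/freebsd_jail_jumphost/index.html is the rendered copy of the Markdown post added in the same commit (its footer reads "Powered by Hugo & Coder"), so the 238 added lines duplicate the source and have to be regenerated and reviewed again for every fix to the post. Suggest leaving `public/` out of the commit and building it at deploy time, or, if the rendered tree must be tracked, committing it separately from the content change so review can concentrate on the 125-line source.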
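Review bot: public/post/freebsd_jumpjail/index.html has no matching file under content/ in this commit and looks like the output of an earlier draft. It carries the same title, but it has no introduction, still uses `<user homedir path>` placeholders, and stops at "Make sure the permissions are correct." with no command and none of the `.ssh`, ownership or result steps. Published as-is it gives readers a second URL with an incomplete hardening procedure. Suggest dropping this file from the commit and cleaning the stale directory out of `public/` before rebuilding.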