siempie/simoncor.net
1
0
Fork 0
Code Pull Requests Actions Releases Activity

[POST] Added FreeBSD secure jail post

Browse Source
This commit is contained in:
Simon Cornet 2020-10-20 13:36:10 +02:00
parent 9934d2b060
commit c1dd6024d6
3 changed files with 552 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

125
content/post/freebsd_jail_jumphost.md Normal file
View File

@ -0,0 +1,125 @@
---
title: 'FreeBSD - Jail - Secure Jumphost'
description: "FreeBSD"
date: "2020-10-20"
---
The goal is to create a limited jail using rbash and securing it so it can only accept secure SSH sessions. It should only be used as an SSH jumphost to connect further. It should therefor not be possible to create, use or install other code in this limited environment.
# FreeBSD jail
Create a jail and connect to the console.
```
ezjail-admin create bastion 'bridge0|10.0.0.10'
ezjail-admin console bastion
```
Install `bash`.
```
pkg install bash
```
# OpenSSH-Portable
Install `openssh-portable`.
```
pkg install openssh-portable
```
Configure `rc.conf`.
```
$ cat /etc/rc.conf
# OpenSSH-Portable
sshd_enable="NO"
openssh_enable="YES"
```
Check only what the current best practices are regarding the full OpenSSH daemon configuration.
For example check; https://infosec.mozilla.org/guidelines/openssh
Make sure the daemon only listens to the assigned IP for this jail. And make sure the firewall running on the host accepts incoming and outgoing SSH connections.
```
$ cat /usr/local/etc/sshd
...
ListenAddress 10.0.0.10
...
```
Stop and start the services.
```
service sshd stop
service openssh start
```
# User
Create a default `user` and make sure the `user` has the `/usr/local/bin/rbash` shell configured.
```
$ mkdir /usr/home/user/bin
```
Symlink the only required binaries into this directory.
```
$ ln -s /usr/local/bin/ssh /usr/home/user/bin/ssh
```
Create bash profile.
```
$ cat .bash_profile
PATH=$HOME/bin
export PATH
```
Make sure the permissions are so that the user cannot modify its own `.(bash_)profile` files.
```
$ chown root:<user> .bash_profile .profile
```
Remove also all unused <shell>rc files like cshrc, shrc, etc.
```
$ rm .cshrc .shrc ...
```
Create .ssh folder and fill authorized_keys file (optional).
```
mkdir /usr/home/user/.ssh
echo "ssh-ed25519 AAA...3p0bv" >> /usr/home/user/.ssh/authorized_keys
chown -R user:user /usr/home/user/.ssh
chmod -R 700 /usr/home/user/.ssh
```
User directory can look like this.
```
[root@bastion /usr/home/user]# ls -al
total 3
drwxr-xr-x 4 user user 5 Oct 20 11:24 .
drwxr-xr-x 4 root wheel 4 Oct 19 11:59 ..
-rw-r--r-- 1 root user 43 Oct 19 14:09 .bash_profile
drwx------ 2 user user 5 Oct 19 12:40 .ssh
drwxr-xr-x 2 user user 3 Oct 19 14:21 bin
```
# Result
- Commands are unavailable and absolute paths are not allowed.
- The `$PATH` variable is read-only.
- The `.bash_profile` file is read-only for the user.
- Only some bash functions + the `ssh` binary is available for the user.
```
[user@bastion ~]$ ls
-rbash: ls: command not found
[user@bastion ~]$ /bin/ls
-rbash: /bin/ls: restricted: cannot specify `/' in command names
[user@bastion ~]$ export PATH=/usr/bin
-rbash: PATH: readonly variable
[user@bastion ~]$
! break continue else fg in pushd shopt true while
./ builtin coproc enable fi jobs pwd source type {
: caller declare esac for kill read ssh typeset }
[ case dirs eval function let readarray suspend ulimit
[[ cd disown exec getopts local readonly test umask
]] command do exit hash logout return then unalias
alias compgen done export help mapfile select time unset
bg complete echo false history popd set times until
bind compopt elif fc if printf shift trap wait
```

238
public/post/freebsd_jail_jumphost/index.html Normal file
View File

@ -0,0 +1,238 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="Content-Language" content="en">
<meta name="author" content="Simon Cornet">
<meta name="description" content="FreeBSD">
<meta name="keywords" content="personal, cv">
<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="FreeBSD - Jail - Secure Jumphost"/>
<meta name="twitter:description" content="FreeBSD"/>
<meta property="og:title" content="FreeBSD - Jail - Secure Jumphost" />
<meta property="og:description" content="FreeBSD" />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://simoncor.net/post/freebsd_jail_jumphost/" />
<meta property="article:published_time" content="2020-10-20T00:00:00+00:00" />
<meta property="article:modified_time" content="2020-10-20T00:00:00+00:00" />
<base href="https://simoncor.net/post/freebsd_jail_jumphost/">
<title>
FreeBSD - Jail - Secure Jumphost · /usr/home/simon/
</title>
<link rel="canonical" href="https://simoncor.net/post/freebsd_jail_jumphost/">
<link href="https://fonts.googleapis.com/css?family=Lato:400,700%7CMerriweather:300,700%7CSource+Code+Pro:400,700&display=swap" rel="stylesheet">
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.13.0/css/all.css" integrity="sha384-Bfad6CLCknfcloXFOyFnlgtENryhrpZCe29RTifKEixXQZ38WheV+i/6YWSzkz3V" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/8.0.1/normalize.min.css" integrity="sha256-l85OmPOjvil/SOvVt3HnSSjzF1TUMyT9eV0c2BzEGzU=" crossorigin="anonymous" />
<link rel="stylesheet" href="https://simoncor.net/css/coder.min.3219ef62ae52679b7a9c19043171c3cd9f523628c2a65f3ef247ee18836bc90b.css" integrity="sha256-MhnvYq5SZ5t6nBkEMXHDzZ9SNijCpl8&#43;8kfuGINryQs=" crossorigin="anonymous" media="screen" />
<link rel="stylesheet" href="https://simoncor.net/css/coder-dark.min.e78e80fc3a585a4d1c8fc7f58623b6ff852411e38431a9cd1792877ecaa160f6.css" integrity="sha256-546A/DpYWk0cj8f1hiO2/4UkEeOEManNF5KHfsqhYPY=" crossorigin="anonymous" media="screen" />
<link rel="icon" type="image/png" href="https://simoncor.net/images/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="https://simoncor.net/images/favicon-16x16.png" sizes="16x16">
<meta name="generator" content="Hugo 0.75.1" />
</head>
<body class="colorscheme-dark"
onload=""
>
<main class="wrapper">
<nav class="navigation">
<section class="container">
<a class="navigation-title" href="https://simoncor.net/">
/usr/home/simon/
</a>
<input type="checkbox" id="menu-toggle" />
<label class="menu-button float-right" for="menu-toggle"><i class="fas fa-bars"></i></label>
<ul class="navigation-list">
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/post/">Blog</a>
</li>
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/status/">Status</a>
</li>
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/position/">About</a>
</li>
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/scornet_cv.pdf">CV</a>
</li>
</ul>
</section>
</nav>
<div class="content">
<section class="container page">
<article>
<header>
<h1>FreeBSD - Jail - Secure Jumphost</h1>
</header>
<p>The goal is to create a limited jail using rbash and securing it so it can only accept secure SSH sessions. It should only be used as an SSH jumphost to connect further. It should therefor not be possible to create, use or install other code in this limited environment.</p>
<h1 id="freebsd-jail">FreeBSD jail</h1>
<p>Create a jail and connect to the console.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">ezjail-admin create bastion &#39;bridge0|10.0.0.10&#39;
ezjail-admin console bastion
</code></pre></div><p>Install <code>bash</code>.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">pkg install bash
</code></pre></div><h1 id="openssh-portable">OpenSSH-Portable</h1>
<p>Install <code>openssh-portable</code>.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">pkg install openssh-portable
</code></pre></div><p>Configure <code>rc.conf</code>.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ cat /etc/rc.conf
# OpenSSH-Portable
sshd_enable=&#34;NO&#34;
openssh_enable=&#34;YES&#34;
</code></pre></div><p>Check only what the current best practices are regarding the full OpenSSH daemon configuration.
For example check; <a href="https://infosec.mozilla.org/guidelines/openssh">https://infosec.mozilla.org/guidelines/openssh</a></p>
<p>Make sure the daemon only listens to the assigned IP for this jail. And make sure the firewall running on the host accepts incoming and outgoing SSH connections.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ cat /usr/local/etc/sshd
...
ListenAddress 10.0.0.10
...
</code></pre></div><p>Stop and start the services.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">service sshd stop
service openssh start
</code></pre></div><h1 id="user">User</h1>
<p>Create a default <code>user</code> and make sure the <code>user</code> has the <code>/usr/local/bin/rbash</code> shell configured.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ mkdir /usr/home/user/bin
</code></pre></div><p>Symlink the only required binaries into this directory.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ ln -s /usr/local/bin/ssh /usr/home/user/bin/ssh
</code></pre></div><p>Create bash profile.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ cat .bash_profile
PATH=$HOME/bin
export PATH
</code></pre></div><p>Make sure the permissions are so that the user cannot modify its own <code>.(bash_)profile</code> files.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ chown root:&lt;user&gt; .bash_profile .profile
</code></pre></div><p>Remove also all unused <!-- raw HTML omitted -->rc files like cshrc, shrc, etc.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ rm .cshrc .shrc ...
</code></pre></div><p>Create .ssh folder and fill authorized_keys file (optional).</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">mkdir /usr/home/user/.ssh
echo &#34;ssh-ed25519 AAA...3p0bv&#34; &gt;&gt; /usr/home/user/.ssh/authorized_keys
chown -R user:user /usr/home/user/.ssh
chmod -R 700 /usr/home/user/.ssh
</code></pre></div><p>User directory can look like this.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">[root@bastion /usr/home/user]# ls -al
total 3
drwxr-xr-x 4 user user 5 Oct 20 11:24 .
drwxr-xr-x 4 root wheel 4 Oct 19 11:59 ..
-rw-r--r-- 1 root user 43 Oct 19 14:09 .bash_profile
drwx------ 2 user user 5 Oct 19 12:40 .ssh
drwxr-xr-x 2 user user 3 Oct 19 14:21 bin
</code></pre></div><h1 id="result">Result</h1>
<ul>
<li>Commands are unavailable and absolute paths are not allowed.</li>
<li>The <code>$PATH</code> variable is read-only.</li>
<li>The <code>.bash_profile</code> file is read-only for the user.</li>
<li>Only some bash functions + the <code>ssh</code> binary is available for the user.</li>
</ul>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">[user@bastion ~]$ ls
-rbash: ls: command not found
[user@bastion ~]$ /bin/ls
-rbash: /bin/ls: restricted: cannot specify `/&#39; in command names
[user@bastion ~]$ export PATH=/usr/bin
-rbash: PATH: readonly variable
[user@bastion ~]$
! break continue else fg in pushd shopt true while
./ builtin coproc enable fi jobs pwd source type {
: caller declare esac for kill read ssh typeset }
[ case dirs eval function let readarray suspend ulimit
[[ cd disown exec getopts local readonly test umask
]] command do exit hash logout return then unalias
alias compgen done export help mapfile select time unset
bg complete echo false history popd set times until
bind compopt elif fc if printf shift trap wait
</code></pre></div>
</article>
</section>
</div>
<footer class="footer">
<section class="container">
<p>Ansible | FreeBSD | Linux | Networking | Security</p>
©
2020
Simon Cornet
·
Powered by <a href="https://gohugo.io/">Hugo</a> & <a href="https://github.com/luizdepra/hugo-coder/">Coder</a>.
</section>
</footer>
</main>
</body>
</html>

189
public/post/freebsd_jumpjail/index.html Normal file
View File

@ -0,0 +1,189 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="Content-Language" content="en">
<meta name="author" content="Simon Cornet">
<meta name="description" content="FreeBSD">
<meta name="keywords" content="personal, cv">
<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="FreeBSD - Jail - Secure Jumphost"/>
<meta name="twitter:description" content="FreeBSD"/>
<meta property="og:title" content="FreeBSD - Jail - Secure Jumphost" />
<meta property="og:description" content="FreeBSD" />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://simoncor.net/post/freebsd_jumpjail/" />
<meta property="article:published_time" content="2020-10-19T00:00:00+00:00" />
<meta property="article:modified_time" content="2020-10-19T00:00:00+00:00" />
<base href="https://simoncor.net/post/freebsd_jumpjail/">
<title>
FreeBSD - Jail - Secure Jumphost · /usr/home/simon/
</title>
<link rel="canonical" href="https://simoncor.net/post/freebsd_jumpjail/">
<link href="https://fonts.googleapis.com/css?family=Lato:400,700%7CMerriweather:300,700%7CSource+Code+Pro:400,700&display=swap" rel="stylesheet">
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.13.0/css/all.css" integrity="sha384-Bfad6CLCknfcloXFOyFnlgtENryhrpZCe29RTifKEixXQZ38WheV+i/6YWSzkz3V" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/8.0.1/normalize.min.css" integrity="sha256-l85OmPOjvil/SOvVt3HnSSjzF1TUMyT9eV0c2BzEGzU=" crossorigin="anonymous" />
<link rel="stylesheet" href="https://simoncor.net/css/coder.min.3219ef62ae52679b7a9c19043171c3cd9f523628c2a65f3ef247ee18836bc90b.css" integrity="sha256-MhnvYq5SZ5t6nBkEMXHDzZ9SNijCpl8&#43;8kfuGINryQs=" crossorigin="anonymous" media="screen" />
<link rel="stylesheet" href="https://simoncor.net/css/coder-dark.min.e78e80fc3a585a4d1c8fc7f58623b6ff852411e38431a9cd1792877ecaa160f6.css" integrity="sha256-546A/DpYWk0cj8f1hiO2/4UkEeOEManNF5KHfsqhYPY=" crossorigin="anonymous" media="screen" />
<link rel="icon" type="image/png" href="https://simoncor.net/images/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="https://simoncor.net/images/favicon-16x16.png" sizes="16x16">
<meta name="generator" content="Hugo 0.75.1" />
</head>
<body class="colorscheme-dark"
onload=""
>
<main class="wrapper">
<nav class="navigation">
<section class="container">
<a class="navigation-title" href="https://simoncor.net/">
/usr/home/simon/
</a>
<input type="checkbox" id="menu-toggle" />
<label class="menu-button float-right" for="menu-toggle"><i class="fas fa-bars"></i></label>
<ul class="navigation-list">
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/post/">Blog</a>
</li>
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/status/">Status</a>
</li>
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/position/">About</a>
</li>
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/scornet_cv.pdf">CV</a>
</li>
</ul>
</section>
</nav>
<div class="content">
<section class="container page">
<article>
<header>
<h1>FreeBSD - Jail - Secure Jumphost</h1>
</header>
<h1 id="freebsd-jail">FreeBSD jail</h1>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">ezjail-admin create bastion &#39;bridge0|10.0.0.10&#39;
</code></pre></div><div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">pkg install bash
</code></pre></div><h1 id="openssh-portable">OpenSSH-Portable</h1>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">pkg install openssh-portable
</code></pre></div><div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ cat /etc/rc.conf
# OpenSSH
sshd_enable=&#34;NO&#34;
openssh_enable=&#34;YES&#34;
</code></pre></div><p>Check only what the current best practices are regarding the full OpenSSH daemon configuration.
For example check; <a href="https://infosec.mozilla.org/guidelines/openssh">https://infosec.mozilla.org/guidelines/openssh</a></p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ cat /usr/local/etc/sshd
...
ListenAddress 10.0.0.10
...
</code></pre></div><p>Stop and start the services.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">service sshd stop
service openssh start
</code></pre></div><h1 id="user">User</h1>
<p>Create a default user and make sure the user has the <code>/usr/local/bin/rbash</code> shell.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ mkdir &lt;user homedir path&gt;/bin
</code></pre></div><p>Symlink the only required binaries into this directory.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ ln -s /usr/local/bin/ssh &lt;user homedir path&gt;/bin/ssh
</code></pre></div><p>Create bash profile.</p>
<div class="highlight"><pre style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-fallback" data-lang="fallback">$ cat .bash_profile
PATH=$HOME/bin
export PATH
</code></pre></div><p>Make sure the permissions are correct.</p>
</article>
</section>
</div>
<footer class="footer">
<section class="container">
<p>Ansible | FreeBSD | Linux | Networking | Security</p>
©
2020
Simon Cornet
·
Powered by <a href="https://gohugo.io/">Hugo</a> & <a href="https://github.com/luizdepra/hugo-coder/">Coder</a>.
</section>
</footer>
</main>
</body>
</html>