siempie/simoncor.net
1
0
Fork 0
Code Pull Requests Actions Releases Activity
933a54a53c
simoncor.net/public/post/freebsd_jail_jumphost/index.html
Simon Cornet 23e8b2833a
All checks were successful
continuous-integration/drone/push Build is passing
Details
[GLOBAL] Updated favicons
2022-05-30 11:05:49 +02:00

243 lines
14 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="Content-Language" content="en">
<meta name="author" content="Simon Cornet">
<meta name="description" content="FreeBSD">
<meta name="keywords" content="personal, cv">
<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="FreeBSD - Jail - Secure Jumphost"/>
<meta name="twitter:description" content="FreeBSD"/>
<meta property="og:title" content="FreeBSD - Jail - Secure Jumphost" />
<meta property="og:description" content="FreeBSD" />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://simoncor.net/post/freebsd_jail_jumphost/" /><meta property="article:section" content="post" />
<meta property="article:published_time" content="2020-10-20T00:00:00+00:00" />
<meta property="article:modified_time" content="2020-10-20T00:00:00+00:00" />
<base href="https://simoncor.net/post/freebsd_jail_jumphost/">
<title>
FreeBSD - Jail - Secure Jumphost · /usr/home/simon/
</title>
<link rel="canonical" href="https://simoncor.net/post/freebsd_jail_jumphost/">
<link href="https://fonts.googleapis.com/css?family=Lato:400,700%7CMerriweather:300,700%7CSource+Code+Pro:400,700&display=swap" rel="stylesheet">
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.13.0/css/all.css" integrity="sha384-Bfad6CLCknfcloXFOyFnlgtENryhrpZCe29RTifKEixXQZ38WheV+i/6YWSzkz3V" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/8.0.1/normalize.min.css" integrity="sha256-l85OmPOjvil/SOvVt3HnSSjzF1TUMyT9eV0c2BzEGzU=" crossorigin="anonymous" />
<link rel="stylesheet" href="https://simoncor.net/css/coder.min.3219ef62ae52679b7a9c19043171c3cd9f523628c2a65f3ef247ee18836bc90b.css" integrity="sha256-MhnvYq5SZ5t6nBkEMXHDzZ9SNijCpl8&#43;8kfuGINryQs=" crossorigin="anonymous" media="screen" />
<link rel="stylesheet" href="https://simoncor.net/css/coder-dark.min.e78e80fc3a585a4d1c8fc7f58623b6ff852411e38431a9cd1792877ecaa160f6.css" integrity="sha256-546A/DpYWk0cj8f1hiO2/4UkEeOEManNF5KHfsqhYPY=" crossorigin="anonymous" media="screen" />
<link rel="apple-touch-icon" sizes="180x180" href="https://simoncor.net/images/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="https://simoncor.net/images/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="https://simoncor.net/images/favicon-16x16.png">
<link rel="manifest" href="https://simoncor.net/images/site.webmanifest">
<link rel="mask-icon" href="https://simoncor.net/images/safari-pinned-tab.svg" color="#5bbad5">
<meta name="msapplication-TileColor" content="#2b5797">
<meta name="theme-color" content="#ffffff">
<meta name="generator" content="Hugo 0.93.3" />
</head>
<body class="colorscheme-dark"
onload=""
>
<main class="wrapper">
<nav class="navigation">
<section class="container">
<a class="navigation-title" href="https://simoncor.net/">
/usr/home/simon/
</a>
<input type="checkbox" id="menu-toggle" />
<label class="menu-button float-right" for="menu-toggle"><i class="fas fa-bars"></i></label>
<ul class="navigation-list">
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/post/">Blog</a>
</li>
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/status/">Status</a>
</li>
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/position/">About</a>
</li>
<li class="navigation-item">
<a class="navigation-link" href="https://simoncor.net/scornet_cv.pdf">CV</a>
</li>
</ul>
</section>
</nav>
<div class="content">
<section class="container page">
<article>
<header>
<h1>FreeBSD - Jail - Secure Jumphost</h1>
</header>
<p>The goal is to create a limited jail using rbash and securing it so it can only accept secure SSH sessions. It should only be used as an SSH jumphost to connect further. It should therefor not be possible to create, use or install other code in this limited environment.</p>
<p>All commands are executed as root inside the jail, unless specified otherwise.</p>
<h1 id="freebsd-jail">FreeBSD jail</h1>
<p>Create a jail and connect to the console.</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>[simon@host ~]$ sudo ezjail-admin create bastion &#39;bridge0|10.0.0.10&#39;
</span></span><span style="display:flex;"><span>[simon@host ~]$ sudo ezjail-admin console bastion
</span></span></code></pre></div><p>Install <code>bash</code>.</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span># pkg install bash
</span></span></code></pre></div><h1 id="openssh-portable">OpenSSH-Portable</h1>
<p>Install <code>openssh-portable</code>.</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span># pkg install openssh-portable
</span></span></code></pre></div><p>Configure <code>rc.conf</code>.</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span># sysrc sshd_enable=NO
</span></span><span style="display:flex;"><span># sysrc openssh_enable=YES
</span></span></code></pre></div><p>Check only what the current best practices are regarding the full OpenSSH daemon configuration.
For example check; <a href="https://infosec.mozilla.org/guidelines/openssh">https://infosec.mozilla.org/guidelines/openssh</a></p>
<p>Make sure the daemon only listens to the assigned IP for this jail. And make sure the firewall running on the host accepts incoming and outgoing SSH connections.</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span># cat /usr/local/etc/sshd
</span></span><span style="display:flex;"><span>...
</span></span><span style="display:flex;"><span>ListenAddress 10.0.0.10
</span></span><span style="display:flex;"><span>...
</span></span></code></pre></div><p>Stop and start the services.</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span># service sshd stop
</span></span><span style="display:flex;"><span># service openssh start
</span></span></code></pre></div><h1 id="user">User</h1>
<p>Create a default <code>user</code> and make sure the <code>user</code> has the <code>/usr/local/bin/rbash</code> shell configured.</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span># mkdir /usr/home/user/bin
</span></span></code></pre></div><p>Symlink the only required binaries into this directory.</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span># ln -s /usr/local/bin/ssh /usr/home/user/bin/ssh
</span></span></code></pre></div><p>Create bash profile.</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span># cat /usr/home/user/.bash_profile
</span></span><span style="display:flex;"><span>PATH=$HOME/bin
</span></span><span style="display:flex;"><span>export PATH
</span></span></code></pre></div><p>Make sure the permissions are so that the user cannot modify its own <code>.(bash_)profile</code> files.</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span># chown root:user .bash_profile .profile
</span></span></code></pre></div><p>Remove also all unused <!-- raw HTML omitted -->rc files like cshrc, shrc, etc.</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span># rm .cshrc .shrc ...
</span></span></code></pre></div><p>Create <code>.ssh</code> folder and fill <code>authorized_keys</code> file (optional).</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span># mkdir /usr/home/user/.ssh
</span></span><span style="display:flex;"><span># echo &#34;your_public_key_here&#34; &gt;&gt; /usr/home/user/.ssh/authorized_keys
</span></span><span style="display:flex;"><span># chown -R user:user /usr/home/user/.ssh
</span></span><span style="display:flex;"><span># chmod -R 700 /usr/home/user/.ssh
</span></span></code></pre></div><p>User directory can look like this.</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>[user@bastion ~]$ ls -al
</span></span><span style="display:flex;"><span>total 3
</span></span><span style="display:flex;"><span>drwxr-xr-x 4 user user 5 Oct 20 11:24 .
</span></span><span style="display:flex;"><span>drwxr-xr-x 4 root wheel 4 Oct 19 11:59 ..
</span></span><span style="display:flex;"><span>-rw-r--r-- 1 root user 43 Oct 19 14:09 .bash_profile
</span></span><span style="display:flex;"><span>drwx------ 2 user user 5 Oct 19 12:40 .ssh
</span></span><span style="display:flex;"><span>drwxr-xr-x 2 user user 3 Oct 19 14:21 bin
</span></span></code></pre></div><h1 id="result">Result</h1>
<ul>
<li>FreeBSD Jail with latest packaged version of OpenSSH-Portable</li>
<li>Commands are unavailable and absolute paths are not allowed.</li>
<li>The <code>$PATH</code> variable is read-only.</li>
<li>The <code>.bash_profile</code> file is read-only for the user.</li>
<li>Only some bash functions + the <code>ssh</code> binary is available for the user.</li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>[user@bastion ~]$ ls
</span></span><span style="display:flex;"><span>-rbash: ls: command not found
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>[user@bastion ~]$ /bin/ls
</span></span><span style="display:flex;"><span>-rbash: /bin/ls: restricted: cannot specify `/&#39; in command names
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>[user@bastion ~]$ export PATH=/usr/bin
</span></span><span style="display:flex;"><span>-rbash: PATH: readonly variable
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>[user@bastion ~]$
</span></span><span style="display:flex;"><span>! break continue else fg in pushd shopt true while
</span></span><span style="display:flex;"><span>./ builtin coproc enable fi jobs pwd source type {
</span></span><span style="display:flex;"><span>: caller declare esac for kill read ssh typeset }
</span></span><span style="display:flex;"><span>[ case dirs eval function let readarray suspend ulimit
</span></span><span style="display:flex;"><span>[[ cd disown exec getopts local readonly test umask
</span></span><span style="display:flex;"><span>]] command do exit hash logout return then unalias
</span></span><span style="display:flex;"><span>alias compgen done export help mapfile select time unset
</span></span><span style="display:flex;"><span>bg complete echo false history popd set times until
</span></span><span style="display:flex;"><span>bind compopt elif fc if printf shift trap wait
</span></span></code></pre></div>
</article>
</section>
</div>
<footer class="footer">
<section class="container">
<p>Ansible | FreeBSD | Linux | Networking | Security</p>
©
2022
Simon Cornet
·
Powered by <a href="https://gohugo.io/">Hugo</a> & <a href="https://github.com/luizdepra/hugo-coder/">Coder</a>.
</section>
</footer>
</main>
</body>
</html>
View Git Blame Copy Permalink