Chroot JAIL for SSH

Creating a Chroot Jail for SSH Access

On the server side:

/etc/init.d/iptables stop    (this stops the host firewall entirely; the jail set up below does not appear to need it — re-enable it once testing is done)

setenforce 0    (this switches SELinux to permissive mode system-wide; likewise not needed by the jail itself — restore with "setenforce 1" afterwards)

mkdir -p /var/jail/{dev,etc,lib,usr,bin,home}

mkdir -p /var/jail/usr/bin

chown root.root /var/jail    (required: sshd only honours ChrootDirectory when the jail and every parent directory are owned by root and not writable by group or others)

mknod -m 666 /var/jail/dev/null c 1 3

cd /var/jail/etc

cp /etc/ld.so.cache .

cp /etc/ld.so.conf .

cp /etc/nsswitch.conf .

cp /etc/hosts .

cd /var/jail/usr/bin

cp /bin/ls .

cp /bin/bash .

cd /var/jail/bin

cp /bin/ls .

cp /bin/bash .

cd /sbin

wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt    (fetched over plain HTTP with no integrity check and then run as root from /sbin — read the script, reproduced at the end of this page, before executing it)

chmod +x l2chroot

vim l2chroot

BASE="/var/jail"

l2chroot /bin/ls

l2chroot /bin/bash

vim /etc/ssh/sshd_config

# override default of no subsystems

#Subsystem    sftp    /usr/libexec/openssh/sftp-server

Subsystem    sftp    internal-sftp

# Example of overriding settings on a per-user basis

#Match User anoncvs

#    X11Forwarding no

#    AllowTcpForwarding no

#    ForceCommand cvs server

Match Group sshusers

   ChrootDirectory /var/jail

   X11Forwarding no

   AllowTcpForwarding no

#    ForceCommand cvs server

/etc/init.d/sshd restart    (check the edited configuration with "sshd -t" first: a syntax error here would leave sshd unable to restart and lock you out)

useradd -d /var/jail/home/test1 -s /bin/bash -G sshusers test1    (note: inside the jail /var/jail is the root, so this home path is not found there — consistent with the session below starting in /)

passwd test1

On the client side:

[root@desktop6 sbin]# ssh test1@192.168.0.106

test1@192.168.0.106's password:

Last login: Mon Jul 16 16:39:56 2012 from desktop6.example.com

-bash-4.1$ ls

bin  dev  etc  home  lib  lib64  usr

-bash-4.1$ pwd

/

-bash-4.1$ cd /

-bash-4.1$ ls

bin  dev  etc  home  lib  lib64  usr

-bash-4.1$ mkdir abcd

-bash: mkdir: command not found

-bash-4.1$ exit

logout

Connection to 192.168.0.106 closed.

l2chroot script (referenced above):

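#!/bin/bash
# Use this script to copy shared (libs) files to Apache/Lighttpd chrooted
# jail server.
# ----------------------------------------------------------------------
# Written by nixCraft <http://www.cyberciti.biz/tips/>
# (c) 2006 nixCraft under GNU GPL v2.0+
# + Added ld-linux support
# + Added error checking support
# ----------------------------------------------------------------------
# See url for usage:
# http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html
# ----------------------------------------------------------------------
#
# Usage:    l2chroot /path/to/executable
# Env:      BASE - chroot directory (default /webroot); may also be edited below.
# Outputs:  progress messages on stdout, errors on stderr.
# Returns:  0 when the libraries (and the ld-linux loader) were copied,
#           1 on a usage error or when ldd/mkdir/cp fails.
#
# NOTE: ldd(1) may hand the target file to the dynamic loader, i.e. it can
# execute code from it. Only run this on executables you trust (system
# binaries), never on files of unknown origin.

set -eu
set -o pipefail

# Set CHROOT directory name. An exported BASE takes precedence so the script
# does not have to be edited for every jail; the default is the original one.
BASE="${BASE:-/webroot}"

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if [ $# -eq 0 ]; then
  echo "Syntax : $0 /path/to/executable"
  echo "Example: $0 /usr/bin/php5-cgi"
  exit 1
fi

exe="$1"
[ -f "$exe" ] || die "$0: $exe: no such file"

# ${BASE:?} refuses to continue with an empty jail path (which would otherwise
# create directories and copy libraries directly under /).
[ -d "${BASE:?}" ] || mkdir -p -- "$BASE"

# Run ldd once and keep its output; a non-zero status means there is nothing
# usable to copy (e.g. "not a dynamic executable" for a static binary).
ldd_out="$(ldd "$exe")" || die "$0: ldd failed on $exe"

# Shared libraries are printed as "name => /abs/path (0x...)"; keep only the
# resolved absolute path (third field). Lines without "=>" - the vdso, the
# ld-linux loader (handled below) and ldd's own messages - are skipped, so a
# word such as "dynamic" can never be mistaken for a file name.
echo "Copying shared files/libs to $BASE..."
while IFS= read -r lib; do
  [ -n "$lib" ] || continue
  d="$(dirname -- "$lib")"
  [ -d "$BASE$d" ] || mkdir -p -- "$BASE$d"
  /bin/cp -- "$lib" "$BASE$d"
done < <(printf '%s\n' "$ldd_out" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }')

# copy /lib/ld-linux* or /lib64/ld-linux* to $BASE/$sldlsubdir
# The loader line looks like "/lib64/ld-linux-x86-64.so.2 (0x...)": the full
# path is its first field. Only the first matching line is used.
sldl="$(printf '%s\n' "$ldd_out" | awk '/ld-linux/ { print $1; exit }')"
if [ -n "$sldl" ] && [ ! -f "$BASE$sldl" ]; then
  # now get sub-dir
  sldlsubdir="$(dirname -- "$sldl")"
  [ -d "$BASE$sldlsubdir" ] || mkdir -p -- "$BASE$sldlsubdir"
  echo "Copying $sldl $BASE$sldlsubdir..."
  /bin/cp -- "$sldl" "$BASE$sldlsubdir"
fi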
