How To Set Up A Secure Chrooted Jail With RSSH
In this guide I will show you how to install and configure Restricted SSH (rssh) using the default port 22, create a chrooted jail for your users and how to properly secure it all afterwards.
This method is tried and tested as I originally wrote this for my own benefit when building servers at work.
There are 5 steps:
- Installing rssh
- Configuring rssh
- Building the chrooted jail
- Locking it all down
- Adding users with rssh over SCP and/or SFTP access to the jail.
Confirmed compatible with default installations of CentOS 5.2 and Red Hat 5.2.
During this guide the CentOS/Redhat default webroot of /var/www/html will be used.
Let’s get started!
1. Installing RSSH
In a terminal type:
cd /tmp
wget http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.i386.rpm
rpm -ivh rssh-2.3.2-1.2.el5.rf.i386.rpm
2. Configuring RSSH
Type (with root privileges):
gedit /etc/rssh.conf
Change the umask from 022 to 002. This will set the default permissions of all SFTP and SCP uploads to 775.
# set the default umask
umask = 002
Uncomment chrootpath and change it to /var/www
# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
chrootpath = /var/www
Uncomment allowscp and allowsftp
allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync
Save rssh.conf overwriting the original (you do not need to restart any services as rssh will read this file on the fly).
3. Build the Chrooted Jail
In a terminal type the following lines (remember to be root!):
mkdir -p /var/www/{dev,etc,lib,usr,bin}
mkdir -p /var/www/usr/bin
mkdir -p /var/www/libexec/openssh
mknod -m 666 /var/www/dev/null c 1 3
cd /var/www/etc
cp /etc/ld.so.cache .
cp /etc/ld.so.conf .
cp /etc/nsswitch.conf .
cp /etc/passwd .
cp /etc/group .
cp /etc/hosts .
cp /etc/resolv.conf .
gedit passwd
Gedit will open. Delete the entire contents of the file, save it and then close the editor.
Then type:
gedit group
Again, delete the entire contents of the file, save it and then close the editor.
Back in the terminal, type:
cd /var/www/usr/bin
cp /usr/bin/scp .
cp /usr/bin/rssh .
cp /usr/bin/sftp .
cd /var/www/libexec/openssh/
cp /usr/libexec/openssh/sftp-server .
Now you need to copy the shared library files into the new folder structure. The easiest way to do this is to use a simple script written by Vivek at nixcraft.com.
In a terminal type:
cd /sbin
wget -O l2chroot http://www.adamhawkins.net/downloads/l2chroot.txt
chmod +x l2chroot
gedit l2chroot
l2chroot will open with gedit. Find the following line:
BASE="/webroot"
Change it to:
BASE="/var/www"
Save the file.
In a terminal type:
l2chroot /usr/bin/scp
l2chroot /usr/bin/rssh
l2chroot /usr/bin/sftp
l2chroot /usr/libexec/openssh/sftp-server
gedit /etc/sysconfig/syslog
Find the line:
SYSLOGD_OPTIONS="-m 0"
Change it to:
SYSLOGD_OPTIONS="-m 0 -a /var/www/dev/log"
Save the file.
In a terminal type:
/etc/init.d/syslog restart
Finally, move the folder libexec from /var/www/ to /var/www/usr/.
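Before locking the jail down, it is worth checking that every shared library the copied binaries depend on really ended up under /var/www, since a missing library makes scp or sftp-server fail silently inside the chroot. The script below is an added example, not part of the original guide, rssh or l2chroot; the function names are hypothetical and the ldd listing it uses is constructed.

```shell
#!/bin/sh
# Added example (not part of rssh, l2chroot or the guide above): verify that
# every shared library a jailed binary needs is present under the chroot
# BASE. ldd output is passed in as text so the check can also be run on a
# saved listing; the sample below is constructed, not from a real system.

# ldd_paths "<ldd output>": print the absolute library paths ldd reports,
# from both "libc.so.6 => /lib/libc.so.6 (...)" and "/lib/ld-linux.so.2 (...)"
# lines; vDSO entries like "linux-gate.so.1 => (...)" carry no path and are skipped.
ldd_paths() {
    printf '%s\n' "$1" | awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }'
}

# missing_in_jail BASE "<ldd output>": print every library that is not
# present under BASE (e.g. /var/www/lib/libc.so.6) and return 1 if any is
# missing, 0 if the jail is complete for this binary.
missing_in_jail() {
    base=$1
    missing=0
    for lib in $(ldd_paths "$2"); do
        if [ ! -e "$base$lib" ]; then
            echo "missing: $base$lib"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample of what `ldd /usr/bin/scp` might print.
SAMPLE_LDD='	linux-gate.so.1 =>  (0x00110000)
	libresolv.so.2 => /lib/libresolv.so.2 (0x00a2c000)
	libc.so.6 => /lib/libc.so.6 (0x00826000)
	/lib/ld-linux.so.2 (0x00804000)'

# demo: build a throwaway jail in a temp dir that lacks libresolv and show
# the check catching it. On the real jail run, for each copied binary:
#   missing_in_jail /var/www "$(ldd /usr/bin/scp)"
demo() {
    jail=$(mktemp -d)
    mkdir -p "$jail/lib"
    : > "$jail/lib/libc.so.6"
    : > "$jail/lib/ld-linux.so.2"
    missing_in_jail "$jail" "$SAMPLE_LDD"
    status=$?
    rm -rf "$jail"
    return $status
}
```

Run the check for scp, rssh, sftp and sftp-server; any "missing:" line means l2chroot skipped a library and the binary will not start inside the jail.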
4. Permissions
In a terminal type:
cd /var/www
chmod 700 bin -R
chmod 750 dev -R
chmod 700 error -R
chmod 700 etc -R
chmod 700 icons -R
chmod 750 lib -R
chmod 750 usr -R
chmod 700 cgi-bin -R
chmod 755 html
chown root:users usr -R
chown root:users lib -R
chown root:users html
chown root:users dev -R
chown root:users cgi-bin -R
chown root:root icons -R
chown root:root etc -R
chown root:root error -R
chown root:root bin -R
cd /var/www/dev
chmod 770 null
5. Add Users with RSSH over SCP and/or SFTP Access to the Jail
Create a good password, e.g. D4zf96xpvSma
(goodpassword.com is a good place to start if you can't think of a good one)
Go to System > Administration > Users and Groups
Click Add User
Enter the following:
Username: xxxxxxxxxxx (e.g. ahawkins)
Password: xxxxxxxxxxxx
Untick Create a private group for the user.
Press OK
Double-click on the user
Go to the Groups tab
Add the user to other groups depending on what they need access to, e.g. web_computing. Leave the Primary Group as users.
Press OK
Open a terminal and enter this command to restrict ssh access to sftp and scp only, replacing xxxxxxxx with the required username.
usermod -s /usr/bin/rssh xxxxxxxx
That's it, you can now start using your new configuration.