How to Set Up a Secure Chrooted Jail with RSSH

In this guide I will show you how to install and configure rssh (a restricted shell for OpenSSH that allows only scp and/or sftp) on the default SSH port 22, create a chrooted jail for your users, and properly secure it all afterwards.

This method is tried and tested as I originally wrote this for my own benefit when building servers at work.

There are 5 steps:

  1. Installing rssh
  2. Configuring rssh
  3. Building the chrooted jail
  4. Locking it all down
  5. Adding users who get SCP and/or SFTP access to the jail through rssh.

Confirmed compatible with default installations of CentOS 5.2 and Red Hat Enterprise Linux 5.2.

During this guide the CentOS/Redhat default webroot of /var/www/html will be used.

Let’s get started!

1. Installing RSSH

In a terminal (as root) type:
cd /tmp

wget http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.i386.rpm

rpm -ivh rssh-2.3.2-1.2.el5.rf.i386.rpm

This is the 32-bit RPMforge build; on an x86_64 system fetch the matching x86_64 package instead. You are installing a third-party package as root that was fetched over plain HTTP, so import the RPMforge signing key and check the package signature (rpm -K) before the rpm -ivh step.

2. Configuring RSSH

Type (with root privileges):
gedit /etc/rssh.conf
Change the umask from 022 to 002. With 002, directories created over SFTP get mode 775 and new files 664 (scp applies the same mask to the mode of the source file), i.e. they are writable by the group that owns them. That is what lets several users in the same group maintain one site; if you do not want group-writable uploads, leave the umask at 022.
# set the default umask

umask = 002
Uncomment chrootpath and change it to /var/www

# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
chrootpath = /var/www
Uncomment allowscp and allowsftp
allowscp

allowsftp

#allowcvs

#allowrdist

#allowrsync
Save rssh.conf, overwriting the original (you do not need to restart any services: rssh reads this file each time it is invoked).

3. Build the Chrooted Jail

In a terminal type the following lines (remember to be root!):
mkdir -p /var/www/{dev,etc,lib,usr,bin}

mkdir -p /var/www/usr/bin

mkdir -p /var/www/libexec/openssh

mknod -m 666 /var/www/dev/null c 1 3
cd /var/www/etc

cp /etc/ld.so.cache .


cp /etc/ld.so.conf .

cp /etc/nsswitch.conf .

cp /etc/passwd .

cp /etc/group .

cp /etc/hosts .

cp /etc/resolv.conf .
gedit passwd
Gedit will open. Delete the entire contents of the file, save it and close the editor.

Then type:
gedit group
Again, delete the entire contents, save and close. The jail only needs these two files to exist; emptying them stops the jail carrying a list of every account on the host. The only visible effect is that ls -l inside sftp shows numeric uid/gid values instead of names. If you want names, keep just the lines for the jailed users and their groups rather than the whole system list.

Back in the terminal, type:
cd /var/www/usr/bin

cp /usr/bin/scp .

cp /usr/bin/rssh .

cp /usr/bin/sftp .

cd /var/www/libexec/openssh/

cp /usr/libexec/openssh/sftp-server .
Now you need to copy the shared library files into the new folder structure. The easiest way to do this is to use a simple script written by Vivek Gite at nixCraft (nixcraft.com).

In a terminal type:
cd /sbin

wget -O l2chroot http://www.adamhawkins.net/blog/downloads/l2chroot.txt

chmod +x l2chroot

gedit l2chroot
l2chroot will open in gedit. You are about to run a script downloaded over plain HTTP as root, so read it through before going on (it is short: it runs ldd on the binary you give it and copies each library listed under BASE). Then find the following line:
BASE="/webroot"
Change it to:
BASE="/var/www"
Save the file.

In a terminal type:
l2chroot /usr/bin/scp

l2chroot /usr/bin/rssh

l2chroot /usr/bin/sftp

l2chroot /usr/libexec/openssh/sftp-server

Next, make syslog reachable from inside the jail. scp and sftp-server log through /dev/log, which does not exist under /var/www, so tell syslogd to open a second socket there. Type:

gedit /etc/sysconfig/syslog
Find the line:

SYSLOGD_OPTIONS="-m 0"

Change it to:

SYSLOGD_OPTIONS="-m 0 -a /var/www/dev/log"

Save the file.

In a terminal type:
/etc/init.d/syslog restart
Afterwards ls -l /var/www/dev/log should show a socket (file type s). If it does not, the jailed commands still run but their log messages are lost.
Finally, move the folder libexec from /var/www/ to /var/www/usr/, so that sftp-server ends up at /usr/libexec/openssh/sftp-server inside the jail, the same path it has on the host. rssh executes the fixed path it was built with, but inside the jail, so the path must match.
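As an added example (this is not the l2chroot script the guide downloads and not part of rssh), the following bash script does the same job as the copy steps above for any binary: it copies the file and every shared library ldd reports into the jail, keeping the same path inside the jail as on the host. It assumes GNU ldd, awk and cp as found on CentOS 5; the jail path is passed as an argument rather than hard-coded as BASE.

```bash
#!/bin/bash
# jail_install.sh: copy a binary plus the shared libraries it needs into a
# chroot jail, keeping the same paths inside the jail as on the host.
# Added example, not the l2chroot script the guide downloads. Assumes GNU
# ldd/awk/cp (as on CentOS 5); run as root when populating a real jail.
set -u

# Read `ldd BIN` output on stdin and print one absolute library path per line.
# ldd prints three shapes of line; only the first two name a real file:
#   libc.so.6 => /lib/libc.so.6 (0x00110000)   -> /lib/libc.so.6
#   /lib/ld-linux.so.2 (0x00c8c000)            -> /lib/ld-linux.so.2
#   linux-gate.so.1 =>  (0x00bdd000)           -> the vDSO, no file, skipped
parse_ldd() {
    awk '
        /=>/        { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//  { print $1 }
    '
}

# copy_into_jail JAIL SRC: copy SRC to JAIL/SRC, creating parent directories.
# -p keeps the mode so the jail copy is no more permissive than the host file.
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# jail_install JAIL BIN: install BIN and every library ldd reports into JAIL.
jail_install() {
    jail=$1; bin=$2
    copy_into_jail "$jail" "$bin"
    ldd "$bin" | parse_ldd | while read -r lib; do
        copy_into_jail "$jail" "$lib"
    done
}

# Usage for this guide (as root):
#   jail_install /var/www /usr/bin/scp
#   jail_install /var/www /usr/libexec/openssh/sftp-server
```

Run it once per binary you place in the jail; re-run it after any glibc or openssh update, because the copies in the jail do not get updated by yum.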

4. Permissions

In a terminal type:
cd /var/www

chmod -R 700 bin

chmod -R 750 dev

chmod -R 700 error

chmod -R 700 etc

chmod -R 700 icons

chmod -R 750 lib

chmod -R 750 usr

chmod -R 700 cgi-bin

chmod 755 html

chown -R root:users usr

chown -R root:users lib

chown root:users html

chown -R root:users dev

chown -R root:users cgi-bin

chown -R root:root icons

chown -R root:root etc

chown -R root:root error

chown -R root:root bin

cd /var/www/dev

chmod 770 null

The idea is that everything the jailed commands need (usr, lib, dev) is owned by root, readable and executable by group users, and writable by nobody but root; etc and bin are root-only. The jail root /var/www itself must also stay owned by root and not group/other writable. html is deliberately left at 755, so jailed users cannot write into the webroot directly: give each user or team write access to the subdirectory they maintain (owned by their group, mode 775, which is what the 002 umask from step 2 produces). error, icons and cgi-bin are the directories the stock httpd package puts under /var/www; at 700 the apache user can no longer read them, which breaks the default /icons/ and /error/ aliases in httpd.conf, so set them back to 755 if this server also serves pages that rely on them.

5. Add Users with RSSH over SCP and/or SFTP Access to the Jail

Create a strong password, e.g. D4zf96xpvSma
(goodpassword.com is a good place to start if you can't think of one)

Goto System > Administration > Users and Groups

Click Add User

Enter the following:

Username: xxxxxxxxxxx (eg. ahawkins)
Password: xxxxxxxxxxxx

Untick Create a private group for the user.

Press OK

Double-click on the user

Goto the Groups tab

Add the user to other groups depending what they need access to, eg. web_computing. Leave the Primary Group as users.

Press OK

Open a terminal and enter this command to restrict the user's SSH access to sftp and scp only, replacing xxxxxxxx with the username:

usermod -s /usr/bin/rssh xxxxxxxx

Check it: an sftp or scp connection as the user should work and land at the jail root, while a plain ssh login as the user should be refused with rssh's message that the account is restricted. Note that rssh only restricts which command runs; sshd still offers TCP and X11 forwarding to such users unless you turn them off (AllowTcpForwarding no and X11Forwarding no in /etc/ssh/sshd_config; the OpenSSH 4.3 shipped with CentOS 5 has no Match block, so these settings apply to every user).
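Before handing the account over it is worth checking that the permissions from step 4 and the shell change above are what you intended. The script below is an added example (not from this page and not part of rssh) that does that check: it lists anything under the jail a jailed user could write to outside the upload area, confirms the jail root is root-owned and not group/other writable, lists the files the jail must contain, and reads a user's login shell out of a passwd file. It assumes GNU find and stat; the jail path /var/www and upload directory html are the ones this guide uses.

```bash
#!/bin/bash
# jail_audit.sh: sanity checks for the rssh chroot jail built in this guide.
# Added example, not the page's own code. Assumes GNU find/stat (CentOS 5).

# loose_perms JAIL UPLOAD: print every path under JAIL that is writable by
# group or other, skipping the UPLOAD tree (which is meant to be writable)
# and the character/socket nodes in dev. Expected output: nothing. Anything
# listed is a place a jailed user could modify the jail itself.
loose_perms() {
    jail=$1; upload=$2
    find "$jail" -path "$jail/$upload" -prune -o \
        ! -type c ! -type s \( -perm -g+w -o -perm -o+w \) -print | sort
}

# jail_root_ok JAIL: succeed only if JAIL is owned by uid 0 and is not
# writable by group or other. A jail root the user can write to is no jail.
jail_root_ok() {
    [ "$(stat -c %u "$1")" = 0 ] &&
        [ -z "$(find "$1" -maxdepth 0 \( -perm -g+w -o -perm -o+w \))" ]
}

# jail_missing JAIL: print each file rssh needs inside the jail that is absent.
# dev/log is the socket syslogd creates from the -a option set in step 3.
jail_missing() {
    jail=$1
    for f in usr/bin/scp usr/libexec/openssh/sftp-server dev/null dev/log; do
        [ -e "$jail/$f" ] || echo "$f"
    done
}

# login_shell USER [PASSWD_FILE]: print USER's shell field (expect /usr/bin/rssh).
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "${2:-/etc/passwd}"
}

# audit JAIL UPLOAD USER...: run every check, report, return 1 on any problem.
audit() {
    jail=$1; upload=$2; shift 2
    rc=0
    if ! jail_root_ok "$jail"; then
        echo "PROBLEM: $jail must be root-owned and not group/other writable"; rc=1
    fi
    loose=$(loose_perms "$jail" "$upload")
    if [ -n "$loose" ]; then
        echo "PROBLEM: writable outside $upload:"; echo "$loose"; rc=1
    fi
    missing=$(jail_missing "$jail")
    if [ -n "$missing" ]; then
        echo "PROBLEM: missing from jail:"; echo "$missing"; rc=1
    fi
    for u in "$@"; do
        sh=$(login_shell "$u")
        if [ "$sh" != /usr/bin/rssh ]; then
            echo "PROBLEM: $u has shell '${sh:-<no such user>}', not /usr/bin/rssh"; rc=1
        fi
    done
    return $rc
}

# Usage for this guide (as root):
#   audit /var/www html ahawkins
```

Run the audit after every change to the jail or to a user's shell; the only paths it should ever list as writable are the ones you deliberately created under html for uploads.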

That’s it, you can now start using your new configuration.
