possible bug on sshd (LogLevel INFO)


nbari
February 28th, 2009, 08:04
I created a jail and configured sshd on it with the following options:

Port 22
Protocol 2
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
KeyRegenerationInterval 3600
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
PrintLastLog yes
Compression yes
KeepAlive yes
ClientAliveInterval 60
Uselogin no
Banner /etc/ssh/banner
Subsystem sftp /usr/libexec/sftp-server
UseDNS no
MaxStartups 10:30:60
MaxAuthTries 3
UsePrivilegeSeparation yes
StrictModes yes

I started to notice a lot of lines like this in /var/log/auth:

Feb 28 00:47:38 ssh sshd[62899]: login_getclass: unknown class 'staff'
Feb 28 00:47:38 ssh sshd[62899]: login_getclass: unknown class 'staff'

I changed the LogLevel to DEBUG to try to find more info, but to my surprise in DEBUG or VERBOSE mode I never got those lines.

This is the output in VERBOSE mode:

Feb 28 00:51:53 ssh sshd[63025]: warning: /etc/hosts.allow, line 30: can't verify hostname: getaddrinfo(189-228-129-192.static.as29550.net, AF_INET) failed
Feb 28 00:51:53 ssh sshd[63025]: Connection from 189.228.129.192 port 54551
Feb 28 00:51:54 ssh sshd[63025]: Failed none for nbari from 189.228.129.192 port 54551 ssh2
Feb 28 00:51:54 ssh sshd[63025]: Failed publickey for nbari from 189.228.129.192 port 54551 ssh2
Feb 28 00:51:55 ssh sshd[63025]: Accepted password for nbari from 189.228.129.192 port 54551 ssh2
Feb 28 00:51:55 ssh sshd[63025]: User child is on pid 63027

The host server runs FreeBSD 7.1 amd64 and the jail's make.conf looks like:

# BUILD OPTIONS
NO_ACPI= true # do not build acpiconf(8) and related programs
NO_BOOT= true # do not build boot blocks and loader
NO_BLUETOOTH= true # do not build Bluetooth related stuff
NO_FORTRAN= true # do not build g77 and related libraries
NO_GDB= true # do not build GDB
NO_GPIB= true # do not build GPIB support
NO_I4B= true # do not build isdn4bsd package
NO_IPFILTER= true # do not build IP Filter package
NO_PF= true # do not build PF firewall package
NO_AUTHPF= true # do not build and install authpf (setuid/gid)
NO_KERBEROS= true # do not build and install Kerberos 5 (KTH Heimdal)
NO_LPR= true # do not build lpr and related programs
NO_MODULES= true # do not build modules with the kernel
NO_NETCAT= true # do not build netcat
NO_NIS= true # do not build NIS support and related programs
NO_SHAREDOCS= true # do not build the 4.4BSD legacy docs
NO_USB= true # do not build usbd(8) and related programs
NO_VINUM= true # do not build Vinum utilities
NO_ATM= true # do not build ATM related programs and libraries
NO_GAMES= true # do not build games (games/ subdir)
NO_RCMDS= true # do not build or install BSD r* commands (rsh, etc).
NO_INTE6= true # do not build IPv6 related programs and libraries
NO_PROFILE= true # Avoid compiling profiled libraries

# BIND OPTIONS
NO_BIND= true # Do not build any part of BIND
NO_BIND_DNSSEC= true # Do not build dnssec-keygen, dnssec-signzone
NO_BIND_ETC= true # Do not install files to /etc/namedb
NO_BIND_LIBS_LWRES= true # Do not install the lwres library
NO_BIND_MTREE= true # Do not run mtree to create chroot directories
NO_BIND_NAMED= true # Do not build named, rndc, lwresd, etc


And the login.conf of the jail looks like:

default:\
:passwd_format=blf:\
:minpasswordlen=6:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/welcome:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
:path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\
:nologin=/var/run/nologin:\
:coredumpsize=0:\
:cputime=unlimited:\
:datasize=10M:\
:filesize=5m:\
:maxproc=20:\
:memorylocked=7M:\
:memoryuse=15M:\
:openfiles=50:\
:sbsize=unlimited:\
:vmemoryuse:100M:\
:stacksize=2M:\
:priority=5:\
:ignoretime@:\
:requirehome=1:\
:idletime=30:\
:umask=077:

staff:\
:ignorenologin:\
:coredumpsize=0:\
:cputime=unlimited:\
:datasize=unlimited:\
:filesize=unlimited:\
:maxproc=unlimited:\
:memorylocked=unlimited:\
:memoryuse=unlimited:\
:openfiles=unlimited: \
:sbsize=unlimited:\
:vmemoryuse:unlimited:\
:stacksize=unlimited:\
:priority=0: \
:requirehome=0: \
:tc=default:

root:\
:ignorenologin:\
:sbsize=unlimited:\
:tc=staff:

daemon:\
:tc=staff:



Any comments?

cajunman4life
March 1st, 2009, 01:46
This may seem silly, but after editing login.conf you did perform:

cap_mkdb /etc/login.conf

Didn't you?
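A small checker for the two things this thread turns on, the tc= chain in the jail's login.conf and whether cap_mkdb has been rerun since the file changed, added here as an example for this page (it is not code from the thread or from FreeBSD). The login.conf text it parses is constructed in the shape of the one quoted above, and the class names are assumptions:

```python
"""Parse a login.conf (getcap(3) format), resolve tc= chains, and check whether
cap_mkdb needs rerunning. Added example; not code from the thread."""
import os
import re

# Constructed sample in the thread's shape; 'wheel' points at a class that
# does not exist, which is the situation behind an "unknown class" error.
SAMPLE_LOGIN_CONF = (
    "default:\\\n\t:passwd_format=blf:\\\n\t:umask=077:\\\n\t:openfiles=50:\n"
    "staff:\\\n\t:ignorenologin:\\\n\t:openfiles=unlimited:\\\n\t:tc=default:\n"
    "root:\\\n\t:ignorenologin:\\\n\t:tc=staff:\n"
    "wheel:\\\n\t:tc=operators:\n"
)

def parse_login_conf(text):
    """Return {class_name: [capability strings]}; continuation lines are joined."""
    classes = {}
    for line in text.replace("\\\n", "").splitlines():   # join backslash-newline
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]   # ':' separates capabilities
        for name in fields[0].split("|"):               # first field may list aliases
            classes[name] = [f for f in fields[1:] if f]
    return classes

def resolve_class(classes, name, seen=()):
    """Merge capabilities along the tc= chain (tc= last, as in the thread's file).
    Raises KeyError when a class, or a tc= target, is not defined in the file."""
    if name in seen:
        raise ValueError("tc= loop at %r" % name)
    if name not in classes:
        raise KeyError(name)
    merged, own = {}, {}
    for cap in classes[name]:
        if cap.startswith("tc="):
            merged.update(resolve_class(classes, cap[3:], seen + (name,)))
        else:
            own[re.split(r"[=#@]", cap, maxsplit=1)[0]] = cap
    merged.update(own)                                  # own values override inherited
    return merged

def db_is_stale(conf_path, db_path=None):
    """True when login.conf.db is missing or older than login.conf: rerun cap_mkdb."""
    db_path = db_path or conf_path + ".db"
    return (not os.path.exists(db_path)
            or os.path.getmtime(conf_path) > os.path.getmtime(db_path))
```

Run over the file quoted above, parse_login_conf would return `vmemoryuse` and `100M` as two separate boolean fields, because `:` is the capability separator and `=` was intended there.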

nbari
March 2nd, 2009, 00:43
Yes.

bartku
April 11th, 2009, 17:37
For me, the default class didn't work even though I set the user class to default. I had to create a new class and assign users to it.