Only wheel group can log in with ssh.

Hi.

I have locked myself out by using chmod. Only users who have been added to the wheel group can log in to the server with ssh, and I don't know which of the chmod commands is responsible for blocking ssh login. Can someone help?
 
I use this little script :p

Code:
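#!/usr/bin/env bash
#
# FreeBSD post-install hardening.
#
# What it does, in order:
#   1. strips "other" access from sensitive configuration files and from the
#      tools that reveal who is logged in (users/w/who/last/lastlogin/...);
#   2. disables rlogin/rsh for everyone and hides nmap/nessus from non-root;
#   3. restricts cron and at to root;
#   4. tightens /root, /, /home, /etc/master.passwd and /var/log;
#   5. sets the immutable flag (schg) on /bin, /sbin and /usr/sbin;
#   6. appends rc.conf and sysctl.conf knobs, each only if not already
#      present, so the script can be re-run without duplicating lines.
#
# Requirements: FreeBSD, run as root.  chflags, rc.conf and sysctl.conf are
# FreeBSD-specific, so the script refuses to run anywhere else.
#
# Reversal: chmod runs with -vv, so the old and new mode of every file is
# printed and a line can be undone with `chmod <old-mode> <path>`.  schg can
# only be removed with `chflags noschg` while kern_securelevel is <= 0, i.e.
# from single-user mode once securelevel 3 is active; securelevel 3 likewise
# blocks updates of the pinned binaries until then.
#
# NOTE(review): the thread reports that after running the posted version only
# wheel members could still log in over ssh.  The replies point at the lines
# that strip world-read from /etc/login* ("chmod 644 /etc/login*" to undo);
# /etc/group is another file unprivileged processes normally expect to read.
# The safe diagnostic is to restore 644 on those files (or reverse every
# chmod) and re-apply one line at a time.  Also confirm that sshd_config has
# no AllowGroups/AllowUsers directive that would explain the symptom on its own.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Apply a chmod mode to each path, printing old and new modes (chmod -vv) so
# the change can be reversed.  Paths that do not exist (e.g. a port that is
# not installed) are skipped with a warning instead of aborting the run.
# Arguments: $1 - mode (symbolic or octal), $2.. - paths
#######################################
set_mode() {
  local mode=$1 path
  shift
  for path in "$@"; do
    if [[ ! -e "$path" ]]; then
      printf 'skip (absent): %s\n' "$path" >&2
      continue
    fi
    chmod -vv "$mode" "$path"
  done
}

#######################################
# Append a line to a config file unless an identical line is already there.
# Arguments: $1 - file, $2 - exact line to append
#######################################
append_once() {
  local file=$1 line=$2
  if grep -qxF -- "$line" "$file" 2>/dev/null; then
    return 0
  fi
  printf '%s\n' "$line" >> "$file"
}

main() {
  [[ $(uname -s) == FreeBSD ]] || die 'this script targets FreeBSD only (chflags, rc.conf, sysctl.conf)'
  (( $(id -u) == 0 )) || die 'must be run as root'

  # --- 1. configuration files: no access for "other" ----------------------
  # NOTE(review): /etc/login.conf and /etc/group are world-readable by default
  # and are read by unprivileged processes; removing o+r here is the leading
  # suspect for the "only wheel can log in" symptom.  If so, chmod 644 them.
  set_mode o= \
    /etc/fstab /etc/ftpusers /etc/group /etc/hosts /etc/hosts.allow \
    /etc/hosts.equiv /etc/hosts.lpd /etc/inetd.conf /etc/login.access \
    /etc/login.conf /etc/newsyslog.conf /etc/rc.conf /etc/ssh/sshd_config \
    /etc/sysctl.conf /etc/syslog.conf /etc/ttys

  # --- 2. tools that reveal who is logged in / accounting / jails ---------
  set_mode o= /usr/bin/users /usr/bin/w /usr/bin/who /usr/bin/lastcomm \
    /usr/sbin/jls /usr/bin/last /usr/sbin/lastlogin

  # rlogin/rsh: clear-text remote shells, disabled for everyone.
  set_mode ugo= /usr/bin/rlogin /usr/bin/rsh

  # Scanners installed from ports: root only.
  set_mode o= /usr/local/bin/nmap /usr/local/bin/nessus

  # --- 3. cron/at: only root may schedule jobs ----------------------------
  printf 'root\n' > /var/cron/allow
  printf 'root\n' > /var/at/at.allow
  set_mode o= /etc/crontab /usr/bin/crontab /usr/bin/at /usr/bin/atq \
    /usr/bin/atrm /usr/bin/batch

  # --- 4. directories and the shadow password file ------------------------
  set_mode 700 /root
  set_mode 751 / /home/
  set_mode 700 /home/*
  set_mode 650 /etc/rc.*          # also re-applies to /etc/rc.conf (step 1)
  set_mode 600 /etc/master.passwd
  set_mode o= /var/log

  # --- 5. immutable system binaries ---------------------------------------
  # With kern_securelevel=3 these cannot be un-flagged or updated until the
  # machine is brought to single-user mode.
  chflags schg /bin/* /sbin/* /usr/sbin/*

  # --- 6. rc.conf ---------------------------------------------------------
  local -a rc_knobs=(
    'kern_securelevel_enable="YES"'
    'kern_securelevel="3"'
    'icmp_drop_redirect="YES"'
    'icmp_log_redirect="YES"'
    'tcp_drop_synfin="YES"'       # fixed: the posted line used typographic quotes (”YES”)
    'log_in_vain="YES"'
    'nfs_server_enable="NO"'
    'nfs_client_enable="NO"'
    'portmap_enable="NO"'
    'icmp_bmcastecho="NO"'
    'icmp_bandlim="YES"'
    'sendmail_enable="NO"'        # listed once; the posted script appended it twice
    'sendmail_submit_enable="NO"'
    'sendmail_outbound_enable="NO"'
    'sendmail_msp_queue_enable="NO"'
    'syslogd_enable="YES"'
    'syslogd_flags="-ss"'
    'update_motd="NO"'
    'accounting_enable="YES"'
    'clear_tmp_enable="YES"'
  )
  local knob
  for knob in "${rc_knobs[@]}"; do
    append_once /etc/rc.conf "$knob"
  done

  # --- 7. sysctl.conf -----------------------------------------------------
  # NOTE(review): two of these loosen rather than harden and are kept only to
  # preserve the posted configuration: net.inet.tcp.syncookies=0 turns SYN
  # cookies off, and security.jail.allow_raw_sockets=1 lets jailed root open
  # raw sockets.  Drop them unless there is a specific reason for each.
  local -a sysctl_knobs=(
    'net.inet.udp.blackhole=1'
    'net.inet.tcp.blackhole=2'
    'net.inet.tcp.log_in_vain=1'
    'net.inet.udp.log_in_vain=1'
    'net.inet.ip.check_interface=1'
    'net.inet.tcp.recvspace=65535'
    'net.inet.tcp.sendspace=65535'
    'net.inet.ip.rtexpire=2'
    'net.inet.ip.rtminexpire=2'
    'net.inet.ip.rtmaxcache=256'
    'security.jail.allow_raw_sockets=1'
    'net.inet.ip.random_id=1'
    'net.inet.tcp.syncookies=0'
    'net.inet.icmp.bmcastecho=0'
    'net.inet.icmp.maskrepl=0'
    'net.inet.icmp.icmplim=50'
    'net.inet.icmp.drop_redirect=1'
    'net.inet.tcp.icmp_may_rst=0'
    'kern.ipc.shmmax=134217728'
    'kern.ipc.shmall=32768'
    'kern.ipc.semmap=256'
  )
  for knob in "${sysctl_knobs[@]}"; do
    append_once /etc/sysctl.conf "$knob"
  done
}

main "$@"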
 
My god man you need to learn about looping!

bryn1u said:
I use this little script :p

Code:
# Quoted from the original post: a FreeBSD hardening script (chmod/chflags,
# then rc.conf and sysctl.conf appends).  The comments mark the lines a
# reviewer would look at first for the "only wheel can log in via ssh" symptom.
#
# Configuration files: world access removed.  /etc/login.conf and /etc/group
# are world-readable by default and are read by unprivileged processes; the
# replies suggest restoring them first (chmod 644 /etc/login*) and then
# re-applying the remaining lines one at a time to find the culprit.
chmod o= /etc/fstab   
chmod o= /etc/ftpusers   
chmod o= /etc/group   
chmod o= /etc/hosts   
chmod o= /etc/hosts.allow   
chmod o= /etc/hosts.equiv
chmod o= /etc/hosts.lpd 
chmod o= /etc/inetd.conf   
chmod o= /etc/login.access   
chmod o= /etc/login.conf 
chmod o= /etc/newsyslog.conf 
chmod o= /etc/rc.conf   
chmod o= /etc/ssh/sshd_config
chmod o= /etc/sysctl.conf 
chmod o= /etc/syslog.conf
chmod o= /etc/ttys

# Tools that reveal who is logged in / process accounting / jail listing.
chmod o= /usr/bin/users
chmod o= /usr/bin/w
chmod o= /usr/bin/who
chmod o= /usr/bin/lastcomm
chmod o= /usr/sbin/jls
chmod o= /usr/bin/last
chmod o= /usr/sbin/lastlogin

# rlogin/rsh disabled for everyone (ugo=), not just for "other".
chmod ugo= /usr/bin/rlogin
chmod ugo= /usr/bin/rsh

# Scanners from ports: these chmods fail harmlessly if the port is absent.
chmod o= /usr/local/bin/nmap
chmod o= /usr/local/bin/nessus

# cron/at restricted to root (single ">" overwrites any existing allow list).
echo "root" > /var/cron/allow
echo "root" > /var/at/at.allow

chmod o= /etc/crontab
chmod o= /usr/bin/crontab
chmod o= /usr/bin/at
chmod o= /usr/bin/atq
chmod o= /usr/bin/atrm
chmod o= /usr/bin/batch

chmod 700 /root
chmod 751 /
chmod 751 /home/
chmod 700 /home/*
# 650 on /etc/rc.* re-applies to /etc/rc.conf (already o= above).
chmod 650 /etc/rc.*
chmod 600 /etc/master.passwd
chmod o= /var/log

# NOTE(review): combined with kern_securelevel=3 below, schg on these trees
# cannot be removed or updated until the box is in single-user mode.
chflags schg /bin/*
chflags schg /sbin/*
chflags schg /usr/sbin/*


# NOTE(review): every line below is appended unconditionally, so each run of
# the script adds another copy to rc.conf / sysctl.conf.
echo 'kern_securelevel_enable="YES"' >> /etc/rc.conf
echo 'kern_securelevel="3"' >> /etc/rc.conf

echo 'icmp_drop_redirect="YES"' >> /etc/rc.conf
echo 'icmp_log_redirect="YES"' >> /etc/rc.conf
# NOTE(review): ”YES” uses typographic (curly) quotes, not ASCII "YES"; rc.conf
# will not read this line as intended.
echo 'tcp_drop_synfin=”YES”' >> /etc/rc.conf

echo 'log_in_vain="YES"' >> /etc/rc.conf

echo 'nfs_server_enable="NO"' >> /etc/rc.conf
echo 'nfs_client_enable="NO"' >> /etc/rc.conf
echo 'portmap_enable="NO"' >> /etc/rc.conf

echo 'icmp_bmcastecho="NO"' >>/etc/rc.conf
echo 'icmp_bandlim="YES"' >> /etc/rc.conf

echo 'sendmail_enable="NO"' >> /etc/rc.conf
echo 'sendmail_submit_enable="NO"' >> /etc/rc.conf
echo 'sendmail_outbound_enable="NO"' >> /etc/rc.conf
echo 'sendmail_msp_queue_enable="NO"' >> /etc/rc.conf
# NOTE(review): duplicate of the sendmail_enable line above.
echo 'sendmail_enable="NO"' >> /etc/rc.conf

echo 'syslogd_enable="YES"' >> /etc/rc.conf
echo 'syslogd_flags="-ss"' >> /etc/rc.conf

echo 'update_motd="NO"' >> /etc/rc.conf
echo 'accounting_enable="YES"' >> /etc/rc.conf
echo 'clear_tmp_enable="YES"' >> /etc/rc.conf
echo 'net.inet.udp.blackhole=1' >> /etc/sysctl.conf
echo 'net.inet.tcp.blackhole=2' >> /etc/sysctl.conf

echo 'net.inet.tcp.log_in_vain=1' >> /etc/sysctl.conf
echo 'net.inet.udp.log_in_vain=1' >> /etc/sysctl.conf

echo 'net.inet.ip.check_interface=1' >> /etc/sysctl.conf
echo 'net.inet.tcp.recvspace=65535' >> /etc/sysctl.conf
echo 'net.inet.tcp.sendspace=65535' >> /etc/sysctl.conf
echo 'net.inet.ip.rtexpire=2' >> /etc/sysctl.conf
echo 'net.inet.ip.rtminexpire=2' >> /etc/sysctl.conf
echo 'net.inet.ip.rtmaxcache=256' >> /etc/sysctl.conf

# NOTE(review): this widens jail privileges (raw sockets for jailed root)
# rather than narrowing them; out of place in a hardening script.
echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf

echo 'net.inet.ip.random_id=1' >> /etc/sysctl.conf
# NOTE(review): syncookies=0 disables SYN cookies, weakening SYN-flood
# resilience; the hardening intent would be 1.
echo 'net.inet.tcp.syncookies=0' >> /etc/sysctl.conf
echo 'net.inet.icmp.bmcastecho=0' >> /etc/sysctl.conf
echo 'net.inet.icmp.maskrepl=0' >> /etc/sysctl.conf
echo 'net.inet.icmp.icmplim=50' >> /etc/sysctl.conf
echo 'net.inet.icmp.drop_redirect=1' >> /etc/sysctl.conf
echo 'net.inet.tcp.icmp_may_rst=0' >> /etc/sysctl.conf

echo 'kern.ipc.shmmax=134217728' >> /etc/sysctl.conf
echo 'kern.ipc.shmall=32768' >> /etc/sysctl.conf
echo 'kern.ipc.semmap=256' >> /etc/sysctl.conf
 
What fluca1978 means is that you should: # chmod 644 /etc/login*
and if that doesn't work, which I think it won't, reverse your script to return your system to its initial state (at least as far as the chmod commands are concerned) and then run each command of your script one by one to see after which one logging in through ssh becomes unavailable. For binaries (everything under */bin/*) I would use: # chmod o+rx /path/to/binaries — and to do it faster I would just do: # chmod o+rx /usr/bin/* /usr/sbin/* /usr/local/bin/* /usr/local/sbin/* /bin/* /sbin/* — and: # chmod o+r /path/to/file
for all other files (non-executable ones).
 
Reinstall and let that be a lesson. Don't just run things that you find on the net if you don't understand what they do.
 