restricting sftp/ssh login access

2004-06-28 Thread Robert Cates
Hi,

I would like to know if there is a way to restrict user logins to their home
directories (or any other designated directory for that matter) using
sftp/ssh.  I've got my ftp server configured so that normal ftp access is
restricted to their home directories, but since sftp uses (Open)SSH, it uses
the ssh configuration, and I just can't seem to find any mention of how to
do this anywhere (if it's even possible).  I have OpenSSH 3.7 installed on
my Woody server.

Thanks much!
Robert



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: restricting sftp/ssh login access

2004-06-28 Thread Adrian 'Dagurashibanipal' von Bidder
On Monday 28 June 2004 12.17, Robert Cates wrote:
 I would like to know if there is a way to restrict user logins to
 their home directories (or any other designated directory for that
 matter) using sftp/ssh.  I've got my ftp server configured so that

rssh is what you are looking for. Be sure to read and understand the 
README.Debian thoroughly - when you do it wrong, you grant full shell 
access to the accounts, and that's exactly what you don't want, after 
all...

cheers
-- vbi

-- 
If your neighbour praises and congratulates you, he needs something from you.




Re: restricting sftp/ssh login access

2004-06-28 Thread Andreas John
Hi!
1.) Set the user's shell to /bin/false and add it to /etc/shells.
This will prevent ssh access for users, but allows ftp etc.
But what you are asking for is this (I think):
2.) http://chrootssh.sourceforge.net/index.php
Chroot your ssh for non-admin users by
 - patching ssh
 - replacing the user's homedir from /home/username/ to /home/username/./
   (sshd recognizes /./ at the end of the homedir and chroots that user)
 - building a mini-system in the user's homedir (necessary!). I played around 
with that but had not much success because I don't want to set up a 
*real* whole system for every user, because I would run into apt-ing 
problems. I had a look at busybox, which could solve that problem.
If anyone knows how this works (login-shell with busybox-static + basic 
commands) please write a howto for me ;) !

rgds,
Andreas
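
The "build a mini-system in the user's homedir" step above is the part that jailkit and chrootssh automate. As an added example, not code from the thread or from either project, here is a POSIX shell function that copies one binary plus the shared libraries ldd reports for it into a jail, keeping absolute paths so /usr/lib/sftp-server lands at JAIL/usr/lib/sftp-server. It assumes a glibc system with ldd and GNU cp; the jail path and the binaries are whatever you pass in.

```shell
#!/bin/sh
# Copy a dynamically linked binary and its shared libraries into a chroot
# jail, preserving their absolute paths. Added example; assumes glibc's ldd
# and GNU cp (for -L).

# jail_add_binary JAIL PROGRAM
# PROGRAM may be a bare name (resolved with command -v) or an absolute path.
# Prints each path copied; returns 1 if the program cannot be found.
jail_add_binary() {
    jail=$1
    bin=$2
    case $bin in
        /*) ;;
        *) bin=$(command -v "$bin") || return 1 ;;
    esac
    [ -f "$bin" ] || return 1

    # Every absolute path ldd prints: "=> /path" libraries and the dynamic
    # loader, which appears as a bare path. The vDSO has no path and is
    # skipped; a statically linked binary simply yields no libraries.
    deps=$(ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }')
    for p in "$bin" $deps; do
        jail_copy_path "$jail" "$p"
    done
}

# jail_copy_path JAIL PATH: copy PATH to JAIL/PATH, dereferencing symlinks so
# the jail holds a real file, and dropping setuid/setgid bits, which have no
# business inside a jail.
jail_copy_path() {
    target="$1$2"
    mkdir -p "$(dirname "$target")"
    cp -L "$2" "$target"
    chmod u-s,g-s "$target"
    echo "$target"
}

# jail_list JAIL: list the jail contents relative to its root, the way the
# listings in this thread are written.
jail_list() {
    (cd "$1" && find . -mindepth 1 | sort)
}

# Usage, for the sftp case discussed here (hypothetical jail path):
#   jail_add_binary /home/jail /usr/lib/sftp-server
```

The jail must afterwards be owned by root and not writable by the jailed user anywhere except their own directory, otherwise a user can replace one of these copied files and the jail is worth nothing.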


SCSI Controller for Linux

2004-06-28 Thread Andrew Miehs
Hi all,

What SCSI controller is recommended nowadays for connecting an external
U160 SCSI storage system? NCR? Adaptec? Speed is good, STABILITY is most
important however - one will be for a postgres database the other for a
mail server.
Thanks for your help,

Andrew






Re: restricting sftp/ssh login access

2004-06-28 Thread MB
Hi,
It sounds to me like you are looking for a chroot jail for some users. 

apt-get install jailer
( jailer - Builds and maintains chrooted environments )
You will need to run a special daemon (jk_socketd) to log users into the 
jail, but that is about the hardest part.  I'll post my startup script 
if you would like.

Mark
p.s. If this were my machine, I would turn off ftp and only allow sftp, btw.

Andreas John wrote:
Hi!
1.) Set users shell to /bin/false and add it to /etc/shells.
This will prevent ssh access for users, but allows ftp etc.
But what you are asking for is that (I think)
2.) http://chrootssh.sourceforge.net/index.php
Chroot your ssh for non-admin users by
 - patching ssh
 - replacing Users homedir from /home/username/ to /home/username/./
   (sshd recognizes /./ at the end of the homedir and chroots that user
 - build a mini-system in users homedir (necessary!). I played 
around with that but had not much success because I don't want to set 
up a *real* whole system for every user, because I would run in 
apt-ing probs. I had a look at busybox, which could solve that problem.
If anyone knows how this works (login-shell with busybox-static + 
basic commands) please write a howto for me ;) !

rgds,
Andreas




Re: How to prevent being a 'bouncer' of evil mail?

2004-06-28 Thread Kris Deugau
Yves Junqueira wrote:
 On Fri, 25 Jun 2004 18:21:20 -0400, Kris Deugau [EMAIL PROTECTED]
 wrote:
  I've been lucky enough to only work with *nix mail servers except
  for that one Novell system- and it had some advantages I've yet to
  see in any *nix system.  <g>

 Interesting. Was that Novell server old? In what architecture did it
 run on?

x86 Novell Netware 4.11, supporting Novell's Internet Messaging System
mail package.  It had some truly *peculiar* behaviour in some respects,
and some horrible bugs with respect to some DNS-related operations, but
it integrated *very* nicely with the Netware administration system and
was ideal for a small ISP.

 Exchange 2003, the final server in the case I said, is ok. It is not
 that stupid. The problem is with Norton for Gateways. In our current
 setting, it gets the message before Exchange does, and it is very
 dumb.

Ah.  You'd think that a tool designed to integrate in some way with
Exchange would be able to hook in to things like a recipient check.

 We will be removing NAV in the future, when we are more
 confident on Clamav (it still misses some old MS Word Macro
 viruses).

I can't say I've seen much trouble with Clam, and the most recent
release (0.73) has fixed the problems I've had.

 But, hmmm..., even if we didn't have NAV, it wouldn't help much. Let's
 say Postfix (the gateway) delivers the message to Exchange, which is
 smart. Even so, AFAIR, we would have another e-mail created
 notifying the failure, instead of a so desired SMTP error code. After
 Postfix gets the message, it sends a success reply to the client, and
 just then tries to send the mail to the destination, that will give
 postfix a failure reply code. Postfix will then have to send a DSN,
 right?

As a fresh new message, yes.  At least, that's what happens by default
on any MTA I've ever met, in such a setup.

 Or could you issue the RCPT TO command to the other server
 BEFORE sending the final result to the client, in the front server?

Hmm.  I know sendmail doesn't support anything like this out of the
box;  but I don't know for sure about any other MTAs.  I've used a very
nice milter for sendmail (MIMEDefang) to do exactly this- check a
recipient against the next server in the chain when the remote client
server attempts RCPT TO:- and it worked very well.

 The world would be so much easier if Debian ruled from the
 beginning...

*shrug*  I've had some problems using Debian for email handling;  I've
ended up having to build custom .deb's for a number of Perl modules, and
use packages from backports.org to get the functionality I wanted. It
didn't help that in one case I was converting from a RedHat system in
production use.  :/

On the other hand, apt-get is *very* nice...

-kgd
-- 
Sendmail administration is not black magic.  There are legitimate
technical reasons why it requires the sacrificing of a live chicken.
   - Unknown





Re: SCSI Controller for Linux

2004-06-28 Thread Theodore Knab
You can get an IBM server RAID card for about $200.
http://froogle.google.com/froogle?hl=enlr=ie=UTF-8tab=wfq=%22ibm+serveraid+4l%22scoring=p

I like the IBM server RAID card on our mailserver:

01:02.0 RAID bus controller: IBM Netfinity ServeRAID controller
Subsystem: IBM: Unknown device 020e
Flags: bus master, 66Mhz, slow devsel, latency 96, IRQ 21
Memory at f4ffc000 (32-bit, prefetchable) [size=8K]
Expansion ROM at unassigned [disabled] [size=512K]
Capabilities: [80] Power Management version 2

Uses kernel module 'isp.o'

Adaptec also makes good ones.

On 28/06/04 16:12 +0200, Andrew Miehs wrote:
 Hi all,
 
 What SCSI controller is recommended nowadays for connecting an external
 U160 SCSI storage system? NCR? Adaptec? Speed is good, STABILITY is most
 important however - one will be for a postgres database the other for a
 mail server.
 Thanks for your help,
 
 Andrew
 
 
 
 

-- 
--
Ted Knab
Chester, Maryland  21619 USA
--
Conquest is easy. Control is not.
-- Kirk, Mirror, Mirror, stardate unknown






Re: SCSI Controller for Linux

2004-06-28 Thread Michelle Konzack
On 2004-06-28 16:12:19, Andrew Miehs wrote:
Hi all,

What SCSI controller is recommended nowadays for connecting an external
U160 SCSI storage system? NCR? Adaptec? Speed is good, STABILITY is most
important however - one will be for a postgres database the other for a
mail server.

Adaptec is good, but IPC Vortex is better.

Thanks for your help,

Andrew

Greetings
Michelle

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/ 
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: restricting sftp/ssh login access

2004-06-28 Thread MB
John,

First off, I made a small mistake, the package I used was jailkit,
from either:

http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
or
http://freshmeat.net/projects/jailkit/

It has tons of documentation to help you create a jailed environment,
including loading your jail with whatever executables needed.

Looks like I simplified my script to one line:

---
#!/bin/bash

/usr/sbin/jk_socketd


This produces a group of daemonized processes:
nobody   13659 13658  0 Apr18 ?00:00:00 [jk_socketd]


but I think that I had a much more elaborate script to
{start|stop|restart} this daemon, something like:


/etc/init.d/chroot_jail

#!/bin/bash

# Start, stop or restart jk_socketd via start-stop-daemon.
case "$1" in
  start)
    echo -n "Starting Chroot Jail Server: chroot jail"
    start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid \
        --exec /usr/sbin/jk_socketd --
    echo "."
    ;;
  stop)
    echo -n "Stopping Chroot Jail Server: chroot jail"
    start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/jk_socketd.pid
    echo "."
    ;;

  restart)
    echo -n "Restarting Chroot Jail Server: chroot jail"
    start-stop-daemon --stop --quiet --oknodo --retry 30 \
        --pidfile /var/run/jk_socketd.pid
    start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid \
        --exec /usr/sbin/jk_socketd --
    echo "."
    ;;

  *)
    echo "Usage: /etc/init.d/chroot_jail {start|stop|restart}"
    exit 1
    ;;
esac

exit 0
---


Mark


--- Andreas John [EMAIL PROTECTED] wrote:
 Hi Mark!
 
  You will need to run a special daemon (jk_socketd) to log users
 into the 
  jail, but that is about the hardest part.  I'll post my startup
 script 
  if you would like.
 
 Do I need the ssh-patch if I run this jk_socketd? Does it replace
 that 
 patch? It's pain in the ass to maintain an ssh package that is
 separate 
 from the debian tree.
 
 And yes - please post me that startup-script. Would be nice.
 
 Best regards and many penguins,
 Andreas
 
 
 -- 
 Andreas John
 net-lab GmbH
 Luisenstrasse 30b
 63067 Offenbach
 Tel: +49 69 85700331
 
 http://www.net-lab.net
 





Re: restricting sftp/ssh login access

2004-06-28 Thread MB
John,

Looks like there is a debian package created for jailkit now:

http://olivier.sessink.nl/jailkit/jailkit_0.9-1_i386.deb

md5 sums for these packages:
de67f1dbf6cec002290fe4faadf53821  jailkit_0.9-1_i386.deb

Mark

--- MB [EMAIL PROTECTED] wrote:
 John,
 
 First off, I make a small mistake, the package I used was jailkit,
 from either:
 
 http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
 or
 http://freshmeat.net/projects/jailkit/
 
 It has tons of documentation to help you create a jailed environment,
 including loading your jail with whatever executables needed.
 
 Looks like I simplified my script to one line:
 
 ---
 #!/bin/bash
 
 /usr/sbin/jk_socketd
 
 
 This produces a group of daemonized processes:
 nobody   13659 13658  0 Apr18 ?00:00:00 [jk_socketd]
 
 
 but I think that I had a much more elaborate script to
 {start|stop|restart} this daemon, something like:
 
 
 /etc/init.d/chroot_jail
 
 #!/bin/bash
 
 case $1 in
   start)
 echo -n Starting Chroot Jail Server: chroot jail
 start-stop-daemon --start --quiet --pidfile
 /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd -- 
 echo .
 ;;
   stop)
 echo -n Stopping Chroot Jail Server: chroot jail
 start-stop-daemon --stop --quiet --oknodo --pidfile
 /var/run/jk_socketd.pid
 echo .
 ;;
 
   restart)
 echo -n Restarting Chroot Jail Server: chroot jail   
 start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile
 /var/run/jk_socketd.pid
 start-stop-daemon --start --quiet --pidfile
 /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd -- 
 echo .
 ;;
 
   *)
 echo Usage: /etc/init.d/chroot_jail {start|stop|restart}
 exit 1
 esac
 
 exit 0
 ---
 
 
 Mark
 
 
 --- Andreas John [EMAIL PROTECTED] wrote:
  Hi Mark!
  
   You will need to run a special daemon (jk_socketd) to log users
  into the 
   jail, but that is about the hardest part.  I'll post my startup
  script 
   if you would like.
  
  Do I need the ssh-patch if I run this jk_socketd? Does it replace
  that 
  patch? It's pain in the ass to maintain an ssh package that is
  seperate 
  from the debian tree.
  
  And yes - please post me that startup-script. Would be nice.
  
  Best regards and many pengiuns,
  Andreas
  
  
  -- 
  Andreas John
  net-lab GmbH
  Luisenstrasse 30b
  63067 Offenbach
  Tel: +49 69 85700331
  
  http://www.net-lab.net
  
 
 
 
 





Re: restricting sftp/ssh login access

2004-06-28 Thread Robert Cates
Hi, and thanks for the quick replies!
Just to be a bit clearer in what I'm asking: I would like to be able to
allow my customers to access their accounts (update their web sites) with
sftp which as I understand it is an extension to (Open)SSH, and not FTP.  I
know for example that the Windows application - WS_FTP Pro - has an option
to use sftp/ssh on port 22 and when I tested it, I landed way up at root
/.  So, I'd like to be able to allow secure access, but with an ftp client
like WS_FTP Pro using sftp, and not a Secure SHell.  I have my server set up
so that the customer can use SSH to change their password, and that's all
they can do with SSH.

Is there nothing in the ssh_config or sshd_config which can be set to
restrict sftp access to a designated directory?

It seems to me that the patched OpenSSH way that Hiren pointed out is
workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html but I'm
open to other maybe better ways.

Thanks again,
Robert
- Original Message - 
From: MB [EMAIL PROTECTED]
To: Andreas John [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, June 28, 2004 6:47 PM
Subject: Re: restricting sftp/ssh login access


 John,

 First off, I make a small mistake, the package I used was jailkit,
 from either:

 http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
 or
 http://freshmeat.net/projects/jailkit/

 It has tons of documentation to help you create a jailed environment,
 including loading your jail with whatever executables needed.

 Looks like I simplified my script to one line:

 ---
 #!/bin/bash

 /usr/sbin/jk_socketd
 

 This produces a group of daemonized processes:
 nobody   13659 13658  0 Apr18 ?00:00:00 [jk_socketd]


 but I think that I had a much more elaborate script to
 {start|stop|restart} this daemon, something like:


 /etc/init.d/chroot_jail
 
 #!/bin/bash

 case $1 in
   start)
 echo -n Starting Chroot Jail Server: chroot jail
 start-stop-daemon --start --quiet --pidfile
 /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd -- 
 echo .
 ;;
   stop)
 echo -n Stopping Chroot Jail Server: chroot jail
 start-stop-daemon --stop --quiet --oknodo --pidfile
 /var/run/jk_socketd.pid
 echo .
 ;;

   restart)
 echo -n Restarting Chroot Jail Server: chroot jail
 start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile
 /var/run/jk_socketd.pid
 start-stop-daemon --start --quiet --pidfile
 /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd -- 
 echo .
 ;;

   *)
 echo Usage: /etc/init.d/chroot_jail {start|stop|restart}
 exit 1
 esac

 exit 0
 ---


 Mark


 --- Andreas John [EMAIL PROTECTED] wrote:
  Hi Mark!
 
   You will need to run a special daemon (jk_socketd) to log users
  into the
   jail, but that is about the hardest part.  I'll post my startup
  script
   if you would like.
 
  Do I need the ssh-patch if I run this jk_socketd? Does it replace
  that
  patch? It's pain in the ass to maintain an ssh package that is
  seperate
  from the debian tree.
 
  And yes - please post me that startup-script. Would be nice.
 
  Best regards and many pengiuns,
  Andreas
 
 
  -- 
  Andreas John
  net-lab GmbH
  Luisenstrasse 30b
  63067 Offenbach
  Tel: +49 69 85700331
 
  http://www.net-lab.net
 










RE: restricting sftp/ssh login access

2004-06-28 Thread Ehren Wilson
The cleanest way I have found was using rssh.  All you do is change the
shell to /usr/bin/rssh.  The only issue I have with it is that to jail them
to their home directory you need a separate chroot for each folder of the
following.  I jailed the /home folder and thus only need one jail, if you
want each user to be jailed to ~/ as / then you need a separate jail for
each user through copying or linking the files.


Ehren Wilson

jail components:
./etc
./etc/ld.so.cache
./etc/ld.so.conf
./usr
./usr/bin
./usr/bin/scp
./usr/lib
./usr/lib/i686
./usr/lib/i686/cmov
./usr/lib/i686/cmov/libcrypto.so.0.9.7
./usr/lib/libz.so.1
./usr/lib/rssh
./usr/lib/rssh/rssh_chroot_helper
./usr/lib/sftp-server

 -Original Message-
 From: Robert Cates [mailto:[EMAIL PROTECTED]
 Sent: Monday, June 28, 2004 11:54 AM
 To: [EMAIL PROTECTED]
 Cc: Andreas John; MB; [EMAIL PROTECTED]
 Subject: Re: restricting sftp/ssh login access


 Hi, and thanks for the quick replies!
 Just to be a bit clearer in what I'm asking: I would like to be able to
 allow my customers to access their accounts (update their web sites) with
 sftp which as I understand it is an extention to (Open)SSH, and
 not FTP.  I
 know for example that the Windows application - WS_FTP Pro - has an option
 to use sftp/ssh on port 22 and when I tested it, I landed way up at root
 /.  So, I'd like to be able to allow secure access, but with an
 ftp client
 like WS_FTP Pro using sftp, and not a Secure SHell.  I have my
 server setup
 so that the customer can use SSH to change their password, and that's all
 they can do with SSH.

 Is there nothing in the ssh_config or sshd_config which can be set to
 restrict sftp access to a designated directory?

 It seems to me that the patched OpenSSH way that Hiren pointed out is
 workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html but I'm
 open to other maybe better ways.

 Thanks again,
 Robert
 - Original Message -
 From: MB [EMAIL PROTECTED]
 To: Andreas John [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Monday, June 28, 2004 6:47 PM
 Subject: Re: restricting sftp/ssh login access


  John,
 
  First off, I make a small mistake, the package I used was jailkit,
  from either:
 
  http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
  or
  http://freshmeat.net/projects/jailkit/
 
  It has tons of documentation to help you create a jailed environment,
  including loading your jail with whatever executables needed.
 
  Looks like I simplified my script to one line:
 
  ---
  #!/bin/bash
 
  /usr/sbin/jk_socketd
  
 
  This produces a group of daemonized processes:
  nobody   13659 13658  0 Apr18 ?00:00:00 [jk_socketd]
 
 
  but I think that I had a much more elaborate script to
  {start|stop|restart} this daemon, something like:
 
 
  /etc/init.d/chroot_jail
  
  #!/bin/bash
 
  case $1 in
start)
  echo -n Starting Chroot Jail Server: chroot jail
  start-stop-daemon --start --quiet --pidfile
  /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
  echo .
  ;;
stop)
  echo -n Stopping Chroot Jail Server: chroot jail
  start-stop-daemon --stop --quiet --oknodo --pidfile
  /var/run/jk_socketd.pid
  echo .
  ;;
 
restart)
  echo -n Restarting Chroot Jail Server: chroot jail
  start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile
  /var/run/jk_socketd.pid
  start-stop-daemon --start --quiet --pidfile
  /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
  echo .
  ;;
 
*)
  echo Usage: /etc/init.d/chroot_jail {start|stop|restart}
  exit 1
  esac
 
  exit 0
  ---
 
 
  Mark
 
 
  --- Andreas John [EMAIL PROTECTED] wrote:
   Hi Mark!
  
You will need to run a special daemon (jk_socketd) to log users
   into the
jail, but that is about the hardest part.  I'll post my startup
   script
if you would like.
  
   Do I need the ssh-patch if I run this jk_socketd? Does it replace
   that
   patch? It's pain in the ass to maintain an ssh package that is
   seperate
   from the debian tree.
  
   And yes - please post me that startup-script. Would be nice.
  
   Best regards and many pengiuns,
   Andreas
  
  
   --
   Andreas John
   net-lab GmbH
   Luisenstrasse 30b
   63067 Offenbach
   Tel: +49 69 85700331
  
   http://www.net-lab.net
  





Re: restricting sftp/ssh login access

2004-06-28 Thread Robert Cates
Hi,

I don't exactly like the idea of having to set up a mini-system in
everybody's home dir, so maybe the Jailkit will be the answer (?).  Somehow
I'm a little surprised that the OpenSSH project hasn't provided this feature
in SSH and sftp that I'm looking for.  Maybe somebody knows the reason why?
I think my next e-mail will be to the OpenSSH project ;-)

Thanks,
Robert
- Original Message - 
From: Andreas John [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: Robert Cates [EMAIL PROTECTED]
Sent: Monday, June 28, 2004 2:28 PM
Subject: Re: restricting sftp/ssh login access


 Hi!

 1.) Set users shell to /bin/false and add it to /etc/shells.
 This will prevent ssh access for users, but allows ftp etc.

 But what you are asking for is that (I think)
 2.) http://chrootssh.sourceforge.net/index.php
 Chroot your ssh for non-admin users by
   - patching ssh
   - replacing Users homedir from /home/username/ to /home/username/./
 (sshd recognizes /./ at the end of the homedir and chroots that user
   - build a mini-system in users homedir (necessary!). I played around
 with that but had not much success because I don't want to set up a
 *real* whole system for every user, because I would run in apt-ing
 probs. I had a look at busybox, which could solve that problem.
 If anyone knows how this works (login-shell with busybox-static + basic
 commands) please write a howto for me ;) !

 rgds,
 Andreas










RE: restricting sftp/ssh login access

2004-06-28 Thread MB
I agree that a jail is the cleanest way.  My setup is as follows:

chroot jail:
/home/jailedUsers


dirs and files within the jail:
./lib
./lib/libnsl.so.1
./lib/libnsl-2.3.2.so
./lib/libc.so.6
./lib/libc-2.3.2.so
./lib/ld-linux.so.2
./lib/ld-2.3.2.so
./lib/libnss_compat.so.2
./lib/libnss_compat-2.3.2.so
./lib/libnss_files.so.2
./lib/libnss_files-2.3.2.so
./lib/libresolv.so.2
./lib/libresolv-2.3.2.so
./lib/libutil.so.1
./lib/libutil-2.3.2.so
./lib/libcrypt.so.1
./lib/libcrypt-2.3.2.so
./lib/libdl.so.2
./lib/libdl-2.3.2.so
./lib/libncurses.so.5
./lib/libncurses.so.5.4
./lib/librt.so.1
./lib/librt-2.3.2.so
./lib/libpthread.so.0
./lib/libpthread-0.10.so
./lib/libacl.so.1
./lib/libacl.so.1.1.0
./lib/libattr.so.1
./lib/libattr.so.1.1.0
./lib/libm.so.6
./lib/libm-2.3.2.so
./lib/libpam.so.0
./lib/libpam_misc.so.0
./etc
./etc/nsswitch.conf
./etc/passwd
./etc/group
./etc/jailkit
./etc/jailkit/jk_lsh.ini
./etc/resolv.conf
./etc/host.conf
./etc/hosts
./etc/protocols
./etc/motd
./etc/issue
./etc/bash.bashrc
./etc/profile
./etc/terminfo -- bunch of dirs in here ---
./usr
./usr/bin
./usr/bin/jk_lsh
./usr/bin/ssh
./usr/bin/nvi
./usr/bin/scp
./usr/bin/awk
./usr/bin/bzip2
./usr/bin/bunzip2
./usr/bin/away
./usr/lib
./usr/lib/sftp-server
./usr/lib/i586
./usr/lib/i586/libcrypto.so.0.9.7
./usr/lib/libz.so.1
./usr/lib/libz.so.1.2.1
./usr/lib/libbz2.so.1.0
./usr/lib/libbz2.so.1.0.2
./dev
./dev/urandom
./dev/tty
./dev/log
./bin
./bin/sh
./bin/bash
./bin/ls
./bin/cat
./bin/chmod
./bin/mkdir
./bin/cp
./bin/cpio
./bin/date
./bin/dd
./bin/echo
./bin/egrep
./bin/false
./bin/sleep
./home
./home/drocke
./root

And only allowing the user write access to his/her own directory
(within the jail) will limit the liability to the system.

Mark

--- Ehren Wilson [EMAIL PROTECTED] wrote:
 The cleanest way I have found was using rssh.  All you do is change
 the
 shell to /usr/bin/rssh.  The only issue I have with it is that to
 jail them
 to their home directory you need a separate chroot for each folder of
 the
 following.  I jailed the /home folder and thus only need one jail, if
 you
 want each user to be jailed to ~/ as / then you need a separate jail
 for
 each user through copying or linking the files.
 
 
 Ehren Wilson
 
 jail components:
 ./etc
 ./etc/ld.so.cache
 ./etc/ld.so.conf
 ./usr
 ./usr/bin
 ./usr/bin/scp
 ./usr/lib
 ./usr/lib/i686
 ./usr/lib/i686/cmov
 ./usr/lib/i686/cmov/libcrypto.so.0.9.7
 ./usr/lib/libz.so.1
 ./usr/lib/rssh
 ./usr/lib/rssh/rssh_chroot_helper
 ./usr/lib/sftp-server
 
  -Original Message-
  From: Robert Cates [mailto:[EMAIL PROTECTED]
  Sent: Monday, June 28, 2004 11:54 AM
  To: [EMAIL PROTECTED]
  Cc: Andreas John; MB; [EMAIL PROTECTED]
  Subject: Re: restricting sftp/ssh login access
 
 
  Hi, and thanks for the quick replies!
  Just to be a bit clearer in what I'm asking: I would like to be
 able to
  allow my customers to access their accounts (update their web
 sites) with
  sftp which as I understand it is an extention to (Open)SSH, and
  not FTP.  I
  know for example that the Windows application - WS_FTP Pro - has an
 option
  to use sftp/ssh on port 22 and when I tested it, I landed way up at
 root
  /.  So, I'd like to be able to allow secure access, but with an
  ftp client
  like WS_FTP Pro using sftp, and not a Secure SHell.  I have my
  server setup
  so that the customer can use SSH to change their password, and
 that's all
  they can do with SSH.
 
  Is there nothing in the ssh_config or sshd_config which can be set
 to
  restrict sftp access to a designated directory?
 
  It seems to me that the patched OpenSSH way that Hiren pointed out
 is
  workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html
 but I'm
  open to other maybe better ways.
 
  Thanks again,
  Robert
  - Original Message -
  From: MB [EMAIL PROTECTED]
  To: Andreas John [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Sent: Monday, June 28, 2004 6:47 PM
  Subject: Re: restricting sftp/ssh login access
 
 
   John,
  
   First off, I make a small mistake, the package I used was
 jailkit,
   from either:
  
  
 http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
   or
   http://freshmeat.net/projects/jailkit/
  
   It has tons of documentation to help you create a jailed
 environment,
   including loading your jail with whatever executables needed.
  
   Looks like I simplified my script to one line:
  
   ---
   #!/bin/bash
  
   /usr/sbin/jk_socketd
   
  
   This produces a group of daemonized processes:
   nobody   13659 13658  0 Apr18 ?00:00:00 [jk_socketd]
  
  
   but I think that I had a much more elaborate script to
   {start|stop|restart} this daemon, something like:
  
  
   /etc/init.d/chroot_jail
   
   #!/bin/bash
  
   case $1 in
 start)
   echo -n Starting Chroot Jail Server: chroot jail
   start-stop-daemon --start --quiet --pidfile
   /var/run/jk_socketd.pid --exec 
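
Two defensive points are made in this thread: a wrongly built jail hands out full access (the rssh warning earlier), and the jailed user should be able to write only to their own directory (the remark just above). Both can be checked mechanically. The following is an added example, not code from the thread, jailkit or rssh: a POSIX shell function that audits a jail tree for entries that are not owned by the expected uid or are group/world-writable outside the user's own subdirectory, plus a function that prints the sshd_config Match block with which OpenSSH 4.9 and later does this job natively (ChrootDirectory with the in-process sftp server, so the jail needs no binaries at all; it is not available in the OpenSSH 3.7 mentioned here). The jail path, user name and the optional owner-uid parameter are assumptions; sshd itself insists that every component of ChrootDirectory be root-owned and not group/world-writable, which is the same rule the audit applies inside the jail. It assumes GNU find on Linux.

```shell
#!/bin/sh
# Audit a chroot jail used for sftp/scp, and emit the native OpenSSH (>= 4.9)
# configuration that makes patched-sshd / rssh jails unnecessary.
# Added example; assumes GNU find (-uid, -perm /mode) on Linux.

# audit_jail JAIL USER_SUBDIR [OWNER_UID]
# Everything in JAIL except the tree under JAIL/USER_SUBDIR must be owned by
# OWNER_UID (default 0, i.e. root, which is what sshd's ChrootDirectory
# demands) and must not be writable by group or others. Symlinks are skipped
# (their mode bits are meaningless). Offending paths are printed; returns 1
# if any were found, 0 if the jail is clean, 2 if JAIL is not a directory.
audit_jail() {
    jail=$1
    user_sub=$2
    owner=${3:-0}
    [ -d "$jail" ] || { echo "no such jail: $jail" >&2; return 2; }
    jail=$(cd "$jail" && pwd -P)   # normalise so -path matches exactly

    bad=$(find "$jail" -path "$jail/$user_sub" -prune -o \
               ! -type l \( ! -uid "$owner" -o -perm /022 \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# sftp_chroot_match_block USER JAIL
# Print the sshd_config fragment that confines USER to JAIL with the
# in-process sftp server and no forwarding; JAIL must be root-owned and not
# group/world-writable along its whole path, or sshd refuses the login.
sftp_chroot_match_block() {
    cat <<EOF
Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Usage (hypothetical paths):
#   audit_jail /home/jailedUsers home/drocke && echo "jail is clean"
#   sftp_chroot_match_block drocke /home/jailedUsers >> /etc/ssh/sshd_config
```

Run the audit after every change to the jail (and after package upgrades that replace copied binaries), and check sshd_config with `sshd -t` after appending the Match block.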

nat ipchains on debian woody

2004-06-28 Thread Francisco Castillo




Hello Gurus, 

I have installed a Debian woody with two interfaces, 
eth0 and eth1. I have configured the internet connection on eth0, which 
has a static IP on the internet. And on eth1 I want to put an interface to do a 
proxy NAT gateway on my internal LAN (I want to put 192.168.0.1 on it). 

I have read a doc on how to do it, but when I apply this doc 
I get a "your kernel seems to not support ipchains" message when I try to do 
this. After this I have the 192.168.0.1 IP on eth1, but my PCs on the internal LAN 
can't get internet access through eth0 (the internet connection). 

I think that the problem is that the kernel does 
not have IP masquerade support (NAT support), so I think that this is the only 
step I need to do in order to correctly apply the steps of the configuration that 
I have a problem with. So 

Do you know how to get NAT (IP masquerade 
support) on a Debian woody kernel in order to solve my problem? 

What exactly does the command "apt-get install ipmasq" do in this context?

Thanks in advance, 

Francisco. 



weird http probes

2004-06-28 Thread Joris
Hi,


I noticed the following just now in my apache logs:

208.200.158.49 - - [28/Jun/2004:20:11:46 +0200] "GET / HTTP/1.0" 200 6137 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /index.php HTTP/1.0" 404 269 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /main.php HTTP/1.0" 404 268 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /test.php HTTP/1.0" 404 268 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:01 +0200] "GET /index.php3 HTTP/1.0" 404 270 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:01 +0200] "GET /phpinfo.php HTTP/1.0" 200 14249 "-" "-"


What could this be?

I run a very small webserver on this host (just a few personal docs
actually, not even a 'site'), and as far as I know I haven't signed up for
some kind of security probe lately.

Notice the very uncool double reverse resolve of that ip:
$ host 208.200.158.49
49.158.200.208.in-addr.arpa domain name pointer nth1.net1plus.com.
49.158.200.208.in-addr.arpa domain name pointer web.rresults.com.
I don't have any connection to those companies.

I don't know what's the dominant feeling on this right now...
I'm concerned this might be some kind of security scan (not worried about
that machine, but just about a new attack in general).
I'm a little angry because I might be used in online statistics without
my permission, and I fear for my privacy if I've ended up on some probe
these hosts list.


Could someone shed some light on this?

-- 
Greetings,
 Joris [EMAIL PROTECTED]
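
What the log in this post shows, beyond the scan itself, is that /phpinfo.php answered 200 with about 14 KB: the probe found a page that discloses the PHP configuration, so the 404s are the noise and the 200 is the finding. As an added example that is not part of the original post, the following POSIX shell/awk function reads an Apache combined-format access log, reports source addresses with a burst of 404s, and separately flags any 2xx answer to well-known disclosure paths. The sample log is constructed after the lines in the post (with a second, harmless client added); the threshold and the path list are assumptions.

```shell
#!/bin/sh
# Spot scan bursts and information-disclosure hits in an Apache access log
# (combined format). Added example; the awk used is POSIX, any awk will do.

# Constructed sample, modelled on the log lines in the post above, plus one
# ordinary visitor (192.0.2.10, a documentation prefix) for contrast.
sample_log() {
    cat <<'EOF'
208.200.158.49 - - [28/Jun/2004:20:11:46 +0200] "GET / HTTP/1.0" 200 6137 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /index.php HTTP/1.0" 404 269 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /main.php HTTP/1.0" 404 268 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /test.php HTTP/1.0" 404 268 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:01 +0200] "GET /index.php3 HTTP/1.0" 404 270 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:01 +0200] "GET /phpinfo.php HTTP/1.0" 200 14249 "-" "-"
192.0.2.10 - - [28/Jun/2004:20:30:00 +0200] "GET /docs/notes.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Jun/2004:20:30:05 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
EOF
}

# scan_probes LOGFILE [MIN_404S]
# Prints one line per finding:
#   PROBE   <ip> <n> 404s        at least MIN_404S (default 3) misses from one address
#   EXPOSED <ip> <path> <bytes>  a 2xx answer to a path that leaks configuration
scan_probes() {
    awk -v min="${2:-3}" '
    # Combined format fields: 1=client 4=[date 5=zone] 6="method 7=path 8=proto" 9=status 10=bytes
    $9 == 404 { miss[$1]++ }
    $9 ~ /^2/ && $7 ~ /^\/(phpinfo|info|test)\.php($|\?)/ {
        printf "EXPOSED %s %s %s\n", $1, $7, $10
    }
    END {
        for (ip in miss)
            if (miss[ip] >= min) printf "PROBE %s %d 404s\n", ip, miss[ip]
    }' "$1"
}

# Usage: scan_probes /var/log/apache/access.log 3
```

The EXPOSED line is the one to act on: remove or access-restrict the disclosing page. The PROBE lines are useful for rate limiting or for correlating the same source across hosts, but on their own they only tell you that someone is scanning, which is a constant condition on the public internet.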





Re: nat ipchains on debian woody

2004-06-28 Thread MB
Have you tried iptables instead?  If your kernel supports iptables,
then:

echo 1 > /proc/sys/net/ipv4/ip_forward
for dev in eth0 eth1; do echo 1 > /proc/sys/net/ipv4/conf/$dev/rp_filter; done

# nat/POSTROUTING runs after routing and can only match the outgoing
# interface (-o); iptables rejects an -i match in that chain.
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

iptables also does the firewalling in other chains, btw

Mark

--- Francisco Castillo [EMAIL PROTECTED] wrote:
> 
> Hello Gurus,
> 
> I have installed a debian woody with two interfaces eth0 and eth1. I
> have configured the internet connection on eth0 which has got a static
> ip on internet. And on eth1 I want to put an interface to do a proxy
> nat gateway on my internal lan (I want to put a 192.168.0.1 on it).
> 
> I have read doc to do it but when I apply this doc I have a "your
> kernel seems to not support ipchains" message when I try to do this.
> After this I have a 192.168.0.1 ip on eth1 but my pc's on the
> internal lan can't have internet access through the eth0 (internet
> connection).
> 
> I think that the problem is that the kernel does not have
> ipmasquerade support (NAT support), so I think that this is the only
> step I need to do in order to apply correctly the steps of the
> configuration that I have a problem with. So
> 
> Do you know how to give NAT (ipmasquerade support) on a debian
> woody kernel in order to solve my problem?
> 
> What exactly does the command "apt-get install ipmasq" do in this context?
> 
> Thanks in advance,
> 
> Francisco.
> 





Re: nat ipchains on debian woody

2004-06-28 Thread Christoph Löffler
Hello Francisco,

Francisco Castillo wrote:
> I have read doc to do it but when I apply this doc I have a "your
> kernel seems to not support ipchains" message when I try to do
> this.

For what reason do you want to use ipchains? If you just set up
debian successfully I think you also have a current kernel (>= 2.4.x).

From version 2.4.x there is a new packet filter which is called
iptables. On www.netfilter.org you find a lot of documentation.

> Do you know how to give NAT (ipmasquerade support) on a debian
> woody kernel in order to solve my problem?

Sorry, do not know about that.

Chris

Re: nat ipchains on debian woody

2004-06-28 Thread Francisco Castillo
Hi Mark,

I have tested your script but my woody gives me this response:

morpheo:~# cat compartir2
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter

iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -i eth1 -o eth0 -j MASQUERADE

morpheo:~# ./compartir2
modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `nat': iptables who? (do
you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
morpheo:~#

What can I do to solve this new issue?

My first script, which used ipchains, was this:

morpheo:~# cat compartir

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -j MASQ -s 192.168.0.0/16

Thanks in advance,





Re: restricting sftp/ssh login access

2004-06-28 Thread Jason Lim
how about using rbash? Only does the shell part, and it is not very hard
to break out of the jail, but then again, allowing shell when you think
users are going to purposely try to break it isn't a good idea...





Re: nat ipchains on debian woody

2004-06-28 Thread Enrique Dorantes
On Mon, 28 Jun 2004 21:35:40 +0200
Christoph Löffler [EMAIL PROTECTED] wrote:
Hello Francisco:
The first thing you must do is to install a kernel with IPTABLES support; the
ipchains is not recommendable for kernels up to 2.4. The kernel packages of woody
distro have this support.
Next you MUST install iptables: apt-get install iptables
Then you should enable ip forward and ipfilter, with the instructions early mentioned
by Mark, but if you want to run a proxy ip forward is not necessary.

You must read a lot of documentation of Squid and IPtables

Enrique Dorantes

Now in Spanish,

Hello Francisco:

The first thing you have to do is to get a kernel that supports iptables; ipchains is
discontinued.
Then you have to install iptables: apt-get install iptables
Then do what you were told before: enable ip forward (which is not
necessary if you are going to set up a proxy) and ipfilter.

You have to read a lot of Squid and iptables documentation.

Regards
Enrique




Re: nat ipchains on debian woody

2004-06-28 Thread Francisco Castillo
Enrique,

I'm a novice on debian, I have decided recently to change from redhat or
mandrake (fatal experience in two years), so excuse my ignorance.

First I don't know how to do this step: "The first thing you must do is to
install a kernel with IPTABLES support".
How can I do it? How can I test if it is on my server?

Second, I have seen this on my server:

morpheo:~# apt-get install iptables
Reading Package Lists... Done
Building Dependency Tree... Done
Sorry, iptables is already the newest version.
0 packages upgraded, 0 newly installed, 0 to remove and 0  not upgraded.
morpheo:~#

It seems that iptables is installed, but the previous errors said that iptables
was not available.

Thanks in advance, and for your Spanish response; I have poor English too.

Francisco.






Re: nat ipchains on debian woody

2004-06-28 Thread MB
Christoph,

You are right. Looks like he should also modprobe or insmod iptables
and many other modules.  I insmod a whole list of routing modules:

ipt_REDIRECT 
ipt_MASQUERADE  
iptable_mangle  
iptable_nat
ipt_REJECT  
iptable_filter  
ip_tables  

( and some others... )

Mark
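
Putting Mark's two messages together, as an added example rather than a script from the thread: load the netfilter modules he lists and confirm the kernel actually registered the nat table (the check behind Francisco's "Can't locate module ip_tables" error), then install the masquerading rules through iptables-restore with a default-deny FORWARD chain, which Francisco's ipchains script had (-P forward DENY) but the iptables one-liner left out. Interface names and the LAN range are the thread's (eth0, eth1, 192.168.0.0/24).

```shell
#!/bin/sh
# Added example, not a script from the thread: masquerade a LAN behind eth0
# with a default-deny FORWARD chain, after checking the kernel can do it.
# Interface names and network are the ones Francisco uses.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}

# Load the netfilter modules (Mark's list, plus conntrack/state for the
# stateful FORWARD rule) and confirm the 'nat' table is registered.
# Returns 1 on a kernel without iptables NAT, the situation behind
# "Can't locate module ip_tables" in Francisco's transcript.
nat_support_present() {
    for m in ip_tables iptable_filter iptable_nat ip_conntrack ipt_state ipt_MASQUERADE; do
        modprobe "$m" 2>/dev/null || true     # fails harmlessly when built in or absent
    done
    [ -r /proc/net/ip_tables_names ] && grep -qx nat /proc/net/ip_tables_names
}

# nat_ruleset WAN LAN NET: print an iptables-restore ruleset.
nat_ruleset() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# -i is not accepted in POSTROUTING; select traffic by source network and
# outgoing interface instead.
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Only LAN-originated flows and their replies are forwarded; anything the
# Internet side initiates towards the LAN is dropped by the chain policy.
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Enable forwarding and rp_filter, then load the ruleset atomically.
apply_nat() {
    nat_support_present || { echo "kernel has no iptables nat table" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for dev in "$WAN" "$LAN"; do
        echo 1 > "/proc/sys/net/ipv4/conf/$dev/rp_filter"
    done
    nat_ruleset "$WAN" "$LAN" "$LAN_NET" | iptables-restore
}

# Run as root with "apply" to install; without arguments only the functions
# are defined, so the ruleset can be inspected with: nat_ruleset eth0 eth1 192.168.0.0/24
if [ "${1:-}" = apply ]; then apply_nat; fi
```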




RE: restricting sftp/ssh login access

2004-06-28 Thread Ehren Wilson
Robert,

There has been extensive discussion on this topic on the ssh mailing lists.
Before going on the list I would highly recommend reading up as this is a
fairly common topic and the developers have basically said they won't
provide this functionality, it is something that belongs in the OS or shell.
If you want it in ssh you can use the third party patch.

I personally like the way the proftpd jails work, but I do agree with the
ssh developers that a chroot is not a real security method, more of a file
system abstraction in my opinion.  My more oblivious users find it
convenient but most of them wouldn't be using sftp anyways.

Cheers,

Ehren Wilson

> -----Original Message-----
> From: Robert Cates [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 28, 2004 12:22 PM
> To: [EMAIL PROTECTED]
> Cc: Andreas John
> Subject: Re: restricting sftp/ssh login access
>
>
> Hi,
>
> I don't exactly like the idea of having to set up a mini-system in
> everybody's home dir, so maybe the Jailkit will be the answer.(?)  Somehow
> I'm a little surprised that the OpenSSH project hasn't provided this feature
> in SSH and sftp that I'm looking for.  Maybe somebody knows the reason why?
> I think my next e-mail will be to the OpenSSH project ;-)
>
> Thanks,
> Robert



Re: nat ipchains on debian woody

2004-06-28 Thread Christoph Löffler
Hola Francisco

Francisco Castillo wrote:
> Enrique,
> I'm a novice on debian, I have decided recently to change from redhat or
> mandrake (fatal experience in two years), so excuse my ignorance.
> First I don't know how to do this step: "The first thing you must do is to
> install a kernel with IPTABLES support".
> How can I do it? How can I test if it is on my server?

All stock kernels >= 2.4.x have iptables support. If you would
compile one for your needs you must make sure that iptables support
is checked. But for the kernel images you can install with apt this
is true.
Perhaps it helps you to test some things with helper scripts. You
can search the available packages with apt-cache search:

debian:~# apt-cache search iptables |less
acidlab - Analysis Console for Intrusion Databases
ferm - maintain and setup complicated firewall rules
firewall-easy - Easy to use packet filter firewall (usually zero config)
fwanalog - iptables log-file report generator (using analog)
fwbuilder-iptables - Linux iptables policy compiler for Firewall Builder
fwlogwatch - Firewall log analyzer
ipac-ng - IP Accounting for iptables( kernel =2.4)
ipmenu - A cursel iptables/iproute2 GUI
kernel-patch-ttl - TTL matching and setting
kernel-patch-ulog - Netfilter userspace logging patch.
knetfilter - A GUI for configuring the 2.4 kernel IP Tables
ulogd - The Userspace Logging Daemon
iptables - Linux kernel 2.4+ iptables administration tools
iptables-dev - development files for iptable's libipq and libiptc
reaim - Enable AIM and MSN file transfer on Linux iptables based NAT
shorewall - Shoreline Firewall (Shorewall)
shorewall-doc - Shoreline Firewall (Shorewall) Documentation
then apt-cache show tells you more on a specific package:
i.e.: apt-cache show shorewall
perhaps you can install this and look how it works. read the 
documentation and look at the source

to see what is installed by a package do
dpkg -L shorewall | less
greetings
chris
Re: SCSI Controller for Linux

2004-06-28 Thread Theodore Knab
You can get a IBM server RAID card for about $200.
http://froogle.google.com/froogle?hl=en&lr=&ie=UTF-8&tab=wf&q=%22ibm+serveraid+4l%22&scoring=p

I like the IBM server RAID card on our mailserver:

01:02.0 RAID bus controller: IBM Netfinity ServeRAID controller
Subsystem: IBM: Unknown device 020e
Flags: bus master, 66Mhz, slow devsel, latency 96, IRQ 21
Memory at f4ffc000 (32-bit, prefetchable) [size=8K]
Expansion ROM at unassigned [disabled] [size=512K]
Capabilities: [80] Power Management version 2

Uses kernel module 'isp.o'

Adaptec also makes good ones.

On 28/06/04 16:12 +0200, Andrew Miehs wrote:
> Hi all,
> 
> What SCSI controller is recommended nowadays for connecting an external
> U160 SCSI storage system? NCR? Adaptec? Speed is good, STABILITY is most
> important however - one will be for a postgres database the other for a
> mail server.
> Thanks for your help,
> 
> Andrew

-- 
--
Ted Knab
Chester, Maryland  21619 USA
--
Conquest is easy. Control is not.
-- Kirk, Mirror, Mirror, stardate unknown





Re: SCSI Controller for Linux

2004-06-28 Thread Michelle Konzack
On 2004-06-28 16:12:19, Andrew Miehs wrote:
> Hi all,
> 
> What SCSI controller is recommended nowadays for connecting an external
> U160 SCSI storage system? NCR? Adaptec? Speed is good, STABILITY is most
> important however - one will be for a postgres database the other for a
> mail server.

Adaptec is good, but IPC Vortex is better.

> Thanks for your help,
> 
> Andrew

Greetings
Michelle

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/ 
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: restricting sftp/ssh login access

2004-06-28 Thread MB
John,

First off, I made a small mistake, the package I used was jailkit,
from either:

http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
or
http://freshmeat.net/projects/jailkit/

It has tons of documentation to help you create a jailed environment,
including loading your jail with whatever executables needed.

Looks like I simplified my script to one line:

---
#!/bin/bash

/usr/sbin/jk_socketd


This produces a group of daemonized processes:
nobody   13659 13658  0 Apr18 ?00:00:00 [jk_socketd]


but I think that I had a much more elaborate script to
{start|stop|restart} this daemon, something like:


/etc/init.d/chroot_jail

#!/bin/bash

case "$1" in
  start)
    echo -n "Starting Chroot Jail Server: chroot jail"
    start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid \
        --exec /usr/sbin/jk_socketd --
    echo "."
    ;;
  stop)
    echo -n "Stopping Chroot Jail Server: chroot jail"
    start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/jk_socketd.pid
    echo "."
    ;;

  restart)
    echo -n "Restarting Chroot Jail Server: chroot jail"
    start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/jk_socketd.pid
    start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid \
        --exec /usr/sbin/jk_socketd --
    echo "."
    ;;

  *)
    echo "Usage: /etc/init.d/chroot_jail {start|stop|restart}"
    exit 1
esac

exit 0
---


Mark


--- Andreas John [EMAIL PROTECTED] wrote:
> Hi Mark!
> 
> > You will need to run a special daemon (jk_socketd) to log users
> > into the jail, but that is about the hardest part.  I'll post my startup
> > script if you would like.
> 
> Do I need the ssh-patch if I run this jk_socketd? Does it replace that
> patch? It's pain in the ass to maintain an ssh package that is separate
> from the debian tree.
> 
> And yes - please post me that startup-script. Would be nice.
> 
> Best regards and many penguins,
> Andreas
> 
> 
> -- 
> Andreas John
> net-lab GmbH
> Luisenstrasse 30b
> 63067 Offenbach
> Tel: +49 69 85700331
> 
> http://www.net-lab.net
> 




Re: restricting sftp/ssh login access

2004-06-28 Thread MB
John,

Looks like there is a debian package created for jailkit now:

http://olivier.sessink.nl/jailkit/jailkit_0.9-1_i386.deb

md5 sums for these packages:
de67f1dbf6cec002290fe4faadf53821  jailkit_0.9-1_i386.deb

Mark




Re: restricting sftp/ssh login access

2004-06-28 Thread Robert Cates
Hi, and thanks for the quick replies!
Just to be a bit clearer in what I'm asking: I would like to be able to
allow my customers to access their accounts (update their web sites) with
sftp which as I understand it is an extension to (Open)SSH, and not FTP.  I
know for example that the Windows application - WS_FTP Pro - has an option
to use sftp/ssh on port 22 and when I tested it, I landed way up at root
"/".  So, I'd like to be able to allow secure access, but with an ftp client
like WS_FTP Pro using sftp, and not a Secure SHell.  I have my server set up
so that the customer can use SSH to change their password, and that's all
they can do with SSH.

Is there nothing in the ssh_config or sshd_config which can be set to
restrict sftp access to a designated directory?

It seems to me that the patched OpenSSH way that Hiren pointed out is
workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html but I'm
open to other maybe better ways.

Thanks again,
Robert



RE: restricting sftp/ssh login access

2004-06-28 Thread Ehren Wilson
The cleanest way I have found was using rssh.  All you do is change the
shell to /usr/bin/rssh.  The only issue I have with it is that to jail them
to their home directory you need a separate chroot for each folder of the
following.  I jailed the /home folder and thus only need one jail, if you
want each user to be jailed to ~/ as / then you need a separate jail for
each user through copying or linking the files.


Ehren Wilson

jail components:
./etc
./etc/ld.so.cache
./etc/ld.so.conf
./usr
./usr/bin
./usr/bin/scp
./usr/lib
./usr/lib/i686
./usr/lib/i686/cmov
./usr/lib/i686/cmov/libcrypto.so.0.9.7
./usr/lib/libz.so.1
./usr/lib/rssh
./usr/lib/rssh/rssh_chroot_helper
./usr/lib/sftp-server
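
A script, added here and not Ehren's or the rssh project's code, that builds a jail of the shape listed above: it copies the sftp/scp binaries and every shared library ldd reports for them under the jail root, regenerates ld.so.cache there, and then audits the tree for setuid or world-writable files. Paths follow Ehren's listing (/usr/bin/scp, /usr/lib/sftp-server, /usr/lib/rssh/rssh_chroot_helper, jail root /home); the ldd output embedded for testing the parser is constructed.

```shell
#!/bin/sh
# Added example (not Ehren's or rssh's code): populate and audit an sftp/scp
# chroot of the shape Ehren lists above.  JAIL=/home mirrors his single
# shared jail; the binaries are the woody-era paths from his listing.
JAIL=${JAIL:-/home}
JAIL_BINS="/usr/bin/scp /usr/lib/sftp-server /usr/lib/rssh/rssh_chroot_helper"

# Constructed ldd output in the format glibc's ldd prints, used to test the
# parser below without a real binary.
LDD_SAMPLE='        libz.so.1 => /usr/lib/libz.so.1 (0x40017000)
        libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0x40028000)
        libc.so.6 => /lib/libc.so.6 (0x40100000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# libs_from_ldd: stdin is ldd output; print each absolute library path once.
# Both "name => /path (addr)" lines and the loader line yield the first
# field that starts with '/'.
libs_from_ldd() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' | LC_ALL=C sort -u
}

# Copy one file into the jail under the same path, preserving its mode.
install_into_jail() {
    mkdir -p "$JAIL$(dirname "$1")"
    cp -p "$1" "$JAIL$1"
}

# Copy the binaries and their libraries, then build the jail's ld.so.cache
# (Ehren's listing has both /etc/ld.so.conf and /etc/ld.so.cache).
populate_jail() {
    for bin in $JAIL_BINS; do
        install_into_jail "$bin"
        ldd "$bin" | libs_from_ldd | while read -r lib; do
            install_into_jail "$lib"
        done
    done
    mkdir -p "$JAIL/etc"
    cp -p /etc/ld.so.conf "$JAIL/etc/"
    ldconfig -r "$JAIL"
}

# audit_jail DIR: list setuid/setgid files for review (rssh_chroot_helper is
# setuid by design; anything else is suspect) and fail on world-writable
# system paths, which would let a jailed user replace a binary or library.
audit_jail() {
    suid=$(find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    [ -n "$suid" ] && printf 'setuid/setgid files in jail (review):\n%s\n' "$suid"
    wwrite=$(find "$1/etc" "$1/usr" "$1/lib" -xdev -perm -0002 2>/dev/null)
    [ -z "$wwrite" ] && return 0
    printf 'world-writable system paths in jail:\n%s\n' "$wwrite"
    return 1
}

# Run as root with "populate" to build and check the jail.
if [ "${1:-}" = populate ]; then
    populate_jail && audit_jail "$JAIL"
fi
```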

 -Original Message-
 From: Robert Cates [mailto:[EMAIL PROTECTED]
 Sent: Monday, June 28, 2004 11:54 AM
 To: debian-isp@lists.debian.org
 Cc: Andreas John; MB; [EMAIL PROTECTED]
 Subject: Re: restricting sftp/ssh login access


 Hi, and thanks for the quick replies!
 Just to be a bit clearer in what I'm asking: I would like to be able to
 allow my customers to access their accounts (update their web sites) with
 sftp which as I understand it is an extention to (Open)SSH, and
 not FTP.  I
 know for example that the Windows application - WS_FTP Pro - has an option
 to use sftp/ssh on port 22 and when I tested it, I landed way up at root
 /.  So, I'd like to be able to allow secure access, but with an
 ftp client
 like WS_FTP Pro using sftp, and not a Secure SHell.  I have my
 server setup
 so that the customer can use SSH to change their password, and that's all
 they can do with SSH.

 Is there nothing in the ssh_config or sshd_config which can be set to
 restrict sftp access to a designated directory?

 It seems to me that the patched OpenSSH way that Hiren pointed out is
 workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html but I'm
 open to other maybe better ways.

 Thanks again,
 Robert
 - Original Message -
 From: MB [EMAIL PROTECTED]
 To: Andreas John [EMAIL PROTECTED]
 Cc: debian-isp@lists.debian.org
 Sent: Monday, June 28, 2004 6:47 PM
 Subject: Re: restricting sftp/ssh login access


  John,
 
  First off, I make a small mistake, the package I used was jailkit,
  from either:
 
  http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
  or
  http://freshmeat.net/projects/jailkit/
 
  It has tons of documentation to help you create a jailed environment,
  including loading your jail with whatever executables needed.
 
  Looks like I simplified my script to one line:
 
  ---
  #!/bin/bash
 
  /usr/sbin/jk_socketd
  
 
  This produces a group of daemonized processes:
  nobody   13659 13658  0 Apr18 ?00:00:00 [jk_socketd]
 
 
  but I think that I had a much more elaborate script to
  {start|stop|restart} this daemon, something like:
 
 
  /etc/init.d/chroot_jail
  
  #!/bin/bash
 
  case "$1" in
    start)
      echo -n "Starting Chroot Jail Server: chroot jail"
      start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid \
          --exec /usr/sbin/jk_socketd --
      echo "."
      ;;
    stop)
      echo -n "Stopping Chroot Jail Server: chroot jail"
      start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/jk_socketd.pid
      echo "."
      ;;
 
    restart)
      echo -n "Restarting Chroot Jail Server: chroot jail"
      start-stop-daemon --stop --quiet --oknodo --retry 30 \
          --pidfile /var/run/jk_socketd.pid
      start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid \
          --exec /usr/sbin/jk_socketd --
      echo "."
      ;;
 
    *)
      echo "Usage: /etc/init.d/chroot_jail {start|stop|restart}"
      exit 1
  esac
 
  exit 0
  ---
 
 
  Mark
 
 
  --- Andreas John [EMAIL PROTECTED] wrote:
   Hi Mark!
  
You will need to run a special daemon (jk_socketd) to log users
   into the
jail, but that is about the hardest part.  I'll post my startup
   script
if you would like.
  
   Do I need the ssh-patch if I run this jk_socketd? Does it replace
   that
   patch? It's a pain in the ass to maintain an ssh package that is
   separate
   from the debian tree.
  
   And yes - please post me that startup-script. Would be nice.
  
   Best regards and many penguins,
   Andreas
  
  
   --
   Andreas John
   net-lab GmbH
   Luisenstrasse 30b
   63067 Offenbach
   Tel: +49 69 85700331
  
   http://www.net-lab.net
  




Re: restricting sftp/ssh login access

2004-06-28 Thread Robert Cates
Hi,

I don't exactly like the idea of having to set up a mini-system in
everybody's home dir, so maybe the Jailkit will be the answer.(?)  Somehow
I'm a little surprised that the OpenSSH project hasn't provided this feature
in SSH and sftp that I'm looking for.  Maybe somebody knows the reason why?
I think my next e-mail will be to the OpenSSH project ;-)

Thanks,
Robert
- Original Message - 
From: Andreas John [EMAIL PROTECTED]
To: debian-isp@lists.debian.org
Cc: Robert Cates [EMAIL PROTECTED]
Sent: Monday, June 28, 2004 2:28 PM
Subject: Re: restricting sftp/ssh login access


 Hi!

 1.) Set users shell to /bin/false and add it to /etc/shells.
 This will prevent ssh access for users, but allows ftp etc.

 But what you are asking for is that (I think)
 2.) http://chrootssh.sourceforge.net/index.php
 Chroot your ssh for non-admin users by
   - patching ssh
   - replacing the user's homedir /home/username/ with /home/username/./
 (sshd recognizes /./ at the end of the homedir and chroots that user)
   - build a mini-system in the user's homedir (necessary!). I played around
 with that but had not much success because I don't want to set up a
 *real* whole system for every user, because I would run into apt-ing
 probs. I had a look at busybox, which could solve that problem.
 If anyone knows how this works (login-shell with busybox-static + basic
 commands) please write a howto for me ;) !

 rgds,
 Andreas









RE: restricting sftp/ssh login access

2004-06-28 Thread MB
I agree that a jail is the cleanest way.  My setup is as follows:

chroot jail:
/home/jailedUsers


dirs and files within the jail:
./lib
./lib/libnsl.so.1
./lib/libnsl-2.3.2.so
./lib/libc.so.6
./lib/libc-2.3.2.so
./lib/ld-linux.so.2
./lib/ld-2.3.2.so
./lib/libnss_compat.so.2
./lib/libnss_compat-2.3.2.so
./lib/libnss_files.so.2
./lib/libnss_files-2.3.2.so
./lib/libresolv.so.2
./lib/libresolv-2.3.2.so
./lib/libutil.so.1
./lib/libutil-2.3.2.so
./lib/libcrypt.so.1
./lib/libcrypt-2.3.2.so
./lib/libdl.so.2
./lib/libdl-2.3.2.so
./lib/libncurses.so.5
./lib/libncurses.so.5.4
./lib/librt.so.1
./lib/librt-2.3.2.so
./lib/libpthread.so.0
./lib/libpthread-0.10.so
./lib/libacl.so.1
./lib/libacl.so.1.1.0
./lib/libattr.so.1
./lib/libattr.so.1.1.0
./lib/libm.so.6
./lib/libm-2.3.2.so
./lib/libpam.so.0
./lib/libpam_misc.so.0
./etc
./etc/nsswitch.conf
./etc/passwd
./etc/group
./etc/jailkit
./etc/jailkit/jk_lsh.ini
./etc/resolv.conf
./etc/host.conf
./etc/hosts
./etc/protocols
./etc/motd
./etc/issue
./etc/bash.bashrc
./etc/profile
./etc/terminfo -- bunch of dirs in here ---
./usr
./usr/bin
./usr/bin/jk_lsh
./usr/bin/ssh
./usr/bin/nvi
./usr/bin/scp
./usr/bin/awk
./usr/bin/bzip2
./usr/bin/bunzip2
./usr/bin/away
./usr/lib
./usr/lib/sftp-server
./usr/lib/i586
./usr/lib/i586/libcrypto.so.0.9.7
./usr/lib/libz.so.1
./usr/lib/libz.so.1.2.1
./usr/lib/libbz2.so.1.0
./usr/lib/libbz2.so.1.0.2
./dev
./dev/urandom
./dev/tty
./dev/log
./bin
./bin/sh
./bin/bash
./bin/ls
./bin/cat
./bin/chmod
./bin/mkdir
./bin/cp
./bin/cpio
./bin/date
./bin/dd
./bin/echo
./bin/egrep
./bin/false
./bin/sleep
./home
./home/drocke
./root

Only allowing the user write access to his/her own directory
(within the jail) limits the liability to the system.

Mark

--- Ehren Wilson [EMAIL PROTECTED] wrote:
 The cleanest way I have found was using rssh.  All you do is change
 the
 shell to /usr/bin/rssh.  The only issue I have with it is that to
 jail them
 to their home directory you need a separate chroot for each folder of
 the
 following.  I jailed the /home folder and thus only need one jail, if
 you
 want each user to be jailed to ~/ as / then you need a separate jail
 for
 each user through copying or linking the files.
 
 
 Ehren Wilson
 
 jail components:
 ./etc
 ./etc/ld.so.cache
 ./etc/ld.so.conf
 ./usr
 ./usr/bin
 ./usr/bin/scp
 ./usr/lib
 ./usr/lib/i686
 ./usr/lib/i686/cmov
 ./usr/lib/i686/cmov/libcrypto.so.0.9.7
 ./usr/lib/libz.so.1
 ./usr/lib/rssh
 ./usr/lib/rssh/rssh_chroot_helper
 ./usr/lib/sftp-server
 
  -Original Message-
  From: Robert Cates [mailto:[EMAIL PROTECTED]
  Sent: Monday, June 28, 2004 11:54 AM
  To: debian-isp@lists.debian.org
  Cc: Andreas John; MB; [EMAIL PROTECTED]
  Subject: Re: restricting sftp/ssh login access
 
 
  Hi, and thanks for the quick replies!
  Just to be a bit clearer in what I'm asking: I would like to be
 able to
  allow my customers to access their accounts (update their web
 sites) with
  sftp which as I understand it is an extension to (Open)SSH, and
  not FTP.  I
  know for example that the Windows application - WS_FTP Pro - has an
 option
  to use sftp/ssh on port 22 and when I tested it, I landed way up at
 root
  /.  So, I'd like to be able to allow secure access, but with an
  ftp client
  like WS_FTP Pro using sftp, and not a Secure SHell.  I have my
  server setup
  so that the customer can use SSH to change their password, and
 that's all
  they can do with SSH.
 
  Is there nothing in the ssh_config or sshd_config which can be set
 to
  restrict sftp access to a designated directory?
 
  It seems to me that the patched OpenSSH way that Hiren pointed out
 is
  workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html
 but I'm
  open to other maybe better ways.
 
  Thanks again,
  Robert
  - Original Message -
  From: MB [EMAIL PROTECTED]
  To: Andreas John [EMAIL PROTECTED]
  Cc: debian-isp@lists.debian.org
  Sent: Monday, June 28, 2004 6:47 PM
  Subject: Re: restricting sftp/ssh login access
 
 
   John,
  
   First off, I made a small mistake: the package I used was
 jailkit,
   from either:
  
  
 http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
   or
   http://freshmeat.net/projects/jailkit/
  
   It has tons of documentation to help you create a jailed
 environment,
   including loading your jail with whatever executables needed.
  
   Looks like I simplified my script to one line:
  
   ---
   #!/bin/bash
  
   /usr/sbin/jk_socketd
   
  
   This produces a group of daemonized processes:
   nobody   13659 13658  0 Apr18 ?00:00:00 [jk_socketd]
  
  
   but I think that I had a much more elaborate script to
   {start|stop|restart} this daemon, something like:
  
  
   /etc/init.d/chroot_jail
   
   #!/bin/bash
  
   case $1 in
 start)
   echo -n Starting Chroot Jail Server: chroot jail
   start-stop-daemon --start --quiet --pidfile
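As an added example (not code from Mark's, Ehren's or the jailkit project's posts), a shell audit for a jail laid out as above: it assumes a jail root such as /home/jailedUsers with the user areas under ./home/<user>, and reports anything outside those areas that is writable by group or other or not owned by the jail owner (root by default), plus any setuid/setgid file anywhere in the jail. The demo jail it builds is a constructed skeleton, not a working chroot.

```sh
#!/bin/sh
# Added example, not from any list post.  Audits a chroot jail tree:
# everything outside ./home/<user> must belong to the jail owner and must
# not be writable by group or other, and nothing in the jail may be
# setuid/setgid.  Usage: check_jail JAILROOT [OWNER]  (OWNER default: root)

# Prints offending paths; returns 0 if the jail is clean, 1 otherwise.
check_jail() {
    jail=$1
    owner=${2:-root}
    # ./home/<user> subtrees are the users' own areas and are skipped;
    # ./home itself is still checked so nobody can create peer directories.
    # -perm -020 = group-writable, -perm -002 = other-writable.
    writable=$(find "$jail" -path "$jail/home/*" -prune -o \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
    # setuid (4000) / setgid (2000) files are checked everywhere.
    suid=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print)
    rc=0
    if [ -n "$writable" ]; then
        printf 'writable or wrongly owned outside ./home:\n%s\n' "$writable"
        rc=1
    fi
    if [ -n "$suid" ]; then
        printf 'setuid/setgid files inside the jail:\n%s\n' "$suid"
        rc=1
    fi
    return $rc
}

# Constructed demo skeleton in a temp dir (only the layout, no binaries).
make_demo_jail() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/usr/lib" "$d/home/drocke"
    : > "$d/etc/passwd"
    : > "$d/usr/lib/sftp-server"
    chmod -R go-w "$d"
    chmod 755 "$d/home/drocke"     # user area: may be user-writable
    printf '%s\n' "$d"
}

# Run with --demo: a clean skeleton passes, a group-writable ./etc/passwd
# is rejected.  The owner is the current user since the demo is unprivileged.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_jail)
    me=$(id -un)
    check_jail "$demo" "$me" && echo "clean jail: OK"
    chmod g+w "$demo/etc/passwd"
    check_jail "$demo" "$me" || echo "tampered jail: rejected"
    rm -rf "$demo"
fi
```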
   

nat ipchains on debian woody

2004-06-28 Thread Francisco Castillo




Hello Gurus, 

I have installed a Debian woody with two interfaces, 
eth0 and eth1. I have configured the internet connection on eth0, which 
has got a static IP on the internet. And on eth1 I want to put an interface to do a 
proxy NAT gateway on my internal LAN (I want to put 192.168.0.1 on it). 


I have read a doc to do it, but when I apply this doc 
I get a "your kernel seems to not support ipchains" message when I try to do 
this. After this I have a 192.168.0.1 IP on eth1, but my PCs on the internal LAN 
can't have internet access through eth0 (the internet connection). 

I think that the problem is that the kernel does 
not have ipmasquerade support (NAT support), so I think that this is the only 
step I need to do in order to correctly apply the steps of the configuration that 
I have a problem with. So: 

Do you know how to give NAT (ipmasquerade 
support) to a Debian woody kernel in order to solve my problem? 

What exactly does the command "apt-get install ipmasq" do in this context?

Thanks in advance, 

Francisco. 



Re: nat ipchains on debian woody

2004-06-28 Thread Christoph Löffler
Hello Francisco,
Francisco Castillo wrote:
I have read doc to do it but when i apply this doc i have a "your
kernel seems to not support ipchains" messages when i try to do
this. 
For what reason do you want to use ipchains? If you have just set up
Debian successfully, I think you also have a current kernel (> 2.4.x).
From version 2.4.x there is a new packet filter which is called
iptables. On www.netfilter.org you find a lot of documentation.
Did you know how to give a NAT (ipmasquerade support) on a debian
woody kernel in order to solve my problem?
Sorry, do not know about that.
Chris



Re: nat ipchains on debian woody

2004-06-28 Thread Francisco Castillo
Hi Mark,

I have tested your script but my woody gives me this response:

morpheo:~# cat compartir2
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter

iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -i eth1 -o eth0 -j MASQUERADE

morpheo:~# ./compartir2
modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `nat': iptables who? (do
you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
morpheo:~#

What can I do to solve this new issue?

My first script, which used ipchains, was this:

morpheo:~# cat compartir

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -j MASQ -s 192.168.0.0/16

Thanks in advance,


- Original Message -
From: MB [EMAIL PROTECTED]
To: Francisco Castillo [EMAIL PROTECTED];
debian-isp@lists.debian.org
Sent: Monday, June 28, 2004 9:16 PM
Subject: Re: nat ipchains on debian woody


Have you tried iptables instead?  If your kernel supports iptables,
then:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/$both_eth_devs/rp_filter

iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -i eth1 -o eth0 -j MASQUERADE

iptables also does the firewalling in other chains, btw

Mark

--- Francisco Castillo [EMAIL PROTECTED] wrote:

 Hello Gurus,

 I have installed a Debian woody with two interfaces, eth0 and eth1. I
 have configured the internet connection on eth0, which has got a static
 IP on the internet. And on eth1 I want to put an interface to do a proxy
 NAT gateway on my internal LAN (I want to put 192.168.0.1 on it).

 I have read a doc to do it, but when I apply this doc I get a "your
 kernel seems to not support ipchains" message when I try to do this.
 After this I have a 192.168.0.1 IP on eth1, but my PCs on the
 internal LAN can't have internet access through eth0 (the internet
 connection).

 I think that the problem is that the kernel does not have
 ipmasquerade support (NAT support), so I think that this is the only
 step I need to do in order to correctly apply the steps of the
 configuration that I have a problem with. So:

 Do you know how to give NAT (ipmasquerade support) to a Debian
 woody kernel in order to solve my problem?

 What exactly does the command "apt-get install ipmasq" do in this
 context?

 Thanks in advance,

 Francisco.







Re: restricting sftp/ssh login access

2004-06-28 Thread Jason Lim
how about using rbash? Only does the shell part, and it is not very hard
to break out of the jail, but then again, allowing shell when you think
users are going to purposely try to break it isn't a good idea...




Re: nat ipchains on debian woody

2004-06-28 Thread Enrique Dorantes
On Mon, 28 Jun 2004 21:35:40 +0200
Christoph Löffler [EMAIL PROTECTED] wrote:
Hello Francisco:
The first thing you must do is to install a kernel with IPTABLES support; 
ipchains is not recommendable for kernels up to 2.4. The kernel packages of 
the woody distro have this support.
Next you MUST install iptables ("apt-get install iptables").
Then you should enable ip forward and ipfilter, with the instructions 
mentioned earlier by Mark, but if you want to run a proxy ip forward is not necessary.

You must read a lot of documentation of Squid and IPtables

Enrique Dorantes

Now in Spanish,

Hello Francisco:

The first thing you have to do is download a kernel that supports iptables; 
ipchains is discontinued.
Then you have to install ip-tables (apt-get install iptables).
Then do what you were told earlier: enable ip forward (which is not 
necessary if you are going to set up a proxy) and the ipfilter.

You have to read a lot of Squid and IPtables documentation.

Regards
Enrique 

 Hello Francisco,
 
 Francisco Castillo wrote:
 
  I have read doc to do it but when i apply this doc i have a your
  kernel seems to not support ipchains messages when i try to do
  this. 
 
 For what reason do you want to use ipchains? If you just set up
 debian successfully i think you have also an actual kernel ( 2.4.x)
 
  From Version 2.4.x there is a new packet filter which is called
 iptables. On www.netfilter.org you find a lot of documentation.
 
  Did you know how to give a NAT (ipmasquerade support) on a debian
  woody kernel in order to solve my problem?
 
 Sorry, do not know about that.
 
 
 Chris
 
 
 
 
 




Re: nat ipchains on debian woody

2004-06-28 Thread Francisco Castillo
Enrique,

I'm a novice on Debian; I decided recently to change from Red Hat or
Mandrake (fatal experience in two years), so excuse my ignorance.

First, I don't know how to do this step: "The first thing you must do is to
install a kernel with IPTABLES support".
How can I do it? How can I test if it is on my server?

Second, I have seen this on my server:

morpheo:~# apt-get install iptables
Reading Package Lists... Done
Building Dependency Tree... Done
Sorry, iptables is already the newest version.
0 packages upgraded, 0 newly installed, 0 to remove and 0  not upgraded.
morpheo:~#

It seems iptables is installed, but the previous errors said that iptables
was not available.

Thanks in advance, and for your Spanish response; I have poor English too,

Francisco.



- Original Message -
From: Enrique Dorantes [EMAIL PROTECTED]
To: debian-isp@lists.debian.org
Sent: Monday, June 28, 2004 10:09 PM
Subject: Re: nat ipchains on debian woody


On Mon, 28 Jun 2004 21:35:40 +0200
Christoph Löffler [EMAIL PROTECTED] wrote:
Hello Francisco:
The first thing you must do is to install a kernel with IPTABLES support;
ipchains is not recommendable for kernels up to 2.4. The kernel packages
of the woody distro have this support.
Next you MUST install iptables ("apt-get install iptables").
Then you should enable ip forward and ipfilter, with the instructions
mentioned earlier by Mark, but if you want to run a proxy ip forward is not necessary.

You must read a lot of documentation of Squid and IPtables

Enrique Dorantes

Now in Spanish,

Hello Francisco:

The first thing you have to do is download a kernel that supports iptables;
ipchains is discontinued.
Then you have to install ip-tables (apt-get install iptables).
Then do what you were told earlier: enable ip forward (which is not
necessary if you are going to set up a proxy) and the ipfilter.

You have to read a lot of Squid and IPtables documentation.

Regards
Enrique

 Hello Francisco,

 Francisco Castillo wrote:

  I have read doc to do it but when i apply this doc i have a your
  kernel seems to not support ipchains messages when i try to do
  this.

 For what reason do you want to use ipchains? If you just set up
 debian successfully i think you have also an actual kernel ( 2.4.x)

  From Version 2.4.x there is a new packet filter which is called
 iptables. On www.netfilter.org you find a lot of documentation.

  Did you know how to give a NAT (ipmasquerade support) on a debian
  woody kernel in order to solve my problem?

 Sorry, do not know about that.


 Chris










Re: nat ipchains on debian woody

2004-06-28 Thread MB
Christoph,

You are right. Looks like he should also modprobe or insmod iptables
and many other modules.  I insmod a whole list of routing modules:

ipt_REDIRECT 
ipt_MASQUERADE  
iptable_mangle  
iptable_nat
ipt_REJECT  
iptable_filter  
ip_tables  

( and some others... )

Mark

--- Enrique Dorantes [EMAIL PROTECTED] wrote:
 On Mon, 28 Jun 2004 21:35:40 +0200
 Christoph Löffler [EMAIL PROTECTED] wrote:
 Hello Francisco:
 The first thing you must do is to install a kernel with IPTABLES
 support; ipchains is not recommendable for kernels up to 2.4. The
 kernel packages of the woody distro have this support.
 Next you MUST install iptables ("apt-get install iptables").
 Then you should enable ip forward and ipfilter, with the instructions
 mentioned earlier by Mark, but if you want to run a proxy ip forward is
 not necessary.
 
 You must read a lot of documentation of Squid and IPtables
 
 Enrique Dorantes
 
 Now in Spanish,
 
 Hello Francisco:
 
 The first thing you have to do is download a kernel that supports
 iptables; ipchains is discontinued.
 Then you have to install ip-tables (apt-get install iptables).
 Then do what you were told earlier: enable ip forward (which is not
 necessary if you are going to set up a proxy) and the ipfilter.
 
 You have to read a lot of Squid and IPtables documentation.
 
 Regards
 Enrique 
 
  Hello Francisco,
  
  Francisco Castillo wrote:
  
   I have read doc to do it but when i apply this doc i have a your
   kernel seems to not support ipchains messages when i try to do
   this. 
  
  For what reason do you want to use ipchains? If you just set up
  debian successfully i think you have also an actual kernel (
 2.4.x)
  
   From Version 2.4.x there is a new packet filter which is called
  iptables. On www.netfilter.org you find a lot of documentation.
  
   Did you know how to give a NAT (ipmasquerade support) on a debian
   woody kernel in order to solve my problem?
  
  Sorry, do not know about that.
  
  
  Chris
  
  
  
  
  
 
 
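An added example, not any poster's script: the gateway from the two "compartir" scripts in this thread rebuilt on iptables. It keeps the default-deny forward policy that the ipchains version ("ipchains -P forward DENY") had and the one-line MASQUERADE version silently lost, loads the modules Mark lists before touching the tables, and checks for the nat table first so the "can't initialize iptables table `nat'" failure is reported up front instead of leaving a half-applied ruleset. It also drops "-i eth1" from the POSTROUTING rule, which iptables rejects in that chain. Interface names and the LAN prefix are parameters, and IPT=echo gives a dry run.

```sh
#!/bin/sh
# Added example, not from the list posts: NAT gateway with a default-deny
# FORWARD chain.  Usage: apply_gateway LAN_IF WAN_IF LAN_NET  (needs root);
# set IPT=echo to print the rules instead of applying them.

IPT=${IPT:-iptables}

# Print the rules for LAN_IF/WAN_IF/LAN_NET, one command per line.
# POSTROUTING cannot match on -i (iptables rejects it), so the masquerade
# rule uses only the source network and the outgoing interface.
nat_rules() {
    lan_if=$1 wan_if=$2 lan_net=$3
    cat <<EOF
$IPT -F FORWARD
$IPT -P FORWARD DROP
$IPT -A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
$IPT -A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -F POSTROUTING
$IPT -t nat -A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
EOF
}

# Returns 0 when the kernel exposes the "nat" table.  Reads the proc file
# given as $1 (default /proc/net/ip_tables_names; a parameter for testing).
has_nat_table() {
    f=${1:-/proc/net/ip_tables_names}
    [ -r "$f" ] && grep -qx nat "$f"
}

# Load the netfilter modules (a no-op on kernels that build them in), check
# the nat table, enable forwarding and rp_filter, then apply the rules.
apply_gateway() {
    lan_if=$1 wan_if=$2 lan_net=$3
    for m in ip_tables iptable_filter iptable_nat ipt_MASQUERADE ipt_state; do
        modprobe "$m" 2>/dev/null || true
    done
    if ! has_nat_table; then
        echo "kernel has no nat table: boot a kernel with iptables support" >&2
        return 1
    fi
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for i in "$lan_if" "$wan_if"; do
        echo 1 > "/proc/sys/net/ipv4/conf/$i/rp_filter"
    done
    nat_rules "$lan_if" "$wan_if" "$lan_net" | sh -e
}

# Dry run when invoked as: ./gateway.sh --dry-run [LAN_IF WAN_IF LAN_NET]
if [ "${1:-}" = "--dry-run" ]; then
    IPT=echo
    nat_rules "${2:-eth1}" "${3:-eth0}" "${4:-192.168.0.0/24}"
fi
```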




RE: restricting sftp/ssh login access

2004-06-28 Thread Ehren Wilson
Robert,

There has been extensive discussion on this topic on the ssh mailing lists.
Before going on the list I would highly recommend reading up as this is a
fairly common topic and the developers have basically said they won't
provide this functionality, it is something that belongs in the OS or shell.
If you want it in ssh you can use the third party patch.

I personally like the way the proftpd jails work, but I do agree with the
ssh developers that a chroot is not a real security method, more of a file
system abstraction in my opinion.  My more oblivious users find it
convenient but most of them wouldn't be using sftp anyways.

Cheers,

Ehren Wilson

 -Original Message-
 From: Robert Cates [mailto:[EMAIL PROTECTED]
 Sent: Monday, June 28, 2004 12:22 PM
 To: debian-isp@lists.debian.org
 Cc: Andreas John
 Subject: Re: restricting sftp/ssh login access


 Hi,

 I don't exactly like the idea of having to set up a mini-system in
 everybody's home dir, so maybe the Jailkit will be the answer.(?)  Somehow
 I'm a little surprised that the OpenSSH project hasn't provided
 this feature
 in SSH and sftp that I'm looking for.  Maybe somebody knows the
 reason why?
 I think my next e-mail will be to the OpenSSH project ;-)

 Thanks,
 Robert
 - Original Message -
 From: Andreas John [EMAIL PROTECTED]
 To: debian-isp@lists.debian.org
 Cc: Robert Cates [EMAIL PROTECTED]
 Sent: Monday, June 28, 2004 2:28 PM
 Subject: Re: restricting sftp/ssh login access


  Hi!
 
  1.) Set users shell to /bin/false and add it to /etc/shells.
  This will prevent ssh access for users, but allows ftp etc.
 
  But what you are asking for is that (I think)
  2.) http://chrootssh.sourceforge.net/index.php
  Chroot your ssh for non-admin users by
- patching ssh
   - replacing the user's homedir /home/username/ with /home/username/./
    (sshd recognizes /./ at the end of the homedir and
  chroots that user)
   - build a mini-system in the user's homedir (necessary!). I played around
    with that but had not much success because I don't want to set up a
    *real* whole system for every user, because I would run into apt-ing
  probs. I had a look at busybox, which could solve that problem.
  If anyone knows how this works (login-shell with busybox-static + basic
  commands) please write a howto for me ;) !
 
  rgds,
  Andreas
 
 
 
 









Re: nat ipchains on debian woody

2004-06-28 Thread Christoph Löffler
Hello Francisco
Francisco Castillo wrote:
Enrique,
I'm a novice on Debian; I decided recently to change from Red Hat or
Mandrake (fatal experience in two years), so excuse my ignorance.
First, I don't know how to do this step: "The first thing you must do is to
install a kernel with IPTABLES support".
How can I do it? How can I test if it is on my server?
All stock kernels > 2.4.x have iptables support. If you compile one 
for your needs you must make sure that iptables support is checked, 
but for the kernel images you can install with apt this is true.
Perhaps it helps you to test some things with helper scripts. You 
can search the available packages with apt-cache search:

debian:~# apt-cache search iptables |less
acidlab - Analysis Console for Intrusion Databases
ferm - maintain and setup complicated firewall rules
firewall-easy - Easy to use packet filter firewall (usually zero config)
fwanalog - iptables log-file report generator (using analog)
fwbuilder-iptables - Linux iptables policy compiler for Firewall Builder
fwlogwatch - Firewall log analyzer
ipac-ng - IP Accounting for iptables(kernel >=2.4)
ipmenu - A cursel iptables/iproute2 GUI
kernel-patch-ttl - TTL matching and setting
kernel-patch-ulog - Netfilter userspace logging patch.
knetfilter - A GUI for configuring the 2.4 kernel IP Tables
ulogd - The Userspace Logging Daemon
iptables - Linux kernel 2.4+ iptables administration tools
iptables-dev - development files for iptable's libipq and libiptc
reaim - Enable AIM and MSN file transfer on Linux iptables based NAT
shorewall - Shoreline Firewall (Shorewall)
shorewall-doc - Shoreline Firewall (Shorewall) Documentation
Then apt-cache show tells you more on a specific package,
i.e.: apt-cache show shorewall
Perhaps you can install this and look at how it works. Read the 
documentation and look at the source.

to see what is installed by a package do
dpkg -L shorewall | less
greetings
chris