Not long ago we rebuilt a number of servers within our production environment at work, migrating from FreeBSD to CentOS. One of the requirements in this migration was that we needed a server that would act as an SSH-only jail on the new platform. This meant I needed to set up a system where users could SSH into a machine but the only thing they could do on that machine was SSH back out again. We used this as our “bounce” machine. Users would have outside access to their desktops or other machines only by way of this secured SSH-only machine. The solution I found was a tool called “JailKit”, which allows you to create chroot jails in a very simple way. Below I’ll outline the requirements for installing JailKit and using it to create an SSH chrooted “jail”.

Step 1: Install JailKit

I was unable to find an up-to-date package for JailKit on CentOS, so I did the following to install from source:
Not so long ago I wrote about how you can configure FreeBSD to email you about available updates on a weekly basis. This is something I have had in place for a while now, and I really enjoy the ability to keep things on the patched (read: bleeding) edge. Recently I found a small issue with the setup I had been using, and I wanted to share the fix with anyone who may have been doing the same thing.

First of all, let me tell you about the issue I came across. When I would receive an email regarding available updates, I would connect to the FreeBSD jail and use portmaster -a -d to apply all available updates. I noticed that the number of updates applied did not match the number of updates listed in the email. Odd. Well, after thinking about it for a bit I realized what the problem was.
I have had all kinds of problems getting dhcpd running properly inside a FreeBSD jail. I finally got it running this morning and wanted to document what I’ve done in the hope that I can recreate it.

On the host system I had to allow raw sockets within jails. This is done by adding this line to your /etc/sysctl.conf:

security.jail.allow_raw_sockets=1

The above makes it a persistent change, but you’ll also need to make it an immediate change using the sysctl tool directly:

sysctl -w security.jail.allow_raw_sockets=1

Within the jail I then installed the net/isc-dhcp30-server port. I configured this with just two of the available options:

    Allow sockets instead of bpf (jails-only)
    Use base openSSL

After this was compiled I configured my /usr/local/etc/dhcpd.conf and added the following lines to my /etc/rc.conf:

## dhcpd options
dhcpd_enable="YES"
dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces=""
I spent some time this afternoon trying to set up named (BIND 9.5) within a FreeBSD jail for internal use. I ran into an issue where it was unable to mount devfs and failed on me. After a little bit of digging I found a solution.

This is the error that was reported:

/etc/rc.d/named: WARNING: devfs_domount(): Unable to mount devfs on /var/named/dev
devfs rule: ioctl DEVFSIO_RAPPLY: Operation not permitted
devfs rule: ioctl DEVFSIO_RAPPLY: Operation not permitted

In a nutshell, add the following line to the jail’s /etc/rc.conf and you should be OK:

named_chrootdir=""

Yes, this means that you’re not running named within a chroot like it would by default, but remember it’s in a jail anyway, which is itself a really fancy, hardened chroot.