similar to: jailing transfer-only accounts

This message was sent to bugtraq today: While playing around with FreeBSD 5.4 and jailing I discovered that it was possible to put an ethernet interface into promiscious mode from within the jailed environment, allowing a packetsniffer to gather data not meant for the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x This can be reproduced on boxes where BPF support is

Folks, I've been tasked to find a solution that will create file-transfer-only accounts that are jailed or chrooted to a specific directory. (Not an uncommon task, I think.) Using the OpenSSH server and the OpenSSH scp client program, I can achieve the goal of having a file transfer only account jailed to a specified directory, by using the "scpjail" script (attached) as a

Dear all I'm looking for instructions on how to setup a jailed chroot directory for user which needs to upload via scp to the server. Especially I miss clear instructions about what needs to be in the jailed directory available, like binaries, libraries, etc... Without jail I get it to work, but I want to prevent user downloading for example /etc folder from the server. Does anybody have a

The sshd server has what I think is a serious flaw. There appears to be no way to turn off remote command execution. (someone please correct me if I am wrong). We have a server which uses a chroot jail, and rbash to severely limit what users can do on our system. The remote command bypasses all of that. ie. ssh user at host cat /etc/passwd will display the password file for the live system

Howdy! I'm not sure if this is actually an issue, feature or a bug, but I have found that inside a jail, the jailed root user is able to sniff traffic (and enable promiscuous mode) on at least the interface of the IP address the jail is attached to. I have not found any documentation explaining if this should occur or not, but I feel it is something that should at least be known to those

I'm going to apply the ssh patch. Applying it to the "real" server seems straightforward enough, but I'm wondering what the right procedure is to apply this patch to my jailed servers.

-----Original Message----- From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Rainer Duffner Sent: Samstag, 21. Oktober 2017 00:41 To: CentOS mailing list Subject: Re: [CentOS] scp setup jailed chroot on Centos7 > Am 20.10.2017 um 15:58 schrieb Adrian Jenzer <a.jenzer at herzogdemeuron.com>: > > Dear all > > I'm looking for instructions on how to setup a

Maybe one of you can help. We have set up a CentOS server so that each user who logs in via sftp will be jailed in their home directory. Here's the relevant sshd_config: # override default of no subsystems Subsystem sftp internal-sftp -f LOCAL2 -l INFO Match Group sftponly ChrootDirectory /home/%u ForceCommand internal-sftp This actually works great, but none of

Hi, i've set the outside ip for the jail..It works.. When i try to ssh to jail'ed system from the main system (in which is created jail) the connection is successful, but when i try to connect to jailed system from anywhere else i get this message: ssh: connect to host IP_NUMBER port 22: Operation timed out What can be wrong here? How to solve this problem?

A client wants me to set up a mechanism whereby his customers can drop files securely into directories on his FreeBSD server; he also wants them to be able to retrieve files if needed. The server is already running OpenSSH, and he himself is using Windows clients (TeraTerm and WinSCP) to access it, so the logical thing to do seems to be to have his clients send and receive files via SFTP or SCP.

I'm setting up a server where I plan to use Jails to improve security I also have installed and am configuring ipfilter. Here are my questions: Because I'm using Jails, I will have to have multiple ip aliases on the network interface. I will use ipfilter to specify what can go to each of the addresses. (e.g., allow only incoming to port 80 on the jail running apache). Another

> I recently did something like this. I have a webserver in a jail that > needs to talk to a database, and the webserver is the only thing that > should talk to the databse. > My solution was to use 2 jails: one for the webserver, and another for the > database. > Jail 1: > * runs webserver > * binds to real interface with real, routable IP > Jail 2: > *

Hello, I'm new to the list, but hopefully I've done enough digging around that I don't get yelled at too terribly ;) We're looking to implement a chrooted environment for allowing users to scp files from servers. That's basically the only functionality that we need in this case. We're looking to chroot the user and/or remove any chance that the account can login via

HI everyone, I have resently installed a jail environment on my freebsd box, and had some problems getting postgresql running under it. After looking a bit on various mailinglists i figured out that I needed to set jail.sysvipc_allowed to be 1 using sysctl in order to make postgresql run. However man jail gives me: jail.sysvipc_allowed This MIB entry determines whether or not

On Thu, 2002-12-19 at 01:30, msmith@labyrinth.net.au wrote: > Alan Silvester <mascdman@shaw.ca> said: > > > Hi, > > > > (Sorry for the long email) > > > > As a bit of a learning exercise, I'm trying to place the icecast daemon > > in a chroot jail. I've been mostly sucessful: I can get icecast to > > serve the default stream from

Although RAW sockets can be used when specifying the source address of packets (defeating one of the aspects of the jail) some people may find it usefull to use utilities like ping(8) or traceroute(8) from inside jails. Enclosed is a patch I have written which gives you the option of allowing prison-root to create raw sockets inside the prison, so

I am currently setting up a firewall that translates my internal network over to 5 public IP addresses. The addresses are dynamically assigned, so I use ddclient to update my www.dyndns.org account. I've set up several aliases on the external interface of the firewall, and succeeded in having the internal computers use those extra public IPs. What I want to do is have 5 copies of ddclient

Hello, I'm trying to work through an issue that cropped up on a server I've been working on and haven't found a very good workaround. Dovecot is operating in a jailed environment. The configuration in dovecot-sql.conf.ext has been set appropriately with the host=127.0.0.1 (which works from a jailed environment) and when dovecot attempts to auth it appears to perform a reverse dns

I read this (http://www.petur.eu/blog/?p=459) blog post today. It's about that a remote user with root privilegs to a FreeBSD jail & user privileges to the jails host machine can obtain root privileges on the host machine. Can someone confirm if this bugg/exploit works?

On 2/17/19 8:18 PM, Rowland Penny via samba wrote: > Possible things to check: > Is the ip for vlan1 10.1.2.34 ? Sure. It's the only IP vlan1 has inside the jail; it's shown as an alias on the base host. > Try just setting 'vlan1' You mean change "interfaces=vlan1 10.1.2.34/24" to just "interfaces=vlan1"? It doesn't change anything (still