Install rbash as a "restricted shell" for ssh console logins on SME Server

From wiki.linuxonlinehelp.de

SME Server Hardening with a restricted shell called rbash

If you have enabled a user to log in to the SME Server via ssh (for example with the PuTTY tool), that user can browse the root filesystem.

To prevent this root filesystem browsing, use "rbash". This does not work with the tmux and screen multiplexers, because users can break out of the restricted shell through them!

Remark: rbash is not 100% secure. The server's consoles should never be reachable from the Internet!

Howto:

1. Log in as root on the SME Server's ssh console

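2. Create a symlink from rbash to bash

# Keep a root-only copy of bash; /bin/bash itself must stay in place,
# because the rbash symlink and root's own login shell point at it
cp -p /bin/bash /bin/orgbash
chmod 700 /bin/orgbash
# Make csh executable by root only
chmod 700 /bin/csh
# /bin/sh is a symlink to bash here and chmod follows symlinks, so it is
# left alone: mode 700 would lock users out of /bin/rbash as well
# bash runs in restricted mode when started under the name rbash
ln -s /bin/bash /bin/rbash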

3. Enable rbash by adding it to the system setting /etc/shells

echo '/bin/rbash' >> /etc/shells

4. Set the user's shell to /bin/rbash

chsh -s /bin/rbash USERNAME   # replace USERNAME with the account to restrict

5. Disable "chsh" command for users

chmod o= /bin/chsh

6. Log in as the user and test Linux commands, or try to break out!
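
A scripted version of the checks behind steps 3, 4 and 6, added here as an example (it is not part of the original wiki page): it tests that /bin/rbash really starts in restricted mode, that it is listed in /etc/shells, and which accounts still have an unrestricted login shell. The function names and the sample passwd entries are made up for illustration.

```shell
#!/bin/sh
# Added example: post-install checks for the rbash setup described above.

# Succeeds only if the given shell refuses the four things a restricted
# bash must refuse: cd, "/" in command names, output redirection and
# changing PATH. Run it as root from an unrestricted shell.
restrictions_hold() {
    shell=$1
    for probe in 'cd /' '/bin/true' 'echo x > /dev/null' 'PATH=/bin'; do
        if "$shell" -c "$probe" >/dev/null 2>&1; then
            echo "NOT restricted: $shell allowed: $probe"
            return 1
        fi
    done
    return 0
}

# Succeeds if /bin/rbash is listed in the given shells file (step 3).
rbash_registered() {
    grep -qx '/bin/rbash' "$1"
}

# Prints "user:shell" for every account in a passwd-format file (or stdin)
# whose login shell is not /bin/rbash (step 4). root and accounts with
# non-interactive shells (nologin, false, sync, shutdown, halt) are skipped.
unrestricted_accounts() {
    awk -F: '$1 != "root" &&
             $7 !~ /(nologin|false|sync|shutdown|halt)$/ &&
             $7 != "/bin/rbash" { print $1 ":" $7 }' "${1:--}"
}

# Constructed sample data, not taken from a real server.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:5001:5001:Alice:/home/alice:/bin/rbash
bob:x:5002:5002:Bob:/home/bob:/bin/bash
EOF
}

# On the server, as root:
#   restrictions_hold /bin/rbash && rbash_registered /etc/shells
#   unrestricted_accounts /etc/passwd
sample_passwd | unrestricted_accounts    # prints: bob:/bin/bash
```

Any account that unrestricted_accounts prints can still browse the root filesystem after login.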