Hello,
Who can help me with a ACL for sshd?!
How should i configure the learning mode, to get the best result?
Thanx,
^r00t^
good ACL for sshd
5 posts
• Page 1 of 1
good ACL for sshd
by ^r00t^ » Wed Oct 23, 2002 9:36 am
- ^r00t^
- Posts: 1
- Joined: Wed Oct 23, 2002 9:29 am
by Sharky » Sun Nov 03, 2002 11:08 pm
Hey Their
Here's My sshd ACL version I run an SSHD SERVER for Shell./webhosting providing.
/usr/sbin/sshd lo {
/ h
-CAP_ALL
RES_FSIZE 0 0
RES_DATA 0 0
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0
connect {
disabled
}
bind {
disabled
}
}
after about 12 hours , here's the Learn mode Generated ACL
-----------------------------------------------------------------------------------
/usr/sbin/sshd o {
/var/log
/tmp/ssh-XXmHU33n/agent.2585 w
/tmp/ssh-XXZCt281/agent.2696 w
/tmp/ssh-XXXXkxqh/agent.848 w
/tmp/ssh-XX3De1zI/agent.2026 w
/tmp w
/proc/2896/fd/0
/proc/2895/fd/8
/proc/2842/fd/0
/proc/2829/fd/7
/proc/2697/fd/0
/proc/2696/fd/8
/proc/2645/fd/0
/proc/2643/fd/7
/proc/2586/fd/0
/proc/2585/fd/8
/proc/2536/fd/0
/proc/2535/fd/7
/proc/2309/fd/0
/proc/2308/fd/7
/proc/2027/fd/0
/proc/2026/fd/8
/proc
/home/gr
/home/admin
/etc/ssh/moduli r
/etc/security/pam_env.conf r
/etc/security/limits.conf r
/etc/security/console.perms r
/etc/pam.d/system-auth r
/etc/pam.d/sshd r
/etc/pam.d/other r
/etc/pam.d
/etc r
/dev/pts/1 rw
/dev/pts/0 w
/dev/pts
/ h
/usr/sbin/sshd x
/bin/bash x
/dev/log
/dev/null rw
/dev/ptmx rw
/dev/pts/2 rw
/dev/pts/3 rw
/dev/tty rw
/etc/ld.so.cache rx
/lib/i686/libc-2.2.5.so x
/lib rx
/lib/security rx
/sbin/insmod x
/usr/lib/libcrack.so.2.7 rx
/usr/lib/libglib-1.2.so.0.0.10 rx
/usr/lib/libz.so.1.1.3 x
/var/log/lastlog rw
/var/log/wtmp w
/var/run w
/var/run/sshd.pid w
/var/run/utmp rw
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_TTY_CONFIG
RES_FSIZE 201840 201840
RES_DATA 259856 259856
RES_STACK 152552 152552
RES_RSS 0 0
RES_NPROC 45 45
RES_NOFILE 14 9
RES_MEMLOCK 0 0
RES_AS 4305184 4305184
RES_LOCKS 0 0
connect {
66.201.235.79:53 dgram udp
}
bind {
disabled
}
}
I hope this could help
Here's My sshd ACL version I run an SSHD SERVER for Shell./webhosting providing.
/usr/sbin/sshd lo {
/ h
-CAP_ALL
RES_FSIZE 0 0
RES_DATA 0 0
RES_RSS 0 0
RES_NOFILE 0 0
RES_MEMLOCK 0 0
RES_STACK 0 0
RES_AS 0 0
RES_NPROC 0 0
RES_LOCKS 0 0
connect {
disabled
}
bind {
disabled
}
}
after about 12 hours , here's the Learn mode Generated ACL
-----------------------------------------------------------------------------------
/usr/sbin/sshd o {
/var/log
/tmp/ssh-XXmHU33n/agent.2585 w
/tmp/ssh-XXZCt281/agent.2696 w
/tmp/ssh-XXXXkxqh/agent.848 w
/tmp/ssh-XX3De1zI/agent.2026 w
/tmp w
/proc/2896/fd/0
/proc/2895/fd/8
/proc/2842/fd/0
/proc/2829/fd/7
/proc/2697/fd/0
/proc/2696/fd/8
/proc/2645/fd/0
/proc/2643/fd/7
/proc/2586/fd/0
/proc/2585/fd/8
/proc/2536/fd/0
/proc/2535/fd/7
/proc/2309/fd/0
/proc/2308/fd/7
/proc/2027/fd/0
/proc/2026/fd/8
/proc
/home/gr
/home/admin
/etc/ssh/moduli r
/etc/security/pam_env.conf r
/etc/security/limits.conf r
/etc/security/console.perms r
/etc/pam.d/system-auth r
/etc/pam.d/sshd r
/etc/pam.d/other r
/etc/pam.d
/etc r
/dev/pts/1 rw
/dev/pts/0 w
/dev/pts
/ h
/usr/sbin/sshd x
/bin/bash x
/dev/log
/dev/null rw
/dev/ptmx rw
/dev/pts/2 rw
/dev/pts/3 rw
/dev/tty rw
/etc/ld.so.cache rx
/lib/i686/libc-2.2.5.so x
/lib rx
/lib/security rx
/sbin/insmod x
/usr/lib/libcrack.so.2.7 rx
/usr/lib/libglib-1.2.so.0.0.10 rx
/usr/lib/libz.so.1.1.3 x
/var/log/lastlog rw
/var/log/wtmp w
/var/run w
/var/run/sshd.pid w
/var/run/utmp rw
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_TTY_CONFIG
RES_FSIZE 201840 201840
RES_DATA 259856 259856
RES_STACK 152552 152552
RES_RSS 0 0
RES_NPROC 45 45
RES_NOFILE 14 9
RES_MEMLOCK 0 0
RES_AS 4305184 4305184
RES_LOCKS 0 0
connect {
66.201.235.79:53 dgram udp
}
bind {
disabled
}
}
I hope this could help
- Sharky
- Posts: 43
- Joined: Fri Nov 01, 2002 10:12 pm
by spender » Sun Nov 03, 2002 11:20 pm
you can get rid of the subdirs of /proc in the acl, and the stuff for /tmp as well. The reduced ACL handles them. The reason I don't do this automatically in the code is because it's another O(n^2) operation...i'll find a way to make it faster though, so that I can do it automatically.
-Brad
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
by Officerrr » Wed Feb 05, 2003 1:25 am
Slackware 9.0b OpenSSH 3.5p1:
- Code: Select all
/usr/sbin/sshd opX {
/ h
/etc r
/etc/ssh r
/etc/ld.so.cache rx
/etc/grsec h
/var/empty
/var/log
/var/log/wtmp w
/var/log/lastlog rw
/var/run/utmp rw
/var/run/sshd.pid rw
/var/run
/usr/lib rx
/usr/libexec/sftp-server
/usr/share r
/home
/lib rx
/root
/tmp rw
/proc
/dev/urandom r
/dev/tty rw
/dev/pts rw
/dev/ptmx rw
/dev/null rw
/dev/log rw
/bin/bash x
/usr/sbin/sshd x
-CAP_ALL
+CAP_CHOWN
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
+CAP_SYS_CHROOT
+CAP_DAC_OVERRIDE
+CAP_SYS_TTY_CONFIG
RES_CRASH 1 10m
connect {
127.0.0.1/32:21 stream tcp
0.0.0.0/0:53 stream tcp
0.0.0.0/0:113 stream tcp
0.0.0.0/0:53 dgram udp
}
bind {
0.0.0.0/0:22 stream tcp
}
}
/usr/libexec/sftp-server oX {
/ h
/etc/group r
/etc/grsec h
/etc/nsswitch.conf r
/etc/ld.so.cache rx
/etc/passwd r
/usr/lib rx
/usr/libexec/sftp-server x
/usr/share r
/tmp rw
/root rw
/proc
/lib rx
/home rw
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
connect {
disabled
}
bind {
disabled
}
}
- Officerrr
- Posts: 1
- Joined: Wed Feb 05, 2003 1:01 am
5 posts
• Page 1 of 1