Open hirokomatsui opened 4 years ago
Also can you remove gaulton as well as his home directory.
Yes and Yes. One moment.
Steps, just in case this becomes a regular item:
useradd -s /sbin/nologin -d /frazer01/home/gaowei -g 100 gaowei
chown root: ~gaowei
mkdir ~gaowei/upload
chown gaowei: ~gaowei/upload
Remember they need to cd into "upload" now due to security enhancements in chroot sshd.
Edit /etc/ssh/sshd_config
Match User gaowei
ChrootDirectory /frazer01/home/gaowei
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
Set a password:
passwd gaowei
Wait for puppet to propagate. (Forced it) Tested upload. Emailed you password.
Oh, and I made it available on both flh1 and flh2... removing gaulton.
Thanks!
No prob! Just advise if issues!
We have to get him to upload the data again. So I re-created the user account. I did delete the user once:
userdel gaowei
Then add the user as you described above:
useradd -s /sbin/nologin -d /frazer01/home/gaowei -g 100 gaowei
chown root: ~gaowei
mkdir ~gaowei/upload
chown gaowei: ~gaowei/upload
But I cannot log in as him:
sftp gaowei@flh1.ucsd.edu:/upload
gaowei@flh1.ucsd.edu's password:
Connected to flh1.ucsd.edu.
File "/upload" not found.
Can you check? I set the password: H4ZPYXgNxA
Try now. My umask may be more permissive than yours.
I added:
chmod 755 ~gaowei
It was 700.
With that added to the above it appears to work. I believe that as ssh drops privs it still has to be able to reference the chroot directory; 755 permissions allow that.
It works. Thanks!
Sorry, somehow I am never able to create a user. I created a new user, gaulton, the same way as above, and am getting this message:
$ sftp gaulton@flh1.ucsd.edu:/upload
gaulton@flh1.ucsd.edu's password:
Received message too long 1416128883
The password is k0vsykQmam in this case. Thanks!
You were close. You just needed to restart sshd.
That message is a long-standing "weird" SFTP output that results from login echoing some characters. In this case, because sshd was not restarted, the attempt at login hits /sbin/nologin instead of a shell:
This account is currently not available.
Which gets turned into that crazy error ;)
sftp re-tested after sshd restarted (service sshd restart) and works ok!
Got it, thanks!
For some reason, I've never been able to create user accounts myself. I created a user account, josh, on flh1 exactly the same as before for gaulton, and cannot log in as josh.
bash-4.2$ sftp josh@flh1.ucsd.edu:/upload
josh@flh1.ucsd.edu's password:
packet_write_wait: Connection to 169.228.63.174 port 22: Broken pipe
Couldn't read packet: Connection reset by peer
Do you have any idea? The password is viW6fGdiun
Looking
We don't allow that range... 169.228.63.174 isn't in the list of subnets we support in /etc/hosts.allow. I added:
sshd: 169.228.63.0/25.255.255.0 : ALLOW
Try again while I watch...
Wait...I've reversed the IP and the host...one sec.
Oh, are you running that command on flh1 itself? That's its own IP ;)
Ah, the problem is due to chroot restrictions. Have we done this since we moved to USS?
Dec 15 14:36:12 fl-hn1 sshd[25738]: fatal: bad ownership or modes for chroot directory component "/frazer01/" [postauth]
drwxrwxrwx 13 nfsnobody nfsnobody 5632 Nov 30 10:31 .
That is the permissions on the root of the /frazer01 share...chroot doesn't like that.
I propose we relocate this onto the local 14TB drive on fl-hn1....
I guess that's it. I'm changing the home directory on the local drive.
Perfect. Don't forget it also needs to be done in /etc/ssh/sshd_config. We should move the old copies of items in /export to the side.
# Support Upload
Match User josh
ChrootDirectory /export/chroot/josh
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
(where the chroot in the above is "whatever you want"; make sure it's owned by root)
Mmm, still doesn't work:
$ sftp josh@flh1.ucsd.edu:/upload
ssh: connect to host flh1.ucsd.edu port 22: Connection refused
Couldn't read packet: Connection reset by peer
Dec 15 14:46:31 fl-hn1 sshd[4357]: fatal: bad ownership or modes for chroot directory "/export/home/josh" [postauth]
chroot accounts have to have root ownership for the listed dir:
[root@fl-hn1 paul]# cd /export/home/josh/
[root@fl-hn1 josh]# ls -ald .
drwxr-xr-x 3 josh users 4096 Dec 15 14:41 .
^^^
[root@fl-hn1 josh]# chown root .
[root@fl-hn1 josh]# ls -ald .
drwxr-xr-x 3 root users 4096 Dec 15 14:41 .
sftp josh@localhost
josh@localhost's password:
josh@localhost's password:
Connected to localhost.
sftp> cd upload/
sftp> ls
sftp> mput foo
I can do that on flh1, but not from another server on campus.
What source IP? We block SSH to certain ranges....
/etc/hosts.allow contains the ranges. Those apply to any SSH use...not just chroot.
And on top of that iptables....IIRC So provide where you are trying and I'll see what I can see.
Oh, and to be more fun...fail2ban feels this system is a brute forcer now
I suspect that's you. One sec and I'll clear it and post the clearing method. (We might want to review this Wednesday.)
To unban a suspected brute forcer (accident this time)
fail2ban-client set sshd unbanip 169.228.63.210
169.228.63.210
[root@fl-hn1 paul]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 12358
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned: 104
   `- Banned IP list:
We can turn off fail2ban if you want. It mattered more when we allowed "ANY" for ssh.
It should be allowed: 169.228.63.252 igm-storage2.ucsd.edu
It was blocked due to the failures by fail2ban. Try again.
fail2ban is an anti-brute forcing program to monitor ssh. All the failures caused it to feel that IP was an attacker.
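To make the "Currently failed" / "Total banned" counters above concrete, here is an added example (not from the thread and not fail2ban's own code) that tallies sshd login failures per source address from log lines, which is the evidence the sshd jail acts on. The log lines are constructed for this example; 169.228.63.252 is the storage host mentioned above and 203.0.113.7 is a documentation address. fail2ban's real filter has more match patterns and only counts failures inside its findtime window, which this tally omits; the maxretry value (5 in fail2ban's stock jail.conf) is passed in as a parameter.

```shell
# Added example (not from the thread): count sshd failures per source IP the
# way fail2ban's sshd jail does before banning. Constructed log lines follow.
SAMPLE_LOG='Dec 15 14:50:01 fl-hn1 sshd[4410]: Failed password for josh from 169.228.63.252 port 50122 ssh2
Dec 15 14:50:03 fl-hn1 sshd[4410]: Failed password for josh from 169.228.63.252 port 50122 ssh2
Dec 15 14:50:05 fl-hn1 sshd[4410]: Failed password for josh from 169.228.63.252 port 50122 ssh2
Dec 15 14:50:40 fl-hn1 sshd[4415]: Failed password for josh from 169.228.63.252 port 50125 ssh2
Dec 15 14:50:42 fl-hn1 sshd[4415]: Failed password for josh from 169.228.63.252 port 50125 ssh2
Dec 15 14:51:10 fl-hn1 sshd[4420]: Accepted password for gaulton from 169.228.63.210 port 50130 ssh2
Dec 15 14:52:00 fl-hn1 sshd[4433]: Failed password for invalid user admin from 203.0.113.7 port 41000 ssh2'

# Read log lines on stdin; print "<failures> <ip>" per source, highest first.
# Only "Failed password/publickey for ... from <ip>" lines count as failures;
# "Accepted" lines are ignored, just as fail2ban ignores them.
ssh_failures_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed (password|publickey) for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Failure count for one address read from stdin log lines (0 if none).
failures_for_ip() {
    ssh_failures_by_ip | awk -v ip="$1" '$2 == ip { c = $1 } END { print c + 0 }'
}

# Addresses whose failure count reaches maxretry ($1): what fail2ban would ban.
would_be_banned() {
    ssh_failures_by_ip | awk -v max="$1" '$1 >= max { print $2 }'
}

# Demonstration on the constructed log, printing the unban command from above
# for each address that would have been banned.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | would_be_banned 5 |
        while read -r ip; do
            echo "would be banned: $ip  (clear with: fail2ban-client set sshd unbanip $ip)"
        done
}
```

With maxretry 5, the five failed attempts from 169.228.63.252 are enough for a ban while the single failure from 203.0.113.7 is not; on a real host the same tally comes from `journalctl -u sshd` or /var/log/secure rather than the constructed lines.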
I got it finally. Thank you for your help!
Can you create a restricted account like gaulton with the user name gaowei. Only on flh1 (or flh2) will be fine. Thank you!