«
»






Creative Commons License
This work is licenced under a Creative Commons Licence.

Jailing psyBNC, inetd and identd on FreeBSD

I’m a firm believer in jailing services for some added security. I did
this on FreeBSD 5.3-RELEASE. I’m not sure how well this works on other
operating systems.

First, setup the jail. I use a small shell
script for the task.

# ./jailsetup.sh 10.0.0.7

Next, add a user for the psyBNC daemon and setup networking in the
jailcell.

# adduser

# cp /etc/passwd /usr/jail/10.0.0.7/etc
# cp /etc/group /usr/jail/10.0.0.7/etc
# cp /etc/resolv.conf /usr/jail/10.0.0.7/etc

Next, jail yourself to the newly created jail and download and install
psyBNC. Include oidentd support in psyBNC.

# jail /usr/jail/10.0.0.7/ psybnc 10.0.0.7 /usr/local/bin/bash
# mkdir /usr/local/psybnc
# chown psybnc:psybnc /usr/local/psybnc

# su psybnc
$ cd /usr/local
$ wget http://www.psychoid.lam3rz.de/psyBNC2.3.2-4.tar.gz
$ tar xfvz psyBNC2.3.2-4.tar.gz
$ cd /usr/local/psybnc
$ make menuconfig
$ make

psyBNC is now compiled and installed. Let’s modify the jailcell’s
/etc/inetd.conf, so that identd can be run. Add a line such as this:

auth stream tcp nowait root internal auth -r -F -n -o UNIX -t 30

Note that some IRC daemons require a valid operating system string
from the ident daemon, and that’s exactly why I’m using “UNIX” here
(i.e. “UNKNOWN” won’t work in some cases). Identd is pretty useless really,
but some IRC daemons require a valid ident response when connecting. If
you have a tilde (~) in front of your username, the IRC daemon did NOT
recieve a valid ident response.

Remember to open up port 113 in any possible firewalls.

As psyBNC always runs as the user it’s started with (i.e. “psybnc” in
this case – never run it as root!), we need to setup ident spoofing. The identd that ships with
FreeBSD supports ~/.fakeid files, but psyBNC wants a ~/.ispoof file.
Luckily, the format of the files is the same, and thus the easiest solution
is to create a symlink such as this:

$ touch ~/.fakeid

$ ln -s ~/.fakeid ~/.ispoof

Start psyBNC and inetd in the jailcell with the commands:

$ /usr/local/psybnc/psybnc
# inetd

You can check that the psyBNC and inet daemons are actually running in
the jailcell, by first exiting the jailcell, and the running:

$ ps aux | grep psybnc
$ ps aux | grep inetd

You know that the daemons are jailed when you see a see a “J” in the
STAT column for the processes.

The jail created by the jailsetup.sh script is a bit too large for a
simple setup such as this. Once you get everything working, you can go on
a deleting spree. I usually do something like this inside the jailcell:

# rm -r /usr/obj /usr/src /usr/include /usr/ports /usr/games /usr/X11R6
# rm -r /boot /mnt /proc /root /sbin

# rm -r /usr/local/bin /usr/local/include /usr/local/info /usr/local/man /usr/local/share

Tags: , , ,

This entry was posted on Saturday, October 3rd, 2009 at 11:11 and is filed under Linux/BSD Server Solutions. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

Spam protection by WP Captcha-Free