Jailing psyBNC, inetd and identd on FreeBSD

Jani Reinikainen,

I'm a firm believer in jailing services for some added security. I did this on FreeBSD 5.3-RELEASE. I'm not sure how well this works on other operating systems.

First, setup the jail. I use a small shell script for the task.

Next, add a user for the psyBNC daemon and setup networking in the jailcell.

Next, jail yourself to the newly created jail and download and install psyBNC. Include oidentd support in psyBNC.

psyBNC is now compiled and installed. Let's modify the jailcell's /etc/inetd.conf, so that identd can be run. Add a line such as this:

auth stream tcp nowait root internal auth -r -F -n -o UNIX -t 30

Note that some IRC daemons require a valid operating system string from the ident daemon, and that's exactly why I'm using "UNIX" here (i.e. "UNKNOWN" won't work in some cases). Identd is pretty useless really, but some IRC daemons require a valid ident response when connecting. If you have a tilde (~) in front of your username, the IRC daemon did NOT recieve a valid ident response.

Remember to open up port 113 in any possible firewalls.

As psyBNC always runs as the user it's started with (i.e. "psybnc" in this case - never run it as root!), we need to setup ident spoofing. The identd that ships with FreeBSD supports ~/.fakeid files, but psyBNC wants a ~/.ispoof file. Luckily, the format of the files is the same, and thus the easiest solution is to create a symlink such as this:

Start psyBNC and inetd in the jailcell with the commands:

You can check that the psyBNC and inet daemons are actually running in the jailcell, by first exiting the jailcell, and the running:

You know that the daemons are jailed when you see a see a "J" in the STAT column for the processes.

The jail created by the jailsetup.sh script is a bit too large for a simple setup such as this. Once you get everything working, you can go on a deleting spree. I usually do something like this inside the jailcell: