cazz
(Carsten J)
January 16, 2022, 12:37pm
1
I have seen some old topics here about this question, and I just wonder whether it has been made simple to create a secure file server with NethServer.
I was thinking SFTP with a chrooted jail environment and fail2ban.
I just wonder whether that is still done with templates and scripts, or is it easier now with the GUI?
mrmarkuz
(Markus Neuberger)
January 16, 2022, 9:05pm
2
You still need a custom template for the chroot jail.
Fail2ban already blocks bad SSH logins and there’s also 2FA for SSH for additional security.
cazz
(Carsten J)
January 17, 2022, 3:59pm
3
Ahh OK, then I'm going to see what I can do.
Thanks
cazz
(Carsten J)
January 17, 2022, 4:37pm
4
Hi again
I did find this that did look simple
SFTP chroot howto - Howto - NethServer Community
but have not got it to work.
I have created a user and a group in the GUI, and it can log in to SFTP but is not in a chroot jail.
I think it has something to do with how to connect the template to the group.
NethServer has a local LDAP that has a user and group (called chrooted), but I'm not sure how to connect the group from LDAP to the template.
I have tried with both “chrooted@mydomain.se” and “chrooted@sftp.mydomain.se” and even just “chrooted”.
mrmarkuz
(Markus Neuberger)
January 17, 2022, 7:10pm
5
There’s an error in the howto.
To apply the configuration and write the config files for sshd
signal-event nethserver-openssh-save
is needed instead of
signal-event nethserver-sssd-save
You may check if /etc/ssh/sshd_config
contains the needed line for chroot:
ChrootDirectory /var/lib/nethserver/home/
cazz
(Carsten J)
January 17, 2022, 7:20pm
6
Thanks, now it works
The only thing, and I’m not sure if it can be done, is that now the script has made it so they can’t go outside the home folder and they can’t access each other’s folders, but they can see the names of other people’s home folders. Is it possible to make them stay inside their own home folders?
I did try to add
/var/lib/nethserver/home/%u
but then I can’t access SFTP
mrmarkuz
(Markus Neuberger)
January 17, 2022, 7:36pm
7
Yes, the home folders need to be owned by root to make chroot work.
This should work for the home folders:
ChrootDirectory %h
cazz
(Carsten J)
January 17, 2022, 7:44pm
8
If I use %h I can’t log in at all.
It just says error and I have to look in the log.
But it is OK, as long as it works I’m happy.
mrmarkuz
(Markus Neuberger)
January 17, 2022, 7:46pm
9
Did you change owner for the user folder?
chown root: /var/lib/nethserver/home/user
cazz
(Carsten J)
January 17, 2022, 7:51pm
10
Yes, I did, and now the user has no access to its own home folders.
mrmarkuz
(Markus Neuberger)
January 17, 2022, 7:59pm
11
Sorry, you need to set permissions too:
chmod 755 /var/lib/nethserver/home/user
Source:
1 Like
cazz
(Carsten J)
January 17, 2022, 8:04pm
12
OK, I have read it, but 755 makes a user access his and his friends’ home folders.
That they can see the names of other people’s home folders is OK.
1 Like
pagaille
(Matthieu Gaillet)
February 1, 2022, 8:13am
13
Thanks for correcting that, @mrmarkuz. @cazz, I’m happy my howto could help someone else.
1 Like
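An added example, not part of the thread or of NethServer: a check for the rule behind posts 7 to 11. Per sshd_config(5), every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or others. The `owner_uid` and `start` parameters and the temporary directory layout are assumptions of this example so it can run without root.

```python
import os
import stat
import tempfile

def chroot_path_problems(path, owner_uid=0, start="/"):
    """Return the reasons sshd would reject `path` as a ChrootDirectory.

    Every component from `start` down to `path` must be a directory, owned by
    `owner_uid` (root, uid 0, on a real server) and not group/world writable.
    `owner_uid` and `start` exist only so the check can be tried without root.
    """
    path = os.path.realpath(path)
    start = os.path.realpath(start)
    if os.path.commonpath([path, start]) != start:
        raise ValueError(f"{path} is not below {start}")
    # Build the component list: start, start/a, start/a/b, ... path
    components = [start]
    rel = os.path.relpath(path, start)
    if rel != ".":
        for part in rel.split(os.sep):
            components.append(os.path.join(components[-1], part))
    problems = []
    for comp in components:
        st = os.stat(comp)
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{comp}: not a directory")
        if st.st_uid != owner_uid:
            problems.append(f"{comp}: owned by uid {st.st_uid}, expected {owner_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            problems.append(f"{comp}: mode {mode:o} is group/world writable")
    return problems

def demo():
    """Constructed layout: a temp dir stands in for /var/lib/nethserver/home."""
    me = os.getuid()  # stands in for root so the demo runs unprivileged
    with tempfile.TemporaryDirectory() as base:
        os.chmod(base, 0o755)
        home = os.path.join(base, "user")
        os.mkdir(home)
        os.chmod(home, 0o775)  # group-writable: sshd would refuse the chroot
        before = chroot_path_problems(home, owner_uid=me, start=base)
        os.chmod(home, 0o755)  # the chmod 755 from the thread
        after = chroot_path_problems(home, owner_uid=me, start=base)
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a server, call `chroot_path_problems("/var/lib/nethserver/home/user")` with the defaults; an empty list means the path meets sshd's ownership and mode requirements.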