Little help with chroot etc for locking down permission on vps

Hey guys. I currently have a vps that I'm using for ssh tunneling.

No extra programs, just basic ssh. I have a couple users connected so I want to make this thing as secure as possible.

I was wondering if anyone knew any commands which can basically lock out all possible read/write/execute for all users except root.

Right now I'm not using groups, so maybe that might be a good alternative too, to help clean it up a little.

Just trying to add a little more security to this system, but still a noob

A little more background info on what I'm exactly doing with this in case you need it. I want the users to connect to my SSH just so they can mask their IP. Just by establishing a connection I just want to route their information through the vps. They don’t need access to read, write or execute anything as far as I'm concerned, just connect so information can be routed and they can have a masked IP.

Well, I imagine they’d need to be able to execute ssh to their actual destination. Otherwise they just log in and get dumped out and stop.

You can do a lot with sshd_config Match statements. You can limit permissions for a group with Match. You may want to look into ForceCommand in openssh as well! openssh Match blocks have a lot of great ways to jail/limit permissions in the newer versions.

pretty much what we want to do is

allow a user to connect to our server via ssh and establish and maintain a connection so they can use it as a tunnel for skype.

as far as user permissions go, we want to make it so users are unable to do ANYTHING else. we don’t want them being able to use netstat, wget, mkdir, read/write/execute files or anything pretty much. it has to be completely locked down so all they’re able to do is login on putty, be greeted by our MOTD and then be able to use the connection they’ve established via putty and allow their skype to tunnel through it (not sure if I even worded that correctly)

we don’t know anything about linux to be honest

if you need a better idea, we can provide you with a login so you can see how we’ve got it setup so far. its far from perfect but it should provide a general idea as to what we want to do.

I see. Okay, then here’s the best way I’m thinking. Just a little user management. I don’t know how your user situation is (is everyone given an account, is everyone just logging in through the same guest?)

Either way, you want to set their shell to something like /bin/false and that keeps them from actually being able to log in to the server at all. SSH will authenticate, and then immediately die.

But wait, we need to keep the tunnel open! Well, good news.

ssh -N

the -N argument for SSH:
-N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).

So basically their ssh window will launch and do nothing but be open, no shell, no commands allowed, but as long as that window is open, it’ll remain a tunnel.

So then you have to set up the SOCKS5 tunneling through SSH, the ports on your server, etc etc.

Now it gets a little trickier depending on how they connect to your server. Using putty? Well, you can’t put arguments into the putty login screen. You can start putty on the command line, and pass it -ssh as an argument, I haven’t tested whether you can pass that further arguments. But worry not!

In the putty GUI you can go to SSH > and select "do not open a shell or execute a command" then go to SSH > Tunnels > and set up the tunnel and tunnel ports.

When you open the ssh connection and input the username and password, the screen will just be a blank empty screen, but the connection will be established. Then you/they have to set up your skype to tunnel through the SOCKS proxy.

This is entirely untested by me, but should totally work. This is actually a pretty fun idea, I may test this later at night when I’m on my windows machine, and do a little write-up about it later.
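The sshd_config Match/ForceCommand idea from the earlier reply and the "no shell, just a tunnel" setup described in this post can be checked on the server side rather than trusted blindly. The script below is an added example written for this thread, not something posted by theleman or shipped with OpenSSH: it embeds a constructed sshd_config (the group name `tunnelers` and all values are assumptions) and audits the `Match Group` block for the settings a tunnel-only account needs, namely TCP forwarding allowed, no TTY, no X11 or agent forwarding, no layer-2/3 tunnel, and a ForceCommand so a session request cannot turn into a shell. The parser follows sshd's own rules as I understand them: keywords are case-insensitive, the first occurrence of a keyword wins, and a value in a Match block overrides the global one for connections that match.

```python
"""Audit an sshd_config for a 'tunnel-only' group (added example, not OpenSSH code).

Client side of the setup this thread describes (PuTTY: "Don't start a shell
or command" + Tunnels > Dynamic), in OpenSSH terms:
    ssh -N -D 1080 user@vps     # constructed example, no command, SOCKS on localhost:1080
"""

# Constructed sample config; group name 'tunnelers' is an assumption.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
AllowTcpForwarding no
X11Forwarding no

# Accounts in this group may only forward ports, nothing else.
Match Group tunnelers
    AllowTcpForwarding yes
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    ForceCommand /bin/false
"""

# sshd's built-in defaults for the keywords we care about (lowercased keys).
SSHD_DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permittty": "yes",
    "x11forwarding": "no",
    "allowagentforwarding": "yes",
    "permittunnel": "no",
}

# What a tunnel-only Match block must resolve to. "local" covers -D/-L only,
# which is tighter than "yes" and still enough for a SOCKS tunnel.
REQUIRED = {
    "allowtcpforwarding": {"yes", "local"},
    "permittty": {"no"},
    "x11forwarding": {"no"},
    "allowagentforwarding": {"no"},
    "permittunnel": {"no"},
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    match_blocks maps the lowercased Match criteria (e.g. 'group tunnelers')
    to that block's settings. Keys are lowercased because sshd keywords are
    case-insensitive; setdefault keeps the first value, as sshd does.
    """
    global_cfg, blocks = {}, {}
    current = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # Every following keyword belongs to this block until the next Match.
            current = blocks.setdefault(value.lower(), {})
            continue
        current.setdefault(key, value)
    return global_cfg, blocks


def audit_tunnel_group(text, group):
    """Return a list of findings; an empty list means the group looks tunnel-only."""
    global_cfg, blocks = parse_sshd_config(text)
    block = blocks.get(f"group {group.lower()}")
    if block is None:
        return [f"no 'Match Group {group}' block found"]
    findings = []
    for key, allowed in REQUIRED.items():
        # Effective value: Match block, then global section, then sshd default.
        value = block.get(key, global_cfg.get(key, SSHD_DEFAULTS[key]))
        if value.lower() not in allowed:
            findings.append(f"{key} resolves to '{value}', expected one of {sorted(allowed)}")
    if "forcecommand" not in block:
        findings.append("ForceCommand not set: a session request could still reach the login shell")
    return findings


if __name__ == "__main__":
    for finding in audit_tunnel_group(SAMPLE_SSHD_CONFIG, "tunnelers") or ["OK: tunnelers is tunnel-only"]:
        print(finding)
```

Run it against a copy of the real file (`open("/etc/ssh/sshd_config").read()` in place of the sample) after editing, then `sshd -t` to syntax-check before reloading. Two caveats worth knowing: ForceCommand is executed through the user's login shell, so with `/bin/false` as the shell the forced command never runs, which is fine here since the goal is that nothing runs; and the Match block only restricts what sshd grants, so the account still needs AllowTcpForwarding to resolve to yes or local or the SOCKS tunnel will silently fail.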

sounds like a real good idea theleman. I’ll test it out and see how it goes.

<3

also to add, we are using separate login accounts for each user and they’re connecting via putty.

do you happen to have any experience with Squid by any chance?

we’ve heard that’s an alternative to what we want to do that will eliminate the need for our users to have putty open at all times by just being able to create a SOCKS5 proxy for them with their own login or whatever

I’ve never used Squid, but I’m just a junior linux nerd. When I was talking about tunneling today with my boss, he mentioned squid. I’ll ask him tomorrow, and do a bit of reading. I’ll let you know what I find out.

Why not just use a vpn client like openvpn? it’s free, and exactly what you need already without dealing with ssh clients