Hardening SSH connections on pfSense (part II)

In some situations, special or not so special, you want to trace user sessions: for example on a critical server, or when you notice odd behaviour on one of your systems.

In a previous entry I explained how to set up a user account that can only create SSH tunnels, which keeps shells from being opened on your systems when they are not needed. When you do have to provide an interactive shell, you should at least make sure that you can review a log of the session in case you need to diagnose a problem in your infrastructure, and that is what I want to explain in this entry.

The first step is to set up a shell with logging enabled, so I am going to create a shell script and assign it as the custom shell of a user account. Let's create the file /bin/lsh (replace PATH_TO_LOG_FILES with the directory where the session logs should be written):

 #!/usr/local/bin/bash
 # Logging shell: wrap the user's interactive bash in a screen session that
 # records everything to a per-session log file.
 # Ignore SIGINT, SIGQUIT and SIGTSTP so the user cannot kill or suspend this
 # wrapper with Ctrl-C, Ctrl-\ or Ctrl-Z (SIGKILL cannot be trapped).
 trap : INT QUIT TSTP
 export SHELL=/bin/sh
 # -m: force a new session, -T: TERM inside screen, -s: shell to run,
 # -L -Logfile: enable logging to <user>_<timestamp>.log
 /usr/local/bin/bash -c '/usr/local/bin/screen -m -T xterm-256color -s /usr/local/bin/bash -L -Logfile PATH_TO_LOG_FILES/${LOGNAME}_`date +%Y%m%d-%H:%M:%S`.log'

You can download the previous script from here.
Note that bash needs to be installed on your system, so don't forget to run:

 # pkg install bash

The second step is to add the path of our new custom shell to the /etc/shells file (the path itself, one per line, which is what chsh expects; not the contents of the script):

 # echo /bin/lsh >> /etc/shells

Now we change the user's shell with the following command; in this case I am changing the shell of the "honeypot" user:

 # chsh -s /bin/lsh honeypot
 chsh: user information updated
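The three steps above are easy to get slightly wrong by hand (appending the script body instead of its path to /etc/shells, listing the path twice, or registering a file that is not executable yet and locking the user out). The helper functions below are an added example, not code from the original post: every function takes the files it touches as arguments, so it can be tried against temporary copies before being pointed at /etc/shells and /etc/passwd on the firewall. The function names, the /var/log/lsh directory and the sample passwd lines are this example's own. One caveat the page does not state: screen writes the log as the logged-in user, so that user can truncate or delete it; treat these logs as a diagnostic aid rather than a tamper-proof audit trail, and copy them off the box if you need the latter.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for installing the
# logging shell safely. On pfSense you would run, as root:
#   register_login_shell /etc/shells /bin/lsh
#   users_with_shell /etc/passwd /bin/lsh
# Function and variable names are this example's own assumptions.

# register_login_shell SHELLS_FILE SHELL_PATH
# Appends SHELL_PATH to SHELLS_FILE as a single line (what chsh(1) expects)
# unless it is already listed. Refuses relative or non-executable paths, so
# a typo is caught here instead of at the user's next login.
register_login_shell() {
    shells_file=$1
    shell_path=$2
    case $shell_path in
        /*) ;;
        *)  echo "refusing non-absolute shell path: $shell_path" >&2; return 1 ;;
    esac
    if [ ! -x "$shell_path" ]; then
        echo "not executable: $shell_path" >&2
        return 1
    fi
    # -F: literal match, -x: whole line, so /bin/lsh does not match /bin/lsh2
    if grep -qxF -- "$shell_path" "$shells_file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$shell_path" >> "$shells_file"
}

# session_log_path LOGDIR USER [TIMESTAMP]
# Builds the per-session log name the lsh script produces, so a monitoring
# job can compute the expected file for a given login. TIMESTAMP defaults
# to now, in the same date format the script uses.
session_log_path() {
    printf '%s/%s_%s.log\n' "$1" "$2" "${3:-$(date +%Y%m%d-%H:%M:%S)}"
}

# users_with_shell PASSWD_FILE SHELL_PATH
# Lists the accounts whose login shell is SHELL_PATH: the check to run after
# chsh to confirm that exactly the intended accounts got the logging shell.
users_with_shell() {
    awk -F: -v s="$2" '$7 == s { print $1 }' "$1"
}
```

After `chsh -s /bin/lsh honeypot`, `users_with_shell /etc/passwd /bin/lsh` should print only `honeypot`; any other name means a second account has been switched to the logging shell without you noticing.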

Troubleshooting

While working toward a functional version of these settings I experienced, many times, a weird glitch when the screen window showed up. Since other sessions did not have this problem, I wanted to compare the environment variables of an xterm session with those of this new screen session, so I played with adding the following commands to the /bin/lsh script:

 ...
 #env
 #sleep 10
 ...

This is how I found that I had not set the SHELL environment variable properly.

That’s all folks!

“The land belongs to its workers”
— Emiliano Zapata
