Liens :
https://bastillebsd.org/getting-started/
https://hackacad.net/freebsd/2021/01/18/easy-freebsd-jail-management-bastille.html
[util01@station66 ~]$ sudo su
Password:
You have mail.
root@station66:/usr/home/util01 # root@station66:/usr/home/util01 # pkg install bastilleroot@station66:/usr/home/util01 # sysrc bastille_enable=YES
bastille_enable: -> YES
root@station66:/usr/home/util01 # Ouvrir :
/usr/local/etc/bastille/bastille.confChercher :
bastille_tzdata=""Remplacer par :
bastille_tzdata="Europe/Paris" Chercher :
bastille_zfs_enable=""Rempalcer par :
bastille_zfs_enable=YESChercher :
bastille_zfs_zpool=""Remplacer par :
A vérifier avec : zpool listbastille_zfs_zpool=zrootroot@station66:/usr/home/util01 # sysrc cloned_interfaces+=lo2
cloned_interfaces: lo1 -> lo1 lo2
root@station66:/usr/home/util01 # root@station66:/usr/home/util01 # sysrc ifconfig_lo2_name="bastille0"
ifconfig_lo2_name: -> bastille0
root@station66:/usr/home/util01 # root@station66:/usr/home/util01 # service netif cloneup
Created clone interfaces: lo2.
root@station66:/usr/home/util01 # root@station66:/usr/home/util01 # cat /etc/rc.conf
...
ifconfig_msk0="inet 192.168.1.66 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
cloned_interfaces="lo1 lo2"
jail_enable="YES"
jail_list="web.reseau01.local"
bastille_enable="YES"
ifconfig_lo2_name="bastille0"
root@station66:/usr/home/util01 #Créer :
/etc/pf.confAjouter :
ext_if est le nom de l'interface réseau externeext_if="msk0"
set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
## Enable dynamic rdr (see below) bastille 0.7+
rdr-anchor "rdr/*"
block in all
pass out quick keep state
antispoof for $ext_if inet #disable for VNET
pass in inet proto tcp from any to any port ssh flags S/SA keep stateroot@station66:/usr/home/util01 # sysrc pf_enable=YES
pf_enable: NO -> YESroot@station66:/usr/home/util01 # service pf start
Enabling pf.root@station66:/usr/home/util01 # bastille bootstrap 13.1-RELEASE update
Bootstrapping FreeBSD distfiles...
/usr/local/bastille/cache/13.1-RELEASE/MANIFES 1046 B 9038 kBps 00s
...
Bootstrap successful.
...
Scanning /usr/local/bastille/releases/13.1-RELEASE/usr/share/certs/trusted for certificates...
done.
root@station66:/usr/home/util01 # root@station66:/usr/home/util01 # bastille create alcatraz 13.1-RELEASE 192.168.1.221
Valid: (192.168.1.221).
Creating a thinjail...
[alcatraz]:
alcatraz: created
[alcatraz]:
Applying template: default/thin...
[alcatraz]:
Applying template: default/base...
[alcatraz]:
[alcatraz]: 0
[alcatraz]:
syslogd_flags: -s -> -ss
[alcatraz]:
sendmail_enable: NO -> NO
[alcatraz]:
sendmail_submit_enable: YES -> NO
[alcatraz]:
sendmail_outbound_enable: YES -> NO
[alcatraz]:
sendmail_msp_queue_enable: YES -> NO
[alcatraz]:
cron_flags: -> -J 60
[alcatraz]:
/etc/resolv.conf -> /usr/local/bastille/jails/alcatraz/root/etc/resolv.conf
Template applied: default/base
Template applied: default/thin
[alcatraz]:
alcatraz: removed
[alcatraz]:
alcatraz: created
root@station66:/usr/home/util01 # root@station66:/usr/home/util01 # bastille list
JID IP Address Hostname Path
web_reseau01_local 127.0.1.11 web.reseau01.local /jail/web.reseau01.local
alcatraz 192.168.1.221 alcatraz /usr/local/bastille/jails/alcatraz/root
root@station66:/usr/home/util01 # root@station66:/usr/home/util01 # bastille console alcatraz
[alcatraz]:
root@alcatraz:~ # root@station66:/usr/home/util01 # bastille sysrc alcatraz sshd_enable=YES
[alcatraz]:
sshd_enable: NO -> YES
root@station66:/usr/home/util01 # root@station66:/usr/home/util01 # bastille service alcatraz sshd start
[alcatraz]:
Generating RSA host key.
3072 SHA256:ks4DnAQpkNCqLw9Z4XY827Km4oTGahX7O0QGxkDICQI root@alcatraz (RSA)
Generating ECDSA host key.
256 SHA256:B3Js9g40tsLBtOO985UTWLzEQ+WcsqEHfivw4ifyjJ0 root@alcatraz (ECDSA)
Generating ED25519 host key.
256 SHA256:N6ESBxpkvlirTyy75SCGoD0Zxp2KCxHeKV3rsX7G5gE root@alcatraz (ED25519)
Performing sanity check on sshd configuration.
Starting sshd.
root@station66:/usr/home/util01 # root@alcatraz:~ # passwd
Changing local password for root
New Password:
Retype New Password:
root@alcatraz:~ # root@alcatraz:~ # adduser
Username: util01
...
Goodbye!
root@alcatraz:~ # root@station66:/usr/home/util01 # ssh util01@192.168.1.221
Password for util01@alcatraz:
To do a fast search for a file, try
locate filename
locate uses a database that is updated every Saturday (assuming your computer
is running FreeBSD at the time) to quickly find files based on name only.
util01@alcatraz:~ $ root@alcatraz:~ # pkg install pkg
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[alcatraz] Installing pkg-1.18.3...
[alcatraz] Extracting pkg-1.18.3: 100%
Updating FreeBSD repository catalogue...
[alcatraz] Fetching meta.conf: 100% 163 B 0.2kB/s 00:01
[alcatraz] Fetching packagesite.pkg: 100% 6 MiB 286.8kB/s 00:23
Processing entries: 100%
FreeBSD repository update completed. 31626 packages processed.
All repositories are up to date.
Updating database digests format: 100%
pkg: No packages available to install matching 'visudo' have been found in the repositories
root@alcatraz:~ # root@alcatraz:~ # pkg install sudo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
gettext-runtime: 0.21
indexinfo: 0.3.1
sudo: 1.9.11p3
Number of packages to be installed: 3
The process will require 8 MiB more space.
2 MiB to be downloaded.
Proceed with this action? [y/N]: y
[alcatraz] [1/3] Fetching indexinfo-0.3.1.pkg: 100% 6 KiB 5.7kB/s 00:01
[alcatraz] [2/3] Fetching sudo-1.9.11p3.pkg: 100% 2 MiB 264.0kB/s 00:06
[alcatraz] [3/3] Fetching gettext-runtime-0.21.pkg: 100% 166 KiB 169.9kB/s 00:01
Checking integrity... done (0 conflicting)
[alcatraz] [1/3] Installing indexinfo-0.3.1...
[alcatraz] [1/3] Extracting indexinfo-0.3.1: 100%
[alcatraz] [2/3] Installing gettext-runtime-0.21...
[alcatraz] [2/3] Extracting gettext-runtime-0.21: 100%
[alcatraz] [3/3] Installing sudo-1.9.11p3...
[alcatraz] [3/3] Extracting sudo-1.9.11p3: 100%
root@alcatraz:~ # root@alcatraz:~ # visudoChercher :
root ALL=(ALL) ALLAjouter après :
util01 ALL=(ALL) ALLroot@station66:/usr/home/util01 # ssh util01@192.168.1.221
Password for util01@alcatraz:
To search for files that match a particular name, use find(1); for example
find / -name "*GENERIC*" -ls
will search '/', and all subdirectories, for files with 'GENERIC' in the name.
-- Stephen Hilton <nospam@hiltonbsd.com>
util01@alcatraz:~ $ sudo su
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
root@alcatraz:/usr/home/util01 #