Jailing psyBNC, inetd and identd on FreeBSD

Updated: November 12th, 2011
Published: February 25th, 2004

I'm a firm believer in jailing services for some added security. I did this on FreeBSD 5.0-RELEASE.

This setup is well suited for a VPS provider, such as DigitalOcean.

First, set up the jail. I use a small shell script for the task.

# ./jailsetup.sh 10.0.0.7

Next, add a user for the psyBNC daemon and set up networking in the jailcell.

# adduser
# cp /etc/passwd /usr/jail/10.0.0.7/etc
# cp /etc/group /usr/jail/10.0.0.7/etc
# cp /etc/resolv.conf /usr/jail/10.0.0.7/etc

Next, jail yourself to the newly created jail and download and install psyBNC. Include oidentd support in psyBNC.

# jail /usr/jail/10.0.0.7/ psybnc 10.0.0.7 /usr/local/bin/bash
# mkdir /usr/local/psybnc
# chown psybnc:psybnc /usr/local/psybnc
# su psybnc
$ cd /usr/local
$ wget http://www.psychoid.lam3rz.de/psyBNC2.3.1.tar.gz
$ tar xfvz psyBNC2.3.1.tar.gz
$ cd /usr/local/psybnc
$ make menuconfig
$ make

psyBNC is now compiled and installed. Let's modify the jailcell's /etc/inetd.conf, so that identd can be run. Add a line such as this:

auth stream tcp nowait root internal auth -r -F -n -o UNIX -t 30

Note that some IRC daemons require a valid operating system string from the ident daemon, and that's exactly why I'm using "UNIX" here (i.e. UNKNOWN won't work in some cases). Identd is pretty useless really, but some IRC daemons require a valid ident response when connecting. If you have a tilde (~) in front of your username, the IRC daemon did NOT receive a valid ident response.

As psyBNC always runs as the user it's started with (i.e. psybnc in this case), we need to set up ident spoofing. The identd that ships with FreeBSD supports ~/.fakeid files, but psyBNC wants a ~/.ispoof file. Luckily, the format of the files is the same, and thus the easiest solution is to create a symlink such as this:

$ touch ~/.fakeid
$ ln -s ~/.fakeid ~/.ispoof

Start psyBNC and inetd in the jailcell with the commands:

$ /usr/local/psybnc/psybnc
# inetd

You can check that the psyBNC and inetd daemons are actually running in the jailcell by first exiting the jailcell and then running:

$ ps aux | grep psybnc
$ ps aux | grep inetd

You know that the daemons are jailed when you see a J in the STAT column for the processes.
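
The same check as a script, added here as an example that is not part of the original article: it reads `ps aux` output taken on the host and flags any process with the given name that lacks the J flag. The function names `check_jailed` and `sample_ps` and the process listing are constructed for illustration, and the parsing assumes the columns before COMMAND contain no spaces.

```shell
#!/bin/sh
# Added example: confirm from the host that every process with a given
# command name has the J (jailed) flag in the STAT column of `ps aux`.

# Constructed sample of host-side `ps aux` output (not from the article).
sample_ps() {
cat <<'EOF'
USER    PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED    TIME COMMAND
root    412  0.0  0.1  1304  980  ??  Is    9:02AM 0:00.01 /usr/sbin/inetd -wW
psybnc  733  0.0  0.2  2100 1500  ??  SJ    9:40AM 0:00.10 ./psybnc
root    741  0.0  0.1  1304  984  ??  IsJ   9:41AM 0:00.00 inetd
admin   802  0.0  0.1  1200  700  p0  R+    9:45AM 0:00.00 grep psybnc
EOF
}

# check_jailed NAME: reads `ps aux` output on stdin.
# Exit status: 0 = every match is jailed, 1 = a match is not jailed,
# 2 = no process with that name.
check_jailed() {
    awk -v name="$1" '
    NR == 1 {
        # Locate the STAT and COMMAND columns from the header line.
        for (i = 1; i <= NF; i++) {
            if ($i == "STAT") stat = i
            if ($i == "COMMAND") cmd = i
        }
        next
    }
    stat && cmd {
        # Compare only the basename of the executable, so that
        # "grep psybnc" is not counted as a psybnc process.
        n = split($cmd, parts, "/")
        if (parts[n] != name) next
        found++
        if (index($stat, "J") == 0) {
            printf "NOT JAILED: pid %s (%s) STAT=%s\n", $2, $cmd, $stat
            bad++
        } else {
            printf "jailed: pid %s (%s) STAT=%s\n", $2, $cmd, $stat
        }
    }
    END {
        if (!found) { print "no process named " name; exit 2 }
        exit (bad ? 1 : 0)
    }'
}

# Demo on the constructed listing; on a live host: ps aux | check_jailed psybnc
sample_ps | check_jailed psybnc
```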

The jail created by the jailsetup.sh script is a bit too large for a simple setup such as this. Once you get everything working, you can go on a deleting spree. I usually do something like this inside the jailcell:

# rm -r /usr/obj /usr/src /usr/include /usr/ports /usr/games /usr/X11R6
# rm -r /boot /mnt /proc /root /sbin
# rm -r /usr/local/bin /usr/local/include /usr/local/info /usr/local/man /usr/local/share
