# Only wheel group can log in with ssh.



## bryn1u (Mar 28, 2011)

Hi.

I have locked myself out by using *chmod*. Only users who are in the wheel group can log in with ssh to the server, and I don't know which *chmod* option is responsible for logging in to ssh. Can someone help?


----------



## Nightweaver (Mar 28, 2011)

And what exactly did you do prior to locking yourself?


----------



## bryn1u (Mar 28, 2011)

I use this little script  


```
chmod o= /etc/fstab   
chmod o= /etc/ftpusers   
chmod o= /etc/group   
chmod o= /etc/hosts   
chmod o= /etc/hosts.allow   
chmod o= /etc/hosts.equiv
chmod o= /etc/hosts.lpd 
chmod o= /etc/inetd.conf   
chmod o= /etc/login.access   
chmod o= /etc/login.conf 
chmod o= /etc/newsyslog.conf 
chmod o= /etc/rc.conf   
chmod o= /etc/ssh/sshd_config
chmod o= /etc/sysctl.conf 
chmod o= /etc/syslog.conf
chmod o= /etc/ttys

chmod o= /usr/bin/users
chmod o= /usr/bin/w
chmod o= /usr/bin/who
chmod o= /usr/bin/lastcomm
chmod o= /usr/sbin/jls
chmod o= /usr/bin/last
chmod o= /usr/sbin/lastlogin

chmod ugo= /usr/bin/rlogin
chmod ugo= /usr/bin/rsh

chmod o= /usr/local/bin/nmap
chmod o= /usr/local/bin/nessus

echo "root" > /var/cron/allow
echo "root" > /var/at/at.allow

chmod o= /etc/crontab
chmod o= /usr/bin/crontab
chmod o= /usr/bin/at
chmod o= /usr/bin/atq
chmod o= /usr/bin/atrm
chmod o= /usr/bin/batch

chmod 700 /root
chmod 751 /
chmod 751 /home/
chmod 700 /home/*
chmod 650 /etc/rc.*
chmod 600 /etc/master.passwd
chmod o= /var/log

chflags schg /bin/*
chflags schg /sbin/*
chflags schg /usr/sbin/*


echo 'kern_securelevel_enable="YES"' >> /etc/rc.conf
echo 'kern_securelevel="3"' >> /etc/rc.conf

echo 'icmp_drop_redirect="YES"' >> /etc/rc.conf
echo 'icmp_log_redirect="YES"' >> /etc/rc.conf
echo 'tcp_drop_synfin="YES"' >> /etc/rc.conf

echo 'log_in_vain="YES"' >> /etc/rc.conf

echo 'nfs_server_enable="NO"' >> /etc/rc.conf
echo 'nfs_client_enable="NO"' >> /etc/rc.conf
echo 'portmap_enable="NO"' >> /etc/rc.conf

echo 'icmp_bmcastecho="NO"' >>/etc/rc.conf
echo 'icmp_bandlim="YES"' >> /etc/rc.conf

echo 'sendmail_enable="NO"' >> /etc/rc.conf
echo 'sendmail_submit_enable="NO"' >> /etc/rc.conf
echo 'sendmail_outbound_enable="NO"' >> /etc/rc.conf
echo 'sendmail_msp_queue_enable="NO"' >> /etc/rc.conf
echo 'sendmail_enable="NO"' >> /etc/rc.conf

echo 'syslogd_enable="YES"' >> /etc/rc.conf
echo 'syslogd_flags="-ss"' >> /etc/rc.conf

echo 'update_motd="NO"' >> /etc/rc.conf
echo 'accounting_enable="YES"' >> /etc/rc.conf
echo 'clear_tmp_enable="YES"' >> /etc/rc.conf
echo 'net.inet.udp.blackhole=1' >> /etc/sysctl.conf
echo 'net.inet.tcp.blackhole=2' >> /etc/sysctl.conf

echo 'net.inet.tcp.log_in_vain=1' >> /etc/sysctl.conf
echo 'net.inet.udp.log_in_vain=1' >> /etc/sysctl.conf

echo 'net.inet.ip.check_interface=1' >> /etc/sysctl.conf
echo 'net.inet.tcp.recvspace=65535' >> /etc/sysctl.conf
echo 'net.inet.tcp.sendspace=65535' >> /etc/sysctl.conf
echo 'net.inet.ip.rtexpire=2' >> /etc/sysctl.conf
echo 'net.inet.ip.rtminexpire=2' >> /etc/sysctl.conf
echo 'net.inet.ip.rtmaxcache=256' >> /etc/sysctl.conf

echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf

echo 'net.inet.ip.random_id=1' >> /etc/sysctl.conf
echo 'net.inet.tcp.syncookies=0' >> /etc/sysctl.conf
echo 'net.inet.icmp.bmcastecho=0' >> /etc/sysctl.conf
echo 'net.inet.icmp.maskrepl=0' >> /etc/sysctl.conf
echo 'net.inet.icmp.icmplim=50' >> /etc/sysctl.conf
echo 'net.inet.icmp.drop_redirect=1' >> /etc/sysctl.conf
echo 'net.inet.tcp.icmp_may_rst=0' >> /etc/sysctl.conf

echo 'kern.ipc.shmmax=134217728' >> /etc/sysctl.conf
echo 'kern.ipc.shmall=32768' >> /etc/sysctl.conf
echo 'kern.ipc.semmap=256' >> /etc/sysctl.conf
```


----------



## Matty (Mar 29, 2011)

Always smart to use a script when you don't know what it does.


----------



## UNIXgod (Mar 29, 2011)

My god man you need to learn about looping!



			
> bryn1u said:
> I use this little script
>
> ```
> ...
> ```


----------



## fluca1978 (Mar 29, 2011)

Not sure (haven't tried), but could it be the clearing of the o flags from the /etc/login* files?


----------



## bryn1u (Mar 29, 2011)

What kind of chmod should I change?


----------



## mamalos (Mar 30, 2011)

What fluca1978 means is that you should run `# chmod 644 /etc/login*`, and if that doesn't work, which I think it won't, reverse your script to get back to your system's initial state (at least as far as the *chmod* commands are concerned) and then run each command of your script one by one to see after which one logging in through *ssh* becomes unavailable. For binaries (everything under */bin/*) I would use `# chmod o+rx /path/to/binaries`, and to do it faster I would just do `# chmod o+rx /usr/bin/* /usr/sbin/* /usr/local/bin/* /usr/local/sbin/* /bin/* /sbin/*`, and `# chmod o+r /path/to/file` for all other (non-executable) files.
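The procedure mamalos describes (record the original modes, put them back, then replay the script's chmod lines one at a time until ssh login for a non-wheel user stops working) as an added example; this is not code from any poster in the thread. On FreeBSD itself `mtree -c -p /etc > /root/etc.mtree` before the script and `mtree -U -p /etc < /root/etc.mtree` afterwards does the snapshot and restore natively, including the `chflags` flags; the portable POSIX sh version below only handles modes, derives them from `ls -l` output, and assumes the hypothetical paths and `testuser` login in its usage comments.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster: snapshot file modes
# before running a hardening script, restore them afterwards, and replay the
# script's commands one at a time to find the one that breaks a probe.
# Assumes POSIX sh, ls(1) long-format mode strings and chmod(1) symbolic modes.
# Paths and the "testuser" account in the usage comments are hypothetical.

# snapshot_modes FILE... : print one "MODE PATH" line per existing file,
# e.g. "rw-r--r-- /etc/login.conf". Mode comes first so PATH may contain spaces.
snapshot_modes() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(ls -ld "$f" | cut -c2-10)" "$f"
    done
}

# sym_to_chmod rwxr-sr-x : turn an ls(1) mode string into a chmod(1) symbolic
# argument, e.g. "u=rwx,g=rxs,o=rx". A lowercase s or t means the set-id or
# sticky bit plus x; an uppercase S or T means the bit without x.
sym_to_chmod() {
    _m=$1; _out=""; _i=0
    for _who in u g o; do
        _trip=$(printf '%s' "$_m" | cut -c$((_i * 3 + 1))-$((_i * 3 + 3)))
        _perm=""
        case "$_trip" in *r*) _perm="${_perm}r" ;; esac
        case "$_trip" in *w*) _perm="${_perm}w" ;; esac
        case "$_trip" in *x*|*s*|*t*) _perm="${_perm}x" ;; esac
        case "$_trip" in *s*|*S*) _perm="${_perm}s" ;; esac
        case "$_trip" in *t*|*T*) _perm="${_perm}t" ;; esac
        _out="${_out}${_out:+,}${_who}=${_perm}"
        _i=$((_i + 1))
    done
    printf '%s' "$_out"
}

# restore_modes SNAPSHOT : put every file recorded by snapshot_modes back.
restore_modes() {
    while read -r _mode _path; do
        if [ -e "$_path" ]; then
            chmod "$(sym_to_chmod "$_mode")" "$_path"
        fi
    done < "$1"
}

# find_breaking_cmd PROBE CMDFILE : run the lines of CMDFILE one at a time,
# running PROBE (a shell command) after each; print the first command after
# which PROBE fails and return 0, or return 1 if PROBE survived all of them.
find_breaking_cmd() {
    _probe=$1
    while IFS= read -r _cmd; do
        sh -c "$_cmd"
        if ! sh -c "$_probe" >/dev/null 2>&1; then
            printf '%s\n' "$_cmd"
            return 0
        fi
    done < "$2"
    return 1
}

# Usage on a real host (hypothetical paths and account):
#   snapshot_modes /etc/login.conf /etc/group /etc/master.passwd > /root/modes.before
#   ... run the hardening script ...
#   restore_modes /root/modes.before
#   grep '^chmod' hardening.sh > /root/chmods
#   find_breaking_cmd 'ssh -o BatchMode=yes testuser@localhost true' /root/chmods
```

The probe should be the thing that actually broke, a non-interactive ssh login as a non-wheel user, so the search stops at the first chmod that matters rather than at one that merely looks suspicious. Note that the posted script also runs `chflags schg` over /bin, /sbin and /usr/sbin and sets `kern_securelevel="3"`: once the system has booted with securelevel above 0, those flags cannot be cleared and the flagged files cannot be modified until you boot to single-user mode, so undo that part before the reboot or from single-user.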


----------



## gkontos (Mar 30, 2011)

Reinstall and let that be a lesson. Don't just run things that you find in the net if you don't understand what they do.


----------

