[FreeBSD] Jail Tips - BSD

Securing the jail

1) Using jexec is not safe; use ssh to access the jail. Add sshd_enable="YES" to your jail's rc.conf.
\_ Make sure to add: ListenAddress <yourhostsip> in /etc/ssh/sshd_config.

2) Your jail will look almost identical to a FreeBSD system. If you want attackers to believe they're not in a jail,
you can fake a kernel with: "ln -sf /dev/null kernel"

3) Sysctl values related to jails:

   security.jail.enforce_statfs: 2             -> 0, 1 or 2: amount of detail in file system information. 2 is the least.
   security.jail.mount_allowed: 0              -> allows mounting file systems in the jail if set to 1.
   security.jail.chflags_allowed: 0            -> allows changing immutable flag values if set to 1.
   security.jail.allow_raw_sockets: 0          -> set to 1 if you want to use tools like ping.
   security.jail.sysvipc_allowed: 0            -> set to 1 if you need postgresql.
   security.jail.socket_unixiproute_only: 1    -> jails are limited to network protocols that are known to support jail containment.
   security.jail.set_hostname_allowed: 0       -> allows users to change the hostname if set to 1. Can be a problem.
   security.jail.jailed: 0                     -> tells whether you are jailed or not. Make sure it's set to 0.
   security.jail.jail_max_af_ips: 255          -> defines how many IPs a jail may have. Default is 255.

   To set sysctl values, simply write them in the jail's /etc/sysctl.conf

4) Disable the port mapper: /etc/rc.conf: rpcbind_enable="NO"

5) Run: chflags -R noschg <jaildir>, so you won't be able to make changes from the host. You never know.

6) Put your jail on an external disk, or create disk image partitions with mdconfig (like .dmg's on Mac OS X).
\_ Example: mdconfig -a -t vnode -f /path/to/image.{iso;img} -u 1
            mount -t cd9660 /dev/md1 /mnt/cdrom

7) You can change the sysctl kern.securelevel. The default is already secure.

8) Run the command "limit" in your jail and you will see a few values that can be changed to protect yourself against fork bombs, etc.
\__ You should not let them have 'infinity' values. See the kern.max* sysctl values. See login.conf to set some of these values.

9) You can set specific devfs rules in jail's /etc/devfs.rules.
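To turn items 1, 3 and 4 of the list above into a repeatable check, here is an offline audit script. It is an added example, not part of the original post: it assumes the jail root is passed as the first argument and that the jail sysctls were captured beforehand into a text file in "name: value" form (as printed by sysctl security.jail), so the same check runs on a machine without jails. The sample jail roots and sysctl dumps it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Offline hardening audit for a jail root, checking items 1, 3 and 4 of the
# list above. Added example, not part of the original post. Assumptions: $1 is
# the jail's root directory on the host and $2 is a text dump of the jail
# sysctls in "name: value" form (what `sysctl security.jail` prints).

# Values recommended in the list above, as name=value pairs.
EXPECTED_SYSCTLS='
security.jail.enforce_statfs=2
security.jail.mount_allowed=0
security.jail.chflags_allowed=0
security.jail.allow_raw_sockets=0
security.jail.sysvipc_allowed=0
security.jail.socket_unixiproute_only=1
security.jail.set_hostname_allowed=0
'

# sysctl_value <dump> <name>: value of one sysctl in the dump, empty if absent.
sysctl_value() {
    awk -v n="$2" -F': ' '$1 == n { print $2 }' "$1"
}

# rc_value <rc.conf> <var>: value of an rc.conf variable with quotes stripped.
# The last assignment wins, as it would when sh sources the file.
rc_value() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 |
        sed -E 's/^[^=]*=//; s/^"//; s/"$//'
}

# audit_jail <jailroot> <dump>: print one line per finding, then a summary
# line "<N> finding(s)". Returns non-zero when anything was found.
audit_jail() {
    root=$1; dump=$2; findings=0
    rcconf="$root/etc/rc.conf"
    sshdconf="$root/etc/ssh/sshd_config"

    # 1) ssh instead of jexec: sshd enabled and bound to one explicit address
    if [ "$(rc_value "$rcconf" sshd_enable)" != "YES" ]; then
        echo "rc.conf: sshd_enable is not YES"; findings=$((findings + 1))
    fi
    if ! grep -Eq '^[[:space:]]*ListenAddress[[:space:]]+[0-9A-Fa-f.:]+' "$sshdconf" 2>/dev/null; then
        echo "sshd_config: no explicit ListenAddress"; findings=$((findings + 1))
    fi

    # 3) jail sysctls at the recommended values
    for kv in $EXPECTED_SYSCTLS; do
        name=${kv%%=*}; want=${kv#*=}
        have=$(sysctl_value "$dump" "$name")
        if [ "$have" != "$want" ]; then
            echo "sysctl: $name is '${have:-unset}', expected $want"
            findings=$((findings + 1))
        fi
    done

    # 4) port mapper disabled
    if [ "$(rc_value "$rcconf" rpcbind_enable)" = "YES" ]; then
        echo "rc.conf: rpcbind_enable is YES"; findings=$((findings + 1))
    fi

    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# make_sample_root <dir> good|bad: build a constructed jail root plus a
# constructed sysctl dump at <dir>/sysctl.dump, for demonstration only.
make_sample_root() {
    mkdir -p "$1/etc/ssh"
    if [ "$2" = good ]; then
        printf 'sshd_enable="YES"\nrpcbind_enable="NO"\n' > "$1/etc/rc.conf"
        printf 'ListenAddress 192.0.2.10\n' > "$1/etc/ssh/sshd_config"
        raw=0
    else
        # sshd left off, port mapper on, raw sockets allowed
        printf 'rpcbind_enable="YES"\n' > "$1/etc/rc.conf"
        : > "$1/etc/ssh/sshd_config"
        raw=1
    fi
    printf '%s\n' "security.jail.enforce_statfs: 2" \
        "security.jail.mount_allowed: 0" \
        "security.jail.chflags_allowed: 0" \
        "security.jail.allow_raw_sockets: $raw" \
        "security.jail.sysvipc_allowed: 0" \
        "security.jail.socket_unixiproute_only: 1" \
        "security.jail.set_hostname_allowed: 0" > "$1/sysctl.dump"
}

# Demo run against the constructed "bad" root.
demo=$(mktemp -d)
make_sample_root "$demo/jail0" bad
audit_jail "$demo/jail0" "$demo/jail0/sysctl.dump" || echo "jail0 needs attention"
rm -rf "$demo"
```

On a real host you would run it as audit_jail /usr/jail0 jail0.sysctl after capturing the dump with sysctl security.jail > jail0.sysctl; the script only reads files, so it is safe to run against a jail that has been made immutable as in item 5.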

4. Jail Tools

-> ezjail is a tool to create and manage jails easily.
    ( /usr/ports/sysutils/ezjail )
-> jexec    = execute a command inside an existing jail.
-> jtop  = wrapper to top(1) that maps pids to jails.
-> jls  = jail listing with hostname, JID, path and IP address.
-> jps  = wrapper to ps(1) that maps pids to jails.
-> jid <hostname> = lists the jail's id given the hostname.
-> jails    = lists the jails.
-> jstart   = utility to start jails.
-> injail   = determine if a process is running in a jail.
    ( see /usr/ports/sysutils/jailutils )

-> jail: built-in tool to manage jails. Best way to start them. To start a jail with the jail command
( see the jail(8) man page ):

-> jail -c path=/usr/jail0 host.hostname=home.beastiejail.bsd \
ip4.addr= command=/bin/sh
\_ you will have to mount procfs and devfs manually ( not if procfs is already in the jail's fstab ):
\_ mount -t procfs proc /usr/jail0/proc
\_ mount -t devfs devfs /usr/jail0/dev

-> To show and then kill processes in jail number 3, use the following commands:

pgrep -lfj 3
pkill -j 3

killall -j 3

You will find other jail tools in the ports.


1) I've been told that when running more than 10+ jails, it's a good idea to start them with the "jail" utility instead of the rc scripts.

2) More information can be found in the man pages, jail(8) and security(7) in particular.

This is the end of this tutorial, I hope you enjoyed it. Make sure to read the man pages of the different tools I talked about today. I