[FreeBSD] Jail Tips - yrmt - 22-07-2012

Securing the jail
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1) Using jexec is not safe, use ssh to access the jail. Add sshd_enable="YES" in your jail's rc.conf
   \_ Make sure to add: ListenAddress <yourhostsip> in /etc/sshd/sshd_config.
2) Your jail will look almost identical to a FreeBSD system, but if you want attackers to believe they're not in a jail, you can fake it with: "ln -sf /dev/null kernel"
3) Sysctl values related to jails:
Code:
security.jail.enforce_statfs: 2
-> 0,1,2 amount of detail on file system information. 2 is the least.
4) Disable the port mapper: /etc/rc.conf: rpcbind_enable="NO"
5) Run: chflags -R noschg <jaildir>. So you won't be able to make changes from the host. You never know.
6) Put your jail on an external disk, or create image disk partitions with mdconfig. ( like .dmg's on Mac OS X )
   \_ Example:
      mdconfig -a -t vnode -f /path/to/image.{iso;img} -u 1
      mount -t cd9660 /dev/md1 /mnt/cdrom
7) You can change sysctl's kern.securelevel. The default is already secure.
8) Run the command "limit" in your jail and you will see a few values that can be changed to protect yourself against fork bombs, ...
   \__ You should not let them have 'infinity' values. See kern.max* sysctl values. See login.conf to set some of these values.
9) You can set specific devfs rules in jail's /etc/devfs.rules.

4. Jail Tools
¯¯¯¯¯¯¯¯¯¯¯¯¯
Code:
-> ezjail is a tool to create and manage jails easily.
-> jail: built-in tool to manage jails. Best way to start them.
   To start a jail with the jail command: ( see jail(8) man page )
-> jail -c path=/usr/jail0 host.hostname=home.beastiejail.bsd \
   ip4.addr=192.168.1.10 command=/bin/sh
   \_ you will have to mount procfs and devfs manually: ( not if procfs is already in the jail's fstab )
      \_ mount -t procfs proc /usr/jail/proc
      \_ mount -t devfs devfs /usr/jail0/dev
-> To show and then kill processes in jail number 3 use the following commands:
   pgrep -lfj 3
   pkill -j 3
   or:
   killall -j 3

You will find other jail tools in the ports.

Tips
¯¯¯¯
1) I've been told that when running more than 10+ jails, it's a good idea to start them with the "jail" utility instead of the rc scripts.
2) More information can be found on man pages. jail(8) and security(7) in particular.

This is the end of this tutorial, I hope you enjoyed it. Make sure to read the man pages of the different tools I talked about today. I
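Added example, not part of the original post: a host-side sh function that audits a jail's files for items 1 and 4 of the list above (sshd enabled, an explicit non-wildcard ListenAddress, rpcbind off). It looks for sshd_config in etc/ssh, the stock FreeBSD location, before the path as written in the post; the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Run on the host: audit_jail <jailroot>
# Checks items 1 and 4 of the list above; returns the number of failed checks.

# Last uncommented value assigned to KEY ($2) in an rc.conf-style FILE ($1).
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" 2>/dev/null | tail -n 1
}

# rc.conf booleans are case-insensitive; YES, TRUE, ON and 1 all mean enabled.
is_yes() {
    case $1 in [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;; esac
    return 1
}

audit_jail() {
    root=$1; fails=0; rc="$root/etc/rc.conf"
    conf="$root/etc/ssh/sshd_config"                      # stock FreeBSD location
    [ -f "$conf" ] || conf="$root/etc/sshd/sshd_config"   # path as written in the post

    # Item 1: sshd must be enabled in the jail's rc.conf.
    is_yes "$(rc_value "$rc" sshd_enable)" ||
        { echo "FAIL sshd_enable is not YES"; fails=$((fails + 1)); }

    # Item 1: sshd_config needs an explicit, non-wildcard ListenAddress.
    listen=$(awk 'tolower($1) == "listenaddress" { n++
        if ($2 ~ /^(0\.0\.0\.0(:[0-9]+)?|::|\[::\](:[0-9]+)?)$/) w++ }
        END { print n + 0, w + 0 }' "$conf" 2>/dev/null) || listen="0 0"
    [ "${listen% *}" -gt 0 ] || { echo "FAIL no ListenAddress set"; fails=$((fails + 1)); }
    [ "${listen#* }" -eq 0 ] || { echo "FAIL wildcard ListenAddress"; fails=$((fails + 1)); }

    # Item 4: rpcbind must not be enabled (assumption: unset is treated as off).
    if is_yes "$(rc_value "$rc" rpcbind_enable)"; then
        echo "FAIL rpcbind_enable is YES"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample jail tree (hypothetical values) so the audit runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh"
printf '%s\n' 'sshd_enable="YES"' 'rpcbind_enable="YES"  # left on' > "$demo/etc/rc.conf"
printf '%s\n' '#ListenAddress 192.168.1.10' 'ListenAddress 0.0.0.0' > "$demo/etc/ssh/sshd_config"
audit_jail "$demo" || echo "failed checks: $?"
rm -rf "$demo"
```

Because the checks only read files under the jail root, the audit can be run from the host without entering the jail.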