Requesting advice on Jail technique.

Frank Mueller - emendis GmbH Frank.Mueller at emendis.de
Tue Sep 13 07:03:55 PDT 2005


Hi there,

if you have enough system resources I would recommend using separate 
jails for every user.
All you have to keep in mind is that you won't be able to provide some 
services (SMTP, POP, IMAP, etc.) more than once for the whole system 
because they need a predefined port (25, 110, 443, etc.).
Some other services, like ssh, you can manage through port forwarding, http 
through virtual hosting, etc.
Separate jails make it much easier to keep track of activities.
It all depends on what applications the user should be able to use.

Greetz,

Ice

Elliot Crosby-McCullough wrote:
> Dear all,
> 
>     I will shortly be creating a public service on a private box that 
> will include shell access to untrusted users and would like your opinion 
> on the best way to go about this.
> 
>     Obviously jails are a good start, but my main concern is whether to 
> go for one large jail for all the restricted users or one small jail per 
> user.
> 
>     I do not have a wealth of real IPs at my disposal but accountability 
> and security is paramount, therefore I would like to use local IPs 
> through NAT (within the one box) whilst retaining the translation logs. 
>  I would like to use one local IP per user in order to keep track of 
> activity.  I can afford a few real IPs for the purpose.
> 
>     The accounts themselves will be supremely limited.  No root access, 
> just basics such as ssh, perhaps telnet, mutt etc.  I do not want the 
> users to have the ability to run any scripts, so perl etc is out, but I 
> suppose the NAT firewall will be a fallback if any compiled programs are 
> uploaded.
> 
>     Each user account is likely to have email/gpg etc but I'm happy to 
> control that from the host system with virtual users and simply deliver 
> into the jail.  It is not necessary for the jails to run any services, 
> except the ability to SSH in.
> 
>     As you can see there are factors pulling in both directions, what 
> would you recommend as the best direction to go?
> 
> Sincerely,
> Elliot Crosby-McCullough
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"

-- 
Frank Mueller
eMail: Frank.Mueller at emendis.de
Mobile: +49.177.6858655
Fax: +49.951.3039342

emendis GmbH
Hofmannstr. 89, 91052 Erlangen, Germany
Phone: +49.9131.817361
Fax: +49.9131.817386

Managing directors: Gunter Kroeber, Volker Wiesinger
Registered office Erlangen, Fuerth District Court HRB 10116
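The per-user jail layout discussed in this thread (one private address per user, ssh reached through port forwarding, NAT for everything outbound, logs that tie traffic back to a user), as an added example that is not part of the thread and not either author's setup: a POSIX sh generator that emits a jail.conf(5) stanza and the pf.conf(5) rules for each untrusted user. It assumes the modern jail.conf syntax (FreeBSD 9.1 and later, not the rc.conf jail_* knobs of 2005), jail trees under /jails, private addresses in 10.0.0.0/24 on a cloned lo1, a public interface em0 with the documentation address 203.0.113.10, and ssh ports 2201 upward; every one of those values is a placeholder to adjust for the real host.

```shell
#!/bin/sh
# Added example, not from the thread: generate one jail.conf(5) stanza and
# the matching pf.conf(5) rules per untrusted user. Each user gets a private
# address on a loopback clone and a unique forwarded ssh port, so host logs
# and the pf state table tie every connection to exactly one user.
# All paths, interfaces and addresses below are placeholders (assumptions).

JAIL_ROOT=/jails            # one chroot tree per user below this directory
JAIL_IF=lo1                 # cloned loopback carrying the private addresses
JAIL_NET=10.0.0             # jail addresses are $JAIL_NET.<index>
EXT_IF=em0                  # public interface of the host
EXT_IP=203.0.113.10         # public address used for NAT and ssh forwarding
SSH_PORT_BASE=2200          # user <index> is reached on port 2200+<index>

# user_index_ok INDEX: only 1..254 map to usable host addresses and ports,
# so anything else is rejected before it reaches a config file.
user_index_ok() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 254 ]
}

jail_ip()  { echo "$JAIL_NET.$1"; }
ssh_port() { echo $((SSH_PORT_BASE + $1)); }

# jail_stanza USER INDEX: a locked-down jail with one address, devfs ruleset
# 4 (the stock devfsrules_jail set), raw sockets off and securelevel 3.
jail_stanza() {
    user=$1; idx=$2
    user_index_ok "$idx" || return 1
    cat <<EOF
$user {
    host.hostname = "$user.jail.invalid";
    path = "$JAIL_ROOT/$user";
    ip4.addr = "$JAIL_IF|$(jail_ip "$idx")";
    exec.clean;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
    devfs_ruleset = 4;
    allow.noraw_sockets;
    securelevel = 3;
}
EOF
}

# pf_global: outbound NAT for the whole jail range. pf translates before it
# filters, so pflog records the public source address; 'pfctl -ss' lists the
# original and translated address of every state and is the place to
# attribute outbound traffic to a jail.
pf_global() {
    cat <<EOF
nat on $EXT_IF from $JAIL_NET.0/24 to any -> $EXT_IP
pass out log on $EXT_IF from $EXT_IP to any keep state
EOF
}

# pf_rules USER INDEX: forward the user's public ssh port to the jail's sshd.
# The filter rule sees the packet after rdr, so it matches the jail address;
# 'log' sends every new state to pflog0, the per-user inbound record.
pf_rules() {
    user=$1; idx=$2
    user_index_ok "$idx" || return 1
    ip=$(jail_ip "$idx"); port=$(ssh_port "$idx")
    cat <<EOF
# $user: ssh via $EXT_IP:$port
rdr on $EXT_IF proto tcp from any to $EXT_IP port $port -> $ip port 22
pass in log on $EXT_IF proto tcp from any to $ip port 22 flags S/SA keep state
EOF
}

# Constructed sample list (user name and index per line).
USERS='alice 1
bob 2
carol 3'

# In practice redirect the first loop to /etc/jail.conf and the pf output to
# a file included from /etc/pf.conf; here both fragments go to stdout.
echo "# ---- jail.conf fragment ----"
echo "$USERS" | while read -r u i; do
    jail_stanza "$u" "$i" || echo "skipping $u: bad index '$i'" >&2
done
echo "# ---- pf.conf fragment ----"
pf_global
echo "$USERS" | while read -r u i; do
    pf_rules "$u" "$i" || echo "skipping $u: bad index '$i'" >&2
done
```

Each jail runs only its own sshd bound to its single address, which is what the original poster asked for; the host delivers mail into the jail tree. Because the rdr rule rewrites the destination before filtering, the pass rule has to name the jail address, not the public one, and a forgotten pass rule leaves the forwarded port closed rather than open.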

