How far to go with jailing?

Bill Moran wmoran at potentialtech.com
Tue Feb 2 12:20:10 UTC 2010


On 2/1/10 8:57 PM, Jeff Mitchell wrote:
>
> Strikes me that setting up jails for bloody-well-every-other service
> might be 'fun' ..
>
> Jail the webserver; seems a logical break, and keeps you honest for your
> partitioning. No more ~/public_html to access it I suppose, but much
> more secure for when people attack your wordpress etc.
>
> Jail the 'email services'; use fetchmail to pull down to the jail, and
> IMAP and POP3 to serve the mail even to local clients; nice clean email
> mini-server right there in the jail?
>
> Jail SMB-serving, so if attacked it still can only serve the content in
> the very well defined area.
>
> Jail the mailing list (mailman etc) .. keep things nice and clean.
>
> But is setting up a whole stack of jails a pain? a performance problem?
> or just un-necessary overkill? Or a good idea?

It is a pain.

We've never had a performance problem.

I think it's a good idea.  Others would argue that it's unnecessary.
The real answer depends on how security conscious you need to be.

It will take more time to set up.  It will use a whole bunch more
IP addresses.  Is it worth it for you?

Some advantages that you haven't considered: when your hardware
starts to near overload, it's much easier to tar up a jail and
move it to another server than it is to move that one service
when it's not jailed.

In the end, you've got to weigh the extra work vs. the benefits.
In our case, we're very security conscious, so it was a no-brainer
for us.

-Bill
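As an added illustration of the one-jail-per-service layout discussed in this thread (this is not code from either poster), the script below generates a jail.conf(5) file with one stanza per service, each bound to its own IP alias, checks that the address plan has no duplicates, and packages a jail's filesystem with tar for the "move it to another server" case Bill describes. It assumes the modern jail.conf(5) format (FreeBSD 9.1 and later), a hypothetical interface em0, jail roots under /usr/jail, and constructed addresses from the 192.0.2.0/24 documentation range; the export/import functions need root on a FreeBSD host and a stopped jail.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a jail.conf(5) with one
# jail per service on its own IP, validates the address plan, and archives a
# jail for migration. Interface, paths and addresses are assumptions.

# service:ip pairs (constructed example values, not real hosts)
SERVICES="www:192.0.2.10 mail:192.0.2.11 smb:192.0.2.12 lists:192.0.2.13"
IFACE="em0"            # hypothetical NIC that carries the jail aliases
JAILROOT="/usr/jail"   # hypothetical parent directory of all jail roots

# jail_conf prints a jail.conf(5): hardened defaults shared by every jail,
# then one stanza per service. $name is expanded by jail(8), so it is
# escaped here. Each jail gets exactly one IPv4 alias on $IFACE, which is
# the "whole bunch more IP addresses" cost mentioned in the thread.
jail_conf() {
    cat <<EOF
# defaults shared by every jail
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;          # devfsrules_jail: no raw disks or memory devices
allow.raw_sockets = 0;      # jailed services cannot craft raw packets
allow.sysvipc = 0;          # no shared SysV IPC namespace with the host
interface = "$IFACE";
path = "$JAILROOT/\$name";
host.hostname = "\$name.example.net";
EOF
    for entry in $SERVICES; do
        name=${entry%%:*}
        ip=${entry#*:}
        printf '\n%s {\n    ip4.addr = %s;\n}\n' "$name" "$ip"
    done
}

# jail_ip_count reports how many host addresses the plan consumes.
jail_ip_count() {
    set -- $SERVICES
    echo $#
}

# jail_plan_ok returns 0 if no two services share an address; two jails
# bound to the same ip4.addr would compete for the same sockets.
jail_plan_ok() {
    ips=$(for entry in $SERVICES; do echo "${entry#*:}"; done)
    total=$(echo "$ips" | wc -l | tr -d ' ')
    unique=$(echo "$ips" | sort -u | wc -l | tr -d ' ')
    [ "$total" -eq "$unique" ]
}

# jail_export archives a stopped jail's root. Stop it first
# (service jail stop NAME) so nothing is writing to the tree. bsdtar records
# modes, ownership and file flags (e.g. schg) in the archive.
jail_export() {
    name=$1; out=$2
    tar -cf "$out" -C "$JAILROOT" "$name"
}

# jail_import restores the tree on the new host; -p restores modes, ownership,
# ACLs and file flags. Copy the jail's stanza into the new host's jail.conf
# and route its IP there, then service jail start NAME.
jail_import() {
    archive=$1
    tar -xpf "$archive" -C "$JAILROOT"
}
```

Write the generated file with `jail_conf > /etc/jail.conf` after running `jail_plan_ok`, then `service jail start www` (or whichever jail) brings a single service up on its own address. The shared defaults are the part worth keeping even if the address plan changes: the devfs ruleset and the disabled raw sockets and SysV IPC are what keep a compromised web or SMB jail from reaching host devices or crafting traffic.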


More information about the freebsd-questions mailing list