Need urgent help regarding security

Chad Leigh -- Shire.Net LLC chad at shire.net
Thu Nov 17 05:16:19 GMT 2005


On Nov 16, 2005, at 9:38 PM, Will Maier wrote:

> OP has some asset that is being threatened or diminished by this
> attack, be it his bandwith, CPU cycles, host/network integrity or
> self confidence. He needs to identify that asset and work quickly to
> protect it. In most cases, this will mean immediately removing the
> box and preparing to rebuild the machine;

One thing I have done to minimize the threat of crackers is to have  
my machines built thus:

I install FreeBSD and activate only SSH and only SSH with  
certificates -- no passwords allowed.  I then build a master jail  
hierarchy but I don't actually run a jail in it.

I create file backed md devices for most jails to be their root  
filesystems.   Some jails I don't do this with but most of them I do.

I then create one or more jails that use nullfs to READ ONLY mount  
specific parts of the master hierarchy into the jail.

namely

/bin
/lib
/libexex
/sbin
/usr

For example:

# df -h | grep myjail
/dev/md1410                                                290M     
108M    171M    39%    /local/jails/myjail
/local/jails/master/bin                                     66G      
28G     33G    46%    /local/jails/myjail/bin
/local/jails/master/lib                                     66G      
28G     33G    46%    /local/jails/myjail/lib
/local/jails/master/libexec                                 66G      
28G     33G    46%    /local/jails/myjail/libexec
/local/jails/master/sbin                                    66G      
28G     33G    46%    /local/jails/myjail/sbin
/local/jails/master/usr                                     66G      
28G     33G    46%    /local/jails/myjail/usr
procfs                                                     4.0K     
4.0K      0B   100%    /local/jails/myjail/proc
devfs                                                      1.0K     
1.0K      0B   100%    /local/jails/myjail/dev

/etc
/var

are native to each jail in their own filesystem

and /usr/local is set up so that the master has a symlink that  
resolves to something inside of each separate jails local filesystem  
so that they can have a RW /usr/local.

Any and all other services run inside of one or more jails.

You can set up other md devices if you want separate log / tmp /  
whatever partitions inside your jail...

Unless there is a breach in SSH, it is highly unlikely that the root  
machine itself will be cracked as the ONLY port open is the SSH one  
and it is restricted to certificate logins only.  You can use your  
firewalls to only allow logins to SSH from certain IP ranges etc if  
you have that luxury.

If someone cracks one of the jails, it is harder for him to screw up  
the jail system since most of the important system executables are  
actually mounted read only and they cannot replace system binaries,  
for example.  And  if a jail does become compromised, it is much  
easier to rebuild a jail inside of a good machine than to rebuild  
your whole native machine...

And if one jail gets compromised, I can easily shut it down, rename  
the root file that is used for the md device (ie, every jail uses an  
image for it fs) and save it for forensic study later.

best
Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net




More information about the freebsd-questions mailing list