Requesting advice on Jail technique.

Malachi de Ælfweald malachid at gmail.com
Tue Sep 13 06:55:50 PDT 2005 

I have been getting ready to do one-jail per domain myself. The key though 
is that if you want to support any port (and specifically things like ssh) 
they have to have a public IP address (or 1:1 NAT)... ie: if the ssh server 
is running under each jail, you need to know my IP address which one to log 
into it.

You could probably get away with not doing that if they had to ssh into 1 
public IP address; and have a login script that auto-ssh's to a different ip 
on the local network from there ... but that will take a lot more work.

For security, I would say you want multiple jails -- since any one logging 
in can screw the rest -- but that is going to be dependant on how many IPs 
you want to purchase.

Malachi

On 9/13/05, Elliot Crosby-McCullough <freebsd at xianshi.org> wrote:
> 
> Dear all,
> 
> I will shortly be creating a public service on a private box that will
> include shell access to untrusted users and would like your opinion on
> the best way to go about this.
> 
> Obviously jails are a good start, but my main concern is whether to go
> for one large jail for all the restricted users or one small jail per 
> user.
> 
> I do not have a wealth of real IPs at my disposal but accountability
> and security is paramount, therefore I would like to use local IPs
> through NAT (within the one box) whilst retaining the translation logs.
> I would like to use one local IP per user in order to keep track of
> activity. I can afford a few real IPs for the purpose.
> 
> The accounts themselves will be supremely limited. No root access,
> just basics such as ssh, perhaps telnet, mutt etc. I do not want the
> users to have the ability to run any scripts, so perl etc is out, but I
> suppose the NAT firewall will be a fallback if any compiled programs are
> uploaded.
> 
> Each user account is likely to have email/gpg etc but I'm happy to
> control that from the host system with virtual users and simply deliver
> into the jail. It is not necessary for the jails to run any services,
> except the ability to SSH in.
> 
> As you can see there are factors pulling in both directions, what would
> you recommend as the best direction to go?
> 
> Sincerely,
> Elliot Crosby-McCullough
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
>

More information about the freebsd-questions mailing list