jails and security [was: Jails and multicore boxes]

Randy Schultz schulra at earlham.edu
Fri Nov 16 15:23:25 PST 2007


On Fri, 16 Nov 2007, Federico Lorenzi spaketh thusly:

-}> > you trying to protect? If you're worrying about getting cracked and used
-}> > as a spam bot, jails are no more secure than a non-jail system.
-}>
-}> Maybe some qualification is needed here.
-}>
-}> If your mail jail gets broken into, then it will still be used as a spambot.
-}>
-}> But your host (the machine in which your jails run) wouldn't have been
-}> compromised, necessarily, by the fact that the jail got compromised. Having
-}> root on a jail (if that's what we are talking about by 'compromised')
-}> shouldn't affect your host machine. Unless there is some other vulnerability
-}> that can be used, of course.
-}
-}That's true indeed, however many people are saying that jails do not necessarily
-}make an environment more secure. I'm not really knowledgeable in that area,
-}but they do add another layer to the proverbial onion. I use jails, but more
-}for convenience than security; if I get a new (home) server box, I can just
-}move some jails across with a simple tar and then scp, and have them
-}work pretty much instantly.

MHO.

This depends on your definition of "secure".  

If you have a receiving MTA then you must allow inbound on port 25.  If that
MTA has a security hole that allows remote access/exploitation then it really
doesn't matter a whole lot what you're running on/under/in/with.  Your MTA
will be hijacked.

MHO - the beauty of jails is threefold.

First, important parts of the jail can be mounted read-only.  If you use the
ezjail package then this is done for you.  Set up a jail with ezjail and try
to create a file in, say, /usr/include.  Not even root (inside the jail) can do
this.

Second, it allows 1 piece of hardware to do multiple things, all separated.
Using a slightly contrived example, let's say a company has a piece of
hardware that has plenty of power to run authentication and mail.  If you put
these on the system, and the MTA has a security hole, everything is suspect.
Now run each in a jail.  Cracking in via the MTA only allows access to mail,
not authentication.

Third, the parent can monitor the jails.  The parent is completely blocked off
from all incoming traffic except ssh from an internal net.  Somebody cracks
into a jail via port 22 or 23 (or really, any port).  They gain root access and
modify the logs such that no login shows up.  You look at the ipf logs on the
parent and see tons of traffic to/from a.b.c.d on port 22, with TCP bits set
so you know there's a conversation going on there, yet no sign of login in the
jail's logs.

Just some random musings.

--
 Randy    (schulra at earlham.edu)      765.983.1283         <*>

Love with your heart, think with your head;  not the other way around.

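The host-side check described in the third point above, written out as an added example (not code from the post or from FreeBSD): a constructed ipmon-style ipf log from the parent and a constructed sshd auth.log from inside the jail are correlated to find peers that held an established TCP conversation on port 22 yet never appear in the jail's own login records. The log line shapes, addresses, interface and jail name are assumptions.

```python
import re
from collections import Counter

# Constructed sample approximating what ipmon(8) on the parent host logs for a
# jail's SSH port: "p" = passed, "-S" = SYN only, any "A" in the flags = ACK set.
IPF_LOG = """\
16/11/2007 14:02:10.100000 bge0 @0:3 p 10.1.2.3,54321 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
16/11/2007 14:02:10.100200 bge0 @0:3 p 192.0.2.10,22 -> 10.1.2.3,54321 PR tcp len 20 60 -AS OUT
16/11/2007 14:02:10.100400 bge0 @0:3 p 10.1.2.3,54321 -> 192.0.2.10,22 PR tcp len 20 52 -A IN
16/11/2007 14:02:11.500000 bge0 @0:3 p 10.1.2.3,54321 -> 192.0.2.10,22 PR tcp len 20 1480 -AP IN
16/11/2007 14:05:42.000000 bge0 @0:3 p 198.51.100.7,40001 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
16/11/2007 14:05:42.000200 bge0 @0:3 p 198.51.100.7,40001 -> 192.0.2.10,22 PR tcp len 20 52 -A IN
16/11/2007 14:05:42.300000 bge0 @0:3 p 198.51.100.7,40001 -> 192.0.2.10,22 PR tcp len 20 900 -AP IN
16/11/2007 14:09:00.000000 bge0 @0:3 p 203.0.113.9,50000 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
"""

# Constructed sample of the jail's /var/log/auth.log: 10.1.2.3 logged in,
# 198.51.100.7 is absent despite the full conversation ipf saw above.
JAIL_AUTH_LOG = """\
Nov 16 14:02:12 mailjail sshd[1234]: Accepted publickey for alice from 10.1.2.3 port 54321 ssh2
Nov 16 14:02:12 mailjail sshd[1234]: User child is on pid 1240
"""

IPF_RE = re.compile(
    r"^\S+ \S+ \S+ @\S+ p (?P<src>[\d.]+),\d+ -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR tcp .* -(?P<flags>[A-Z]+) (?P<dir>IN|OUT)$")
SSHD_RE = re.compile(r"sshd\[\d+\]: (?:Accepted|Failed) .* from (?P<src>[\d.]+) port")


def established_ssh_peers(ipf_log, jail_ip, port=22):
    """Count inbound ACK-flagged packets per peer to jail_ip:port, i.e. peers
    that got past the SYN and actually exchanged data with the jail."""
    counts = Counter()
    for m in map(IPF_RE.match, ipf_log.splitlines()):
        if (m and m["dir"] == "IN" and m["dst"] == jail_ip
                and int(m["dport"]) == port and "A" in m["flags"]):
            counts[m["src"]] += 1
    return counts


def logged_ssh_peers(auth_log):
    """Peers the jail's sshd recorded at all (accepted or failed)."""
    return {m["src"] for m in map(SSHD_RE.search, auth_log.splitlines()) if m}


def silent_ssh_sessions(ipf_log, auth_log, jail_ip, port=22):
    """(peer, packet count) for established SSH conversations the jail never
    logged: the discrepancy only the parent is in a position to see."""
    logged = logged_ssh_peers(auth_log)
    return sorted((src, n) for src, n in
                  established_ssh_peers(ipf_log, jail_ip, port).items()
                  if src not in logged)
```

A SYN-only peer such as 203.0.113.9 is ignored on purpose: a bare connection attempt that never reached ACK is a scan, not a session the jail should have logged.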


More information about the freebsd-questions mailing list