How far to go with jailing?
illoai at gmail.com
Tue Feb 2 02:01:46 UTC 2010
On 1 February 2010 20:57, Jeff Mitchell <skeezix at skeleton.org> wrote:
>
> Strikes me that setting up jails for bloody-well-every-other service
> might be 'fun' ..
>
> Jail the webserver; seems a logical break, and keep you honest for
> your partitioning. No more ~/public_html to access it I suppose, but much
> more secure for when people attack your wordpress etc.
>
> Jail the 'email services'; use fetchmail to pull down to the jail,
> and IMAP and POP3 to serve the mail even to local clients; nice clean email
> mini-server right there in the jail?
>
> Jail SMB-serving, so if attacked it still can only serve the content
> in the very well defined area.
>
> Jail the mailing list (mailman etc) .. keep things nice and clean.
>
> But is setting up a whole stack of jails a pain? a performance
> problem? or just un-necessary overkill? Or a good idea?
>
I don't know about the performance, though given what I
[believe I] know, if your machine is already running those
serv[ice|er]s, the effect ranges from lightly noticeable to
entirely negligible. You do have to keep track of the jails
(& update when necessary), though I suppose if you can't
write scripts to do the tedious bits you might be in the
wrong business.
I think it's a good idea, frankly. Lift and separate, as "they"
said in the 1990s.