How far to go with jailing?

Steve Bertrand steve at ibctech.ca
Tue Feb 2 02:49:53 UTC 2010


Jeff Mitchell wrote:
> 
>     Strikes me that setting up jails for bloody-well-every-other service
> might be 'fun' ..

...

>     Jail the webserver; seems a logical break, and keep you honest for
> your partitioning. No more ~/public_html to access it I suppose, but
> much more secure for when people attack your wordpress etc.

To us, ~/public_html is important, and needs to be considered for our
primary domain. This is legacy, going back to 1995.

>     Jail the 'email services'; use fetchmail to pull down to the jail,
> and IMAP and POP3 to serve the mail even to local clients; nice clean
> email mini-server right there in the jail?

On a home system, sounds great!

>     Jail SMB-serving, so if attacked it still can only serve the content
> in the very well defined area.

...should be separated physically, IMHO, unless it's a home server.

>     Jail the mailing list (mailman etc) .. keep things nice and clean.
> 
>     But is setting up a whole stack of jails a pain? a performance
> problem? or just un-necessary overkill? Or a good idea?

It's a management pain.

In a production ISP/hosting environment, you still have to treat each
jail as if it's a server.

The more servers you have, the more maintenance and management you have.

I don't think that there is an easy answer to what you're asking.

Personally, I use jails to segregate top-level functions that I want to
put into development and possibly further into production.

- DNS
- SMTP, IMAP, POP3
- authentication (RADIUS etc)
- HTTP etc
- software devel, web
- software devel, non-web
- devel software implementation, testing
- "" "" inline with production
- build processes (testing new features of FBSD)
- stage area of test builds, prior to implementation
- protocol testing (ie. IPv6)

...after that, I've always chosen to put each core critical function
onto a separate physical server, and then replicate it to another
physical server.

However, I have been toying/researching the idea of replicating 'jails'
across the network to separate physical hardware, as it would save
physical space, hydro, network drops etc for each box that we have.

Other than knowing what hardware we have in our PoPs, I use SSH to
communicate with every device that I have, so if someone else set it up
for me, I wouldn't know that it's a jail.

Use jails to define boundaries. Don't get overzealous. I don't see the
need to put each web hosting client within their own jail, unless you
determine the risk warrants such. Same for email. If risk is that high,
then that particular client should pay for collocation anyway ;)

It comes down to what you can consider as your risk assessment. If you
are just playing along at home, set up as many as you can, and test for
yourself.

Performance hit is dependent on the hardware that you are running. I
don't notice any difference on a standard box with a couple of jails
over one that doesn't have any...

Steve

