From owner-freebsd-security@FreeBSD.ORG Mon Jul 7 11:02:55 2003
Date: Mon, 7 Jul 2003 11:02:54 -0700 (PDT)
Message-Id: <200307071802.h67I2smZ034192@freefall.freebsd.org>
From: FreeBSD bugmaster
To: security@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

No matches to your query


From owner-freebsd-security@FreeBSD.ORG Tue Jul 8 16:18:02 2003
From: des@des.no (Dag-Erling Smørgrav)
To: Brendan Bank
cc: freebsd-security@freebsd.org
Date: Wed, 09 Jul 2003 01:17:56 +0200
In-Reply-To: <200306271448.h5REmfOc054525@banzai.gnarst.net> (Brendan Bank's message of "Fri, 27 Jun 2003 16:48:41 +0200")
Subject: Re: Problems with the pam_opieaccess PAM module

Brendan Bank writes:
> And in /etc/pam.conf I added:
>
> sshd    auth    required    pam_opie.so
> sshd    auth    requisite   pam_opieaccess.so
> sshd    auth    required    /usr/lib/pam_krb5.so.1    try_first_pass forwardable

Where in /etc/pam.conf?  There are already sshd lines in pam.conf, and
things may not work as you expect if you merely added your lines rather
than replace what was already there.

BTW, I use the following:

root@flood ~# grep sshd /etc/pam.conf
#sshd   auth      sufficient  pam_skey.so
sshd    auth      sufficient  pam_opie.so          no_fake_prompts
sshd    auth      requisite   pam_opieaccess.so
#sshd   auth      sufficient  pam_kerberosIV.so    try_first_pass
#sshd   auth      sufficient  pam_krb5.so          try_first_pass
sshd    auth      required    pam_unix.so          try_first_pass
sshd    account   required    pam_unix.so
sshd    password  required    pam_permit.so
sshd    session   required    pam_permit.so

and it works perfectly.

DES
-- 
Dag-Erling Smørgrav - des@des.no


From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 16:49:36 2003
From: "V. Jones"
To: freebsd-security@freebsd.org
Date: Thu, 10 Jul 2003 16:48:21 -0400 (EDT)
Message-ID: <1007042.1057880975396.JavaMail.nobody@kermit.psp.pas.earthlink.net>
Subject: jail performance questions

I'm thinking of using jails to improve security on a server I am
setting up.  Specifically, I would like to put Apache/PHP in a jail,
but I might like to set up 2-3 different jails for different purposes.

I've found several examples showing how to set the jails up.  My
questions involve system requirements.  Assuming plenty of disk space,
1GB ram and a dual processor PIII 1.13Ghz system, how many jails can I
run?  Would I notice a significant performance hit if, for example, I
run three jails?


From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 18:19:31 2003
From: Ng Pheng Siong
To: "V. Jones"
cc: freebsd-security@freebsd.org
Date: Fri, 11 Jul 2003 09:22:24 +0800
Message-ID: <20030711012224.GB920@vista.netmemetic.com>
In-Reply-To: <1007042.1057880975396.JavaMail.nobody@kermit.psp.pas.earthlink.net>
Subject: Re: jail performance questions

On Thu, Jul 10, 2003 at 04:48:21PM -0400, V. Jones wrote:
> I've found several examples showing how to set the jails up.
> My questions involve system requirements. Assuming plenty of
> disk space, 1GB ram and a dual processor PIII 1.13Ghz system,
> how many jails can I run? Would I notice a significant
> performance hit if, for example, I run three jails?

I haven't noticed performance degradation, but my jails aren't doing much.

There are several providers selling jail-based virtual servers.

I didn't consult the source, but my understanding is that a jail marks
individual processes, so, e.g., if a jail runs just one process, that's the
(operational, I don't know about startup) overhead for that jail.

-- 
Ng Pheng Siong

http://firewall.rulemaker.net -+- Manage Your Firewall Rulebase Changes
http://www.post1.com/home/ngps -+- Open Source Python Crypto & SSL


From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 19:43:28 2003
From: The Hermit Hacker
To: Ng Pheng Siong
cc: freebsd-security@freebsd.org
cc: "V. Jones"
Date: Thu, 10 Jul 2003 23:43:23 -0300 (ADT)
Message-ID: <20030710234216.G1841@hub.org>
In-Reply-To: <20030711012224.GB920@vista.netmemetic.com>
Subject: Re: jail performance questions

At one point, we had >100 jails running on a server ... very sub-optimal,
but they were all doing mail/web and they were all responsive ...

On Fri, 11 Jul 2003, Ng Pheng Siong wrote:

> On Thu, Jul 10, 2003 at 04:48:21PM -0400, V. Jones wrote:
> > I've found several examples showing how to set the jails up.
> > My questions involve system requirements. Assuming plenty of
> > disk space, 1GB ram and a dual processor PIII 1.13Ghz system,
> > how many jails can I run? Would I notice a significant
> > performance hit if, for example, I run three jails?
>
> I haven't noticed performance degradation, but my jails aren't doing much.
>
> There are several providers selling jail-based virtual servers.
>
> I didn't consult the source, but my understanding is that a jail marks
> individual processes, so, e.g., if a jail runs just one process, that's the
> (operational, I don't know about startup) overhead for that jail.
>
> --
> Ng Pheng Siong
>
> http://firewall.rulemaker.net -+- Manage Your Firewall Rulebase Changes
> http://www.post1.com/home/ngps -+- Open Source Python Crypto & SSL

Marc G. Fournier           ICQ#7615664               IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy@hub.org           secondary: scrappy@{freebsd|postgresql}.org


From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 00:57:35 2003
From: Uwe Doering
Organization: Private UNIX Site
To: "V. Jones"
cc: freebsd-security@freebsd.org
Date: Fri, 11 Jul 2003 09:57:26 +0200
Message-ID: <3F0E6DE6.90605@geminix.org>
In-Reply-To: <1007042.1057880975396.JavaMail.nobody@kermit.psp.pas.earthlink.net>
Subject: Re: jail performance questions

V. Jones wrote:
> I'm thinking of using jails to improve security on a server
> I am setting up. Specifically, I would like to put Apache/PHP
> in a jail, but I might like to set up 2-3 different jails for
> different purposes.
>
> I've found several examples showing how to set the jails up.
> My questions involve system requirements. Assuming plenty of
> disk space, 1GB ram and a dual processor PIII 1.13Ghz system,
> how many jails can I run? Would I notice a significant
> performance hit if, for example, I run three jails?

Running processes in a jail just marks them as belonging to the
respective jail, so they are restricted in what they can do to resources
outside the scope of that jail.  If you have 100 jails with one process
each it is basically the same as if you had 100 processes running in a
non-jail environment.  There is, of course, the slight overhead of the
jail(2) system call, but if you don't start new jails all the time you
won't notice that at all.

So, as to server performance, it all depends on how many processes you
have, and how much work they have to do.  For the server there is no
difference between jailed and non-jailed environments in this regard.
The load will be the same.

   Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net


From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 07:23:21 2003
From: Scott Gerhardt
To: freebsd-security@freebsd.org
Date: Fri, 11 Jul 2003 08:23:18 -0600
Subject: Login.Access

Login seems to be ignoring my /etc/login.access settings.

I have the following entries (see below) in my login.access, yet any new
user (not in the wheel group) is still allowed to login.  What am I missing?

# $FreeBSD: src/etc/login.access,v 1.3 1999/08/27 23:23:42 peter Exp $
#
-:ALL EXCEPT wheel:console
-:ALL EXCEPT wheel:ALL

Thanks,

-- 
Scott Gerhardt, P.Geo.
Gerhardt Information Technologies [G-IT]


From owner-freebsd-security@FreeBSD.ORG Sat Jul 12 09:34:02 2003
From: Mike Tancsa
To: Scott Gerhardt, freebsd-security@freebsd.org
Date: Sat, 12 Jul 2003 12:35:13 -0400
Message-Id: <5.2.0.9.0.20030712123406.04558440@209.112.4.2>
Subject: Re: Login.Access

I am not sure if sshd out of the box honours it or not.  Do you have
UseLogin yes or no ?

        ---Mike

At 08:23 AM 11/07/2003 -0600, Scott Gerhardt wrote:
>Login seems to be ignoring my /etc/login.access settings.
>
>I have the following entries (see below) in my login.access, yet any new
>user (not in the wheel group) is still allowed to login. What am I missing?
>
>
># $FreeBSD: src/etc/login.access,v 1.3 1999/08/27 23:23:42 peter Exp $
>#
>-:ALL EXCEPT wheel:console
>-:ALL EXCEPT wheel:ALL
>
>
>Thanks,
>
>
>--
>Scott Gerhardt, P.Geo.
>Gerhardt Information Technologies [G-IT]


From owner-freebsd-security@FreeBSD.ORG Sat Jul 12 09:56:25 2003
From: Scott Gerhardt
To: Mike Tancsa, freebsd-security@freebsd.org
Date: Sat, 12 Jul 2003 10:56:18 -0600
In-Reply-To: <5.2.0.9.0.20030712123406.04558440@209.112.4.2>
Subject: Re: Login.Access

I was using the default sshd config which has "UseLogin no".  I changed it
to "yes", restarted sshd and logins are now denied/allowed as defined in my
/etc/login.access.  Thanks!

I would like to know if there are any negative effects or implications of
setting "UseLogin yes" in sshd_config?

Cheers,

-- 
Scott

On 7/12/03 10:35 AM, "Mike Tancsa" wrote:

> I am not sure if sshd out of the box honours it or not.  Do you have
> UseLogin yes or no ?
>
>         ---Mike
> At 08:23 AM 11/07/2003 -0600, Scott Gerhardt wrote:
>
>> Login seems to be ignoring my /etc/login.access settings.
>>
>> I have the following entries (see below) in my login.access, yet any new
>> user (not in the wheel group) is still allowed to login. What am I missing?
>>
>>
>> # $FreeBSD: src/etc/login.access,v 1.3 1999/08/27 23:23:42 peter Exp $
>> #
>> -:ALL EXCEPT wheel:console
>> -:ALL EXCEPT wheel:ALL
>>
>>
>> Thanks,
>>
>>
>> --
>> Scott Gerhardt, P.Geo.
>> Gerhardt Information Technologies [G-IT]

-- 
Scott Gerhardt, P.Geo.
Gerhardt Information Technologies [G-IT]


From owner-freebsd-security@FreeBSD.ORG Sat Jul 12 15:46:04 2003
From: "V. Jones"
To: freebsd-security@freebsd.org
Date: Sat, 12 Jul 2003 18:43:26 -0700 (PDT)
Message-ID: <3083978.1058049961635.JavaMail.nobody@scooter.psp.pas.earthlink.net>
Subject: jails, ipfilter & stunnel

I'm setting up a server where I plan to use Jails to improve security.
I also have installed and am configuring ipfilter.  Here are my
questions:

Because I'm using Jails, I will have to have multiple ip aliases on the
network interface.  I will use ipfilter to specify what can go to each
of the addresses.  (e.g., allow only incoming to port 80 on the jail
running apache).  Another jailed server will run mail services (pop,
smtp, imap).  If I want to allow users to use web based email (over ssl
of course), the web server will have to communicate with the mail
server.  Is there a chance of "information leakage" in this type of
setup?

Finally, I'd like to use SSL to offer secure web connections & secure
email without having to buy two certificates.  Am I getting too cute if
I accept ssl connections on one ip address and use stunnel to route them
to the appropriate jailed server?


From owner-freebsd-security@FreeBSD.ORG Sat Jul 12 23:56:23 2003
From: Uwe Doering
Organization: Private UNIX Site
To: "V. Jones"
cc: freebsd-security@freebsd.org
Date: Sun, 13 Jul 2003 08:56:16 +0200
Message-ID: <3F110290.5060902@geminix.org>
In-Reply-To: <3083978.1058049961635.JavaMail.nobody@scooter.psp.pas.earthlink.net>
Subject: Re: jails, ipfilter & stunnel

V. Jones wrote:
> I'm setting up a server where I plan to use Jails to improve security
> I also have installed and am configuring ipfilter. Here are my
> questions:
>
> Because I'm using Jails, I will have to have multiple ip aliases on the
> network interface. I will use ipfilter to specify what can go to each
> of the addresses. (e.g., allow only incoming to port 80 on the jail
> running apache).

You don't have to have multiple IP aliases for multiple jails.  Or at
least there is no technical necessity for this (in FreeBSD 4.x, that is,
don't know about 5.x).  If it's just about running server processes in
their own jail (no port number conflicts) you can have all jails on the
same IP address and do the IP filtering (if necessary at all in this
scenario) based on port numbers.

> Another jailed server will run mail services (pop, smtp, imap). If
> I want to allow users to use web based email(over ssl of course), the
> web server will have to communicate with the mail server. Is there
> a chance of "information leakage" in this type of setup?

Only the information you transmit will leak.  That is, you define the
information interchange between the jails, so pondering over the
consequences is on your plate, too.  Just assume that each jail has been
broken into by an intruder with evil intentions and ask yourself what
damage he can do with the data he can gather from the other jails.
Paranoia in action, as it were. ;-)

> Finally, I'd like to use SSL to offer secure web connections & secure email
> without having to buy two certificates. Am I getting too cute if I accept
> ssl connections on one ip address and use stunnel to route them to the
> appropriate jailed server?

In case of all jails on one IP address this problem goes away, too.  You
could define a generic domain name for the SSL stuff, for instance
'secure.domain.tld', get a certificate for that and use it for web as
well as email and other purposes.

   Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
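The sshd stack Dag-Erling posts in the pam_opieaccess thread above works because of how PAM control flags interact: a sufficient module that succeeds ends the chain, a requisite module that fails ends it immediately, and a required module that fails is remembered while the rest of the chain still runs. The simulator below is an added example, not code from the thread or from FreeBSD: it picks the sshd auth lines out of pam.conf(5)-style text and replays them under the OpenPAM/Linux-PAM dispatch rules. Both stacks in it are constructed (one copied from the posted grep output, one with pam_opie marked required as in the quoted attempt), and the per-module return codes are stand-ins for what pam_opie(8), pam_opieaccess(8) and pam_unix(8) would return in each scenario, chosen to follow their documented behaviour: pam_opieaccess succeeds for a user with no OPIE key and fails for a keyed user coming from a host not trusted in /etc/opieaccess.

```python
"""Simulator for PAM auth-chain control flags (required, requisite,
sufficient, optional) following the OpenPAM/Linux-PAM dispatch rules.
Module outcomes are constructed stand-ins; nothing here calls real PAM."""

SUCCESS, AUTH_ERR, IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"


def parse_pam_conf(text, service="sshd", facility="auth"):
    """Return the (flag, module, options) chain for one service/facility
    from pam.conf(5)-style text; comments and other services are skipped."""
    chain = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf entry: {raw!r}")
        svc, fac, flag, module, *opts = fields
        if svc == service and fac == facility:
            chain.append((flag, module, opts))
    return chain


def run_chain(chain, results):
    """Walk the chain with `results` mapping module name -> return code.
    Returns (verdict, modules_called) so short-circuits are visible."""
    err = SUCCESS        # first failure recorded by a required/requisite module
    called = []
    for flag, module, _opts in chain:
        code = results.get(module, AUTH_ERR)
        called.append(module)
        if code == SUCCESS:
            # A successful sufficient module ends the chain with success,
            # but only if no required module has already failed.
            if flag == "sufficient" and err == SUCCESS:
                break
            continue
        if code == IGNORE or flag in ("optional", "sufficient"):
            continue     # failures of optional/sufficient modules do not count
        if err == SUCCESS:
            err = code   # required/requisite: remember the first failure ...
        if flag == "requisite":
            break        # ... and requisite stops the chain right here
    return err, called


# Constructed stacks: the first copies the working sshd auth lines from the
# thread, the second marks pam_opie required as in the quoted attempt.
DES_STACK = """\
sshd    auth    sufficient  pam_opie.so         no_fake_prompts
sshd    auth    requisite   pam_opieaccess.so
sshd    auth    required    pam_unix.so         try_first_pass
sshd    account required    pam_unix.so
"""
REQUIRED_OPIE_STACK = """\
sshd    auth    required    pam_opie.so
sshd    auth    requisite   pam_opieaccess.so
sshd    auth    required    pam_unix.so         try_first_pass
"""

# Constructed module outcomes.  The first two are a user who has an OPIE key
# and connects from a host not trusted in /etc/opieaccess; the third is a
# user with no OPIE key at all, for whom pam_opieaccess succeeds.
OTP_FROM_UNTRUSTED = {"pam_opie.so": SUCCESS, "pam_opieaccess.so": AUTH_ERR,
                      "pam_unix.so": AUTH_ERR}
PASSWORD_FROM_UNTRUSTED = {"pam_opie.so": AUTH_ERR,
                           "pam_opieaccess.so": AUTH_ERR,
                           "pam_unix.so": SUCCESS}
NO_OPIE_KEY = {"pam_opie.so": AUTH_ERR, "pam_opieaccess.so": SUCCESS,
               "pam_unix.so": SUCCESS}


if __name__ == "__main__":
    for name, stack in (("sufficient pam_opie", DES_STACK),
                        ("required pam_opie", REQUIRED_OPIE_STACK)):
        chain = parse_pam_conf(stack)
        for label, outcome in (("correct OTP, untrusted host", OTP_FROM_UNTRUSTED),
                               ("Unix password, untrusted host", PASSWORD_FROM_UNTRUSTED),
                               ("no OPIE key, Unix password", NO_OPIE_KEY)):
            verdict, called = run_chain(chain, outcome)
            print(f"{name}: {label}: {verdict} after {' -> '.join(called)}")
```

The trace makes the two points of the thread concrete: with sufficient pam_opie a correct one-time password finishes the chain without ever consulting pam_unix, and a keyed user who tries a plain password from an untrusted host is stopped by the requisite pam_opieaccess before pam_unix is reached; with required pam_opie instead, a keyed user is refused even with the correct OTP, and a user who has no OPIE key cannot fall back to a Unix password at all, because the required failure is remembered even though the remaining modules still run.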
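For the Login.Access thread above, the following is an added example (not code from the thread, nor FreeBSD's own login_access.c) that re-implements the matching rules of login.access(5) in Python: entries are permission:users:origins, the first entry whose origin field and user field both match decides, EXCEPT lists nest, and a file with no matching entry allows the login. Group membership comes from a constructed dict standing in for getgrnam(3), and the sample file is a copy of the two entries Scott posted. Running it shows why those two entries deny every non-wheel user from every origin (the console line is already covered by the ALL line). Two practical points the thread leaves open: on the FreeBSD of that era only login(1) consulted this file, which is why sshd honoured it only once UseLogin was set to yes, and sshd_config(5) notes that UseLogin disables X11 forwarding because login(1) cannot handle xauth cookies; later FreeBSD releases instead ship pam_login_access(8) in the sshd PAM stack, so the file is enforced without UseLogin.

```python
"""Evaluator for /etc/login.access entries, following login_access.c:
first matching line wins, EXCEPT clauses nest, and no match means allow."""
import re

_SEP = re.compile(r"[,\s]+")


def parse_login_access(text):
    """Return (permit, user_tokens, origin_tokens) triples in file order.
    Unlike login(1), which logs and skips a bad entry, this raises on one."""
    rules = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        line = raw.rstrip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 3 or fields[0].strip() not in ("+", "-"):
            raise ValueError(f"malformed login.access entry: {raw!r}")
        perm, users, origins = (f.strip() for f in fields)
        rules.append((perm == "+",
                      [t for t in _SEP.split(users) if t],
                      [t for t in _SEP.split(origins) if t]))
    return rules


def _string_match(tok, item):
    return tok.upper() == "ALL" or tok.lower() == item.lower()


def _user_match(tok, user, groups):
    """Token is ALL, the login name, or a group that contains the user."""
    if _string_match(tok, user):
        return True
    return any(user.lower() == m.lower() for m in groups.get(tok, ()))


def _from_match(tok, origin):
    """Token is ALL, an exact tty/host name, a .domain suffix, LOCAL
    (any origin without a dot), or a network prefix ending in a dot."""
    if _string_match(tok, origin):
        return True
    if tok.startswith("."):
        return len(origin) > len(tok) and origin.lower().endswith(tok.lower())
    if tok.upper() == "LOCAL":
        return "." not in origin
    if tok.endswith("."):
        return origin.startswith(tok)
    return False


def _split_except(tokens):
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            return tokens[:i], tokens[i + 1:]
    return tokens, None


def _list_match(tokens, item, match_fn):
    """Tokens before the first EXCEPT may match the item; everything after
    it is an exception list evaluated by these same rules, so EXCEPT nests."""
    head, tail = _split_except(tokens)
    if not any(match_fn(tok, item) for tok in head):
        return False
    return tail is None or not _list_match(tail, item, match_fn)


def login_allowed(rules, user, origin, groups):
    """Apply the first entry whose origin and user fields both match.
    A file with no matching entry grants access, exactly as login(1) does."""
    for permit, users, origins in rules:
        if _list_match(origins, origin, _from_match) and _list_match(
                users, user, lambda tok, u: _user_match(tok, u, groups)):
            return permit
    return True


# Constructed sample data: a copy of the posted entries and a stand-in for
# getgrnam(3) membership.
SAMPLE_RULES = """\
# $FreeBSD: src/etc/login.access,v 1.3 1999/08/27 23:23:42 peter Exp $
#
-:ALL EXCEPT wheel:console
-:ALL EXCEPT wheel:ALL
"""
SAMPLE_GROUPS = {"wheel": {"root", "scott"}}


def demo():
    rules = parse_login_access(SAMPLE_RULES)
    attempts = [("scott", "console"), ("bob", "console"),
                ("bob", "10.0.0.5"), ("root", "host.example.net")]
    return {f"{u}@{o}": login_allowed(rules, u, o, SAMPLE_GROUPS)
            for u, o in attempts}


if __name__ == "__main__":
    for attempt, ok in demo().items():
        print(f"{attempt}: {'allowed' if ok else 'denied'}")
```

The nested-EXCEPT case is worth checking against your own files: an entry such as -:ALL EXCEPT wheel EXCEPT root:ALL denies root (root is excepted from the wheel exception) while still admitting other wheel members, and a network prefix like 192.168. matches only because it ends in a dot.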