From owner-freebsd-questions@freebsd.org Thu Dec 3 07:55:19 2015
From: Steve O'Hara-Smith <steve@sohara.org>
To: freebsd-questions@freebsd.org
Subject: Re: best practice for locking down private jail?
Date: Thu, 3 Dec 2015 07:39:23 +0000
Message-Id: <20151203073923.17dae0c41a2b5e29a5b3a3dd@sohara.org>
X-Mailer: Sylpheed 3.4.3 (GTK+ 2.24.28; amd64-portbld-freebsd10.1)

On Wed, 2 Dec 2015 21:44:01 -0800
Aleksandr Miroslav wrote:

> So I'm setting up a server for a friend who wants to upload audio
> files and have them served up via http. i.e. He uploads lecture.mp3 to
> example.org, and wants people to be able to access it via
> http://example.org/audio/lecture.mp3.
>
> He's somewhat tech savvy, but I'm being super paranoid about security,

	I'll jump in here. If you are serious about locking this down as
tight as possible then don't use Apache, use a minimalist web server that
can only serve static files (thttpd can be set up this way - there are
others).

	I would set up two jails - one as the upload jail, the other the
web server - and use a cron job on the host to move verified mp3 files
(not just by name, use file at least) into the directory served by the
web server. Both jails stripped down so they pretty much can't do anything
else. Finally I'd use pf to lock down the traffic so that nothing gets to
the jails that shouldn't.

	I'm a firm believer that security starts by removing the
capabilities that you don't need - if it's not there it can't be
compromised, so ideally run applications in jails not complete system
images.

-- 
Steve O'Hara-Smith
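The host-side cron job the reply describes, written out as an added example (this is not code from the post or from any FreeBSD project): a POSIX sh script that promotes files from the upload jail into the web jail's static directory only after checking the filename and the file's content (MP3 magic bytes, and optionally file(1) as the reply suggests), and diverts everything else to a reject directory. The paths, the `REQUIRE_FILE_CHECK` switch and the function names are assumptions.

```shell
#!/bin/sh
# Constructed example of a host-side cron job that moves verified uploads
# from the upload jail into the web jail's static tree. Every path below is
# an assumption, not taken from the original post.

UPLOAD_DIR="${UPLOAD_DIR:-/jails/upload/home/uploader/incoming}"
SERVE_DIR="${SERVE_DIR:-/jails/web/usr/local/www/audio}"
REJECT_DIR="${REJECT_DIR:-/var/audio-rejected}"
REQUIRE_FILE_CHECK="${REQUIRE_FILE_CHECK:-0}"   # 1 = also require file(1) to agree

# Accept only a plain basename: no path separator, no leading dot,
# nothing outside [A-Za-z0-9._-], and a .mp3 suffix.
safe_name() {
    case "$1" in
        ''|.*|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
        *.mp3) return 0 ;;
    esac
    return 1
}

# Content check, independent of the name: a real MP3 starts with an ID3v2
# tag ("ID3") or an MPEG audio frame sync (0xFF followed by 0xE0..0xFF).
# An HTML page or script renamed to .mp3 fails this test.
looks_like_mp3() {
    [ -f "$1" ] || return 1
    magic=$(head -c 3 -- "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        494433) return 0 ;;        # "ID3"
        ff[e-f]???) return 0 ;;    # frame sync word
        *) return 1 ;;
    esac
}

# Optional second opinion from file(1), as the reply suggests. Off by
# default so the script still runs on a host without file(1) installed.
file_says_mpeg() {
    [ "$REQUIRE_FILE_CHECK" = 1 ] || return 0
    command -v file >/dev/null 2>&1 || return 1
    [ "$(file -b --mime-type -- "$1")" = "audio/mpeg" ]
}

# Promote one upload into the served tree or park it in REJECT_DIR.
# Prints "served", "rejected" or "failed" so a caller can check the outcome.
promote_one() {
    src="$1"
    name=$(basename -- "$src")
    if safe_name "$name" && looks_like_mp3 "$src" && file_says_mpeg "$src"; then
        # Copy via a dotfile, then rename: the jails may sit on different
        # filesystems, and the web jail must never see a half-written file.
        tmp="$SERVE_DIR/.$name.tmp"
        if cp -- "$src" "$tmp" && chmod 0644 "$tmp" && mv -- "$tmp" "$SERVE_DIR/$name"; then
            rm -f -- "$src"
            echo served
            return 0
        fi
        rm -f -- "$tmp"
        echo failed
        return 0
    fi
    mv -- "$src" "$REJECT_DIR/$(date +%s).$name" 2>/dev/null || rm -f -- "$src"
    echo rejected
    return 0
}

# Process every regular file in the upload directory, dotfiles included,
# so nothing lingers there for the upload jail to keep tampering with.
promote_uploads() {
    mkdir -p -- "$SERVE_DIR" "$REJECT_DIR"
    for f in "$UPLOAD_DIR"/* "$UPLOAD_DIR"/.*; do
        [ -f "$f" ] || continue
        promote_one "$f"
    done
}
```

Run it from the host's crontab (for example every minute) with the upload jail unable to write anywhere under `SERVE_DIR` and the web jail unable to write anywhere at all; the script is then the only path between the two jails, which is the point of the two-jail split.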