From: "Chad Leigh -- Shire.Net LLC" <chad@shire.net>
Date: Wed, 16 Nov 2005 22:16:16 -0700
To: Free BSD Questions list <freebsd-questions@freebsd.org>
Subject: Re: Need urgent help regarding security
In-Reply-To: <20051117043859.GF26954@localdomain>

On Nov 16, 2005, at 9:38 PM, Will Maier wrote:

> OP has some asset that is being threatened or diminished by this
> attack, be it his bandwidth, CPU cycles, host/network integrity or
> self confidence. He needs to identify that asset and work quickly to
> protect it.
> In most cases, this will mean immediately removing the
> box and preparing to rebuild the machine;

One thing I have done to minimize the threat of crackers is to have my machines built thus:

I install FreeBSD and activate only SSH, and only SSH with certificates -- no passwords allowed.

I then build a master jail hierarchy, but I don't actually run a jail in it.

I create file-backed md devices for most jails to be their root filesystems. Some jails I don't do this with, but most of them I do.

I then create one or more jails that use nullfs to READ ONLY mount specific parts of the master hierarchy into the jail, namely /bin /lib /libexec /sbin /usr. For example:

  # df -h | grep myjail
  /dev/md1410                  290M   108M   171M    39%    /local/jails/myjail
  /local/jails/master/bin       66G    28G    33G    46%    /local/jails/myjail/bin
  /local/jails/master/lib       66G    28G    33G    46%    /local/jails/myjail/lib
  /local/jails/master/libexec   66G    28G    33G    46%    /local/jails/myjail/libexec
  /local/jails/master/sbin      66G    28G    33G    46%    /local/jails/myjail/sbin
  /local/jails/master/usr       66G    28G    33G    46%    /local/jails/myjail/usr
  procfs                       4.0K   4.0K     0B   100%    /local/jails/myjail/proc
  devfs                        1.0K   1.0K     0B   100%    /local/jails/myjail/dev

/etc and /var are native to each jail in their own filesystem, and /usr/local is set up so that the master has a symlink that resolves to something inside of each separate jail's local filesystem, so that they can have a RW /usr/local.

Any and all other services run inside of one or more jails. You can set up other md devices if you want separate log / tmp / whatever partitions inside your jail...

Unless there is a breach in SSH, it is highly unlikely that the root machine itself will be cracked, as the ONLY port open is the SSH one and it is restricted to certificate logins only. You can use your firewalls to only allow logins to SSH from certain IP ranges etc. if you have that luxury.
If someone cracks one of the jails, it is harder for him to screw up the jail system, since most of the important system executables are actually mounted read only and they cannot replace system binaries, for example.

And if a jail does become compromised, it is much easier to rebuild a jail inside of a good machine than to rebuild your whole native machine...

And if one jail gets compromised, I can easily shut it down, rename the root file that is used for the md device (i.e., every jail uses an image for its fs) and save it for forensic study later.

best
Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad@shire.net
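The layout Chad describes, as an added example (not his own script and not part of FreeBSD): a POSIX sh script that builds one jail root on a file-backed md device, nullfs-mounts the master's /bin /lib /libexec /sbin /usr read-only into it, and, for the forensic step, unmounts everything and sets the image aside rather than deleting it. The /local/jails paths come from his df listing; the md unit, the 300M image size, the dated rename and the RO_DIRS list are assumptions, and the script only prints the commands unless DRYRUN is set to empty on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not the poster's own script: lays out one jail as the post
# describes. Paths, md unit, image size and RO_DIRS are assumptions based on
# the df listing. Dry run by default (prints commands); DRYRUN= executes.
JAILS=/local/jails
MASTER=$JAILS/master
RO_DIRS="bin lib libexec sbin usr"   # shared read-only from the master tree
DRYRUN=${DRYRUN-1}

run() { if [ -n "$DRYRUN" ]; then echo "$*"; else "$@"; fi; }
# create_image NAME UNIT SIZE: file-backed md device holding the jail root
create_image() {
  run truncate -s "$3" "$JAILS/$1.img"
  run mdconfig -a -t vnode -f "$JAILS/$1.img" -u "$2"
  run newfs "/dev/md$2"
}

# mount_jail NAME UNIT: root from md, system dirs nullfs read-only, devfs, procfs
mount_jail() {
  root=$JAILS/$1
  run mkdir -p "$root"
  run mount "/dev/md$2" "$root"
  for d in $RO_DIRS; do
    run mkdir -p "$root/$d"
    run mount -t nullfs -o ro "$MASTER/$d" "$root/$d"
  done
  run mkdir -p "$root/dev" "$root/proc"
  run mount -t devfs devfs "$root/dev"
  run mount -t procfs proc "$root/proc"
}

# preserve_jail NAME UNIT: the post's forensic step, after the jail is stopped:
# unmount innermost first, detach the md device, set the image aside by name
preserve_jail() {
  root=$JAILS/$1
  run umount "$root/proc"
  run umount "$root/dev"
  for d in $RO_DIRS; do run umount "$root/$d"; done
  run umount "$root"
  run mdconfig -d -u "$2"
  run mv "$JAILS/$1.img" "$JAILS/$1.img.compromised-$(date +%Y%m%d)"
}

# ro_mount_count NAME: how many read-only nullfs mounts the plan contains
ro_mount_count() { (DRYRUN=1; mount_jail "$1" 0) | grep -c 'nullfs -o ro'; }
case "${1:-}" in
  plan) create_image "$2" "$3" 300M; mount_jail "$2" "$3" ;;
  keep) preserve_jail "$2" "$3" ;;
esac
```

Run it as `sh jail-layout.sh plan myjail 1410` to review the command list first; after executing for real, `mount | grep myjail` should show each of the five nullfs mounts flagged read-only, which is the property the post relies on.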