Date: Mon, 1 Feb 2010 21:01:43 -0500
From: "illoai@gmail.com" <illoai@gmail.com>
To: Jeff Mitchell <skeezix@skeleton.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: How far to go with jailing?
Message-ID: <d7195cff1002011801x50d4000dwddd39ff43b1e3468@mail.gmail.com>
In-Reply-To: <20100201205427.T36480@fw.skeleton.org>
References: <20100201205427.T36480@fw.skeleton.org>

On 1 February 2010 20:57, Jeff Mitchell <skeezix@skeleton.org> wrote:
>
>        Strikes me that setting up jails for bloody-well-every-other service
> might be 'fun' ..
>
>        Jail the webserver; seems a logical break, and keep you honest for
> your partitioning. No more ~/public_html to access it I suppose, but much
> more secure for when people attack your wordpress etc.
>
>        Jail the 'email services'; use fetchmail to pull down to the jail,
> and IMAP and POP3 to serve the mail even to local clients; nice clean email
> mini-server right there in the jail?
>
>        Jail SMB-serving, so if attacked it still can only serve the content
> in the very well defined area.
>
>        Jail the mailing list (mailman etc) .. keep things nice and clean.
>
>        But is setting up a whole stack of jails a pain? a performance
> problem? or just un-necessary overkill? Or a good idea?
>

I don't know about the performance, though given what I
[believe I] know, if your machine is already running those
serv[ice|er]s, the effect ranges from lightly noticeable to
entirely negligible.
You do have to keep track of the jails (& update when
necessary), though I suppose if you can't write scripts to
do the tedious bits you might be in the wrong business.

I think it's a good idea, frankly. Lift and separate, as
"they" said in the 1990s.

--
--