From owner-freebsd-questions@FreeBSD.ORG Tue Feb 2 02:01:46 2010
From: "illoai@gmail.com"
To: Jeff Mitchell
Cc: freebsd-questions@freebsd.org
Date: Mon, 1 Feb 2010 21:01:43 -0500
In-Reply-To: <20100201205427.T36480@fw.skeleton.org>
References: <20100201205427.T36480@fw.skeleton.org>
Subject: Re: How far to go with jailing?
On 1 February 2010 20:57, Jeff Mitchell wrote:
>
>         Strikes me that setting up jails for bloody-well-every-other service
> might be 'fun' ..
>
>         Jail the webserver; seems a logical break, and keep you honest for
> your partitioning. No more ~/public_html to access it I suppose, but much
> more secure for when people attack your wordpress etc.
>
>         Jail the 'email services'; use fetchmail to pull down to the jail,
> and IMAP and POP3 to serve the mail even to local clients; nice clean email
> mini-server right there in the jail?
>
>         Jail SMB-serving, so if attacked it still can only serve the content
> in the very well defined area.
>
>         Jail the mailing list (mailman etc) .. keep things nice and clean.
>
>         But is setting up a whole stack of jails a pain? a performance
> problem? or just unnecessary overkill? Or a good idea?
>

I don't know about the performance, though given what I [believe I]
know, if your machine is already running those serv[ice|er]s, the
effect ranges from lightly noticeable to entirely negligible.

You do have to keep track of the jails (& update when necessary),
though I suppose if you can't write scripts to do the tedious bits you
might be in the wrong business.

I think it's a good idea, frankly.
Lift and separate, as "they" said in the 1990s.

-- 
--
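As an added illustration of the one-jail-per-service layout discussed in this thread (this is not configuration from either poster), the jail.conf below carves the web, mail, SMB and list services into separate jails. It assumes the jail.conf(5) format of FreeBSD 9.1 and later rather than the rc.conf jail_* variables in use in 2010, an interface named em0, jail roots under /jails/<name>, hostnames under example.org, and addresses from the 192.0.2.0/24 documentation range; all of those are assumptions, not values from the thread. The shared defaults restate the restrictive jail(8) defaults explicitly so that a reader can see what each jail is and is not allowed to do, and each jail gets its own address so a compromised listener in one jail cannot bind or observe the others.

```conf
# /etc/jail.conf -- constructed example; names, addresses, interface and
# paths are assumptions for illustration, not values from the thread.

# Defaults inherited by every jail defined below: a normal rc(8) boot,
# a scrubbed environment, a restricted devfs, and the default deny
# posture for the optional allow.* capabilities spelled out explicitly.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;          # devfsrules_jail: no raw disks or other jails' devices
path = "/jails/$name";      # $name expands to the jail's name below
host.hostname = "$name.example.org";
interface = "em0";          # address is added as an alias on this interface
allow.raw_sockets = 0;      # no raw packet crafting from inside the jail
allow.sysvipc = 0;          # no shared SysV IPC with the host or other jails
allow.mount = 0;            # no mounting of file systems from inside
securelevel = 2;            # raw device access and kernel time changes locked

# One jail per service, each on its own address, so a break-in to the
# wordpress install cannot reach the mail spool or the SMB share data.
www   { ip4.addr = 192.0.2.10; }
mail  { ip4.addr = 192.0.2.11; }
smb   { ip4.addr = 192.0.2.12; }
lists { ip4.addr = 192.0.2.13; }
```

With jail_enable="YES" in rc.conf, `service jail start www` boots a single jail and `jls` lists the running ones. The bookkeeping the reply mentions is mostly patching: `freebsd-update -b /jails/www fetch install` updates a jail's base system from the host, and `pkg -j www upgrade` updates its packages, so a short loop over the names in jail.conf covers the tedious part.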