From: Steve Bertrand
Date: Mon, 01 Feb 2010 21:50:01 -0500
To: Jeff Mitchell
Cc: freebsd-questions@freebsd.org
Subject: Re: How far to go with jailing?
Message-ID: <4B6792D9.90409@ibctech.ca>
In-Reply-To: <20100201205427.T36480@fw.skeleton.org>

Jeff Mitchell wrote:
>
> Strikes me that setting up jails for bloody-well-every-other service
> might be 'fun' ..

...

> Jail the webserver; seems a logical break, and keep you honest for
> your partitioning. No more ~/public_html to access it I suppose, but
> much more secure for when people attack your wordpress etc.

To us, ~/public_html is important, and needs to be considered for our
primary domain. This is legacy, going back to 1995.

> Jail the 'email services'; use fetchmail to pull down to the jail,
> and IMAP and POP3 to serve the mail even to local clients; nice clean
> email mini-server right there in the jail?

On a home system, sounds great!

> Jail SMB-serving, so if attacked it still can only serve the content
> in the very well defined area.

...should be separated physically, IMHO, unless it's a home server.

> Jail the mailing list (mailman etc) .. keep things nice and clean.
>
> But is setting up a whole stack of jails a pain? a performance
> problem? or just un-necessary overkill? Or a good idea?

It's a management pain. In a production ISP/hosting environment, you
still have to treat each jail as if it's a server. The more servers you
have, the more maintenance and management you have.

I don't think that there is an easy answer to what you're asking.

Personally, I use jails to segregate top-level functions that I want to
put into development and possibly further into production.

- DNS
- SMTP, IMAP, POP3
- authentication (RADIUS etc)
- HTTP etc
- software devel, web
- software devel, non-web
- devel software implementation, testing
- "" "" inline with production
- build processes (testing new features of FBSD)
- stage area of test builds, prior to implementation
- protocol testing (i.e. IPv6)

...after that, I've always chosen to put each core critical function
onto a separate physical server, and then replicate it to another
physical server.

However, I have been toying/researching the idea of replicating 'jails'
across the network to separate physical hardware, as it would save
physical space, hydro, network drops etc for each box that we have.

Other than knowing what hardware we have in our PoPs, I use SSH to
communicate with every device that I have, so if someone else set it up
for me, I wouldn't know that it's a jail.

Use jails to define boundaries. Don't get overzealous.

I don't see the need to put each web hosting client within their own
jail, unless you determine the risk warrants such. Same for email. If
risk is that high, then that particular client should pay for
collocation anyway ;)

It comes down to what you can consider as your risk assessment. If you
are just playing along at home, set up as many as you can, and test for
yourself.

Performance hit is dependent on the hardware that you are running. I
don't notice any difference on a standard box with a couple of jails
over one that doesn't have any...

Steve