From owner-freebsd-questions@FreeBSD.ORG Tue Feb 2 12:20:10 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0986B10656B1 for ; Tue, 2 Feb 2010 12:20:10 +0000 (UTC) (envelope-from wmoran@potentialtech.com) Received: from mail.potentialtech.com (internet.potentialtech.com [66.167.251.6]) by mx1.freebsd.org (Postfix) with ESMTP id CFE528FC12 for ; Tue, 2 Feb 2010 12:20:09 +0000 (UTC) Received: from new-host.home (pool-74-109-205-9.pitbpa.ftas.verizon.net [74.109.205.9]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mail.potentialtech.com (Postfix) with ESMTPSA id C4619F7419; Tue, 2 Feb 2010 07:20:08 -0500 (EST) Message-ID: <4B681879.6080606@potentialtech.com> Date: Tue, 02 Feb 2010 07:20:09 -0500 From: Bill Moran User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1 MIME-Version: 1.0 To: Jeff Mitchell References: <20100201205427.T36480@fw.skeleton.org> In-Reply-To: <20100201205427.T36480@fw.skeleton.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-questions@freebsd.org Subject: Re: How far to go with jailing? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Feb 2010 12:20:10 -0000 On 2/1/10 8:57 PM, Jeff Mitchell wrote: > > Strikes me that setting up jails for bloody-well-every-other service > might be 'fun' .. > > Jail the webserver; seems a logical break, and keep you honest for your > partitioning. No more ~/public_html to access it I suppose, but much > mroe secure for when people attack your wordpress etc. > > Jail the 'email services'; use fetchmail to pull down to the jail, and > IMAP and POP3 to serve the mail even to local clients; nice clean email > mini-server right there in the jail? > > Jail SMB-serving, so if attacked it still can only serve the content in > the very well defined area. > > Jail the mailing list (mailman etc) .. keep things nice and clean. > > But is setting up a whole stack of jails a pain? a performance problem? > or just un-necessary overkill? Or a good idea? It is a pain. We've never had a performance problem. I think it's a good idea. Others would argue that it's unnecessary. The real answer depends on how security conscious you need to be. It will take more time to set up. It will use a whole bunch more IP addresses. Is it worth it for you? Some advantages that you haven't considered: when your hardware starts to near overload, it's much easier to tar up a jail and move it to another server than it is to move that one service when it's not jailed. In the end, you've got to weight the extra work vs. the benefits. In our case, we're very security conscious, so it was a no brainer for us. -Bill