From: Uwe Doering <gemini@geminix.org>
Date: Tue, 15 Jul 2003 09:12:53 +0200
To: Pawel Jakub Dawidek
cc: freebsd-security@freebsd.org, "V. Jones"
Subject: Re: jails, ipfilter & stunnel
List: freebsd-security@freebsd.org

Pawel Jakub Dawidek wrote:
> On Mon, Jul 14, 2003 at 12:39:50PM -0400, V. Jones wrote:
> > > You can check my patch for multiple IPs in jails which also fixes
> > > sockets ordering behaviour.
> > >
> > > For FreeBSD 4.x:
> > > http://garage.freebsd.pl/mijail.tbz
> > > http://garage.freebsd.pl/mijail.README
> > > For FreeBSD 5.1-CURRENT:
> > > http://garage.freebsd.pl/mijail5.tbz
> > > http://garage.freebsd.pl/mijail5.README
> > > http://garage.freebsd.pl/patches/mijail5.patch
> >
> > I have a feeling you're trying to tell me something important
> > but I'm not understanding. Is this a problem only with ssh or
> > with any server listening on a port? Does this problem occur
> > when you share an IP address between two jailed servers or does
> > it happen any time you use a jail? Would having ssh on a
> > different port on each jail avoid the problem?
>
> No, because an attacker is able to spoof your daemons from the main host or
> other jails. Even if you're bound to a valid IP (not INADDR_ANY) there
> could always be a chance to DoS an existing daemon and reuse its port.
>
> My advice is simple: every jail and the main host should have its own IP address.

This is certainly the best solution, if you have multiple IP addresses at
your disposal. What I was trying to point out is that there is no
_technical_ reason for separate IP addresses with regard to FreeBSD's jail
implementation. In cases where you cannot easily get additional IP
addresses, on a rented server in a data center, for instance, running
multiple jails on the same IP address (with the necessary safety
precautions like binding daemons to IP addresses explicitly) is still far
better than no jails at all. The difference is that it takes at least some
skill and insight into FreeBSD internals to compromise the system as a
whole in the former case, while in the latter each and every script kiddy
can take over your entire server in no time.

   Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
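The precaution discussed in this thread, binding daemons explicitly instead of to INADDR_ANY when host and jails share an address, can be audited from `sockstat -4 -l` listings. The script below is an added example, not code from the thread or from the mijail patch; the listings, the environment names and the address 192.0.2.10 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample (not real data): `sockstat -4 -l` output captured on the
# host and inside one jail that share 192.0.2.10.  Columns follow sockstat's
# layout: USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
SAMPLE = {
    "host": """\
USER  COMMAND  PID  FD PROTO LOCAL ADDRESS    FOREIGN ADDRESS
root  sshd     312  3  tcp4  *:22             *:*
root  syslogd  201  5  udp4  *:514            *:*
root  ntpd     230  4  udp4  192.0.2.10:123   *:*
""",
    "jail-www": """\
root  sshd     1040 3  tcp4  192.0.2.10:2222  *:*
www   httpd    1055 4  tcp4  192.0.2.10:80    *:*
root  syslogd  1011 5  udp4  192.0.2.10:514   *:*
""",
}

# user, command, pid, fd, proto, local ip:port; the header row has no numeric PID
LINE = re.compile(r"^\S+\s+(\S+)\s+(\d+)\s+\d+\s+(tcp4|udp4)\s+(\S+):(\d+)\s")

def parse_sockstat(text):
    """Return (command, pid, proto, local_ip, port) for each listening socket."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            cmd, pid, proto, ip, port = m.groups()
            out.append((cmd, int(pid), proto, ip, int(port)))
    return out

def audit(listings):
    """wildcard: daemons bound to '*' rather than an explicit IP, per environment.
    shadowed: host wildcard ports that a jail also binds explicitly; the socket
    lookup prefers the explicit match, so that jail gets those connections."""
    wildcard, explicit = defaultdict(list), defaultdict(set)
    for env, text in listings.items():
        for cmd, _pid, proto, ip, port in parse_sockstat(text):
            if ip == "*":
                wildcard[env].append((cmd, proto, port))
            else:
                explicit[(proto, port)].add(env)
    shadowed = sorted((proto, port, env)
                      for _cmd, proto, port in wildcard.get("host", [])
                      for env in explicit.get((proto, port), ()) if env != "host")
    return {"wildcard": dict(wildcard), "shadowed": shadowed}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Every entry under "wildcard" is a daemon that should be given an explicit ListenAddress (or equivalent); "shadowed" shows where a wildcard listener on the host has already lost its port to a jail.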