From: Pawel Jakub Dawidek
To: Uwe Doering
cc: freebsd-security@freebsd.org
cc: "V. Jones"
Date: Tue, 15 Jul 2003 11:12:11 +0200
Subject: Re: jails, ipfilter & stunnel
List-Id: Security issues [members-only posting]

On Tue, Jul 15, 2003 at 09:12:53AM +0200, Uwe Doering wrote:
> > My advice is simple: every jail and main host should have its own IP
> > address.
>
> This is certainly the best solution, if you have multiple IP addresses
> at your disposal. What I was trying to point out is that there is no
> _technical_ reason for separate IP addresses with regard to FreeBSD's
> jail implementation. In cases where you cannot easily get additional IP
> addresses, on a rented server in a data center, for instance, running
> multiple jails on the same IP address (with the necessary safety
> precautions like binding daemons to IP addresses explicitly) is still
> far better than no jails at all. The difference is that it takes at
> least some skill and insight into FreeBSD internals to compromise the
> system as a whole in the former case, while in the latter each and every
> script kiddy can take over your entire server in no time.

IMHO security solutions that are "harder to break" aren't security
solutions. There is a secure method: you can always use CerbNG :)

	http://cerber.sourceforge.net

Now you need to create a policy like this:

	if (syscall == SYS_bind && isjailed() &&
	    (getfamily(arg[1]) == AF_INET || getfamily(arg[1]) == AF_INET6)) {
		permit = 1;
		port = getport(arg[1]);
		host = getjailhost();
		if (host == "apache" && port != 80 && port != 443) {
			permit = 0;
		}
		if (host == "smtp" && port != 25) {
			permit = 0;
		}
		if (host == "pop3" && port != 110 && port != 995) {
			permit = 0;
		}
		if (!permit) {
			log(LOG_WARNING, "CerbNG: Process %s [pid=%u] from jail %s "
			    "is trying to bind to port %u!", pname, pid, host, port);
			return EPERM;
		}
	}

Now processes jailed in a prison with hostname "apache" can bind only to
port 80 or 443, etc.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
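The per-jail bind() restriction in the policy above, as an added example that is not part of the original mail and is not CerbNG's code: a user-space C model of the same decision, taking as explicit arguments what CerbNG obtains inside the kernel (whether the process is jailed, the jail hostname, and the sockaddr handed to bind(2)). The policy table with the apache/smtp/pop3 jails and their ports is copied from the mail; the function names, the wrapper helpers and the sample paths are assumptions made for this example.

```c
/*
 * Added example (not from the mail or from CerbNG): user-space model of the
 * per-jail bind() port policy. The caller passes what CerbNG reads in the
 * kernel: jailed flag, jail hostname, and the sockaddr given to bind(2).
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical allowlist; names and ports are the ones from the mail. */
struct jail_policy {
    const char *host;          /* jail hostname (getjailhost() in CerbNG) */
    unsigned short ports[4];   /* permitted ports, 0-terminated */
};

static const struct jail_policy policies[] = {
    { "apache", { 80, 443, 0 } },
    { "smtp",   { 25, 0 } },
    { "pop3",   { 110, 995, 0 } },
};

/* Port (host order) of an AF_INET/AF_INET6 address, or -1 if the family is
 * something else or the buffer is too short to contain the port field. */
int sockaddr_port(const struct sockaddr *sa, socklen_t len)
{
    if (sa->sa_family == AF_INET && len >= sizeof(struct sockaddr_in))
        return ntohs(((const struct sockaddr_in *)sa)->sin_port);
    if (sa->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6))
        return ntohs(((const struct sockaddr_in6 *)sa)->sin6_port);
    return -1;
}

/*
 * Policy decision for bind(2): 0 permits, EPERM denies, EINVAL rejects a
 * malformed address. Mirrors the mail's logic: unjailed processes and
 * non-INET families are left alone, a jail listed in the table may bind
 * only its listed ports, and a jail that is not listed is not restricted.
 */
int check_bind(const char *host, int jailed, const struct sockaddr *sa,
               socklen_t len)
{
    if (sa == NULL || len < offsetof(struct sockaddr, sa_data))
        return EINVAL;                     /* cannot even read sa_family */
    if (!jailed)
        return 0;
    if (host == NULL)
        return EPERM;                      /* jailed but no hostname: deny */
    if (sa->sa_family != AF_INET && sa->sa_family != AF_INET6)
        return 0;                          /* e.g. AF_UNIX: not covered */

    int port = sockaddr_port(sa, len);
    if (port < 0)
        return EINVAL;                     /* truncated sockaddr: refuse */

    for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++) {
        if (strcmp(policies[i].host, host) != 0)
            continue;
        for (size_t j = 0; policies[i].ports[j] != 0; j++)
            if (policies[i].ports[j] == (unsigned short)port)
                return 0;
        fprintf(stderr, "bind policy: jail %s tried to bind to port %d\n",
                host, port);
        return EPERM;
    }
    return 0;                              /* jail not in table: permitted */
}

/* Wrappers that build an address and run the check without a real socket. */
int check_bind_v4(const char *host, unsigned short port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    return check_bind(host, 1, (const struct sockaddr *)&sin, sizeof sin);
}

int check_bind_v6(const char *host, unsigned short port)
{
    struct sockaddr_in6 sin6;
    memset(&sin6, 0, sizeof sin6);
    sin6.sin6_family = AF_INET6;
    sin6.sin6_port = htons(port);
    sin6.sin6_addr = in6addr_any;
    return check_bind(host, 1, (const struct sockaddr *)&sin6, sizeof sin6);
}

int check_bind_unix(const char *host, const char *path)
{
    struct sockaddr_un sun;
    memset(&sun, 0, sizeof sun);
    sun.sun_family = AF_UNIX;
    strncpy(sun.sun_path, path, sizeof sun.sun_path - 1);
    return check_bind(host, 1, (const struct sockaddr *)&sun, sizeof sun);
}

/* An IPv4 sockaddr truncated to its family field: must be rejected. */
int check_bind_truncated_v4(const char *host)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    return check_bind(host, 1, (const struct sockaddr *)&sin,
                      offsetof(struct sockaddr, sa_data));
}
```

Two properties of the mail's policy show up when it is run this way: a jail whose hostname is not in the table is not restricted at all, and AF_UNIX binds pass untouched, so a production policy would normally default to deny for unlisted jails and be written per jail rather than per exception. The decision also has to be enforced where CerbNG enforces it, in the kernel on the syscall path; the same check in an LD_PRELOAD shim is bypassed by a static binary or a direct syscall.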