Date: Tue, 13 Sep 2005 06:55:44 -0700 From: =?ISO-8859-1?Q?Malachi_de_=C6lfweald?= <malachid@gmail.com> To: Elliot Crosby-McCullough <freebsd@xianshi.org> Cc: freebsd-questions@freebsd.org Subject: Re: Requesting advice on Jail technique. Message-ID: <c090347a05091306552dbfcd2f@mail.gmail.com> In-Reply-To: <4326D764.1040402@xianshi.org> References: <4326D764.1040402@xianshi.org>
next in thread | previous in thread | raw e-mail | index | archive | help
I have been getting ready to do one-jail per domain myself. The key though= =20 is that if you want to support any port (and specifically things like ssh)= =20 they have to have a public IP address (or 1:1 NAT)... ie: if the ssh server= =20 is running under each jail, you need to know my IP address which one to log= =20 into it. You could probably get away with not doing that if they had to ssh into 1= =20 public IP address; and have a login script that auto-ssh's to a different i= p=20 on the local network from there ... but that will take a lot more work. For security, I would say you want multiple jails -- since any one logging= =20 in can screw the rest -- but that is going to be dependant on how many IPs= =20 you want to purchase. Malachi On 9/13/05, Elliot Crosby-McCullough <freebsd@xianshi.org> wrote: >=20 > Dear all, >=20 > I will shortly be creating a public service on a private box that will > include shell access to untrusted users and would like your opinion on > the best way to go about this. >=20 > Obviously jails are a good start, but my main concern is whether to go > for one large jail for all the restricted users or one small jail per=20 > user. >=20 > I do not have a wealth of real IPs at my disposal but accountability > and security is paramount, therefore I would like to use local IPs > through NAT (within the one box) whilst retaining the translation logs. > I would like to use one local IP per user in order to keep track of > activity. I can afford a few real IPs for the purpose. >=20 > The accounts themselves will be supremely limited. No root access, > just basics such as ssh, perhaps telnet, mutt etc. I do not want the > users to have the ability to run any scripts, so perl etc is out, but I > suppose the NAT firewall will be a fallback if any compiled programs are > uploaded. >=20 > Each user account is likely to have email/gpg etc but I'm happy to > control that from the host system with virtual users and simply deliver > into the jail. It is not necessary for the jails to run any services, > except the ability to SSH in. >=20 > As you can see there are factors pulling in both directions, what would > you recommend as the best direction to go? >=20 > Sincerely, > Elliot Crosby-McCullough > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to " > freebsd-questions-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?c090347a05091306552dbfcd2f>