From owner-freebsd-questions@FreeBSD.ORG Tue Sep 13 14:03:55 2005
From: Frank Mueller - emendis GmbH
Organization: emendis GmbH
Reply-To: Frank.Mueller@emendis.de
Date: Tue, 13 Sep 2005 16:04:08 +0200
To: Elliot Crosby-McCullough
Cc: freebsd-questions@freebsd.org
Message-ID: <4326DC58.1090806@emendis.de>
References: <4326D764.1040402@xianshi.org>
In-Reply-To: <4326D764.1040402@xianshi.org>
Subject: Re: Requesting advice on Jail technique.
Hi there,

if you have enough system resources I would recommend using separate jails for every user. All you have to keep in mind is that you won't be able to provide some services (SMTP, POP, IMAP, etc.) more than once for the whole system because they need a predefined port (25, 110, 443, etc.). Some other services, like ssh, you can manage through port forwarding, http through virtual hosting, etc. Separate jails make it much easier to keep track of activities. It all depends on what applications the user should be able to use.

Greetz,
Ice

Elliot Crosby-McCullough wrote:
> Dear all,
>
> I will shortly be creating a public service on a private box that will include shell access to untrusted users and would like your opinion on the best way to go about this.
>
> Obviously jails are a good start, but my main concern is whether to go for one large jail for all the restricted users or one small jail per user.
>
> I do not have a wealth of real IPs at my disposal but accountability and security is paramount, therefore I would like to use local IPs through NAT (within the one box) whilst retaining the translation logs. I would like to use one local IP per user in order to keep track of activity. I can afford a few real IPs for the purpose.
>
> The accounts themselves will be supremely limited. No root access, just basics such as ssh, perhaps telnet, mutt etc. I do not want the users to have the ability to run any scripts, so perl etc. is out, but I suppose the NAT firewall will be a fallback if any compiled programs are uploaded.
>
> Each user account is likely to have email/gpg etc. but I'm happy to control that from the host system with virtual users and simply deliver into the jail. It is not necessary for the jails to run any services, except the ability to SSH in.
>
> As you can see there are factors pulling in both directions, what would you recommend as the best direction to go?
>
> Sincerely,
> Elliot Crosby-McCullough

-- 
Frank Mueller
eMail: Frank.Mueller@emendis.de
Mobile: +49.177.6858655
Fax: +49.951.3039342

emendis GmbH
Hofmannstr. 89, 91052 Erlangen, Germany
Phone: +49.9131.817361
Fax: +49.9131.817386
Managing directors: Gunter Kroeber, Volker Wiesinger
Registered office Erlangen, Amtsgericht Fuerth HRB 10116
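A sketch of the layout discussed above (one jail and one private IP per untrusted user, sshd reached through a distinct forwarded port on the shared public IP, NAT for the jails' outbound traffic, logging on the pass rules), as an added example that is not code from either poster: a shell script that emits the FreeBSD 5/6-style rc.conf jail_* entries and the matching pf.conf rules. The interface, addresses, ports and paths are assumptions.

```shell
#!/bin/sh
# Per-user jails: each user gets a private address, a jail rooted under
# JAIL_ROOT, and a public port (BASE_PORT + N) redirected to port 22 inside
# the jail; outbound jail traffic is NATed to the public address and every
# pass rule is logged so the forwarded connections show up in pflog.
# Constructed example: interface, addresses, ports and paths are assumptions.

EXT_IF="em0"            # assumed public interface
EXT_IP="192.0.2.10"     # assumed shared public address
JAIL_NET="10.9.0"       # assumed private /24 for the user jails
JAIL_ROOT="/usr/jails"  # assumed jail base directory
BASE_PORT=2200          # user N is reached on EXT_IP:(BASE_PORT+N)

# Private address of the Nth user jail (N = 1..254).
jail_ip() { echo "${JAIL_NET}.$1"; }

# Public port forwarded to port 22 inside the Nth user jail.
ssh_port() { echo $((BASE_PORT + $1)); }

# rc.conf lines for one user jail: rc_conf_entry <user> <N>
rc_conf_entry() {
    cat <<EOF
jail_${1}_rootdir="${JAIL_ROOT}/${1}"
jail_${1}_hostname="${1}.jail.example"
jail_${1}_ip="$(jail_ip "$2")"
jail_${1}_interface="lo1"
EOF
}

# pf.conf lines for one user jail: redirect the user's public port to the
# jail's sshd and log the pass rule that lets the redirected packets in.
pf_conf_entry() {
    cat <<EOF
rdr on \$ext_if proto tcp from any to \$ext_ip port $(ssh_port "$2") -> $(jail_ip "$2") port 22
pass in log on \$ext_if proto tcp from any to $(jail_ip "$2") port 22 keep state
EOF
}

# Emit the rc.conf and pf.conf fragments for every user named on the command line.
gen_all() {
    echo "# --- rc.conf ---"; echo 'jail_enable="YES"'; echo "jail_list=\"$*\""
    n=0; for u in "$@"; do n=$((n + 1)); rc_conf_entry "$u" "$n"; done
    echo "# --- pf.conf ---"
    echo "ext_if=\"${EXT_IF}\""; echo "ext_ip=\"${EXT_IP}\""
    echo "nat on \$ext_if from ${JAIL_NET}.0/24 to any -> \$ext_ip"
    echo "pass out log on \$ext_if from ${JAIL_NET}.0/24 to any keep state"
    n=0; for u in "$@"; do n=$((n + 1)); pf_conf_entry "$u" "$n"; done
}
```

Run as `gen_all alice bob` to print both fragments; the logged pass rules land in pflog, and `pfctl -ss` shows the live translation state for each jail address.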