From: Lowell Gilbert
To: "Chris"
cc: freebsd-questions@freebsd.org
Date: 03 Jan 2004 13:13:01 -0500
Subject: Re: Jails for websites

"Chris" writes:

> 5.1

Not generally advised for production use, but I'll assume you've read
the release notes and so forth, and have reasons for using it.

> I have a server with 5 public IP addresses, so I'm thinking I'll set
> it up with one IP for the server (as a host) and the other 4
> assigned to 4 jails. The jails are for websites...
>
> From a security standpoint, wouldn't it be better to run four
> instances of ftpd (one in each jail), as opposed to one instance on
> the host server?

Typically, yes. There may be situations where that's not the case.
If you can use something more secure than FTP, you'll probably be
safer, but that may not be a selling point for your customers.

> And from a security standpoint, should I run apache from the host
> server, where I can configure mod_security the way I want, or just
> run individual apaches inside each jail and let the website owners
> configure it the way they want?

If you take the former option, the jails aren't gaining you as much as
in the latter option. Again, though, it'll mostly come down to the
deal between you and your customers.

> I like the idea of running things inside the jail, and recognize
> that if the webmaster of the site configures it wrong, it's their
> problem not mine, but is the jail secure enough to allow them that
> much access?

Unless you configure it wrong. :-)
Note that as the "owner" of the IP addresses, you will still have to
deal with some complaints.

> I have heard of hosting sites selling "virtual dedicated servers" by
> giving someone root access to a jail, so I'm thinking jails are
> fairly secure. Anyone with experience in this that can give me
> advice?

I don't have that sort of experience, but I know I've seen postings on
this topic on this and other FreeBSD mailing lists.

--
Lowell Gilbert, embedded/networking software engineer, Boston area:
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password "public"