Date:      Mon, 8 May 2006 14:10:55 +0200 (CEST)
From:      Oliver Fromme <olli@lurza.secnetix.de>
To:        freebsd-security@FreeBSD.ORG, nospam@mgedv.net
Subject:   Re: Jails and loopback interfaces
Message-ID:  <200605081210.k48CAtMj094360@lurza.secnetix.de>
In-Reply-To: <000101c67100$91e4fdc0$01010101@avalon.lan>

No@SPAM@mgEDV.net <nospam@mgedv.net> wrote:
 > well, with your configurations i'm really concerned about the
 > overlapping configurations of ip-addresses on the loopback-
 > adapter.

That's standard.  It's completely normal to configure
multiple IP addresses on the same interface, no matter
whether those addresses are from different subnets or
from the same subnet.

 > lo0 is originally configured with 127/8 and i'm not sure, if
 > there's not a chance to confuse something if you add ip's in
 > the same range (127.0.1.1/32).

No.  It's a standard configuration.  There's no part of
the system that "confuses something".

 > as far as i read on other posts
 > about overlapping ip's it's not recommended

What other posts do you mean?  I don't see any reference.

 > (at least by some guys).

Then I guess those guys must be wrong.

 > ifconfig lo1 plumb
 > ifconfig lo1 10.10.10.1 netmask 255.255.255.252 up
 > ... and so on for further jails?

Now _that_ is confusing, and it doesn't increase your
security.

 > also, the handling of 127/8 would be much clearer in the fw,
 > as far as my understandings are.

Of course you should have appropriate packet filter rules
to handle all your traffic, including traffic on 127/8.

 > to your security concerns about jailed processes, that are overtaken
 > by hackers: my primary goal is not protecting the box (yes, we
 > backup them ,-) ), it's more protecting the data on it.

In order to protect the data on it, you have to protect the
box.  And a backup alone provides zero protection against
attacks, and doesn't secure your data.  If your data is
precious, then at the very least you should use a host IDS
(e.g. tripwire, or even mtree which is in the base system).

 > and if
 > i have very good and tight jails and an attacker is able to eg.
 > download all customer data by code injection on the http-frontend,
 > i guess a less tight jail is one of my last problems!
 > and the jail can be as tight as possible, if there's just one
 > php-script that fails, all the jailing/fw-rules don't help, because
 > the communication between ws<--->db has to work anyway.

Being able to download all data is one thing.  Basically,
you should assume that all data on a web server is public.
That's especially true when you use bug-prone stuff like
PHP.

However, being able to _modify_ data (e.g. "deface" a web
site or change database content) is another thing.  I guess
you do not want that at all.

You are right that jails are not the best solution for all
of those problems.  The main purpose of jails is to provide
a way to isolate and separate services from one another and
from the host system, and to minimize damage in the case
that an attacker is able to exploit a hole in one of the
services.

You are right saying that _if_ there is a hole in a PHP
script, the jail won't protect the data which is accessible
from within the jail.  But the jail _will_ protect all
other data on the same machine (provided that it is set up
correctly with a reasonable plan and design).  That's what
jails are all about.  That's why it is a good idea to make
them as tight as possible.  Using loopback IPs is one step
(of many) that can be useful for tightening them.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"[...]  one observation we can make here is that Python makes
an excellent pseudocoding language, with the wonderful attribute
that it can actually be executed."  --  Bruce Eckel
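
Added example, not part of the original message: a pf.conf fragment showing what filtering 127/8 can look like when jails sit on lo0 aliases such as 127.0.1.1. The use of pf, the second address 127.0.1.2, the macro names and port 3306 are assumptions made for illustration; the thread only says "fw" and "ws<--->db".

```conf
# Constructed addresses. 127.0.1.1 appears in the thread; its role as the
# web jail and everything about db_jail are assumptions of this example.
web_jail = "127.0.1.1"
db_jail  = "127.0.1.2"

# Weak setting, shown commented out: exempting lo0 from filtering means
# every jail bound to a loopback alias can reach every other one, and
# the host's own localhost services as well.
# set skip on lo0

# Tighter: filter lo0 like any other interface. pf uses the last
# matching rule, so the default block comes first.
block log on lo0 all

# The host's own localhost traffic.
pass on lo0 inet from 127.0.0.1 to 127.0.0.1

# The one flow that has to work: web jail to database jail.
pass on lo0 inet proto tcp from $web_jail to $db_jail port 3306
```

`pfctl -nf /etc/pf.conf` parses a ruleset without loading it, which is a safe way to check a change like this before it takes effect.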


