Date: Fri, 17 Sep 1999 22:18:35 +0200
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: Warner Losh <imp@village.org>
Cc: Liam Slusser <liam@tiora.net>, Kenny Drobnack <kdrobnac@mission.mvnc.edu>, "Harry M. Leitzell" <Harry_M_Leitzell@cmu.edu>, security@FreeBSD.ORG
Subject: Re: BPF on in 3.3-RC GENERIC kernel
Message-ID: <5082.937599515@critter.freebsd.dk>
In-Reply-To: Your message of "Fri, 17 Sep 1999 14:04:10 MDT." <199909172004.OAA04763@harmony.village.org>

There is a new kid in town if it comes to fortifying your FreeBSD
box: jail(2|8)

I have installed a couple of machines now where everything it does
for a living happens inside a jail. One of the machines has no
network services running in the "unjailed" part, you can only access
it from the console.

The advantage to this approach is that the *REAL* system is protected
independently of any application needed specific weak points.

The way I set it up:

  boot normally:
    no network configured
    application disks not mounted.
  fsck application disks.
  mount application disks.
  consistency check specified files using only tools
  from the un-jailed part of the system.
  ifconfig interfaces.
  Start jail(s) running on application disks
  optional: start sshd in unjailed part.

In essence this gives you a machine "that boots before it boots",
and it allows you to really close some doors.

It also limits the abilities of an intruder gaining root in the jail.

try it...

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5082.937599515>
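
The boot sequence described in the message above, sketched as a shell script; this is an added example, not code from the original message or from the FreeBSD project. The device, interface, address, hostname and the manifest format are assumptions, and the jail(8) call uses the original "path hostname ip-number command" form.

```sh
#!/bin/sh
# Added example, not from the original message. Device, interface, address and
# manifest format are assumptions; RUN=echo prints commands instead of running them.
: "${APP_DEV:=/dev/da1s1e}" "${JAIL_IF:=fxp0}"
: "${JAIL_IP:=192.0.2.10}" "${JAIL_HOST:=app.example.org}"

# Print the SHA-256 of a file using a tool from the unjailed base system.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        sha256 < "$1"
    fi
}

# verify_manifest MANIFEST ROOT
# MANIFEST lines are "<sha256-hex> <path relative to ROOT>". The manifest lives
# on the unjailed filesystem, so root inside the jail cannot rewrite it.
verify_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r want rel; do
        case $want in ''|'#'*) continue ;; esac
        f=$root/$rel
        # A symlink planted from inside the jail could point the check elsewhere.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "not a regular file: $rel" >&2; bad=1; continue
        fi
        [ "$(hash_file "$f")" = "$want" ] || { echo "mismatch: $rel" >&2; bad=1; }
    done < "$manifest"
    return "$bad"
}

# bring_up MANIFEST ROOT: fsck, mount, check, and only then network and jail.
bring_up() {
    manifest=$1; root=$2
    ${RUN:-} fsck -p "$APP_DEV" || return 1
    ${RUN:-} mount "$APP_DEV" "$root" || return 1
    if ! verify_manifest "$manifest" "$root"; then
        echo "consistency check failed; network stays down" >&2
        return 1
    fi
    ${RUN:-} ifconfig "$JAIL_IF" inet "$JAIL_IP" netmask 255.255.255.255 alias || return 1
    ${RUN:-} jail "$root" "$JAIL_HOST" "$JAIL_IP" /bin/sh /etc/rc
}
```

If the check fails, the function returns before any interface is configured, so the machine stays reachable from the console only.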