Date: Wed, 2 Dec 2015 21:44:01 -0800 From: Aleksandr Miroslav <alexmiroslav@gmail.com> To: freebsd-questions@freebsd.org Subject: best practice for locking down private jail? Message-ID: <CACcSE1yQO8AjW9rpY%2Bd2p1-ArPbO4qKV0zcaCMyRhYEWLOpQGA@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
So I'm setting up a server for a friend who wants to upload audio files and have them served up via http. i.e. He uploads lecture.mp3 to example.org, and wants people to be able to access it via http://example.org/audio/lecture.mp3. He's somewhat tech savvy, but I'm being super paranoid about security, so this is what I did: - setup a server, example.org, with a public IP, FreeBSD 10.2 - on this server, I setup a jail with a private IP - setup a pf rdr rule so that example.org:2222 goes to private-ip-of-jail:22, so he can only access the jail via ssh - inside the jail, I set up sshd to only allow his user (AllowUsers joeblow), and disabled passwords, so he can only access the machine with an ssh key - he will upload his files to his home directory (within the private jail), and put it in some directory, e.g. ~joeblow/audiofiles - from the example.org machine, outside the jail, i setup httpd to serve files only from /usr/jails/privatejail/usr/home/joeblow/audiofiles I've setup everything but the last step (httpd), and I will get that last bit working shortly. For what I want to do, does this look like an okay setup? Is there anything else I can do to lock this setup down? I figure in the worst case scenario, someone steals his ssh key and the worst damage they can do is delete the files he's uploaded (I'm taking backups so not too worried about that), or upload files to the server that is http accessible -- can I tell Apache to only serve up mp3 files of name lecture-num.mp3 or something like that? Any thoughts or suggestions appreciated. Thanks
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACcSE1yQO8AjW9rpY%2Bd2p1-ArPbO4qKV0zcaCMyRhYEWLOpQGA>