|
FreeBSD Security Securing FreeBSD. |
|
Thread Tools | Display Modes |
|
|||
Not clear how to build a Jail with ezjail
Hi
I use this links: http://forums.freebsd.org/showthread.php?t=16860 http://scratching.psybermonkey.net/2...gure-jail.html ------------ Step 2. Next we'll create the jail for our webserver. ezjail-admin create WEBSERVER 10.1.1.1 ------------ What is 10.1.1.1 address? ----------------------- Step 3. Add the following to your hosts rc.conf (or manually via ifconfig) ee /etc/rc.conf cloned_interfaces="lo1" ifconfig_lo1="inet 10.1.1.1 netmask 255.255.255.0" ---------------------- What is this? cloned_interfaces="lo1" Is there a simple manual for using ezjail? Thanks. I have a dedicated server with an ip address and that's it. |
|
|||
The best link I have found
http://www.packtpub.com/article/secu...-freebsd-jails
Good Book : Network Administration with FreeBSD 7 I'm searching for hours for good info. --------------------------- To create persistent network aliases (aliases that will persist across reboots) you would add the following to your /etc/rc.conf file (replacing your IP as needed): ifconfig_hme0_alias0="inet 192.168.0.100/32" ifconfig_hme0_alias1="inet 192.168.0.101/32" ifconfig_hme0_alias2="inet 192.168.0.102/32" --------------------------- What is the network alias? Do I have to create it on a stand alone dedicated server? Thanks. |
|
|||
Is it really necessary ?
Is it a good idea to use jail or not?
To protect Nginx inside Freebsd? I'm getting a headache. |
|
|||
|
|
||||
Quote:
Web servers that run "server side" programs, such as CGI or PHP, may have errors in those programs which allow an attacker to submit and execute their own code -- an injection. That injected code can do anything the web server could do. This is a reason one might choose a "jail" -- a successful attacker would be limited to accessing only those files and services available to the jail. However, this is not necessarily good enough. For example, the web server may be permitted to contact a database server and issue any SQL operation. A successful attacker, even in a "jail" could still reach out and read or modify the databases available to it.I can't answer jail or FreeBSD questions. But now you know why a jail may be recommended for nginx in FreeBSD. I hope your headache subsides. ---- As you came from OpenBSD, I will tell you how this is done there:
Last edited by jggimi; 10th September 2012 at 09:37 PM. Reason: added links |
|
|||
Quote:
|
|
||||
Here's a an explanation of privilege separation from a 2004 presentation. This links to slide #28 and the technology is discussed through slide #31.
http://www.openbsd.org/papers/auug04/mgp00028.html |
|
|||
I now think jail is useless
Because if attacker can still easily go to the database then everything is doomed.
Jail can protect only the main server but the web service is in deep problems. Attacker can replace the files in /var/www/html and then what? -------------------- The protection is only between the main server and the web application, not between the attacker and the web application, therefore the web application is not protected. -------------------- What do you think, my conclusion is true? Other means like DMZ maybe. Thanks. - Last edited by barti; 11th September 2012 at 07:33 AM. |
|
||||
Quote:
Code:
[web server] - [database] With this architecture... Code:
[web server] - [application server] - [database] Quote:
Quote:
Quote:
Security cannot be installed. Security is not software, nor is it hardware. Security is a process. And that is because you cannot eliminate risk. But by understanding risks, you can seek to mitigate them. In this case, risk mitigations do come from infrastructure design, and there are also mitigations from software implementation and softare tools, and also from operational best practices. |
|
|||
Openbsd jail is useless in my case
For a web hosting company it is good idea to use jails.
But for a dedicated server with apache/nginx even inside a jail it is not so big deal. ---- So, a firewall and jail does not really protecting you from the internet jungle. ---- You only feel protected. |
|
||||
Quote:
Quote:
Software tools, such as:
|
|
|||
Maybe WAF is better
https://www.owasp.org/index.php/Web_...ation_Firewall
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified. --------------------- Maybe better to concentrate on the upper levels other then the lower levels protection. |
|
||||
If you elect to install such a packet inspecting firewall, you should consider it only one tool of many to help you manage risk.
Your quote states that, even though the tool requires customization and maintenance, and that requires considerable effort -- it does not address all possible attacks. It cannot eliminate risk. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Gnome - Clear Font in all applications | openBSDheart | OpenBSD Installation and Upgrading | 4 | 13th September 2011 04:08 PM |
FreeBSD jails and ezjail | DNAeon | FreeBSD Security | 1 | 25th January 2010 08:53 AM |
dhcpd within ezjail? | zelut | FreeBSD General | 7 | 10th February 2009 10:31 PM |
help for setting ezjail? | bgobs | FreeBSD General | 13 | 15th June 2008 10:50 AM |