I run a skimpy linux vps hosting cluster in canada and would like to create a jail on the host server to run several touchy services. Does anyone know how to do this in FreeBSD?
Those well-known with Java recognize the security concept of a sandbox. For those that aren't, it's the concept that everyone gets a one of a kind, well-equipped sandbox to play in, and a person in one sandbox isn't allowed into anyone else's sandbox, not even to quota anything with anyone else. On FreeBSD, jails implement this concept — they keep processes in their own part of the system, denying access to anything else. A stir requires its own dedicated IP address, though, which can make life difficult for those with limited speak space. If this presents you with a hardship, consider at least using chroot. It won't afford you as much custodianship, but it does help.
How does this help security? Take, for example, a box with an external FTP server and the concern extranet. An exploit for the server is discovered, and a cracker manages to gain rhizomorph radically access through the FTP daemon. If the FTP server is not run in a sandbox or jail, the cracker will have access to everything on the implement, including sensitive information destined for the company's partners through the extranet. If, however, the FTP server is run in a lock-up, the cracker will only have access to the FTP files.
There are, of course, still potential risks. If you run at secure up 0, the cracker can simply access the raw disk device and read information from there. The solution is obvious — on a box sensitive enough to require jails, use appropriate tight levels as well. This will eliminate a cracker's ability to read from or write to raw disk devices. Configuring a Big house
Configuring a jail is pleasantly simple.
First, ensure that your system environment is jail-kind-hearted. Because each jail requires its own IP address, the services on your box must be configured to listen to specific addresses, not impartial every available address. For example, if the box's addresses are 199.232.41.26 (main) and 199.232.41.27 (nick), to get inetd to listen only on 199.232.41.26, add inetd_flags="-wW -a 199.232.41.26" to /etc/rc.conf. If you be found lacking to do this, conflicts may occur over the aliased IP address.
For some daemons, this is not an easy process — sendmail and rpcbind are two examples. If you're using these services on your box, you might over simply running them inside of a jail of their own. After configuring all of the non-jailed daemons to lend an ear to to a specific address, reboot the machine. This will put everything into a known state, eliminating any hidden for confusion.
With the proper host environment in place, create the directory that will lineage the jail. In this example, it's /usr/jail/ftp. Now go to /usr/src and run:
# cd /usr/src
# make world DESTDIR=/usr/jail/ftp
# cd etc
# walk away distribution DESTDIR=/usr/jail/ftp
# cd /usr/jail/ftp/dev
# sh
# MAKEDEV jail
# cd ..
# ln -sf /dev/null centre
These commands build the jail and populate it with all of the tools that your processes will need to run. Indeed, they put in a lot more than just what your processes will need. For example, perl, gcc, and sendmail will all be installed, but you very likely don't need them in your jail. Keep in mind, though, that it's a lot easier to take stuff out until something breaks than it is to put stuff back in until everything works.
To configure the Nautical brig environment, you might want to copy /stand/sysinstall into /usr/jail/ftp/stand, to offer you with an easy configuration interface. I'll show you how to use it in just a second.
With the system rebooted, you're now ready to configure the quod environment. Start the jail for the first time by running:
This will put you at a shell prompt in your jail environment. From here, you can run /stand/sysinstall (verbatim, since / now refers to the jail's root directory, not the system's.)
There are several configuration tasks to perform, such as mise en scene the root password (don't make it the same as the main system root password!), adding purchaser accounts, and configuring /etc/resolv.conf. Read man 8 jail for more configuration tasks that you'll necessary to perform. Keep in mind that you want to be able to log in to the environment, so consider running an SSH daemon in prison the jail.
Once you're done configuring the jail environment, exit the shell and the jail will be fastened down.
You're almost ready to start the jail "for real." First, add the appropriate IP apply oneself to alias. For our example, this is done via:
ifconfig fxp0 inet alias 199.232.41.27 255.255.255.255
You can configure this in /etc/rc.conf to be done automatically at boot.
Now, let's start the prison! This is done with two commands:
You'll see some warning messages scroll by, but don't worry about them. You can now see all the daemons management inside the jail, as indicated by the J flag shown in the ps output. If you enabled SSH within the can, you can ssh to
markobaja01 | Feb 25, 2009
How do you setup transparent bridging with FreeBSD and PF?
Feb 25, 2009 by jobaji001 | Posted in Other - Internet
I run a linux vps hosting croft die and would like to establish a transparent firewall between them and the world. I heard that you can do this with 3 NIC's , FreeBSD + PF (Packet separate). Does anyone know how?
Pf as a see-through bridging firewall on FreeBSD 6 and 7
The Goal:
A way to transparently protect a set of servers as well as monitor the inbound and outbound transportation to said servers.
Solution:
The end solution was to install FreeBSD 6.2 or 7.0 Freedom on a server and utilize packet filter (pf) as a transparent bridge to meet the IP addressing requirements.
Howto:
1.) Institute FreeBSD
We have a checklist list of tasks to perform to install and lock down our production servers. Reinforce your own best practices to get a basic install of FreeBSD 6.2 or 7.0 running and patched. Set up the minimal amount of options and packages necessary.
You will need, or at least you will most likely want, a third NIC installed in the server. In a straightforward bridge the WAN and LAN interfaces become “transparent” and no longer take an IP address. So without the third NIC installed and connected to your network you will have no way to remotely direct the server. A benefit of this though is that without an IP address to attack your transparent bridging firewall itself would be independent from attack.
Pf is available in a default install by re-compiling the kernel with specific changes made, or by enabling pf via nut-meat loadable module.
We re-compiled the kernel. The options below were added at the end of the kernel fountain-head and the new kernel compiled:
Use your favorite editor to polish /etc/rc.conf and enable the use of pf
Add:
pf_enable=”YES” # enable PF (load module if required)
pf_rules=”/etc/pf-bond.conf” # rules definition file for pf
pf_flags=”" # additional flags for pfctl startup
pflog_permit=”YES” # start pflogd(8)
pflog_logfile=”/var/log/pflog” # where pflogd should upon the logfile
pflog_flags=”" # additional flags for pflogd startup
5.) Establish the firewall ruleset.
First make a copy of the default ruleset and designate it as a bridging ruleset.
# cp /etc/pf.conf /etc/pf-unite.conf
Use your favorite editor to edit /etc/pf-bridge.conf. Place your ruleset within the pf-bond.conf file and save the changes.
Here is the sample ruleset: pf-bridge_generic.txt
6.) Suit the rules and enable the firewall.
Finally to actually enable a new ruleset we constraint to tell pf to read the config file. This would also automatically happen upon reboot.
# pfctl –f /etc/pf-connexion.conf
# pfctl –e
Thats it. You will now need to go through and test the bridge and back up you can access what you intended to allow access to, and that what you wanted to block is now blocked. Sanguinely you still have access to the management interface as well. The best test will be to perform some form of vulnerability testing against IPs behind your firewall and the firewall itself.
Some notes on the ruleset specifically:
- There is de facto nothing in the ruleset that designates the firewall as a transparent bridge other than the absence of NAT rules. The traverse built in the OS itself in the /etc/rc.conf file is where the bridging is applied. - The IP addresses in the vacillating and table definitions will obviously have to be updated to fit a different environment. - Many options subsist for pf and there are full books dedicated to the art of pf rulesets and using pf in general. This ruleset for example could be expanded to fetch more use of AltQ for QoS and added protection against DoS attacks.
markobaja01 | Feb 25, 2009
How do you setup dual monitors with KDE and FreeBSD?
Feb 25, 2009 by jobaji001 | Posted in Other - Computers
I sine qua non to be able to monitor my linux vps hosting servers with dual monitors in order to be as prolific as possible -- does anyone know the best way to setup dual monitors on FreeBSD and KDE3?
I found out my video driver and pci configuration by executing the following commands :
X -configure
pciconf -l
I entered the following as my xorg.conf (ATI / RADEON video driver):
Cross-section "Device"
Identifier "ATI Technologies, Inc. Radeon 9600 (R300 AP)"
Driver "ati"
BusID "PCI:1:0:0"
Way out "MergedFB" "true" #Enable MergedFB purpose
Option "MonitorLayout" "TMDS, CRT" # Use LCD and CRT even if you have 2 LCD's or CRT's
Election "OverlayOnCRTC2" "true"
Option "CRT2Predication" "LeftOf" #Physical location of your secondary watch in relationship to your primary monitor.
Option "MetaModes" "1280x1024-1280x1024" #Television screen Resolutions for Primary-Secondary monitors
Option "MergedXineramaCRT2IsScreen0" "upright" #determines which screen is going to be the primary screen; value can be "correct" or "false
EndSection
Starting KDE / Xorg initially displays two corresponding monitors. You need to use the "xrandr" utility to utilize the dual display configuration. The following script, when run after starting KDE will do this for you :
freebsd cloud hosting If you are looking for honourable and free hosting foor your Webstie or Blog check out Link in video for Conquer Free hosting ...
Most reliable hosting sites - September 2009 | FreeBSD - the ...
by Gerard
IBM: " The FreeBSD operating system is the nameless mammoth among unconstrained operating systems . Starting out from the 386BSD stick out, it is an exceptionally swift UNIX-like operating system mostly for the Intel flake and its clones. In many ways, FreeBSD has always been the operating system that GNU/Linux-based operating systems should have been. It runs on out-of-antiquated Intel machines and 64-bit AMD chips, and it serves terabytes of files a day on some of the largest categorize servers on globe.
