Web hosting FAQ

How do you create a jail in FreeBSD?

I run an everyday Linux VPS hosting cluster in Canada and would like to create a jail on the host server to run several critical services. Does anyone know how to do this in FreeBSD?


Those familiar with Java recognize the security concept of a sandbox. For those that aren't, it's the concept that everyone gets a unique, well-equipped sandbox to play in, and a person in one sandbox isn't allowed into anyone else's sandbox, not even to share anything with anyone else. On FreeBSD, jails implement this concept — they keep processes in their own part of the system, denying access to anything else. A jail requires its own dedicated IP address, though, which can make life difficult for those with limited address space. If this presents you with a problem, consider at least using chroot. It won't afford you as much security, but it does help.

How does this help security? Take, for example, a box with an external FTP server and the company extranet. An exploit for the server is discovered, and a cracker manages to gain root access through the FTP daemon. If the FTP server is not run in a sandbox or jail, the cracker will have access to everything on the machine, including sensitive information destined for the company's partners through the extranet. If, however, the FTP server is run in a jail, the cracker will only have access to the FTP files.

There are, of course, still potential risks. If you run at securelevel 0, the cracker can simply access the raw disk device and read information from there. The solution is obvious — on a box sensitive enough to require jails, use appropriate secure levels as well. This will eliminate a cracker's ability to read from or write to raw disk devices.

Configuring a Jail

Configuring a jail is pleasantly simple.

First, ensure that your system environment is jail-friendly. Because each jail requires its own IP address, the services on your box must be configured to listen to specific addresses, not just every available address. For example, if the box's addresses are 199.232.41.26 (main) and 199.232.41.27 (jail), to get inetd to listen only on 199.232.41.26, add inetd_flags="-wW -a 199.232.41.26" to /etc/rc.conf. If you fail to do this, conflicts may occur over the aliased IP address.

For some daemons, this is not an easy process — sendmail and rpcbind are two examples. If you're using these services on your box, you might consider simply running them inside of a jail of their own. After configuring all of the non-jailed daemons to listen to a specific address, reboot the machine. This will put everything into a known state, eliminating any potential for confusion.

With the proper host environment in place, create the directory that will house the jail. In this example, it's /usr/jail/ftp. Now go to /usr/src and run:

# cd /usr/src
# make world DESTDIR=/usr/jail/ftp
# cd etc
# make distribution DESTDIR=/usr/jail/ftp
# cd /usr/jail/ftp/dev
# sh MAKEDEV jail
# cd ..
# ln -sf /dev/null kernel

These commands build the jail and populate it with all of the tools that your processes will need to run. Really, they put in a lot more than just what your processes will need. For example, perl, gcc, and sendmail will all be installed, but you probably don't need them in your jail. Keep in mind, though, that it's a lot easier to take stuff out until something breaks than it is to put stuff back in until everything works.

To configure the jail environment, you might want to copy /stand/sysinstall into /usr/jail/ftp/stand, to provide you with an easy configuration interface. I'll show you how to use it in just a second.

With the system rebooted, you're now ready to configure the jail environment. Start the jail for the first time by running:

# jail /usr/jail/ftp jail.hostname.com 199.232.41.27 /bin/sh

This will put you at a shell prompt in your jail environment. From here, you can run /stand/sysinstall (sic, since / now refers to the jail's root directory, not the system's.)

There are several configuration tasks to perform, such as setting the root password (don't make it the same as the main system root password!), adding user accounts, and configuring /etc/resolv.conf. Read man 8 jail for more configuration tasks that you'll need to perform. Keep in mind that you want to be able to log in to the environment, so consider running an SSH daemon inside the jail.

Once you're done configuring the jail environment, exit the shell and the jail will be shut down.

You're almost ready to start the jail "for real." First, add the appropriate IP address alias. For our example, this is done via:

ifconfig fxp0 inet alias 199.232.41.27 255.255.255.255

You can configure this in /etc/rc.conf to be done automatically at boot.

Now, let's start the jail! This is done with two commands:

# mount -t procfs proc /usr/jail/ftp/proc
# jail /usr/jail/ftp jail.hostname.com 199.232.41.27 /bin/sh /etc/rc

You'll see some warning messages scroll by, but don't worry about them. You can now see all the daemons running inside the jail, as indicated by the J flag shown in the ps output. If you enabled SSH within the jail, you can ssh to
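A check for the first step of the answer above, added here as an example (not part of the original post): before the jail's IP alias goes up, list the host daemons that still listen on every address (shown as "*" by sockstat) and would therefore also grab the jail's address. The sockstat lines are constructed sample output.

```shell
#!/bin/sh
# Added example: find host daemons listening on the wildcard address ("*"),
# which would also bind the jail's aliased IP once that alias is configured.
# Assumes the column layout of `sockstat -4 -l` shown in the constructed sample.

# Constructed sample output (not captured from a real system).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   412   3  tcp4   *:25                  *:*
root     inetd      398   4  tcp4   199.232.41.26:21      *:*
root     sshd       380   3  tcp4   199.232.41.26:22      *:*
root     rpcbind    301   5  udp4   *:111                 *:*
root     rpcbind    301   6  tcp4   *:111                 *:*'

# Read sockstat-style lines on stdin; print "COMMAND PROTO PORT" for every
# socket whose local address is "*" (any address). The header line is skipped.
wildcard_listeners() {
    awk 'NR > 1 && substr($6, 1, 2) == "*:" { split($6, a, ":"); print $2, $5, a[2] }'
}

# Count the distinct daemons that still need an explicit bind address
# (inetd-style -a flag, or a jail of their own as the post suggests).
count_wildcard_daemons() {
    wildcard_listeners | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Live use:   sockstat -4 -l | wildcard_listeners
# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
```

On the sample this reports sendmail and both rpcbind sockets, the two daemons the answer singles out as hard to pin to one address.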

How do you setup transparent bridging with FreeBSD and PF?

I run a Linux VPS hosting business and would like to establish a transparent firewall between them and the world. I heard that you can do this with 3 NICs, FreeBSD + PF (Packet Filter). Does anyone know how?


Pf as a transparent bridging firewall on FreeBSD 6 and 7

The Goal:

A way to transparently protect a set of servers as well as monitor the inbound and outbound traffic to said servers.


Solution:

The end solution was to install FreeBSD 6.2 or 7.0 Release on a server and utilize packet filter (pf) as a transparent bridge to meet the IP addressing requirements.


Howto:

1.) Install FreeBSD

We have a checklist of tasks to perform to install and lock down our production servers. Use your own best practices to get a basic install of FreeBSD 6.2 or 7.0 running and patched. Install the minimal amount of options and packages necessary.

You will need, or at least you will most likely want, a third NIC installed in the server. In a transparent bridge the WAN and LAN interfaces become "transparent" and no longer take an IP address. So without the third NIC installed and connected to your network you will have no way to remotely manage the server. A benefit of this though is that without an IP address to attack, your transparent bridging firewall itself would be immune from attack.

Pf is available in a default install by re-compiling the kernel with specific changes made, or by enabling pf via a kernel loadable module.

We re-compiled the kernel. The options below were added at the end of the kernel config and the new kernel compiled:

# pf support
device pf # Packet Filter firewall
device pflog # PF logging facility
device pfsync # PF state syncing

# ALTQ support
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ

2.) Configure your third NIC with an IP address and verify you can remotely access your server.

In the /etc/rc.conf file we have the following definition for the management IF:

ifconfig_fxp0="inet 123.123.123.2 netmask 255.255.255.0"

We will be building pf rules for this NIC as well to protect the firewall itself.

3.) Create the bridge between the two desired interfaces.

Use your favorite editor to edit /etc/rc.conf and enable the bridge.

Add:

cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge0 addm nfe0 up"
ifconfig_bge0="up"
ifconfig_nfe0="up"

In this case we are bridging the two interfaces bge0 and nfe0.

Use your favorite editor to edit /etc/sysctl.conf.

Add:

net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0

4.) Enable the use of pf on your server.

Use your favorite editor to edit /etc/rc.conf and enable the use of pf.

Add:

pf_enable="YES" # enable PF (load module if required)
pf_rules="/etc/pf-bridge.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup

5.) Build the firewall ruleset.

First make a copy of the default ruleset and designate it as a bridging ruleset.

# cp /etc/pf.conf /etc/pf-bridge.conf

Use your favorite editor to edit /etc/pf-bridge.conf. Place your ruleset within the pf-bridge.conf file and save the changes.

Here is the sample ruleset: pf-bridge_generic.txt

6.) Apply the rules and enable the firewall.

Finally, to actually enable a new ruleset we need to tell pf to read the config file. This would also automatically happen upon reboot.

# pfctl -f /etc/pf-bridge.conf
# pfctl -e

That's it. You will now need to go through and test the bridge and verify you can access what you intended to allow access to, and that what you wanted to block is now blocked. Hopefully you still have access to the management interface as well. The best test will be to perform some form of vulnerability testing against IPs behind your firewall and the firewall itself.

Some notes on the ruleset specifically:

- There is really nothing in the ruleset that designates the firewall as a transparent bridge other than the absence of NAT rules. The bridge built in the OS itself in the /etc/rc.conf file is where the bridging is applied.
- The IP addresses in the variable and table definitions will obviously have to be updated to fit a different environment.
- Many options exist for pf and there are full books dedicated to the art of pf rulesets and using pf in general. This ruleset for example could be expanded to make more use of AltQ for QoS and added protection against DoS attacks.
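The post's sample ruleset (pf-bridge_generic.txt) is not reproduced here, so the following is an added example of my own, not the post's file: it generates a minimal ruleset for the bridge described above (bge0/nfe0 as members, fxp0 as the management interface, which the post says must itself be protected) and dry-runs it with pfctl -n before loading. The 123.123.123.0/24 management network and the 192.0.2.x server addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the post's pf-bridge_generic.txt): emit a minimal
# transparent-bridge ruleset for the interfaces named in the post and
# syntax-check it with pfctl before loading. Addresses are placeholders.

# Print a pf ruleset to stdout.
# Args: management IF, management network, WAN member, LAN member, server list
gen_pf_bridge_conf() {
    mgmt_if=$1; mgmt_net=$2; wan_if=$3; lan_if=$4; servers=$5
    cat <<EOF
# transparent bridge: with net.link.bridge.pfil_member=1 filtering happens
# on the member interfaces, so the rules name \$wan_if / \$lan_if, not bridge0
mgmt_if = "$mgmt_if"
wan_if = "$wan_if"
lan_if = "$lan_if"
table <servers> { $servers }
set skip on lo0
block log all
# the firewall itself: SSH only from the management network
pass in quick on \$mgmt_if proto tcp from $mgmt_net to (\$mgmt_if) port 22 flags S/SA keep state
pass out quick on \$mgmt_if keep state
# through the bridge: only web and SSH reach the protected servers
pass in on \$wan_if proto tcp from any to <servers> port { 80, 443 } flags S/SA keep state
pass in on \$wan_if proto tcp from any to <servers> port 22 flags S/SA keep state
pass in on \$lan_if from <servers> keep state
pass out on { \$wan_if, \$lan_if } keep state
EOF
}

# Write the ruleset and load it only if the syntax check (pfctl -n) passes,
# so a typo never leaves the bridge with a half-loaded ruleset.
install_ruleset() {
    conf=$1
    gen_pf_bridge_conf fxp0 123.123.123.0/24 bge0 nfe0 "192.0.2.10, 192.0.2.11" > "$conf"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$conf" && pfctl -f "$conf" && pfctl -e
    else
        echo "pfctl not found; ruleset written to $conf but not loaded" >&2
        return 1
    fi
}

# Stand-alone demo: just print the generated ruleset.
gen_pf_bridge_conf fxp0 123.123.123.0/24 bge0 nfe0 "192.0.2.10, 192.0.2.11"
```

On the bridge host you would call install_ruleset /etc/pf-bridge.conf, which matches the pf_rules path set in step 4.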

How do you setup dual monitors with KDE and FreeBSD?

I need to be able to monitor my Linux VPS hosting servers with dual monitors in order to be as productive as possible -- does anyone know the best way to set up dual monitors on FreeBSD and KDE3?


I found out my video driver and PCI configuration by executing the following commands:

X -configure

pciconf -l


I entered the following as my xorg.conf (ATI / RADEON video driver):


Section "Files"
RgbPath "/usr/X11R6/lib/X11/rgb"
FontPath "/usr/X11R6/lib/X11/fonts/misc/"
FontPath "/usr/X11R6/lib/X11/fonts/TTF/"
FontPath "/usr/X11R6/lib/X11/fonts/Type1/"
FontPath "/usr/X11R6/lib/X11/fonts/75dpi/"
FontPath "/usr/X11R6/lib/X11/fonts/100dpi/"
FontPath "/usr/X11R6/lib/X11/fonts/local/"
EndSection

Section "Module"
Load "GLcore"
Load "i2c"
Load "bitmap"
Load "ddc"
Load "dri"
Load "extmod"
Load "freetype"
Load "glx"
Load "int10"
Load "type1"
Load "vbe"
EndSection

Section "InputDevice"
Identifier "Generic Keyboard"
Driver "kbd"
EndSection

Section "InputDevice"
Identifier "Configured Mouse"
Driver "mouse"
Option "Protocol" "auto"
Option "Device" "/dev/sysmouse"
Option "ZAxisMapping" "4 5 6 7"
EndSection

Section "Device"
Identifier "ATI Technologies, Inc. Radeon 9600 (R300 AP)"
Driver "ati"
BusID "PCI:1:0:0"
Option "MergedFB" "true" # Enable MergedFB mode
Option "MonitorLayout" "TMDS, CRT" # Use LCD and CRT even if you have 2 LCD's or CRT's
Option "OverlayOnCRTC2" "true"
Option "CRT2Position" "LeftOf" # Physical location of your secondary CRT in relation to your primary monitor.
Option "MetaModes" "1280x1024-1280x1024" # Monitor resolutions for primary-secondary monitors
Option "MergedXineramaCRT2IsScreen0" "true" # Determines which screen is going to be the primary screen; value can be "true" or "false"
EndSection

Section "Monitor"
Identifier "Monitor gen'erico"
Option "DPMS"
HorizSync 28-64
VertRefresh 43-60
EndSection

Section "Screen"
Identifier "Default Screen"
Device "ATI Technologies, Inc. Radeon 9600 (R300 AP)"
Monitor "Monitor gen'erico"
DefaultDepth 24
SubSection "Display"
Depth 1
Modes "1280x960" "1024x768" "800x600" "640x480"
EndSubSection
SubSection "Display"
Depth 4
Modes "1280x960" "1024x768" "800x600" "640x480"
EndSubSection
SubSection "Display"
Depth 8
Modes "1280x960" "1024x768" "800x600" "640x480"
EndSubSection
SubSection "Display"
Depth 15
Modes "1280x960" "1024x768" "800x600" "640x480"
EndSubSection
SubSection "Display"
Depth 16
Modes "1280x960" "1024x768" "800x600" "640x480"
EndSubSection
SubSection "Display"
Depth 24
Modes "1280x1024" "1280x960" "1024x768" "800x600" "640x480"
Virtual 2624 1200
EndSubSection
EndSection

Section "ServerLayout"
Identifier "Default Layout"
Screen "Default Screen"
InputDevice "Generic Keyboard"
InputDevice "Configured Mouse"
EndSection

Section "DRI"
Mode 0666
EndSection




Starting KDE / Xorg initially displays two identical monitors. You need to use the "xrandr" utility to enable the dual monitor configuration. The following script, when run after starting KDE, will do this for you:


#!/bin/sh

# Bring up both DVI outputs and place DVI-0 to the left of DVI-1
xrandr --output DVI-1 --auto --output DVI-0 --auto --left-of DVI-1


© 2008 Web hosting FAQ