Web hosting FAQ

How do you create a jail in FreeBSD?

I run a small Linux VPS hosting cluster in Canada and would like to create a jail on the cluster server to run several critical services. Does anyone know how to do this in FreeBSD?


Those familiar with Java recognize the security concept of a sandbox. For those who aren't, it's the concept that everyone gets a unique, well-equipped sandbox to play in, and a person in one sandbox isn't allowed into anyone else's sandbox, not even to share anything with anyone else. On FreeBSD, jails implement this concept — they keep processes in their own part of the system, denying access to anything else. A jail requires its own dedicated IP address, though, which can make life difficult for those with limited address space. If this presents you with a hardship, consider at least using chroot. It won't afford you as much security, but it does help.

How does this help security? Take, for example, a box with an external FTP server and the company extranet. An exploit for the server is discovered, and a cracker manages to gain root access through the FTP daemon. If the FTP server is not run in a sandbox or jail, the cracker will have access to everything on the machine, including sensitive information destined for the company's partners through the extranet. If, however, the FTP server is run in a jail, the cracker will only have access to the FTP files.

There are, of course, still potential risks. If you run at securelevel 0, the cracker can simply access the raw disk device and read data from there. The solution is obvious — on a box sensitive enough to require jails, use appropriate securelevels as well. This will eliminate a cracker's ability to read from or write to raw disk devices.

Configuring a Jail

Configuring a jail is pleasantly simple.

First, ensure that your system environment is jail-friendly. Because each jail requires its own IP address, the services on your box must be configured to listen on specific addresses, not just every available address. For example, if the box's addresses are 199.232.41.26 (main) and 199.232.41.27 (jail), to get inetd to listen only on 199.232.41.26, add inetd_flags="-wW -a 199.232.41.26" to /etc/rc.conf. If you fail to do this, conflicts may occur over the aliased IP address.

For some daemons, this is not an easy process — sendmail and rpcbind are two examples. If you're using these services on your box, you might consider simply running them inside a jail of their own. After configuring all of the non-jailed daemons to listen on a specific address, reboot the machine. This will put everything into a known state, eliminating any potential for confusion.
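Added here as an illustration (not part of the original answer): a small POSIX sh script that checks the prerequisite just described by scanning the output of sockstat -4 -l for daemons still bound to the wildcard address. The sample sockstat output is constructed and the function names are my own.

```shell
#!/bin/sh
# Jail prerequisite check: every daemon on the host must be bound to a specific
# address, otherwise it also grabs the jail's aliased IP and the two collide.
# Feed it the output of `sockstat -4 -l` (FreeBSD) on stdin.

# Print one line per wildcard listener: COMMAND PROTO LOCAL_ADDRESS
wildcard_listeners() {
    # skip the header; field 6 is LOCAL ADDRESS, e.g. "*:22" or "199.232.41.26:21"
    awk 'NR > 1 && $6 ~ /^\*:/ { print $2, $5, $6 }'
}

# Exit status 0 when nothing listens on the wildcard address, 1 otherwise;
# the offending listeners are printed so the caller knows what to rebind.
check_jail_ready() {
    offenders=$(wildcard_listeners)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Constructed sample of sockstat output (not captured from a real host):
# inetd is already pinned to the main address, sshd and rpcbind are not.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     inetd      312   5  tcp4   199.232.41.26:21      *:*
root     sshd       298   4  tcp4   *:22                  *:*
root     sendmail   330   4  tcp4   127.0.0.1:25          *:*
root     rpcbind    250   8  udp4   *:111                 *:*'

# Demo run; on a live host use: sockstat -4 -l | check_jail_ready
if printf '%s\n' "$SAMPLE_SOCKSTAT" | check_jail_ready; then
    echo "host is jail-friendly"
else
    echo "rebind the listeners above (e.g. inetd_flags=\"-wW -a 199.232.41.26\")"
fi
```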

With the proper host environment in place, create the directory that will house the jail. In this example, it's /usr/jail/ftp. Now go to /usr/src and run:

# cd /usr/src
# make world DESTDIR=/usr/jail/ftp
# cd etc
# make distribution DESTDIR=/usr/jail/ftp
# cd /usr/jail/ftp/dev
# sh
# MAKEDEV jail

# cd ..
# ln -sf /dev/null kernel

These commands build the jail and populate it with all of the tools that your processes will need to run. Actually, they put in a lot more than just what your processes will need. For example, perl, gcc, and sendmail will all be installed, but you probably don't need them in your jail. Keep in mind, though, that it's a lot easier to take stuff out until something breaks than it is to put stuff back in until everything works.

To configure the jail environment, you might want to copy /stand/sysinstall into /usr/jail/ftp/stand, to provide you with an easy configuration interface. I'll show you how to use it in just a second.

With the system rebooted, you're now ready to configure the jail environment. Start the jail for the first time by running:

# jail /usr/jail/ftp jail.hostname.com 199.232.41.27 /bin/sh

This will put you at a shell prompt in your jail environment. From here, you can run /stand/sysinstall (literally, since / now refers to the jail's root directory, not the system's).

There are several configuration tasks to perform, such as setting the root password (don't make it the same as the main system root password!), adding user accounts, and configuring /etc/resolv.conf. Read man 8 jail for more configuration tasks that you'll want to perform. Keep in mind that you want to be able to log in to the environment, so consider running an SSH daemon inside the jail.

Once you're done configuring the jail environment, exit the shell and the jail will be shut down.

You're almost ready to start the jail "for real." First, add the appropriate IP address alias. For our example, this is done via:

ifconfig fxp0 inet alias 199.232.41.27 netmask 255.255.255.255

You can configure this in /etc/rc.conf to be done automatically at boot.

Now, let's start the jail! This is done with two commands:

# mount -t procfs proc /usr/jail/ftp/proc
# jail /usr/jail/ftp jail.hostname.com 199.232.41.27 /bin/sh /etc/rc

You'll see some warning messages scroll by, but don't worry about them. You can now see all the daemons running inside the jail, as indicated by the J flag shown in the ps output. If you enabled SSH within the jail, you can ssh to

How do you set up transparent bridging with FreeBSD and PF?

I run a Linux VPS hosting company and would like to establish a transparent firewall between them and the world. I heard that you can do this with 3 NICs, FreeBSD + PF (Packet Filter). Does anyone know how?


Pf as a transparent bridging firewall on FreeBSD 6 and 7

The Goal:

A way to transparently protect a set of servers as well as monitor the inbound and outbound IP traffic to said servers.


Solution:

The end solution was to install FreeBSD 6.2 or 7.0 RELEASE on a server and utilize packet filter (pf) as a transparent bridge to meet the IP addressing requirements.


Howto:

1.) Install FreeBSD

We have a checklist of tasks to perform to install and lock down our production servers. Follow your own best practices to get a basic install of FreeBSD 6.2 or 7.0 running and patched. Install the minimal amount of options and packages necessary.

You will need, or at least you will most likely want, a third NIC installed in the server. In a transparent bridge the WAN and LAN interfaces become "transparent" and no longer take an IP address. So without the third NIC installed and connected to your network you will have no way to remotely reach the server. A benefit of this though is that without an IP address to attack, your transparent bridging firewall itself would be immune from attack.

Pf is available in a default install by re-compiling the kernel with specific changes made, or by enabling pf via kernel loadable module.

We re-compiled the kernel. The options below were added at the end of the kernel configuration and the new kernel compiled:

# pf support
device pf # Packet Filter firewall
device pflog # PF logging facility
device pfsync # PF state syncing

# ALTQ support
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ

2.) Configure your third NIC with an IP address and verify you can remotely access your server.

In the /etc/rc.conf file we have the following definition for the management IF:

ifconfig_fxp0="inet 123.123.123.2 netmask 255.255.255.0"

We will be building pf rules for this NIC as well to screen the firewall itself.

3.) Create the bridge between the two desired interfaces.

Use your favorite editor to edit /etc/rc.conf and enable the bridge.

Add:

cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge0 addm nfe0 up"
ifconfig_bge0="up"
ifconfig_nfe0="up"

In this case we are bridging the two interfaces bge0 and nfe0.

Use your favorite editor to edit /etc/sysctl.conf.

Add:

net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0

4.) Enable the use of pf on your server.

Use your favorite editor to edit /etc/rc.conf and enable the use of pf.

Add:

pf_enable="YES" # enable PF (load module if required)
pf_rules="/etc/pf-bridge.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup

5.) Build the firewall ruleset.

First make a copy of the default ruleset and name it as a bridging ruleset.

# cp /etc/pf.conf /etc/pf-bridge.conf

Use your favorite editor to edit /etc/pf-bridge.conf. Place your ruleset within the pf-bridge.conf file and save the changes.

Here is the sample ruleset: pf-bridge_generic.txt

6.) Apply the rules and enable the firewall.

Finally, to actually enable a new ruleset we need to tell pf to read the config file. This would also automatically happen upon reboot.

# pfctl -f /etc/pf-bridge.conf
# pfctl -e

That's it. You will now need to go through and test the bridge and confirm you can access what you intended to allow access to, and that what you wanted to block is now blocked. Hopefully you still have access to the management interface as well. The best test will be to perform some form of vulnerability testing against IPs behind your firewall and the firewall itself.

Some notes on the ruleset specifically:

- There is really nothing in the ruleset that designates the firewall as a transparent bridge other than the absence of NAT rules. The bridge built in the OS itself in the /etc/rc.conf file is where the bridging is applied.
- The IP addresses in the variable and table definitions will obviously have to be updated to fit a different environment.
- Many options exist for pf and there are full books dedicated to the art of pf rulesets and using pf in general. This ruleset for example could be expanded to make more use of AltQ for QoS and added protection against DoS attacks.
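As an added example (not from the original howto), a POSIX sh pre-flight check for steps 2 to 4 above: it parses rc.conf and sysctl.conf text and flags a bridge member that still carries an IP address, a bridge0 that is not cloned or is missing a member, and pfil_member/pfil_bridge values under which pf would not filter on the member interfaces. The function names and the sample configuration text are my own.

```shell
#!/bin/sh
# Pre-flight check for the transparent bridge: the bridged NICs must carry no
# IP address, bridge0 must be cloned with both members added, and pf must
# filter on the member interfaces (pfil_member=1, pfil_bridge=0).
# Usage on a host: check_bridge_rcconf bge0 nfe0 < /etc/rc.conf
#                  check_bridge_sysctl < /etc/sysctl.conf

check_bridge_rcconf() {
    # $1 and $2 are the two member interface names, e.g. bge0 nfe0
    awk -v a="$1" -v b="$2" '
        { sub(/#.*/, ""); gsub(/"/, "") }                 # drop comments and quotes
        /^cloned_interfaces=/ && /bridge0/ { cloned = 1 }
        /^ifconfig_bridge0=/ { if ($0 ~ ("addm " a) && $0 ~ ("addm " b)) members = 1 }
        $0 ~ ("^ifconfig_" a "=") && /inet/ { print "member " a " has an IP address" }
        $0 ~ ("^ifconfig_" b "=") && /inet/ { print "member " b " has an IP address" }
        END {
            if (!cloned)  print "cloned_interfaces does not create bridge0"
            if (!members) print "ifconfig_bridge0 does not addm both " a " and " b
        }'
}

check_bridge_sysctl() {
    awk '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }
        /^net\.link\.bridge\.pfil_member=/ { member = $0 }
        /^net\.link\.bridge\.pfil_bridge=/ { bridge = $0 }
        END {
            if (member != "net.link.bridge.pfil_member=1") print "pfil_member must be 1 (filter on the member NICs)"
            if (bridge != "net.link.bridge.pfil_bridge=0") print "pfil_bridge must be 0 (do not filter again on bridge0)"
        }'
}

# Constructed sample configs (not from a real host). RC_BAD shows the classic
# mistake of leaving an IP address on a bridged NIC and forgetting a member.
RC_GOOD='cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge0 addm nfe0 up"
ifconfig_bge0="up"
ifconfig_nfe0="up"
ifconfig_fxp0="inet 123.123.123.2 netmask 255.255.255.0"'

RC_BAD='cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge0 up"
ifconfig_bge0="inet 10.0.0.5 netmask 255.255.255.0"
ifconfig_nfe0="up"'

SYSCTL_GOOD='net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0'

printf '%s\n' "$RC_BAD" | check_bridge_rcconf bge0 nfe0   # demo: prints two findings
```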

How do you set up dual monitors with KDE and FreeBSD?

I need to be able to monitor my Linux VPS hosting servers with dual monitors in order to be as productive as possible -- does anyone know the best way to set up dual monitors on FreeBSD and KDE3?


I found out my video driver and PCI configuration by executing the following commands:

X -configure

pciconf -l


I entered the following as my xorg.conf (ATI / RADEON video driver):


Section "Files"
    RgbPath "/usr/X11R6/lib/X11/rgb"
    FontPath "/usr/X11R6/lib/X11/fonts/misc/"
    FontPath "/usr/X11R6/lib/X11/fonts/TTF/"
    FontPath "/usr/X11R6/lib/X11/fonts/Type1/"
    FontPath "/usr/X11R6/lib/X11/fonts/75dpi/"
    FontPath "/usr/X11R6/lib/X11/fonts/100dpi/"
    FontPath "/usr/X11R6/lib/X11/fonts/local/"
EndSection

Section "Module"
    Load "GLcore"
    Load "i2c"
    Load "bitmap"
    Load "ddc"
    Load "dri"
    Load "extmod"
    Load "freetype"
    Load "glx"
    Load "int10"
    Load "type1"
    Load "vbe"
EndSection

Section "InputDevice"
    Identifier "Generic Keyboard"
    Driver "kbd"
EndSection

Section "InputDevice"
    Identifier "Configured Mouse"
    Driver "mouse"
    Option "Protocol" "auto"
    Option "Device" "/dev/sysmouse"
    Option "ZAxisMapping" "4 5 6 7"
EndSection

Section "Device"
    Identifier "ATI Technologies, Inc. Radeon 9600 (R300 AP)"
    Driver "ati"
    BusID "PCI:1:0:0"
    Option "MergedFB" "true" # Enable MergedFB use
    Option "MonitorLayout" "TMDS, CRT" # Use LCD and CRT even if you have 2 LCDs or CRTs
    Option "OverlayOnCRTC2" "true"
    Option "CRT2Position" "LeftOf" # Physical location of your secondary monitor in relation to your primary monitor
    Option "MetaModes" "1280x1024-1280x1024" # Screen resolutions for primary-secondary monitors
    Option "MergedXineramaCRT2IsScreen0" "true" # Determines which screen is going to be the primary screen; value can be "true" or "false"
EndSection

Section "Monitor"
    Identifier "Monitor gen'erico"
    Option "DPMS"
    HorizSync 28-64
    VertRefresh 43-60
EndSection

Section "Screen"
    Identifier "Default Screen"
    Device "ATI Technologies, Inc. Radeon 9600 (R300 AP)"
    Monitor "Monitor gen'erico"
    DefaultDepth 24
    SubSection "Display"
        Depth 1
        Modes "1280x960" "1024x768" "800x600" "640x480"
    EndSubSection
    SubSection "Display"
        Depth 4
        Modes "1280x960" "1024x768" "800x600" "640x480"
    EndSubSection
    SubSection "Display"
        Depth 8
        Modes "1280x960" "1024x768" "800x600" "640x480"
    EndSubSection
    SubSection "Display"
        Depth 15
        Modes "1280x960" "1024x768" "800x600" "640x480"
    EndSubSection
    SubSection "Display"
        Depth 16
        Modes "1280x960" "1024x768" "800x600" "640x480"
    EndSubSection
    SubSection "Display"
        Depth 24
        Modes "1280x1024" "1280x960" "1024x768" "800x600" "640x480"
        Virtual 2624 1200
    EndSubSection
EndSection

Section "ServerLayout"
    Identifier "Default Layout"
    Screen "Default Screen"
    InputDevice "Generic Keyboard"
    InputDevice "Configured Mouse"
EndSection

Section "DRI"
    Mode 0666
EndSection




Starting KDE / Xorg initially displays two identical (mirrored) monitors. You need to use the xrandr utility to activate the dual-head configuration. The following script, when run after starting KDE, will do this for you:


#!/bin/sh

xrandr --output DVI-1 --auto --output DVI-0 --auto --left-of DVI-1

Install FreeBSD VPS at ARP


FreeBSD VPS

Over the past nine months I've been leasing a FreeBSD VPS (Virtual Private Server) to supplement my own hardware, and I've just realized that the virtual machine hasn't caused me any (more) gray hairs or other grief in all that time. In my books, vendors that save hair and brain cells deserve at least a passing mention.

At present I'm using one FreeBSD VPS for staging Python web apps and hosting a couple of pro bono sites. I quite often refer people to more full-service shared hosting firms such as WebFaction (even a relative of mine has an account there), but personally I prefer managing the entire box - virtual or not - myself.

As I'd like to turn off some aging servers of my own, I'm hoping that virtualization from firms like ARP Networks, or on a grander scale like Google or Amazon's cloud services, will save me spending some funds on rack leases. I've tried a few "virtual" server providers over the years, but I do believe this is the first time I've passed on a recommendation here in these pages.

What I like:

- OS support: FreeBSD, OpenBSD, and most Linux distributions
- Good multi-homed bandwidth with redundancy and plenty of peering agreements turned up; the data center is in LA; quite good network access to Asia and Australia
- IPv6 support
- IP-accessible / out-of-band console access
- Configure, build and install your own kernel if you like
- Excellent performance, especially if you rate performance per dollar. I can churn out > 1000 requests per second with a trivial test page with a single DB lookup, which is a darn sight better than some of my own ageing hardware is able to do.

What I wish they offered:

a Canadian datacenter too!

The virtualization technology used is KVM (not Xen or OpenVZ) and I find that the resource allocation is very clean indeed. 768MB RAM / 20GB disk / 100GB bandwidth - all this and I get stability too for $20 USD a month.

There are scores of very cheap virtual server offerings out there, but not very many well-balanced yet low-cost operations. ARP Networks is certainly one of the latter.


© 2008 Web hosting FAQ