Hello,
In this article I will discuss jails: what they are, what the benefits of having them are, and most importantly how to create, manage and use them.
Jails are just what the name says: a jail for the processes running inside them. A process running inside a jail has no access to the host it runs on, which is a huge security improvement. Let's take an example. This website is running on FreeBSD 7.0-RELEASE with Web, Mail and MySQL servers. Imagine that somehow my web server (Apache) was compromised: the attacker would then have access to the web pages, the MySQL databases and the mail. So to improve security I set up the jail system from scratch on a clean installation; now each server (Web, MySQL, Mail) runs in its own virtual server, and if one is compromised it stays that way, because there is no way for an attacker to access another jail.
To deploy a server with jails you need a recent FreeBSD release (I advise FreeBSD 6.3 or above), and you should have either a NIC that supports virtual interfaces (most recent cards do) or multiple interfaces, one per jail. Since a jail is like a virtual server, each jail requires its own IP address.
Begin by installing a clean FreeBSD (I will not cover the base installation; please refer to the FreeBSD Handbook for that).
First we pull the ports tree and the source tree.
ports:
portsnap fetch extract
src:
# Copy the example supfile to your /etc directory
cp /usr/share/examples/cvsup/standard-supfile /etc
# Use 'sed' to change the default source server
sed -i.bak "s/CHANGE_THIS/cvsup11/g" /etc/standard-supfile
# Use 'csup' to update our local /usr/src tree
csup -g -L 2 /etc/standard-supfile
Now install ezjail from the ports tree:
cd /usr/ports/sysutils/ezjail
make install clean
Now create the basejail and the newjail (the template): just run ezjail-admin update and go get a cup of coffee, it's going to take a while...
Once that has finished you are ready to create jails. Just use ezjail-admin; it is fast and automated, all you have to do is
ezjail-admin create JAILNAME JAILIP
but don't run it just yet: the network for our jails must be up and running first. If you run the above command before that, ezjail will warn that the IP is unknown, so make sure the network exists first.
A side note: in this article we will assume you are creating 3 jails.
The network part is a bit tricky. If the server runs behind a router (NAT) you don't need the pf part below, otherwise you do!
Multiple NICs
If your server has multiple NICs then you should assign an IP to each connected NIC. Add something like this to /etc/rc.conf (assuming your NICs are vr0, vr1 and vr2; check them with ifconfig -a):
ifconfig_vr0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_vr1="inet 192.168.0.2 netmask 255.255.255.0"
ifconfig_vr2="inet 192.168.0.3 netmask 255.255.255.0"
Single NIC
In this case your single NIC must carry traffic from and to the jails, so add the following aliases to /etc/rc.conf (again assuming your network card is vr0):
ifconfig_vr0_alias0="inet 10.0.0.1 netmask 255.255.255.255"
ifconfig_vr0_alias1="inet 10.0.0.2 netmask 255.255.255.255"
ifconfig_vr0_alias2="inet 10.0.0.3 netmask 255.255.255.255"
Now that the network is up, we have to make sure traffic passes through the host from and to the jails. I will cover 2 cases: a server running behind a router (NAT), and a server connected directly to the Internet without NAT.
If your server is behind a NAT it is easy: just redirect each port on the router to the jail's IP; for example, redirect port 80 to the IP you assigned to the Apache jail.
Server connected directly:
You should use FreeBSD's pf packet filter: edit /etc/pf.conf and add something like:
# Interface declarations
ext_if="vr0"
all_if="{vr0, lo0}"
# Internal network subnet (the jail addresses; a /24, not a single host)
int_net="10.0.0.0/24"
# Name and IP of our webserver
APACHE="10.0.0.2"
# Rule 1:
# redirect any packets requesting port 80 received on the loopback(lo0)
# device and the external card (vr0) to our jailed webserver
rdr on $all_if proto tcp from any to vr0 port 80 -> $APACHE port 80
# Rule 2:
# allow our jail to access the internet
nat on $ext_if from $APACHE to any -> vr0
and make sure you add
# Enable port forwarding and packet filtering
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
to your /etc/rc.conf!
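The single-NIC alias lines and the pf rdr/nat rules above, generated for a list of jails and paired with the "is the IP configured yet" check that the create step needs; this is an added example, not part of the original article, and the jail names, IPs, ports and interface name are constructed assumptions:

```shell
#!/bin/sh
# Added example, not from the original article: generate the single-NIC
# rc.conf aliases and the pf rdr/nat rules for a list of jails, and check
# that a jail's IP is configured on the host before ezjail-admin create.

# Constructed plan: NAME:IP:PORT, where PORT is the service to expose or "-".
JAILS="WWW:10.0.0.2:80 MAIL:10.0.0.3:25 DB:10.0.0.4:-"
EXT_IF="vr0"

# One ifconfig_<if>_aliasN line per jail, /32 netmask as in the article.
gen_rc_aliases() {
    n=0
    for spec in $JAILS; do
        ip=$(echo "$spec" | cut -d: -f2)
        echo "ifconfig_${EXT_IF}_alias${n}=\"inet ${ip} netmask 255.255.255.255\""
        n=$((n + 1))
    done
}

# One rdr rule per exposed port plus one nat rule per jail (pf.conf syntax).
gen_pf_rules() {
    for spec in $JAILS; do
        ip=$(echo "$spec" | cut -d: -f2)
        port=$(echo "$spec" | cut -d: -f3)
        if [ "$port" != "-" ]; then
            echo "rdr on {${EXT_IF}, lo0} proto tcp from any to ${EXT_IF} port ${port} -> ${ip} port ${port}"
        fi
        echo "nat on ${EXT_IF} from ${ip} to any -> ${EXT_IF}"
    done
}

# True when $1 is an inet address in ifconfig -a output ($2); trailing space
# keeps 10.0.0.2 from matching 10.0.0.20.
ip_configured() {
    echo "$2" | grep -qF "inet $1 "
}

# The create step from the article, refusing to run when the IP is missing,
# so ezjail-admin never sees an unknown address.
create_jail() {
    if ip_configured "$2" "$(ifconfig -a 2>/dev/null)"; then
        ezjail-admin create "$1" "$2"
    else
        echo "refusing to create $1: $2 is not configured on $EXT_IF" >&2
        return 1
    fi
}
# Print the fragments to paste into /etc/rc.conf and /etc/pf.conf.
gen_rc_aliases
gen_pf_rules
```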
Now create the jails, one at a time, using
ezjail-admin create JAIL JAILIP
Then try starting the jails:
/usr/local/etc/rc.d/ezjail.sh start
If all jails start successfully you can begin installing and configuring them. To enter a jail you first need the list of running jails, obtained by running jls; you get a list with JID, IP address, hostname and path, for example:
%jls
JID IP Address Hostname Path
2 10.0.0.3 MAIL /usr/jails/world/MAIL
1 10.0.0.2 WWW /usr/jails/world/WWW
Sources: dev-urandom
Copyright 2010 © Wael Nasreddine