On Nov 16, 2005, at 9:38 PM, Will Maier wrote:

OP has some asset that is being threatened or diminished by this
attack, be it his bandwidth, CPU cycles, host/network integrity or
self confidence. He needs to identify that asset and work quickly to
protect it. In most cases, this will mean immediately removing the
box and preparing to rebuild the machine;

One thing I have done to minimize the threat of crackers is to have my machines built thus:

I install FreeBSD and activate only SSH and only SSH with certificates -- no passwords allowed. I then build a master jail hierarchy but I don't actually run a jail in it.

I create file-backed md devices for most jails to be their root filesystems. Some jails I don't do this with, but most of them I do.

I then create one or more jails that use nullfs to READ ONLY mount specific parts of the master hierarchy into the jail.

namely

/bin
/lib
/libexec
/sbin
/usr

For example:

# df -h | grep myjail
/dev/md1410                 290M   108M   171M    39%    /local/jails/myjail
/local/jails/master/bin      66G    28G    33G    46%    /local/jails/myjail/bin
/local/jails/master/lib      66G    28G    33G    46%    /local/jails/myjail/lib
/local/jails/master/libexec  66G    28G    33G    46%    /local/jails/myjail/libexec
/local/jails/master/sbin     66G    28G    33G    46%    /local/jails/myjail/sbin
/local/jails/master/usr      66G    28G    33G    46%    /local/jails/myjail/usr
procfs                      4.0K   4.0K     0B   100%    /local/jails/myjail/proc
devfs                       1.0K   1.0K     0B   100%    /local/jails/myjail/dev

/etc
/var

are native to each jail in their own filesystem

and /usr/local is set up so that the master has a symlink that resolves to something inside of each separate jail's local filesystem, so that they can have a RW /usr/local.

Any and all other services run inside of one or more jails.

You can set up other md devices if you want separate log / tmp / whatever partitions inside your jail...

Unless there is a breach in SSH, it is highly unlikely that the root machine itself will be cracked as the ONLY port open is the SSH one and it is restricted to certificate logins only. You can use your firewalls to only allow logins to SSH from certain IP ranges etc if you have that luxury.

If someone cracks one of the jails, it is harder for him to screw up the jail system since most of the important system executables are actually mounted read only and they cannot replace system binaries, for example. And if a jail does become compromised, it is much easier to rebuild a jail inside of a good machine than to rebuild your whole native machine...

And if one jail gets compromised, I can easily shut it down, rename the root file that is used for the md device (i.e., every jail uses an image file for its fs) and save it for forensic study later.

best
Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
[EMAIL PROTECTED]
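
The layout Chad describes, written out as an added shell example (this is not Chad's script and not from the original post). It assumes things the post does not state: jails live under /local/jails with images in /local/jails/images and quarantined images in /local/jails/quarantine, the master hierarchy's usr/local is a symlink to /rwlocal (so that inside a jail it lands on the jail's own writable image), the image size is 512m, the md unit is passed in (1410, matching the df output), and modern jail(8) syntax (jail -r) is available. With DRY_RUN=1 it prints every privileged command instead of running it, which is how to check the plan on a non-FreeBSD box.

```shell
#!/bin/sh
# Added example, not Chad's own script. Assumptions not in the original post:
# jails under /local/jails, images under /local/jails/images, master has
# usr/local -> /rwlocal, 512m image, modern jail(8) syntax.
# DRY_RUN=1 prints each privileged command instead of executing it.

JAIL_ROOT=${JAIL_ROOT:-/local/jails}
MASTER=$JAIL_ROOT/master
IMAGES=$JAIL_ROOT/images
EVIDENCE=$JAIL_ROOT/quarantine
RO_DIRS="bin lib libexec sbin usr"   # shared, nullfs READ ONLY from master
RW_DIRS="etc var"                    # copied, private to the jail's md image
IMG_SIZE=${IMG_SIZE:-512m}

# run: execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# jail_build NAME [MD_UNIT]: file-backed md root plus read-only system dirs.
jail_build() {
    name=$1; unit=${2:-1410}
    jdir=$JAIL_ROOT/$name; img=$IMAGES/$name.img
    # 1. private root filesystem on a file-backed md(4) device
    run mkdir -p "$jdir" "$IMAGES"
    run truncate -s "$IMG_SIZE" "$img"
    run mdconfig -a -t vnode -f "$img" -u "$unit"
    run newfs -U "/dev/md$unit"
    run mount "/dev/md$unit" "$jdir"
    # 2. system directories shared from master, mounted read-only:
    #    a compromised jail cannot replace /bin/sh or /usr/sbin/sshd
    for d in $RO_DIRS; do
        run mkdir -p "$jdir/$d"
        run mount -t nullfs -o ro "$MASTER/$d" "$jdir/$d"
    done
    # 3. per-jail writable copies of /etc and /var on the md image
    for d in $RW_DIRS; do
        run cp -Rp "$MASTER/$d" "$jdir/$d"
    done
    # 4. master's usr/local is a symlink to /rwlocal (assumed layout); inside
    #    the jail that resolves to this directory on the writable image
    run mkdir -p "$jdir/rwlocal"
    # 5. devfs with the stock jail ruleset (4) and procfs, as in the df output
    run mkdir -p "$jdir/dev" "$jdir/proc"
    run mount -t devfs devfs "$jdir/dev"
    run devfs -m "$jdir/dev" rule -s 4 applyset
    run mount -t procfs procfs "$jdir/proc"
}

# jail_quarantine NAME [MD_UNIT]: stop the jail, tear down its mounts
# (innermost first) and set the image aside, hashed, for forensic study.
jail_quarantine() {
    name=$1; unit=${2:-1410}
    jdir=$JAIL_ROOT/$name; img=$IMAGES/$name.img
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    run jail -r "$name"
    run umount "$jdir/proc" "$jdir/dev"
    for d in $RO_DIRS; do run umount "$jdir/$d"; done
    run umount "$jdir"
    run mdconfig -d -u "$unit"
    run mkdir -p "$EVIDENCE"
    run mv "$img" "$EVIDENCE/$name-$stamp.img"
    run sha256 "$EVIDENCE/$name-$stamp.img"   # FreeBSD sha256(1); record the hash
}

case ${1:-} in
    build)      jail_build "$2" "$3" ;;
    quarantine) jail_quarantine "$2" "$3" ;;
esac
```

Usage: `DRY_RUN=1 sh jails.sh build myjail 1410` to review the plan, then run it as root without DRY_RUN on the FreeBSD host; `sh jails.sh quarantine myjail 1410` implements the "shut it down and keep the image" step. Note the unmount order in jail_quarantine: the nullfs, devfs and procfs mounts sit on top of the md root, so they must come off before the root and before mdconfig -d.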


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions