bsdjunkie
March 8th, 2003, 22:05
Chrooted jails are great for increasing the security of programs running on your box, and FreeBSD makes it very easy to set up your own environment.
A couple of things to note: each jail must have its own IP address, so you may want to throw in another NIC if needed. Also, if your system has daemons that bind to all available IPs on your box, it will prevent the jail from starting. You can use the sockstat(1) cmd to see what daemons are listening. You may have to reconfigure these to listen on one IP only if this is the case.
Kernel Options:
The jail needs 3 different sysctls, and in most cases these can be set to 0 safely, and will save some headaches in the future and help make it more secure.
jail.set_hostname_allowed
jail.socket_unixiproute_only
jail.sysvipc_allowed
Next, we have to download the src tree from fbsd.
You may also want your jail to be on its own partition for added security.
So, here are the steps needed to set up a chroot jail on a partition mounted under /jailed:
# cd /usr/src
# make world DESTDIR=/jailed
# make installworld DESTDIR=/jailed
Now we gotta set up /etc correctly in the jail.
# cd /usr/src/etc
# make distribution DESTDIR=/jailed NO_MAKEDEV_RUN=yes
And then set up /dev in it:
# cd /jailed/dev
# sh MAKEDEV jail
Note: many programs try to find your kernel in /kernel, so it's good to make a fake one in your jail.
# cd /jailed
# ln -sf dev/null kernel
Now it's time to set up an IP for the jail.
# ifconfig xl0 alias 192.168.1.199
And you can also add that to /etc/rc.conf to automatically set it up on boot.
ifconfig_xl0_alias0="192.168.1.199"
Now we set up a procfs in the jail and are ready to go.
# mount -t procfs proc /jailed/proc
You can start the jail with the jail(8) cmd.
# jail <path to jail> <jail hostname> <jail ip> <command>
# jail /jailed myjailedhost 192.168.1.199 /bin/bash
Now the following must be done from within the jail:
Create a /jailed/etc/rc.conf and add the following:
portmap_enable="NO"
network_interfaces=""
sshd_enable="YES"
# touch /etc/fstab
If you're running sendmail, do the following:
# newaliases
Set your root pass for the jail:
# passwd
Now everything is set and ready to go... Once you exit this shell, the jail will be gone, so we can do the following to keep it up forever...
Run the virtual machine's /etc/rc script from within the jail by hand, or you can have it start at boot by adding it to the end of your /usr/local/etc/rc.d/jail.sh script.
Killing your jail:
# /bin/sh /usr/local/etc/rc.d/jail.sh stop
# /bin/sh /etc/rc.shutdown
# kill -15 -1 (don't do this on a non jailed server =P)
:roll:
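Added example, not part of the original post: a host-side preflight for the sockstat(1) check mentioned at the top, listing daemons that listen on the wildcard address and so need rebinding to a single IP before the jail is started. The function names and the sample input are constructed for illustration, and the column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN) is assumed to match your sockstat version.

```shell
#!/bin/sh
# Added example: find host daemons listening on every IP ("*:port").
# Assumed sockstat(1) columns: USER COMMAND PID FD PROTO LOCAL FOREIGN.

# wildcard_listeners: read sockstat-style output on stdin and print
# "command pid proto port" for each listening socket bound to "*:port".
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:[0-9]+$/ && $7 == "*:*" {
        split($6, a, ":")
        print $2, $3, $5, a[2]
    }'
}

# Constructed sample input (not captured from a real host).
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       123   3  tcp4   *:22                  *:*
root     sendmail   98    4  tcp4   *:25                  *:*
root     inetd      87    4  tcp4   192.168.1.10:21       *:*
root     syslogd    71    5  udp4   *:514                 *:*
EOF
}

# jail_preflight: return 1 if any wildcard listener is present on stdin.
jail_preflight() {
    found=$(wildcard_listeners)
    if [ -n "$found" ]; then
        echo "rebind these to a single host IP before starting the jail:"
        echo "$found"
        return 1
    fi
    echo "no wildcard listeners"
    return 0
}

# On the FreeBSD host:  sockstat -4 | jail_preflight
# Offline demo using the constructed sample:
sample_sockstat | jail_preflight || true
```

inetd in the sample is already bound to one address, so it is not reported; only the three wildcard sockets are.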