Jail Servers!
Hello,
Well, in this article I will discuss jails: what they are, what the benefits of having them are, and most importantly how to create, manage and use them.
Introduction
Jails are what their name says: a jail for the processes running inside them. A jailed process sees only the jail's own filesystem, processes and IP address, not the host's, and even root inside a jail stays confined, which is a big security improvement. Let's have an example... This website is running on FreeBSD 7.0-RELEASE and has web, mail and MySQL servers. Imagine that somehow my web server (Apache) was compromised: the attacker would then have access to the web pages, the MySQL databases and the mail. So to improve security I set up the jail system from scratch on a clean installation, and now each server (web, MySQL, mail) runs in its own virtual server. If one is compromised it stays that way: short of a kernel-level jail escape, the attacker is confined to that one jail and cannot reach the host or the other jails.
Requirements
To deploy a server with jails you need a recent FreeBSD release; I advise FreeBSD 6.3 or above. Since each jail is a virtual server, each jail needs its own IP address, so you need either one NIC per jail or a single NIC carrying one IP alias per jail (any NIC can carry aliases; no special hardware support is needed).
Preparation
Begin with a clean FreeBSD installation (I will not cover the base installation; please refer to the FreeBSD Handbook for that).
So first we pull ports and src.
ports:
portsnap fetch extract
src:
# Copy the example supfile to your /etc directory
cp /usr/share/examples/cvsup/standard-supfile /etc
# Use 'sed' to change the default source server
sed -i.bak "s/CHANGE_THIS/cvsup11/g" /etc/standard-supfile
# Use 'csup' to update our local /usr/src tree
csup -g -L 2 /etc/standard-supfile
Now install ezjail from ports:
cd /usr/ports/sysutils/ezjail
make install clean
Now create the basejail and the newjail (template): just run ezjail-admin update and go get a cup of coffee; it builds a world from /usr/src and takes a while...
Once that has finished you are ready to create jails. ezjail-admin does it quickly and automatically; all you have to do is
ezjail-admin create JAILNAME JAILIP
but don't run it just yet: the network for our jails must be up and running first. If you run the command before the IP is configured on the host, ezjail will warn that the IP is unknown, so make sure the network exists before creating jails.
A side note, in this article we will assume you are creating 3 jails.
Network
The network part is a bit tricky. If the server runs behind a router (NAT) you do not need the pf part below; otherwise you must have it!
Multiple NICs
If your server has multiple NICs, assign an IP to each connected NIC by adding something like this to /etc/rc.conf (assuming your NICs are vr0, vr1 and vr2; check them with ifconfig -a, and note that every NIC gets a different address):
ifconfig_vr0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_vr1="inet 192.168.0.2 netmask 255.255.255.0"
ifconfig_vr2="inet 192.168.0.3 netmask 255.255.255.0"
Single NIC
In this case your single NIC carries one IP alias per jail and passes traffic from and to them, so add the following to /etc/rc.conf (again assuming your network card is vr0):
ifconfig_vr0_alias0="inet 10.0.0.1 netmask 255.255.255.255"
ifconfig_vr0_alias1="inet 10.0.0.2 netmask 255.255.255.255"
ifconfig_vr0_alias2="inet 10.0.0.3 netmask 255.255.255.255"
Now that the network is up, we have to make sure traffic passes through the host from and to the jails. I will cover two cases: a server running behind a router (NAT), and a server connected directly to the Internet without NAT.
- Server Behind NAT:
If your server is behind a NAT router it is easy: just forward each port on the router to the jail's IP, for example port 80 to the IP you assigned to the Apache jail. For this to work the jail IPs must be reachable from the router, so give the jails aliases in your LAN subnet; the router cannot reach the 10.0.0.x aliases above unless it has a route to them through the host.
Server connected directly:
Use FreeBSD's pf packet filter: edit /etc/pf.conf and add something like the following (the jail IPs are the aliases set up above; int_net is the jails' subnet):
# Interface declarations
ext_if="vr0"
all_if="{ vr0, lo0 }"
# Internal network subnet (the jail aliases)
int_net="10.0.0.0/24"
# Name and IP of our webserver
APACHE="10.0.0.2"
# Rule 1:
# redirect any packets requesting port 80 received on the loopback (lo0)
# device and the external card (vr0) to our jailed webserver
rdr on $all_if proto tcp from any to $ext_if port 80 -> $APACHE port 80
# Rule 2:
# allow our jail to access the Internet
nat on $ext_if from $APACHE to any -> ($ext_if)
Check the ruleset for syntax errors with pfctl -nf /etc/pf.conf before loading it, and make sure you add
# Enable port forwarding and packet filtering
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
to your rc.conf!!
Jails creation
Create the jails now, one per service (WWW, MAIL and MySQL in our example), giving each one its name and the IP you brought up above:
ezjail-admin create JAIL JAILIP
Post Installation
Try starting the jails
/usr/local/etc/rc.d/ezjail.sh start
If all jails start successfully you can begin installing and configuring them. To enter a jail, first list the running jails with jls; it prints the JID, IP address, hostname and path of each one, for example:
%jls
   JID  IP Address      Hostname    Path
     2  10.0.0.3        MAIL        /usr/jails/world/MAIL
     1  10.0.0.2        WWW         /usr/jails/world/WWW
then enter one with jexec and its JID, e.g. jexec 1 /bin/sh for the WWW jail.
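Everything from the Network section through to starting and listing the jails, as one script. This is an added example and not the article's own code: it assumes the single-NIC case with vr0, that /etc/rc.conf contains no aliases yet and that /etc/pf.conf can be overwritten, that ezjail is installed and the basejail built, and it uses a constructed jail list (WWW, MAIL and DB on 10.0.0.2 to 10.0.0.4 with the ports they expose) that you would replace with your own. Run without arguments it only generates the rc.conf aliases, the pf ruleset and the ezjail-admin commands so you can review them; run as root with the argument deploy it applies them in the order the article requires, network first.

```shell
#!/bin/sh
# Added example, not from the original article: the whole jail procedure
# (aliases, pf rules, jail creation, start, list) driven from one script so
# the jails cannot drift apart. Assumptions: single NIC vr0, no aliases
# already in /etc/rc.conf, /etc/pf.conf may be overwritten, ezjail installed
# and basejail built. Without arguments only text is generated; run
# "./mkjails.sh deploy" as root on the host to actually apply it.
set -eu

NIC="vr0"
# Constructed sample list: name:ip:ports ("-" = nothing exposed through pf)
JAILS="WWW:10.0.0.2:80,443 MAIL:10.0.0.3:25,143 DB:10.0.0.4:-"

field() { echo "$1" | cut -d: -f"$2"; }   # field "WWW:10.0.0.2:80" 2 -> 10.0.0.2

# Two jails on one address would leave the second one unreachable; refuse.
check_unique_ips() {
    dups=$(for j in $JAILS; do field "$j" 2; done | sort | uniq -d)
    [ -z "$dups" ]
}

# rc.conf: one /32 alias per jail on the single NIC, numbered from alias0
alias_lines() {
    i=0
    for j in $JAILS; do
        echo "ifconfig_${NIC}_alias${i}=\"inet $(field "$j" 2) netmask 255.255.255.255\""
        i=$((i + 1))
    done
}

# pf.conf: NAT out for every jail, then one rdr per exposed port. Both the
# external interface and lo0 are redirected so the host itself can test a
# jail with fetch http://localhost/ (the ext_if macro stays literal in the file).
pf_conf() {
    echo "ext_if=\"$NIC\""
    for j in $JAILS; do
        echo "nat on \$ext_if from $(field "$j" 2) to any -> (\$ext_if)"
    done
    for j in $JAILS; do
        ports=$(field "$j" 3)
        [ "$ports" = "-" ] && continue
        for p in $(echo "$ports" | tr ',' ' '); do
            echo "rdr on { \$ext_if, lo0 } proto tcp from any to \$ext_if port $p -> $(field "$j" 2) port $p"
        done
    done
}

# One ezjail-admin create per jail, name and IP taken from the list
create_cmds() {
    for j in $JAILS; do
        echo "ezjail-admin create $(field "$j" 1) $(field "$j" 2)"
    done
}

deploy() {
    check_unique_ips || { echo "duplicate jail IP in JAILS" >&2; return 1; }
    # Network first: ezjail-admin create warns if the address is not on the host yet.
    for j in $JAILS; do ifconfig "$NIC" alias "$(field "$j" 2)" netmask 255.255.255.255; done
    alias_lines >> /etc/rc.conf
    printf 'gateway_enable="YES"\npf_enable="YES"\npf_rules="/etc/pf.conf"\n' >> /etc/rc.conf
    pf_conf > /etc/pf.conf
    pfctl -nf /etc/pf.conf     # parse only: a typo must not lock us out of the host
    pfctl -ef /etc/pf.conf     # enable pf and load the checked ruleset
    create_cmds | sh -e
    /usr/local/etc/rc.d/ezjail.sh start
    jls                        # every jail should appear with its JID, IP and path
}

if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

The uniqueness check is there because duplicated alias lines are an easy copy-and-paste mistake, and the pfctl -n parse before enabling pf is the check you want on a remote host: loading a broken ruleset from a script can cut your own SSH session.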
Sources: dev-urandom