Jailing FTP-Server - Asking for Advice

Zvoni

Zvoni

Hi Folks,
Up Front: I'm not asking for a "How-to-setup-a-jail"
I'm asking for advice on how to setup the following scenario:

Local Network with a Router connecting to the evil outside world.
Currently, i have two FreeBSD12.1-p2-Servers (exactly the same install).
Right now, i'm running ProFTPd directly on both of them. Those FTP-Server(s) have to be exposed via Port-Forwarding on the Router to the evil outside world (and, yes, i'm using FTPS, and using arbitrary Port-Numbers, not the standard-ports)
In the LAN, both servers expose a Samba-Share as a Gluster-Volume, which is the DefaultRoot for the FTP-Server (chroot-ing the users to that Folder).
Currently (and probably in the Future), there will be only a limited amount of Users with Access to the FTP-Server (no Anonymous!).
As the next planned step, there will be Nextcloud coming into the equation some time into the future (but i'll open that can of worms, when i have finished the FTP)

To get it more secure, i was thinking about jailing the FTP-services.
On a Test-VM i have a working ProFTPd in a Jail (that's for me to get the kinks out of the system as well as a learning experience) with the jail having its own static IP-Address in the Address-Range of the Router. It Works, i can connect to the evil outside world.

Questions:
1) i'm considering ip4.addr=inherit for the Jail's NIC (and then to PF traffic to/from the FTP-Port), since the Hosts get their IP-Address via DHCP from the Router (and on the Router it's a static Address)
2) Leave the Jail with its own IP-Address in the IP-Range, and treat the jail as if it's a separate server in the Network.
3) give the Jail a completely different address (say 172.16.0.2 or 10.0.2.15 or whatever), and NAT everything to hell and back (i'm reading up on PF right now).
4) In any way: What's the best way, to "DefaultRoot" to that Samba-Share? Mount the Share into the Jail? Symlinking?

Good Ideas? Bad Ideas?
Any advice on "Best practice"?
I'm aware that Jails are not the "Be-all-End-All" of security, but for me it's a starting point (and in our usecase we don't have the american nuclear launching codes on the servers).

Cheers!
 
I tend to keep the services that are available to public (via public ip-addresses) in a dedicated demilitarized zone.
If you have 2 ethernet interfaces on that servers, I would use one for the server/hardware-host itself (consider it management interface), and the second one for the jails (services) - so like you described in 2). I am a little paranoid and would opt for 3), so to have my service jails in an own network and have firewall rules restricting the access to the outside world and the other office network.

4) Have a look at nullfs, its made for such things. If you like the idea you can have one basejail and mount_nullfs the operating system files (/bin /usr/bin etc) to all your jails - you update the basejail and all jails are updated...
 
Thx Bert
The scenario i described is a planned infra-structure for my skydiving-club to manage the videos we produce, so nothing world-shattering there.

Regarding your advice: I only have one NIC per server (old Desktop-Computers i got for free from my employer), but i'm considering to set up a separate (physical) machine just for that purpose (FTP and NextCloud), so moving ProFTPd from those two servers to that third (dedicated) machine is not really an issue (in which case, that third host would have its own address in any case).
As for 4) Yeah, i've seen the nullfs, but wasn't sure if it's feasable for my scenario, but i'll take your word for it, that it was "made" just for that purpose :)

As for "thick" vs. "thin" jails: still trying to get a grip on that.
How it works is clear, just trying to figure out which folders are read-only (to symlink/mount) and which have to go "full" into the jail. Still sorting out all the websites recommending this way and that way.
 
it actually is quite simple, here is the relevant part of my /etc/jail.conf, I think its self-explaining

Code: 
    exec.prestart += "mount_nullfs -o ro /data/jails/basejail-12.1/bin /data/jails/${name}/bin";
    exec.prestart += "mount_nullfs -o ro /data/jails/basejail-12.1/sbin /data/jails/${name}/sbin";
    exec.prestart += "mount_nullfs -o ro /data/jails/basejail-12.1/usr/sbin /data/jails/${name}/usr/sbin";
    exec.prestart += "mount_nullfs -o ro /data/jails/basejail-12.1/usr/bin /data/jails/${name}/usr/bin";
    exec.prestart += "mount_nullfs -o ro /data/jails/basejail-12.1/usr/lib /data/jails/${name}/usr/lib";
    exec.prestart += "mount_nullfs -o ro /data/jails/basejail-12.1/usr/lib32 /data/jails/${name}/usr/lib32";
    exec.prestart += "mount_nullfs -o ro /data/jails/basejail-12.1/usr/include /data/jails/${name}/usr/include";
    exec.prestart += "mount_nullfs -o ro /data/jails/basejail-12.1/usr/share /data/jails/${name}/usr/share";
    exec.prestart += "mount_nullfs -o ro /data/jails/basejail-12.1/lib /data/jails/${name}/lib";
    exec.prestart += "mount_nullfs -o ro /data/jails/basejail-12.1/libexec /data/jails/${name}/libexec";
    exec.prestart += "mount_nullfs -o ro /data/jails/basejail-12.1/usr/libexec /data/jails/${name}/usr/libexec";
    exec.prestart += "mount_nullfs -o ro /data/jails/basejail-12.1/boot /data/jails/${name}/boot";
    exec.start = "/bin/sh /etc/rc";            # Start command
    exec.stop = "/bin/sh /etc/rc.shutdown";    # Stop command
    exec.poststop += "umount /data/jails/${name}/bin";
    exec.poststop += "umount /data/jails/${name}/sbin";
    exec.poststop += "umount /data/jails/${name}/usr/sbin";
    exec.poststop += "umount /data/jails/${name}/usr/bin";
    exec.poststop += "umount /data/jails/${name}/usr/lib";
    exec.poststop += "umount /data/jails/${name}/usr/lib32";
    exec.poststop += "umount /data/jails/${name}/usr/include";
    exec.poststop += "umount /data/jails/${name}/usr/share";
    exec.poststop += "umount /data/jails/${name}/lib";
    exec.poststop += "umount /data/jails/${name}/libexec";
    exec.poststop += "umount /data/jails/${name}/usr/libexec";
    exec.poststop += "umount /data/jails/${name}/boot";
 
Very nice,
thx a lot!
Going by that, it implies everything else of the basesystem has to go directly into the jail, correct?

EDIT: Come to think of it: From a purely theoretical point: /usr/src and /usr/ports would be candidates for mounts, too, correct?
Say, if i wanted to build from ports inside the jail (binary install i have found out the pkg -j ..... command..)
 
yes, you can use ports and src also, or any directory or jail you want to share information with. with the default configuration, compiling ports would write into /usr/ports, so you have to define other directories to work with if you want to mount ports read-only ... e.g. in the /etc/make.conf

Code: 
WRKDIRPREFIX=   /usr/pkg
DISTDIR=        /usr/pkg/distfiles
PACKAGES=       /usr/pkg/packages
 
You must log in or register to reply here.
Back
Top