Jails: Do I need them?

I have my own dedicated server and have long been avoiding jails, mostly due to not fully understanding their benefits. Things have changed recently - one of my websites is showing an incredible growth rate - that has me thinking more about security.

The server is a 16-core Xeon, 128GB ram and 2 x 256GB NVMe drives. The filesystem is UFS (not comfortable with ZFS yet, especially if an issue arises) and I can't afford any downtime.

The OS (14.4-RELEASE-p2) is on one partition, and /usr/opt/ is on its own partition. I've always thought that the setup gave me "good enough" protection, but apparently it's not enough?

My questions are:

1. Do I need to use a jail?
2. If so, which type?
3. Should I put Nginx, PHP-FPM, MySQL into the same jail?
4. Do Postfix, Dovecot and OpenDKIM need to reside in a jail?

Any advice would be greatly appreciated.
 
My questions are:

1. Do I need to use a jail?
2. If so, which type?
This isn't a question anyone can honestly answer... do you really need them? Nah. But it does depend on context, and there's also something else to consider: there are a lot of security measurements which you don't really need per se, but the moment when disaster does strike then you'll probably be happy that you did implement such measurements.

For me jails are the perfect way to isolate certain processes which could potentially be at risk because they handle direct outside connections. So... a webserver (especially if it hosts PHP driven websites made by self-proclaimed "PHP professionals"), a mail server (maybe), DNS server, etc.

As for type... I always go for a thick jail (courtesy of the *.txz packages provided by FreeBSD) because it's easier to set up. I basically download base.txz, kernel.txz ("security through obscurity") and also lib32.txz. Unpack those, and you've got an insta-jail which doesn't gobble up all that much disk space.

Anything else can always be mounted afterwards.

Hope this can give you some ideas.
 
I'm just a baby beastie, but jails are so easy to set up and provide a significant security layer - the cost-benefit analysis says use jails. Why would you want an internet connected program to have access to everything on your server if things go awry? I think ephemeral jails are so elegant - it's like constructing and putting up a thick shield on the fly. And just pure logic dictates - one application per one jail. And switch to ZFS asap with maybe even hourly snapshot backups.
 
Whether you need them or not is a matter of personal circumstances. I've personally had decent luck with both Podman containers and actual FreeBSD jails. I haven't personally found either to be particularly hard to set up on the whole. I've personally been using Bastille to run my instance of Jellyfin and Nextcloud.

I'd personally recommend just setting up a basic jail for something unimportant and see how you like it. Whether the security is necessary or not really depends on your environment.
 
with maybe even hourly snapshot backups.
Don't confuse snapshots with backups. Both are very recommendable to do, that's right. But they are not the same.
If snapshots are stored on the same pool (physical drive) they provide quick and easy restoration when something was messed up (#1 reason to restore from BU), but they are no security against hardware failure (#2).
When the pool/drive dies, so do the snapshots stored on it.
Backups always need to be done to another physical storage medium.
 
1. Do I need to use a jail?
No, but I highly recommend it. The more packages you install the higher the likelihood something breaks with an update. So, my advice: every application in a secure, contained environment. So when you update a certain software stack and it breaks, at least the rest continues to run. After that, just roll back the jail where the update led to a nonfunctional state using ZFS or a backup.
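The two posts above (snapshots are not backups unless they land on another physical medium; roll a jail back with ZFS when an update breaks it) are shown here as one script. This is an added example, not code from anyone in the thread. It assumes each jail lives in its own ZFS dataset under zroot/jails/<name> on the live pool and that a second, physically separate pool called "backup" exists; dataset names, the snapshot naming scheme and the DRY_RUN switch are all assumptions of this example. With DRY_RUN=1 the script only prints the zfs(8)/jail(8) commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot a jail's dataset before a
# package update, roll back if the update fails, and replicate the snapshot
# to a separate pool so it also survives loss of the live drive.
# Assumed layout: zroot/jails/<name> (live NVMe pool), backup/jails/<name>
# (second, physically separate pool).
set -eu

LIVE=${LIVE_POOL:-zroot/jails}
BACKUP=${BACKUP_POOL:-backup/jails}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Full snapshot name for a jail and a label, e.g. zroot/jails/www@pre-update-2024...
snap_name() {
    printf '%s/%s@%s' "$LIVE" "$1" "$2"
}

# Step 1: take a recursive snapshot before touching the jail. This is the
# quick "undo" for a broken update, but it lives on the same pool as the jail.
pre_update_snapshot() {
    run zfs snapshot -r "$(snap_name "$1" "pre-update-$2")"
}

# Step 2 (only on failure): stop the jail, discard everything written since the
# snapshot, start it again. zfs rollback -r also destroys any snapshots taken
# after the target one, so keep the pre-update snapshot as the newest.
rollback_jail() {
    run jail -r "$1"
    run zfs rollback -r "$(snap_name "$1" "pre-update-$2")"
    run jail -c "$1"
}

# Step 3: copy the snapshot to the other pool. First run sends the whole
# dataset tree; later runs send only the changes since the previous snapshot.
# Only this copy is a backup in the sense of the post above.
replicate_to_backup() {
    name=$1 snap=$2 prev=${3:-}
    src="$LIVE/$name@$snap"
    if [ -n "$prev" ]; then
        cmd="zfs send -R -i @$prev $src | zfs receive -F $BACKUP/$name"
    else
        cmd="zfs send -R $src | zfs receive -u $BACKUP/$name"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$cmd"; else sh -c "$cmd"; fi
}

# Usage (as root, jail running): sh jail-update.sh update www
# Updates packages inside the jail with pkg -j and rolls back on failure.
if [ "${1:-}" = update ]; then
    stamp=$(date +%Y%m%d%H%M)
    pre_update_snapshot "$2" "$stamp"
    pkg -j "$2" upgrade -y || rollback_jail "$2" "$stamp"
    replicate_to_backup "$2" "pre-update-$stamp"
fi
```

The incremental form (`replicate_to_backup www daily-2 daily-1`) needs the previous snapshot to still exist on both pools; if it was destroyed by a rollback, fall back to a full send into a fresh dataset on the backup pool.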
 
Big newb chiming in to say that jails are the way to go. I've been using them to get all my homelab services up, sticking with a "one service gets one jail" approach. Only for the super tightly integrated LDAP+Kerberos setup did I opt for a shared jail - your circumstances will dictate how many services to cram into a single jail. I agree with ShelLuser - thick jails are conceptually and practically easiest, and with modern storage the footprint is negligible.
 
I use a “1 application = 1 jail” approach. Meaning that something like Nextcloud goes into a single jail, database and all.

And I use mount points to ensure that my data stays if I need to rebuild the jail.
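Putting together the thick-jail recipe from ShelLuser's post (unpack the release .txz sets) and the "one application, one jail, data on a mount point" approach from the posts above, here is an added example script; it is not code from any poster. It assumes the download.freebsd.org mirror layout shown in the URL, jails rooted under /usr/local/jails, persistent data under /usr/local/jails/data/<name>, and a cloned loopback interface lo1 for jail addresses; all of those are assumptions of the example, and the host names and 192.0.2.x addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build a thick FreeBSD jail from the
# release distribution sets and emit a jail.conf(5) entry for it, with the
# application's persistent data on a nullfs mount so the jail can be thrown
# away and rebuilt without losing it.
# Assumptions: mirror URL layout below, jails under /usr/local/jails,
# data directories under /usr/local/jails/data, jail IPs on interface lo1.
set -eu

MIRROR=${MIRROR:-https://download.freebsd.org/ftp/releases}
JAIL_ROOT=${JAIL_ROOT:-/usr/local/jails}
JAIL_IF=${JAIL_IF:-lo1}

# URL of one distribution set: dist_url amd64 14.4-RELEASE base.txz
dist_url() {
    printf '%s/%s/%s/%s\n' "$MIRROR" "$1" "$2" "$3"
}

# Fetch base.txz and lib32.txz and unpack them into the jail's root.
# The release must not be newer than the host kernel. Needs root and network.
build_thick_jail() {
    name=$1 arch=$2 release=$3
    dest="$JAIL_ROOT/$name"
    mkdir -p "$dest" "$JAIL_ROOT/data/$name"
    for dist in base.txz lib32.txz; do
        fetch -o - "$(dist_url "$arch" "$release" "$dist")" | tar -xpf - -C "$dest"
    done
    cp /etc/resolv.conf "$dest/etc/resolv.conf"
}

# Print a jail.conf(5) entry. One application per jail; the host directory
# holding its data is nullfs-mounted at /data inside the jail. devfs ruleset 4
# is the default restricted "devfsrules_jail" set from /etc/defaults/devfs.rules.
jail_conf_entry() {
    name=$1 ip=$2 datadir=$3
    cat <<EOF
$name {
    path = "$JAIL_ROOT/$name";
    host.hostname = "$name.jail.local";
    interface = "$JAIL_IF";
    ip4.addr = "$ip";
    mount.devfs;
    devfs_ruleset = 4;
    exec.clean;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount += "$datadir $JAIL_ROOT/$name/data nullfs rw 0 0";
}
EOF
}

# Usage (as root): sh thick-jail.sh build www amd64 14.4-RELEASE 192.0.2.10
if [ "${1:-}" = build ]; then
    build_thick_jail "$2" "$3" "$4"
    mkdir -p "$JAIL_ROOT/$2/data"
    jail_conf_entry "$2" "$5" "$JAIL_ROOT/data/$2" >> /etc/jail.conf
fi
```

For the original question (Nginx, PHP-FPM, MySQL), running the script three times with names such as www, php and db and distinct addresses gives three entries, each with its own data directory; whether the web and PHP parts share a jail is then a matter of moving one `mount +=` line, not of rebuilding anything.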
 
Mail setups are commonly put into jails. Depends on how you read the mail I suppose.

On the other hand you have to consider the increased risk from increased complexity. And you'd have multiple OSes to keep up-to-date.
 