[Solved] Encryption and Jails, basic newbie questions

Hey everybody,
I hope all is well.
(FIRST - my disclaimer lol:
**NOTE - I'm a graphics designer/animator, not a computer science graduate. So thanks in advance for understanding that I'm learning in leaps and bounds via the forums, online manual, and various google searches.
- and all of this I've done in my spare time on a 2004 32-bit Dell with an AMD 2 GHz processor and 500 MB of RAM, using the Fluxbox window manager; hence the old experimental machine is running faster than it ever did running Windows XP, Lubuntu, Vector Linux, CentOS, and even Manjaro light. Don't ask me how, but it does haha.)

- I've recently got an Nginx webserver up and running and now I am reading up on apps such as "Ezjail."
- I was wondering if the general opinion is that I should encrypt my root folder first, before playing around with jails, and which encryption apps do you recommend?
And I don't mind letting the webserver share the same IP address, as this is at my personal home office and not at the studios I work at. (Or is it better, in your opinions, to use a different ".192" address for the jails?)
- I do appreciate all the great advice I've been receiving over the last few weeks, as I'm still learning all that I can about FreeBSD and its true power. I can honestly say that FreeBSD is a workhorse, and has made a believer out of me.
- Thanks again guys.
 
Re: Encryption and Jails, basic newbie questions

nate88 said:
- I've recently got an Nginx webserver up and running and now I am reading up on apps such as "Ezjail."
Jails are an implementation of operating system-level virtualization on FreeBSD. Ezjail is an application designed to ease the process of creating jails. I would sincerely suggest that you look at TrueOS/PCBSD (FreeBSD derivative) and its tool Warden if you are interested in jails.

nate88 said:
- I was wondering if the general opinion is that I should encrypt my root folder first, before playing around with jails. and which encryption apps do you reccomend?
Completely unrelated things. Jails are used to isolate services like a web server, while encryption is designed to protect data from theft. Information which is sensitive should not be on a machine which runs things like a web server in the first place.

Encryption is a separate topic. There is kernel-level and userland-level encryption. FreeBSD uses GELI for kernel-level encryption IIRC (I use OpenBSD and we use softraid). scrypt is my favorite userland crypto function and is written by Colin Percival, who is the chief security officer for FreeBSD. He is a mathematician by education (Ph.D. Oxford) and one of the most intelligent people associated with the FreeBSD project. I would love to see him using OpenBSD :)

nate88 said:
And I don't mind letting the webserver share the same IP address, as this is at my personal home office and not at the studios I work at. (or is it in your opinions, to use a different ".192" address for the jails?
A jail is just like another computer and will have its own IP, which will share the same physical interface with the host machine. What kind of address is 192.xxx.xxx.xxx? That is not a routable address. Who is supposed to see that web site?
 
Re: Encryption and Jails, basic newbie questions

Thanks for the prompt response Oko.
you have helped me narrow my focus.
regarding:
What kind of address is 192.xxx.xxx.xxx? That is not a routable address. Who is supposed to see that web site?

- OK, thanks, I didn't realize that the jail receives its own address. I was merely commenting on the fact that my router doesn't use a 10.0.1.4-type address system, and if that doesn't matter as much, then should I choose an address that is closer to my router's addresses, or do most routers have the ability to use both 192.xxx.xxx.xx as well as 10.xxx.xx.xxx? And again, please forgive my lack of knowledge of the appropriate abbreviation of that number system. I'm not a network tech, but again, I'm learning.
 
Re: Encryption and Jails, basic newbie questions

To elaborate a bit on what @Oko said: encryption methods like GELI protect the data from theft only when the system has been shut down or, let's say, a disk has been removed from a running system. When the system is up and running, everything is available to the OS and its users in unencrypted form and only the usual file access restriction methods are in use.
 
Re: Encryption and Jails, basic newbie questions

Oko said:
What kind address is 192.xxx.xxx.xxx? That is not a routable address.
Actually the entire 192/8 range is routable. It's only the 192.168/16 range that's specifically defined by the IETF as a private range (see RFC-1918) and is not routed on the internet (you can still route it on your own network). The rest of the 192/8 range are normal IP addresses and are actually used on the internet.

169.254/16 is a real non-routable address range, and is used for IPv4 link-local addresses.
 
Re: Encryption and Jails, basic newbie questions

thanks Kpa.
and thanks SirDice.( your advice is always appreciated.)
I am already using a DNS service similar to no-ip.com.
And I suppose on my router I'm just gonna have to port forward the new jail address that I'll get/choose for the new HTML ports.
I appreciate the information my friends. thanks. I'll keep you posted as to my success on this experiment.
 
Re: Encryption and Jails, basic newbie questions

Hi @nate88, let me just jump in to say that jails in FreeBSD are awesome and well worth the learning investment. I would also highly recommend sysutils/ezjail as it makes the initial jail configuration and maintenance much more straightforward at the cost of only a little flexibility.
 
Re: Encryption and Jails, basic newbie questions

Thanks asteriskRoss, I am reading up on ezjail at the moment.
The main thing that I'm gonna need to get correct, is the new ip address for my website.
If ezjail doesn't automatically spin one up like VirtualBox does, then I'm gonna have to delve deeper into the advice from Kpa and SirDice regarding a good routing number to use that won't confuse my DSL router.
I think the DSL router/modem combo I am using here at my home office (the phone company installed it) will allow me to manually type in the jailed IP address via the firmware it uses. That's really the only issue I think I'll have.
... Since the website already has the chmod 755 settings on it, the jail shouldn't influence any of those parameters it seems, THUS my next step SHOULD just be a matter of me making the router and jail IP address talk to each other.
...and I probably shouldn't bother to encrypt any thing on this particular machine right? since for all purposes and points I'm experimenting with a dedicated webserver right? - Just curious.
 
Re: Encryption and Jails, basic newbie questions

@nate88, you mentioned port forwarding, so it sounds like your home router does Network Address Translation (NAT), such that your router has a public IP address and then the computers on your network have private IP addresses that look something like 192.168.x.x. Often, home routers offer a Dynamic Host Configuration Protocol (DHCP) server, such that computers on the network can be assigned an IP address automatically. However, it is not possible for a jail to obtain an IP address via DHCP; you must specify it.

You're totally right about the port forwarding. You should configure your router to forward your chosen ports (80 and 443 for a web server would be typical) to the IP address of your jail. A reasonable IP address to choose for your jail would be one similar to (on the same subnet as) the one you use for the host machine. So if your host machine is 192.168.1.10, choosing 192.168.1.11 is likely to work. Ideally, you should configure the router's DHCP server (if you're using one) so that the address of your jail is outside the range of addresses it gives to machines on the network. So you could, for example, configure your router to offer addresses 192.168.1.100 to 192.168.1.254. If your router offers DHCP there will be a page on the configuration interface where you can set this up.

As @kpa said, encrypting disk contents helps protect data when the computer is switched off, so if someone steals the computer, or you throw away your computer without wiping the hard disk, nobody can look at your files. For you, running a web server, somebody breaking in to your house is probably a lower risk than somebody launching a network-based attack on your server from the other side of the world. Whilst teaching yourself about encrypting file systems and files is certainly worthwhile, it might be more useful to you immediately to learn about tools that will help you control network access to your web server, like firewalls.
 
Re: Encryption and Jails, basic newbie questions

Thanks again AsteriskRoss.
- that answer was the exact knowlege required to set my next steps into motion.
 
Re: Encryption and Jails, basic newbie questions

You're very welcome, @nate88 :) After I posted, I realised I should have mentioned two other things that would be sensible to look at as next steps in addition to firewalls that are part of FreeBSD:
  • Securing NGINX itself. I see there is some documentation on access control and monitoring. You mentioned you had already looked at securing file permissions.
  • Configuring your home network so that if your web server is compromised, the rest of your network won't be accessible from it. How easy and thorough this is will depend on the capabilities of your home router. Simple, port-based Virtual LANs (VLANs) in conjunction with configuring any firewall built into your router would be a step in the right direction. It should be possible to disable Universal Plug and Play (UPnP) to prevent the router's firewall being reconfigured from a device on your network. It may even be possible to disable administrative access to the router from the web server (or the network segment it is on), and if not it would certainly be possible to set a strong password so that if someone compromised the server s/he couldn't easily reconfigure your router.
I'm sure that is enough to be getting on with. Beware of the technology rabbit hole you're going down as it just goes deeper and deeper. Before you know it you'll stop telling people that you're a graphics designer who knows a bit about computers and start telling them that you're a computer and network engineer who knows a bit about graphic design :)
 
Re: Encryption and Jails, basic newbie questions

Thanks again. Sorry, It took me a couple of days to get back to the server. I'm building the jail now. I'll let you know what problems I may encounter. ( I am using ezjail.)

If I want to check any jails I build, can I check them from an xserver graphical app like Nautilus? I freely admit, although my headless skills are getting stronger, and that installing and making overall system changes are much faster in the headless environment; I am pretty quick with a few graphics tools. Mostly I use Xterm, Roxterm, Nautilus, Leafpad, xarchiver, and little apps like that to check my work/ progress inside Fluxbox, or OpenBox when networking or animating.
 
Re: Encryption and Jails, basic newbie questions

You should certainly be able to access and edit the configuration files in your jails through a graphical file manager; by default your jails will be created in /usr/jails. From Xterm you can log in to your jails with the command ezjail-admin console <jailname> and then run whatever commands you need (such as to install ports).
 
Re: Encryption and Jails, basic newbie questions

Yeah, it's pretty neat actually haha.
I know I'm cheating a little bit, but here's how I'm pulling my experimental atrocity off thus far lol:
I type in
Code:
startx
, then start Fluxbox, THEN in xterm I type
Code:
roxterm
(I haven't had time to add roxterm to my fluxbox config file yet haha. I know, it's sad, but I'm doing all this in my spare time so thanks for sticking with me thus far haha.)
THEN in roxterm, I press
Code:
shift + ctrl + t
a few times to open some extra tabs, and then I type in one tab
Code:
su
then
Code:
 password
and open up Nautilus . THEN in another tab I type in
Code:
su
again and
Code:
  password
THEN I do all my headless work in the terminal while checking my progress in Nautilus.
- For what it's worth, the cool thing about Nautilus is that the deeper you go into file folders, there is a little list of squares (on the top Nautilus toolbar) that shows you the order of how deep inside the files you are. You can easily imagine how easy it is to simply think of those squares as "/", THUS I bookmark every location in Nautilus that I need quick access to in case I can't remember the exact "/usr/xxxx" to cd into. ...it's a fly-by-night trick, but I use Nautilus to remind me of locations and check my work mostly. (Did I mention that Nautilus has a shameless gratuitous bookmark function?)
- NOW I just tried something a few minutes ago: I named a new jail entitled WEBSERVER2 and gave it its own IP address. Then I typed in:
Code:
cd /usr/jails/WEBSERVER2/
then once inside I type in:
Code:
pkg install nginx
I wanted to see if the install command would install inside the jail; apparently it did.
**NOTE- I copied and pasted the nginx config files and folders and the already built website pages inside the nginx folder also. THEN I added the
Code:
 chmod 755
commands, per file, that I wanted to have outside access to. Now I'm trying to figure out why I'm not seeing the website from another computer. Do I have to chmod the jail itself, or do I merely need to restart the nginx server, and then maybe restart the jail?
I know that the jail is there, and it's IP address is also there.
are there any commands other than
Code:
jls
, and
Code:
ifconfig
I need to look at?
I just used an app named "Fing" by Overlook that I installed on my Linux tower to test the network connections, and the new IP address didn't show up...
so I'm almost there. I think.
I think the problem may be a config line maybe in the jails needs to be "uncommented" and/ or adjusted.
 
Re: Encryption and Jails, basic newbie questions

nate88 said:
- NOW I just tried something a few minutes ago: I named a new jail entitled WEBSERVER2 and gave it its own IP address. Then I typed in:
Code:
cd /usr/jails/WEBSERVER2/
then once inside I type in:
Code:
pkg install nginx
I wanted to see if the install command would install inside the jail; apparently it did.
To work "inside" the jail, just changing to the directory on the host system isn't enough. You have three options:
  • pkg(8) provides an option to run inside a specified jail with the -j option; have a look at the pkg(8) man page.
  • With ezjail, you can log in to the jail with ezjail-admin console <jailname>. You then have a command prompt "inside" the jail and can install packages or run any other command you like
  • You can use jexec(8) to run any command within the jail; have a look at the jexec(8) man page.
You didn't mention using any of these. If you didn't, you probably installed your package into the host system and not into your jail.
 
Re: Encryption and Jails, basic newbie questions

Hey, thanks.
- That procedure allowed me access inside the jail; using the command:
Code:
ezjail-admin console <jailname>
Then I typed in
and then
<my password>
I knew that I was inside the jail at that point, because it acted like a fresh install. I received the initial fresh install messages regarding what I needed to install before I could go further. Thus, the only small issue now appears to consist of the jail's inability to actually touch the internet. So now I'm thinking that I need to alter the jail's primary config file to allow the newly created IP address to be seen by the router. Once the router and the jail IP can communicate, I should be able to load all the apps and packages into the jail. Now I realize that I'm almost done, so I'll be reading up on the jail config files. I think adjusting a few settings inside the config file is the step that I missed.
 
Re: Encryption and Jails, basic newbie questions

Ok, I created another jail by using the command ezjail-admin create WEBSERVERXX2 'fxp0/192.168.1.131' and then after it created the jail, I received this error message
Code:
Warning: IP fxp0/192.168.1.131 not configured on a local interface.
Warning: Some services already seem to be listening on all IP, (including fxp0/192.168.1.131)
This may cause some confusion, here they are:
root     Xorg       2586  1  tcp6   *:6000                *:*
root     Xorg       2586  3  tcp4   *:6000                *:*
root     sshd       1683  3  tcp6   *:22                  *:*
root     sshd       1683  4  tcp4   *:22                  *:*
www      nginx      1421  6  tcp4   *:80                  *:*
root     nginx      1419  6  tcp4   *:80                  *:*
root     amd        1243  5  udp4   *:1023                *:*
root     amd        1243  6  udp4   *:1022                *:*
root     amd        1243  7  tcp4   *:811                 *:*
root     amd        1243  8  udp4   *:765                 *:*
root     rpcbind    1233  6  udp6   *:111                 *:*
root     rpcbind    1233  7  udp6   *:719                 *:*
root     rpcbind    1233  8  tcp6   *:111                 *:*
root     rpcbind    1233  9  udp4   *:111                 *:*
root     rpcbind    1233  10 udp4   *:846                 *:*
root     rpcbind    1233  11 tcp4   *:111                 *:*
root     syslogd    1085  6  udp6   *:514                 *:*
root     syslogd    1085  7  udp4   *:514                 *:*
All the tutorials and walk-throughs I have found seem to point to the fact I may need to adjust my pf config file or adjust the /etc/resolv.conf And apparently "the /etc/rc.conf must contain the same ifconfig_xxx="DHCP" statements as used in the host to connect to the public network." - according to one internet source at: http://daemonforums.org/showthread.php?t=4692
I'm going to go inside the jails and look around and see if that will work. Does anyone, based on what I've posted thus far, agree or disagree? I'm open minded, and at this point I am willing to try any technique. Also, according to its primary critics, I didn't realize that ezjail seems to lack in certain documentation. I'm not arguing that point, because obviously it works; hence, I'm simply missing a step, and then I'm finished. That much I realize.
 
Re: Encryption and Jails, basic newbie questions

nate88 said:
Ok, I created another jail by using the command ezjail-admin create WEBSERVERXX2 'fxp0/192.168.1.131'
It should be a pipe character (|) not a slash.
ezjail-admin create WEBSERVERXX2 'fxp0|192.168.1.131'
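To turn @asteriskRoss's advice above (pick a jail address on the host's subnet but outside the router's DHCP pool) and @SirDice's pipe-versus-slash correction into something you can run before ezjail-admin create, here is an added example in POSIX sh. It is not ezjail's code and does not come from any post in this thread; the host address 192.168.1.10/24, the interface fxp0 and the DHCP pool 192.168.1.100-254 are placeholders taken from the numbers used in the thread, and the function names ip2int and check_jail_spec are my own.

```shell
#!/bin/sh
# Added example (not from the thread, not ezjail code): sanity-check the
# 'IFACE|ADDR' argument before running ezjail-admin create. Plain POSIX sh,
# no jail tools required, so it can be tried on any machine.
#
# Assumptions (mine, not the thread's): the LAN is one IPv4 subnet given as
# HOST_IP/PREFIX, and the router hands out leases from one contiguous pool
# DHCP_START..DHCP_END. The numbers in the demo are placeholders.

ALLONES=4294967295   # 0xFFFFFFFF, kept decimal for portability

# ip2int DOTTED_QUAD: print the address as a 32-bit integer, or print
# nothing and return 1 unless it is four decimal octets in 0..255.
ip2int() {
    _ifs=$IFS; IFS=.; set -f
    set -- $1
    set +f; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    _n=0
    for _o in "$@"; do
        case $_o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;   # decimal, no leading zero
            *) return 1 ;;
        esac
        [ "$_o" -le 255 ] || return 1
        _n=$(( (_n << 8) | _o ))
    done
    echo "$_n"
}

# check_jail_spec 'IFACE|ADDR' HOST_IP/PREFIX DHCP_START DHCP_END
# Print a verdict; return 0 only if ADDR is usable for a jail on this LAN.
check_jail_spec() {
    spec=$1 hostcidr=$2 dstart=$3 dend=$4
    case $spec in
        *'|'*) ;;
        */*)   echo "REJECT '$spec': ezjail wants IFACE|ADDR with a pipe, not a slash"; return 1 ;;
        *)     echo "REJECT '$spec': expected IFACE|ADDR"; return 1 ;;
    esac
    iface=${spec%%|*}; addr=${spec#*|}
    [ -n "$iface" ] || { echo "REJECT '$spec': empty interface name"; return 1; }

    hostip=${hostcidr%/*}; prefix=${hostcidr#*/}
    case $prefix in ''|*[!0-9]*) prefix=99 ;; esac
    [ "$hostcidr" != "$hostip" ] && [ "$prefix" -le 32 ] ||
        { echo "REJECT: host must be given as IP/PREFIX, e.g. 192.168.1.10/24"; return 1; }

    a=$(ip2int "$addr")   || { echo "REJECT '$addr': not an IPv4 address"; return 1; }
    h=$(ip2int "$hostip") || { echo "REJECT '$hostip': not an IPv4 address"; return 1; }
    s=$(ip2int "$dstart") || { echo "REJECT '$dstart': not an IPv4 address"; return 1; }
    e=$(ip2int "$dend")   || { echo "REJECT '$dend': not an IPv4 address"; return 1; }

    mask=$(( (ALLONES << (32 - prefix)) & ALLONES ))
    net=$(( h & mask ))
    bcast=$(( net | (~mask & ALLONES) ))

    if [ $(( a & mask )) -ne "$net" ]; then
        echo "REJECT '$addr': not on the host's subnet $hostcidr, so the router will not see it"; return 1
    elif [ "$a" -eq "$h" ]; then
        echo "REJECT '$addr': that is the host's own address"; return 1
    elif [ "$a" -eq "$net" ] || [ "$a" -eq "$bcast" ]; then
        echo "REJECT '$addr': network or broadcast address"; return 1
    elif [ "$a" -ge "$s" ] && [ "$a" -le "$e" ]; then
        echo "REJECT '$addr': inside the DHCP pool $dstart-$dend, a lease could collide with it"; return 1
    fi
    echo "OK: $addr on $iface is on $hostcidr and outside the DHCP pool"
}

# Demo with the thread's numbers. The pool 192.168.1.100-254 is the example
# @asteriskRoss gave, not a fact about any real router.
for spec in 'fxp0/192.168.1.131' 'fxp0|192.168.1.131' 'fxp0|10.0.1.4' 'fxp0|192.168.1.11'; do
    check_jail_spec "$spec" 192.168.1.10/24 192.168.1.100 192.168.1.254 || :
done
```

Run it with sh on any FreeBSD or Linux box; it needs no jail tools. One thing it makes visible: the 192.168.1.131 from the post would sit inside the example pool, which is exactly the lease collision the advice above is meant to avoid; whether it does on your router depends on that router's pool settings, so substitute the real ones.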
 
Re: Encryption and Jails, basic newbie questions

It should be a pipe character (|) not a slash.
Thank you SirDice. Apparently my last issue was the mistype on my end lol. I can now see the correctly configured jails.
 
Re: Encryption and Jails, basic newbie questions

Thanks, @SirDice -- well spotted.

@nate88, to fix the cause of the warning you received about services listening on all addresses, you need to configure each of those services to listen only on the IP address(es) you are using for the host, not those assigned to the jails. For example, from the man page for sshd_config(5), referring to sshd(8)'s configuration file /etc/ssh/sshd_config:
Code:
ListenAddress
        Specifies the local addresses sshd(8) should listen on. The following forms may be used:

            ListenAddress host|IPv4_addr|IPv6_addr
            ListenAddress host|IPv4_addr:port
            ListenAddress [host|IPv6_addr]:port

        If port is not specified, sshd will listen on the address and all prior Port options specified. The default is to listen on all local addresses.

For Xorg, unless you need to allow remote connections (if you don't know, then you probably don't), you should start it with the -nolisten tcp parameter as described in the XSERVER man page. If you use a graphical login manager to start Xorg, the configuration file for that is the likely place to look for the configuration setting. I use x11/xdm, where the line is in the Xservers configuration file.
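The warning listing nate88 posted is itself the to-do list: every `*:PORT` line is a daemon that will also grab the jail's address once it is configured on the interface. As an added example (not from the thread, not ezjail or FreeBSD code), this POSIX sh script picks those lines out of sockstat(1)-style output and prints, per daemon, where to pin it to the host address. The sample input is the listing from the ezjail warning above; the function names (wildcard_listeners, bind_hint, report, count_lines) and the host address 192.168.1.10 are mine, and the option names in the hints are ones I know from FreeBSD's man pages, to be checked against your own release.

```shell
#!/bin/sh
# Added example (not from the thread): find sockets bound to the wildcard
# address in sockstat(1)-style output, i.e. the ones ezjail warned about,
# and print a hint for pinning each daemon to the host address.
#
# Assumptions (mine): columns are USER COMMAND PID FD PROTO LOCAL-ADDRESS
# FOREIGN-ADDRESS as in the warning above; hints name options that exist on
# FreeBSD (sshd_config ListenAddress, nginx listen, Xorg -nolisten tcp,
# rpcbind -h, syslogd -ss, amd_enable) but verify them on your release.

# sample_sockstat: the listing from the ezjail warning in this thread.
sample_sockstat() {
cat <<'EOF'
root     Xorg       2586  1  tcp6   *:6000                *:*
root     Xorg       2586  3  tcp4   *:6000                *:*
root     sshd       1683  3  tcp6   *:22                  *:*
root     sshd       1683  4  tcp4   *:22                  *:*
www      nginx      1421  6  tcp4   *:80                  *:*
root     nginx      1419  6  tcp4   *:80                  *:*
root     amd        1243  5  udp4   *:1023                *:*
root     amd        1243  6  udp4   *:1022                *:*
root     amd        1243  7  tcp4   *:811                 *:*
root     amd        1243  8  udp4   *:765                 *:*
root     rpcbind    1233  6  udp6   *:111                 *:*
root     rpcbind    1233  7  udp6   *:719                 *:*
root     rpcbind    1233  8  tcp6   *:111                 *:*
root     rpcbind    1233  9  udp4   *:111                 *:*
root     rpcbind    1233  10 udp4   *:846                 *:*
root     rpcbind    1233  11 tcp4   *:111                 *:*
root     syslogd    1085  6  udp6   *:514                 *:*
root     syslogd    1085  7  udp4   *:514                 *:*
EOF
}

# wildcard_listeners: stdin -> "COMMAND PROTO PORT", one line per distinct
# (daemon, protocol, port) bound to *:PORT. Sockets already bound to a
# specific address (e.g. 192.168.1.10:22) are left out.
wildcard_listeners() {
    awk '$6 ~ /^\*:[0-9]+$/ { split($6, a, ":"); print $2, $5, a[2] }' | sort -u
}

# count_lines: helper so results can be checked without wc(1)'s padding.
count_lines() { awk 'END { print NR }'; }

# bind_hint COMMAND HOSTADDR: where to tell COMMAND to listen on HOSTADDR only.
bind_hint() {
    case $1 in
        sshd)    echo "sshd: set 'ListenAddress $2' in /etc/ssh/sshd_config" ;;
        nginx)   echo "nginx: use 'listen $2:80;' (not 'listen 80;') so the jail's nginx can take its own :80" ;;
        Xorg)    echo "Xorg: start the X server with '-nolisten tcp'" ;;
        rpcbind) echo "rpcbind: rpcbind_flags=\"-h $2\" in rc.conf, or rpcbind_enable=\"NO\" if NFS is unused" ;;
        syslogd) echo "syslogd: syslogd_flags=\"-ss\" in rc.conf unless you receive remote logs" ;;
        amd)     echo "amd: amd_enable=\"NO\" in rc.conf unless you use the NFS automounter" ;;
        *)       echo "$1: check its man page for a bind/listen address option" ;;
    esac
}

# report HOSTADDR: stdin -> one hint per daemon found by wildcard_listeners.
report() {
    wildcard_listeners | awk '{ print $1 }' | sort -u | while read -r cmd; do
        bind_hint "$cmd" "$1"
    done
}

# Demo on the thread's listing; 192.168.1.10 is a placeholder host address.
echo "== wildcard listeners =="
sample_sockstat | wildcard_listeners
echo "== what to change =="
sample_sockstat | report 192.168.1.10
```

On the live box you would feed it `sockstat -l | report <host-ip>` instead of the sample function. Note that the two nginx lines collapse to one: the host's nginx on `*:80` is the one that would fight the jail's nginx for port 80, which is why the hint binds it to the host address rather than the port alone.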
 