I'm setting up a server where I plan to use Jails to improve security. I also have installed and am configuring ipfilter. Here are my questions:

Because I'm using Jails, I will have to have multiple ip aliases on the network interface. I will use ipfilter to specify what can go to each of the addresses (e.g., allow only incoming to port 80 on the jail running apache).

Another jailed server will run mail services (pop, smtp, imap). If I want to allow users to use web based email (over ssl of course), the web server will have to communicate with the mail server. Is there a chance of "information leakage" in this type of setup?

Finally, I'd like to use SSL to offer secure web connections & secure email without having to buy two certificates. Am I getting too cute if I accept ssl connections on one ip address and use stunnel to route them to the appropriate jailed server?
V. Jones wrote:

> I'm setting up a server where I plan to use Jails to improve security
> I also have installed and am configuring ipfilter. Here are my
> questions:
>
> Because I'm using Jails, I will have to have multiple ip aliases on the
> network interface. I will use ipfilter to specify what can go to each
> of the addresses. (e.g., allow only incoming to port 80 on the jail
> running apache).

You don't have to have multiple IP aliases for multiple jails. Or at least there is no technical necessity for this (in FreeBSD 4.x, that is, don't know about 5.x). If it's just about running server processes in their own jail (no port number conflicts) you can have all jails on the same IP address and do the IP filtering (if necessary at all in this scenario) based on port numbers.

> Another jailed server will run mail services (pop, smtp, imap). If
> I want to allow users to use web based email (over ssl of course), the
> web server will have to communicate with the mail server. Is there
> a chance of "information leakage" in this type of setup?

Only the information you transmit will leak. That is, you define the information interchange between the jails, so pondering over the consequences is on your plate, too. Just assume that each jail has been broken into by an intruder with evil intentions and ask yourself what damage he can do with the data he can gather from the other jails. Paranoia in action, as it were. ;-)

> Finally, I'd like to use SSL to offer secure web connections & secure email
> without having to buy two certificates. Am I getting too cute if I accept
> ssl connections on one ip address and use stunnel to route them to the
> appropriate jailed server?

In case of all jails on one IP address this problem goes away, too. You could define a generic domain name for the SSL stuff, for instance 'secure.domain.tld', get a certificate for that and use it for web as well as email and other purposes.

Uwe
-- 
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net
> You don't have to have multiple IP aliases for multiple jails. Or at
> least there is no technical necessity for this (in FreeBSD 4.x, that is,
> don't know about 5.x). If it's just about running server processes in
> their own jail (no port number conflicts) you can have all jails on the
> same IP address and do the IP filtering (if necessary at all in this
> scenario) based on port numbers.

Okay, I didn't realize I could run more than one jail on one ip address. I guess if I needed ssh on each jailed server I could just make sure the port number is unique.

> > Finally, I'd like to use SSL to offer secure web connections & secure email
> > without having to buy two certificates. Am I getting too cute if I accept
> > ssl connections on one ip address and use stunnel to route them to the
> > appropriate jailed server?
>
> In case of all jails on one IP address this problem goes away, too. You
> could define a generic domain name for the SSL stuff, for instance
> 'secure.domain.tld', get a certificate for that and use it for web as
> well as email and other purposes.
>
> Uwe

This confuses me - doesn't the host name have to match the certificate? Can two jails have the same host name too?

-- 
Valen Jones
> >> You don't have to have multiple IP aliases for multiple jails. Or at
> >> least there is no technical necessity for this (in FreeBSD 4.x, that is,
> >> don't know about 5.x). If it's just about running server processes in
> >> their own jail (no port number conflicts) you can have all jails on the
> >> same IP address and do the IP filtering (if necessary at all in this
> >> scenario) based on port numbers.
> >
> > Okay, I didn't realize I could run more than one jail on one ip address.
> > I guess if I needed ssh on each jailed server I could just make sure the
> > port number is unique.
>
> True, sshd would cause a port conflict. Since you cannot inject
> processes into already running jails in FreeBSD 4.x you better have an
> sshd in each of them. I agree that different port numbers would be the
> way to go here.
>
> >>> Finally, I'd like to use SSL to offer secure web connections & secure
> >>> email without having to buy two certificates. Am I getting too cute if I
> >>> accept ssl connections on one ip address and use stunnel to route them to
> >>> the appropriate jailed server?
> >>
> >> In case of all jails on one IP address this problem goes away, too. You
> >> could define a generic domain name for the SSL stuff, for instance
> >> 'secure.domain.tld', get a certificate for that and use it for web as
> >> well as email and other purposes.
> >>
> >> Uwe
> >
> > This confuses me - doesn't the host name have to match the certificate?
> > Can two jails have the same host name too?
>
> Two jails can have the same name. With
>
>     sysctl jail.set_hostname_allowed=[01]
>
> you can even configure whether you can set the host names from the
> inside, to whatever you want.
>
> Apart from this, a server's host name isn't really important for most
> services and daemons. You can usually set the names under which they
> are supposed to operate in their respective config files. This is
> certainly true for Apache, while POP3/IMAP4 daemons usually don't care
> about the host name they get contacted with. There it is just important
> that you use 'secure.domain.tld' on the client side, in order to match
> the certificate's domain name. And for SMTP you can point the DNS MX
> records to 'secure.domain.tld'. All this has nothing to do with the
> host name used for the respective jail.
>
> Hope this wasn't too confusing.
>
> Uwe

Okay, thanks. I'll have to do some experimenting and see how it works.
> No, no, no!
>
> You first need to realize how the kernel will choose the listen socket.
> If you bind to port 22 on the main host with INADDR_ANY, you get this
> INADDR_ANY, but if you bind to port 22 in a jail even with INADDR_ANY
> it will be translated to the jail's ip. Now if there is an open port outside
> the jail and inside some jail it is opened as well, guess which socket will
> be chosen. The socket in the jail, because it isn't INADDR_ANY (as I said the kernel
> translates them to the jail's ip). So from a security point of view if someone
> breaks into your jail, he is able to spoof your sshd (let's forget
> for a moment about server keys), your mail server or anything
> and get your password for example.
>
> You can check my patch for multiple ips in jails which also fixes
> the sockets ordering behaviour.
>
> For FreeBSD 4.x:
> http://garage.freebsd.pl/mijail.tbz
> http://garage.freebsd.pl/mijail.README
>
> For FreeBSD 5.1-CURRENT:
> http://garage.freebsd.pl/mijail5.tbz
> http://garage.freebsd.pl/mijail5.README
> http://garage.freebsd.pl/patches/mijail5.patch

I have a feeling you're trying to tell me something important but I'm not understanding. Is this a problem only with ssh or with any server listening on a port? Does this problem occur when you share an ip address between two jailed servers or does it happen any time you use a jail? Would having ssh on a different port on each jail avoid the problem?
> > No, no, no!
> >
> > You first need to realize how the kernel will choose the listen socket.
> > If you bind to port 22 on the main host with INADDR_ANY, you get this
> > INADDR_ANY, but if you bind to port 22 in a jail even with INADDR_ANY
> > it will be translated to the jail's ip. Now if there is an open port outside
> > the jail and inside some jail it is opened as well, guess which socket will
> > be chosen. The socket in the jail, because it isn't INADDR_ANY (as I said the kernel
> > translates them to the jail's ip). So from a security point of view if someone
> > breaks into your jail, he is able to spoof your sshd (let's forget
> > for a moment about server keys), your mail server or anything else
> > and get your password for example.
>
> Good point. I forgot to mention that you should bind daemons running
> outside the jails explicitly to the server's IP address. This
> circumvents the problem you've pointed out. But I agree with you that
> people would be less likely to shoot themselves in the foot if the
> kernel took care of things in this situation.

Oh - okay. The directions I followed in "Absolute BSD" had me configure all Daemons so that they only listened on the main ip address. Is this what you guys are talking about? Actually, the book said the jailed server wouldn't even start if this wasn't done. For example, in my /etc/ssh/sshd_config:

    ListenAddress x.x.x.8
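The listen-socket ordering problem raised above (a host daemon bound to INADDR_ANY being shadowed, for the jail's address, by a daemon inside the jail that binds the same port) is easy to audit for. The following is an added example, not code from this thread or from any of its participants: it parses text shaped like FreeBSD `sockstat -4l` output (the column order USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS is assumed), lists every host-side listener still bound to `*`, and reports ports where such a wildcard listener coexists with an address-specific one. The sample output is constructed; 192.0.2.8 is assumed to be the host's own address and 192.0.2.9 a jail's address.

```python
"""Audit listeners for the INADDR_ANY-versus-jail shadowing problem.

Added example, not part of the original thread. Input is text in the shape
of `sockstat -4l` output; the sample below is constructed.
"""
from collections import defaultdict

# Constructed sample: the host's sshd (pid 312) is bound to the wildcard
# address, a jail's sshd (pid 540, assumed jail address 192.0.2.9) binds the
# same port explicitly, and sendmail is correctly bound to the assumed host
# address 192.0.2.8 only.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   4  tcp4   *:22                  *:*
root     sshd       540   4  tcp4   192.0.2.9:22          *:*
www      httpd      601   16 tcp4   192.0.2.9:80          *:*
root     sendmail   410   4  tcp4   192.0.2.8:25          *:*
root     syslogd    150   5  udp4   *:514                 *:*
"""


def parse_listeners(text):
    """Return a list of (command, proto, address, port) for each socket line.

    Header lines and anything without a numeric port are skipped.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        command, proto, local = fields[1], fields[4], fields[5]
        addr, _, port = local.rpartition(":")  # split on the last ':' only
        if not port.isdigit():
            continue
        rows.append((command, proto, addr, int(port)))
    return rows


def wildcard_listeners(text):
    """Listeners bound to '*' (INADDR_ANY).

    On the host these are the daemons that a jail can shadow for its own
    address by binding the same port; the fix discussed in the thread is an
    explicit bind (e.g. sshd's ListenAddress) to the host's address.
    """
    return [(cmd, proto, port)
            for cmd, proto, addr, port in parse_listeners(text)
            if addr == "*"]


def shadowed_ports(text):
    """Ports where a wildcard listener coexists with an address-specific one.

    The kernel prefers the specific binding for that address, so a connection
    to the jail's address on this port reaches the jail's daemon, not the
    host's.
    """
    addrs_by_socket = defaultdict(set)
    for _, proto, addr, port in parse_listeners(text):
        addrs_by_socket[(proto, port)].add(addr)
    return sorted(port for (_, port), addrs in addrs_by_socket.items()
                  if "*" in addrs and len(addrs) > 1)


def report(text, host_ip):
    """Human-readable findings; host_ip is the address daemons should bind to."""
    lines = []
    for cmd, proto, port in wildcard_listeners(text):
        lines.append(f"{cmd} ({proto}) listens on *:{port}; "
                     f"bind it to {host_ip} instead")
    for port in shadowed_ports(text):
        lines.append(f"port {port}: wildcard listener is shadowed by an "
                     f"address-specific one")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_SOCKSTAT, "192.0.2.8"):
        print(finding)
```

Run it against real `sockstat -4l` output on the host (outside any jail) to see which daemons still need an explicit bind address; the `ListenAddress` line quoted above is the sshd side of that fix.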