From: Aleksandr Miroslav
To: freebsd-questions@freebsd.org
Date: Wed, 2 Dec 2015 21:44:01 -0800
Subject: best practice for locking down private jail?

So I'm setting up a server for a friend who wants to upload audio files and have them served up via http. i.e. He uploads lecture.mp3 to example.org, and wants people to be able to access it via http://example.org/audio/lecture.mp3.

He's somewhat tech savvy, but I'm being super paranoid about security, so this is what I did:

- set up a server, example.org, with a public IP, FreeBSD 10.2
- on this server, I set up a jail with a private IP
- set up a pf rdr rule so that example.org:2222 goes to private-ip-of-jail:22, so he can only access the jail via ssh
- inside the jail, I set up sshd to only allow his user (AllowUsers joeblow), and disabled passwords, so he can only access the machine with an ssh key
- he will upload his files to his home directory (within the private jail), and put it in some directory, e.g. ~joeblow/audiofiles
- from the example.org machine, outside the jail, I set up httpd to serve files only from /usr/jails/privatejail/usr/home/joeblow/audiofiles

I've set up everything but the last step (httpd), and I will get that last bit working shortly.

For what I want to do, does this look like an okay setup? Is there anything else I can do to lock this setup down?

I figure in the worst case scenario, someone steals his ssh key and the worst damage they can do is delete the files he's uploaded (I'm taking backups so not too worried about that), or upload files to the server that is http accessible -- can I tell Apache to only serve up mp3 files of name lecture-num.mp3 or something like that?

Any thoughts or suggestions appreciated.

Thanks
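
One way to express the file name restriction asked about above, as an added example that is not part of the original post. It assumes Apache httpd 2.4 running on the host and uses the paths and the lecture-num.mp3 naming given in the message.

```apache
# Added example; assumes Apache httpd 2.4 on the host (outside the jail).
# The paths and the lecture-<num>.mp3 pattern come from the message above.
Alias "/audio/" "/usr/jails/privatejail/usr/home/joeblow/audiofiles/"

<Directory "/usr/jails/privatejail/usr/home/joeblow/audiofiles">
    # No directory listings, no symlink following, no CGI or includes.
    # A symlink created inside the jail is resolved by this httpd against
    # the host's filesystem, so it must not be followed. The httpd
    # documentation notes that the symlink check is subject to race
    # conditions, so the httpd user should also be unable to read
    # anything sensitive on the host.
    Options None

    # Ignore any .htaccess file the jail user uploads.
    AllowOverride None

    # Default for everything in this directory: refuse.
    Require all denied

    # Only file names of the form lecture-<digits>.mp3 are served.
    <FilesMatch "^lecture-[0-9]+\.mp3$">
        Require all granted
        # Always label the response as audio, whatever the bytes are.
        ForceType audio/mpeg
    </FilesMatch>
</Directory>
```

The httpd user needs search permission on each directory in that path and read permission on the files, nothing more.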