From owner-freebsd-security@FreeBSD.ORG Mon May 8 12:11:10 2006
Date: Mon, 8 May 2006 14:10:55 +0200 (CEST)
Message-Id: <200605081210.k48CAtMj094360@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG, nospam@mgedv.net
In-Reply-To: <000101c67100$91e4fdc0$01010101@avalon.lan>
Subject: Re: Jails and loopback interfaces
User-Agent: tin/1.8.0-20051224 ("Ronay") (UNIX) (FreeBSD/4.11-STABLE (i386))

No@SPAM@mgEDV.net wrote:

> well, with your configurations i'm really concerned about the
> overlapping configurations of ip-addresses on the loopback-
> adapter.

That's standard.
It's completely normal to configure multiple IP addresses on the same
interface, no matter whether those addresses are from different subnets
or from the same subnet.

> lo0 is originally configured with 127/8 and i'm not sure, if
> there's not a chance to confuse something if you add ip's in
> the same range (127.0.1.1/32).

No. It's a standard configuration. There's no part of the system
that "confuses something".

> as far as i read on other posts
> about overlapping ip's it's not recommended

What other posts do you mean? I don't see any reference.

> (at least by some guys).

Then I guess those guys must be wrong.

> ifconfig lo1 plumb
> ifconfig lo1 10.10.10.1 netmask 255.255.255.252 up
> ... and so on for further jails?

Now _that_ is confusing, and it doesn't increase your security.

> also, the handling of 127/8 would be much clearer in the fw,
> as far as my understandings are.

Of course you should have appropriate packet filter rules to handle
all your traffic, including traffic on 127/8.

> to your security concerns about jailed processes, that are overtaken
> by hackers: my primary goal is not protecting the box (yes, we
> backup them ,-) ), it's more protecting the data on it.

In order to protect the data on it, you have to protect the box.
And a backup alone provides zero protection against attacks, and
doesn't secure your data. If your data is precious, then at the
very least you should use a host IDS (e.g. tripwire, or even mtree
which is in the base system).

> and if
> i have very good and tight jails and an attacker is able to eg.
> download all customer data by code injection on the http-frontend,
> i guess a less tight jail is one of my last problems!
> and the jail can be as tight as possible, if there's just one
> php-script that fails, all the jailing/fw-rules don't help, because
> the communication between ws<--->db has to work anyway.

Being able to download all data is one thing. Basically, you should
assume that all data on a web server is public. That's especially
true when you use bug-prone stuff like PHP.

However, being able to _modify_ data (e.g. "deface" a web site or
change database content) is another thing. I guess you do not want
that at all.

You are right that jails are not the best solution for all of those
problems. The main purpose of jails is to provide a way to isolate
and separate services from one another and from the host system, and
to minimize damage in the case that an attacker is able to exploit a
hole in one of the services.

You are right saying that _if_ there is a hole in a PHP script, the
jail won't protect the data which is accessible from within the jail.
But the jail _will_ protect all other data on the same machine
(provided that it is set up correctly with a reasonable plan and
design). That's what jails are all about. That's why it is a good
idea to make them as tight as possible. Using loopback IPs is one
step (of many) that can be useful for tightening them.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"[...] one observation we can make here is that Python makes an
excellent pseudocoding language, with the wonderful attribute
that it can actually be executed." -- Bruce Eckel
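As an added example (not from Oliver's message or anyone else in the thread), a POSIX shell script that turns the one-loopback-alias-per-jail layout discussed above into rc.conf alias lines plus the packet filter rules Oliver says should cover 127/8 traffic, so that only the ws jail can reach the db jail's port. It assumes pf as the packet filter, port 3306 for the ws-to-db connection, and a constructed two-jail list.

```shell
#!/bin/sh
# Added example: each jail sits on its own 127.0.1.x/32 alias of lo0.
# pf, the port number and the jail list below are assumptions, not
# anything the thread specifies.

DB_PORT=3306                      # assumed database port

# Constructed sample: one "name:address:role" record per line.
JAILS="ws:127.0.1.1:web
db:127.0.1.2:db"

# Look up a jail's loopback address by name.
jail_addr() {
    printf '%s\n' "$JAILS" | awk -F: -v j="$1" '$1 == j { print $2 }'
}

# One lo0 alias per jail.  Each is a /32 (netmask 255.255.255.255), so
# the aliases overlap 127/8 without forming a shared subnet among jails.
rc_conf_aliases() {
    n=0
    printf '%s\n' "$JAILS" | while IFS=: read -r name addr role; do
        printf 'ifconfig_lo0_alias%d="inet %s netmask 255.255.255.255"\n' \
            "$n" "$addr"
        n=$((n + 1))
    done
}

# pf rules for lo0: the ws jail may open the db port; every other packet
# between jail aliases is dropped; the host's own 127.0.0.1 is untouched.
# "quick" makes each rule final, so order matters: allow, then block.
pf_rules() {
    ws=$(jail_addr ws)
    db=$(jail_addr db)
    cat <<EOF
pass in quick on lo0 proto tcp from $ws to $db port $DB_PORT
block in quick on lo0 from 127.0.1.0/24 to 127.0.1.0/24
pass quick on lo0 from 127.0.0.1 to 127.0.0.1
EOF
}

# Render both fragments for review before copying them into place.
rc_conf_aliases
pf_rules
```

The rc.conf lines go into /etc/rc.conf and the pf lines into the filtering section of pf.conf, after which the host's existing rules still decide what 127/8 traffic the base system itself may send.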