Date:      Wed, 2 Dec 2015 21:44:01 -0800
From:      Aleksandr Miroslav <alexmiroslav@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   best practice for locking down private jail?
Message-ID:  <CACcSE1yQO8AjW9rpY+d2p1-ArPbO4qKV0zcaCMyRhYEWLOpQGA@mail.gmail.com>

So I'm setting up a server for a friend who wants to upload audio
files and have them served up via http. i.e. He uploads lecture.mp3 to
example.org, and wants people to be able to access it via
http://example.org/audio/lecture.mp3.

He's somewhat tech savvy, but I'm being super paranoid about security,
so this is what I did:

- set up a server, example.org, with a public IP, FreeBSD 10.2
- on this server, I set up a jail with a private IP
- set up a pf rdr rule so that example.org:2222 goes to
private-ip-of-jail:22, so he can only access the jail via ssh
- inside the jail, I set up sshd to only allow his user (AllowUsers
joeblow), and disabled passwords, so he can only access the machine
with an ssh key
- he will upload his files to his home directory (within the private
jail), and put them in some directory, e.g. ~joeblow/audiofiles
- from the example.org machine, outside the jail, I set up httpd to
serve files only from
/usr/jails/privatejail/usr/home/joeblow/audiofiles

I've set up everything but the last step (httpd), and I will get that
last bit working shortly.

For what I want to do, does this look like an okay setup? Is there
anything else I can do to lock this setup down? I figure in the worst
case scenario, someone steals his ssh key and the worst damage they
can do is delete the files he's uploaded (I'm taking backups so not
too worried about that), or upload files to the server that are http
accessible -- can I tell Apache to only serve up mp3 files of name
lecture-num.mp3 or something like that?

Any thoughts or suggestions appreciated.

Thanks

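The last step the poster describes, an httpd on the host serving only a whitelist of file names out of the jail's filesystem, can be expressed directly in Apache configuration. The fragment below is an added example, not code from the original post or from any reply to it. It assumes Apache 2.4 syntax (the apache24 port), takes the directory path and the /audio/ URL prefix from the post, and reads the "lecture-num.mp3" wording as the pattern lecture-<digits>.mp3; adjust the regular expression if the real naming scheme differs.

```apache
# Added example (not from the original post): Apache 2.4 httpd.conf fragment
# for an httpd running on the host, outside the jail, as the post describes.
# Directory path and URL prefix come from the post; the filename pattern is
# an assumption based on the "lecture-num.mp3" wording.

# Deny everything on the filesystem that is not explicitly granted below.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Map http://example.org/audio/ onto the upload directory inside the jail.
Alias /audio/ /usr/jails/privatejail/usr/home/joeblow/audiofiles/

<Directory /usr/jails/privatejail/usr/home/joeblow/audiofiles>
    # The upload user controls this tree, so:
    #  - no directory listings (-Indexes)
    #  - never follow symlinks (-FollowSymLinks): httpd resolves links against
    #    the host's root, not the jail's, so a symlink placed here would
    #    otherwise expose host files
    #  - no server-side includes or CGI, whatever gets uploaded
    Options -Indexes -FollowSymLinks -Includes -ExecCGI

    # Ignore any .htaccess the user uploads.
    AllowOverride None

    # Default for anything in this directory: not served.
    Require all denied

    # Only names of the form lecture-<digits>.mp3 are served, and always
    # with a fixed type so the response never depends on file content.
    <FilesMatch "^lecture-[0-9]+\.mp3$">
        Require all granted
        ForceType audio/mpeg
    </FilesMatch>
</Directory>
```

Two practical notes on this layout: the httpd user (www on FreeBSD) needs search permission on every component of the path down to audiofiles, and nothing more, so the directory can stay read-only for httpd while the jail user keeps ownership; and with FollowSymLinks disabled Apache lstat()s each path component on every request, a small cost that buys the guarantee that only regular files under that one directory are ever served. Check the result with a request for a conforming name, a non-conforming name such as /audio/notes.txt, and /audio/ itself; only the first should return 200.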