Linked by Thom Holwerda on Wed 25th Apr 2007 10:15 UTC, submitted by FreeRhino
"Jailing is a mechanism to virtually change a system's root directory. By employing this method, administrators can isolate services so that they cannot access the real filesystem structure. You should run unsecured and sensitive network services in a chroot jail, because if a hacker can break into a vulnerable service he could exploit your whole system. If a service is jailed, the intruder will be able to see only what you want him to see - that is, nothing useful. Some of the most frequent targets of attack, which therefore should be jailed, are BIND, Apache, FTP, and SSH. SSHjail is a patch for the OpenSSH daemon. It modifies two OpenSSH files (session.c and version.h) and allows you to jail your SSH service without any need for SSH reconfiguration."
Thread beginning with comment 233856
To read all comments associated with this story, please click here.
To read all comments associated with this story, please click here.
Member since:
2006-05-19
With FreeBSD Jail you can have totally isolated operating system within host system and install/remove applications like in real standalone installation. You can even start multiple jails with different IP addresses for virtual hosting. This is common to have hundreds even thousands of jails running on one box and don't worry about break-in/out. One huge benefit is that you don't have virtualization overhead (emulation can take 20% of system capabilities) like with XEN/VMWare, whatever...
Unlike other fine-grained security solutions, Jail does not substantially increase the policy management requirements for the system administrator, as each Jail is a virtual FreeBSD environment permitting local policy to be independently managed, with much the same properties as the main system itself, making Jail easy to use for the administrator, and far more compatible with applications.
http://docs.freebsd.org/44doc/papers/jail/jail.html