Chrooted jails go a long way toward increasing the security of programs running on your system. On FreeBSD, setting up a jail environment is easy.
Two points need attention. Each jail must have its own IP address, so you may need to add a NIC (network interface card) if you need more addresses. Also, if a daemon on your host listens on all IP addresses, it will keep the jail from starting properly. Use the sockstat command to see which daemons are listening; if any of them listen on all addresses, reconfigure them to listen on one specific IP.
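The check described above, as an added example that is not part of the original article: a small shell filter that reads `sockstat -4l` output and reports every daemon bound to the wildcard address (`*:port`), since those are the sockets that would collide with a jail bound to its own IP. The sockstat lines embedded below are constructed sample output in the FreeBSD column layout, not captured from a real host.

```shell
# Constructed sample of `sockstat -4l` output (not real host data).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   3  tcp4   *:22                  *:*
root     sendmail   355   4  tcp4   127.0.0.1:25          *:*
daemon   portmap    221   4  udp4   *:111                 *:*
root     httpd      410   16 tcp4   192.168.1.10:80       *:*'

# wildcard_listeners: read sockstat -4l output on stdin and print one
# "COMMAND PROTO PORT" line for every socket whose local address is *:port.
# Field 6 is the LOCAL ADDRESS column; the header line (NR == 1) is skipped.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { split($6, a, ":"); print $2, $5, a[2] }'
}

# count_wildcard_listeners TEXT: how many wildcard-bound sockets TEXT contains.
count_wildcard_listeners() {
    printf '%s\n' "$1" | wildcard_listeners | wc -l | tr -d ' '
}

# On a real host run:  sockstat -4l | wildcard_listeners
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
```

With the sample above the filter reports sshd on tcp4/22 and portmap on udp4/111; sendmail and httpd are already bound to a single address and pass. For sshd the fix is a `ListenAddress` line in sshd_config naming the host's own IP, so that the jail's sshd can bind to 192.168.1.199 without conflict.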
1. Kernel options
A jail is governed by three sysctl settings:
jail.set_hostname_allowed
jail.socket_unixiproute_only
jail.sysvipc_allowed
In most cases they are set to 0, but that will bring a lot of trouble, so set them to the more secure values!
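The following is an added example, not code from the original article: a shell audit that compares the three jail sysctls against their restrictive values and prints the lines that would tighten them. The restrictive values are taken from the FreeBSD 4.x jail(8) semantics of these knobs (a jail may not change its hostname, jailed sockets are limited to the unix, inet and route domains, and System V IPC is not reachable from the jail); the sysctl output embedded below is constructed sample data.

```shell
# Constructed sample of `sysctl jail` output plus one unrelated knob.
SAMPLE_SYSCTL='jail.set_hostname_allowed: 1
jail.socket_unixiproute_only: 1
jail.sysvipc_allowed: 1
kern.securelevel: -1'

# recommended_value NAME: print the restrictive value for one of the three
# jail knobs (FreeBSD 4.x jail(8) semantics); fail for any other name.
recommended_value() {
    case "$1" in
        jail.set_hostname_allowed)    echo 0 ;;   # jail may not rename itself
        jail.socket_unixiproute_only) echo 1 ;;   # only unix/inet/route sockets
        jail.sysvipc_allowed)         echo 0 ;;   # no System V IPC from the jail
        *) return 1 ;;
    esac
}

# audit_jail_sysctls: read "name: value" lines on stdin (sysctl's output
# format) and report every jail knob that is laxer than recommended.
audit_jail_sysctls() {
    while read -r name value; do
        name=${name%:}                                   # strip the trailing colon
        want=$(recommended_value "$name") || continue    # skip unrelated knobs
        [ "$value" = "$want" ] || echo "$name is $value, set to $want"
    done
    return 0
}

# sysctl_conf_fixes: same input; print name=value lines for /etc/sysctl.conf
# (the same form works with `sysctl -w name=value` on a running system).
sysctl_conf_fixes() {
    audit_jail_sysctls | awk '{ print $1 "=" $6 }'
}

# count_lax_jail_sysctls TEXT: number of knobs in TEXT that need tightening.
count_lax_jail_sysctls() {
    printf '%s\n' "$1" | audit_jail_sysctls | wc -l | tr -d ' '
}

# On a real host run:  sysctl jail | audit_jail_sysctls
printf '%s\n' "$SAMPLE_SYSCTL" | audit_jail_sysctls
printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_conf_fixes
```

With the constructed sample, set_hostname_allowed and sysvipc_allowed are flagged and socket_unixiproute_only passes; the unrelated kern.securelevel line is ignored. Putting the emitted name=value lines in /etc/sysctl.conf makes the setting survive a reboot.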
2. The source tree
You need the source tree (src tree) installed. For better security you will of course want your jail on its own partition.
Below are the specific steps for building a chroot jail on the /jailed partition:
(1). Build and install the world into the jail:
# make world DESTDIR=/jailed
# make installworld DESTDIR=/jailed
(2). Now set up the jail's /etc:
# cd /usr/src/etc
# make distribution DESTDIR=/jailed NO_MAKEDEV_RUN=yes
(3). Set up /dev:
# cd /jailed/dev
# sh MAKEDEV jail
[Note]: Many programs look for the kernel at /kernel, so you need to fake one inside your jail:
# cd /jailed
# ln -sf dev/null kernel
(4). Give the jail an IP:
# ifconfig xl0 alias 192.168.1.199
and add to /etc/rc.conf:
ifconfig_xl0_alias0="192.168.1.199"
so that it is configured automatically at boot.
(5). Mount a procfs inside the jail:
# mount -t procfs proc /jailed/proc
Now you can use the jail command to start the jail:
# jail /jailed myjailedhost 192.168.1.199 /bin/bash
Inside the jail you must also do the following:
a. Create the file /jailed/etc/rc.conf with this content:
portmap_enable="no"
network_interfaces=""
sshd_enable="YES"
b. # touch /etc/fstab
c. If you run sendmail, you need: # newaliases
d. Set the jail's root password: # passwd
Everything is now set up, but when you exit the shell the jail goes away with it, so you need a script that keeps it running; write it as /usr/local/etc/rc.d/jail.sh.
To stop the jail:
# /bin/sh /usr/local/etc/rc.d/jail.sh stop
# /bin/sh /etc/rc.shutdown
# kill -15 -1 (DON'T DO THIS ON A NON-JAILED SERVER =P)
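An added example of the start/stop script the article asks for at /usr/local/etc/rc.d/jail.sh; it is not the article's own script. The path /jailed, the hostname myjailedhost and the IP 192.168.1.199 are the article's values, and the choice to boot the jail by running its /etc/rc (so the daemons enabled in /jailed/etc/rc.conf come up without an interactive shell that would tear the jail down on exit) and to stop it with /etc/rc.shutdown followed by kill -15 -1 inside the jail, as in the stop steps above, is an assumption of this example.

```shell
#!/bin/sh
# Added example rc.d script for a FreeBSD 4.x-style jail (not the article's).
# Values below come from the article; running /etc/rc and /etc/rc.shutdown
# as the jail's init and shutdown is this example's assumption.
JAIL_ROOT=/jailed
JAIL_HOST=myjailedhost
JAIL_IP=192.168.1.199

# jail_start_cmd: the command that boots the jail by running its /etc/rc
# instead of a login shell, so the jail outlives the administrator's session.
jail_start_cmd() {
    echo "jail $JAIL_ROOT $JAIL_HOST $JAIL_IP /bin/sh /etc/rc"
}

# jail_stop_cmd: run the jail's rc.shutdown, then signal every process still
# inside the jail. kill -15 -1 is confined to the jail only because it runs
# from inside it, which is why the article warns never to run it on the host.
jail_stop_cmd() {
    echo "jail $JAIL_ROOT $JAIL_HOST $JAIL_IP /bin/sh -c '/etc/rc.shutdown; kill -15 -1'"
}

# jail_rc {start|stop}: the rc.d entry point. Start mounts the jail's procfs
# (article step 5) before booting it; stop unmounts it after the teardown.
jail_rc() {
    case "$1" in
        start)
            mount -t procfs proc "$JAIL_ROOT/proc"
            eval "$(jail_start_cmd)"
            ;;
        stop)
            eval "$(jail_stop_cmd)"
            umount "$JAIL_ROOT/proc"
            ;;
        *)
            echo "usage: $0 {start|stop}" >&2
            return 1
            ;;
    esac
}

# Dispatch only when invoked with an argument, so sourcing the file for
# inspection starts nothing.
if [ $# -gt 0 ]; then
    jail_rc "$1"
fi
```

Installed as /usr/local/etc/rc.d/jail.sh and made executable, the script is run with `start` by rc at boot (after the ifconfig_xl0_alias0 line in /etc/rc.conf has brought up the jail's address) and with `stop` from the command line as shown above.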