[nycbug-talk] Apache, ftp, samba, etc....
Isaac Levy
ike
Sun Oct 2 18:15:27 EDT 2005
Hi Francisco, All,
On Oct 2, 2005, at 10:11 AM, Francisco Reyes wrote:
> On Sun, 2 Oct 2005, Marc Spitzer wrote:
>>> To protect in case someone breaks into apache/ftp?
>>>
>>
>> yes. With a script you can rebuild a jail, including saving all the
>> data (web site, etc.), and recover from an incident automatically.
>>
>
> Sounds like a good idea.
<snip>
>> and your tripwire (or mtree if you want to be BSDish (and who does
>> not)) should be running out of the main box that has not been
>> compromised.
That's OK, *but*, let me throw in the caveat that any process/daemon
which runs from a master jailing box, and so much as touches files in
a jail, is at risk of being compromised.
Not that I'm saying I know of any vuln. for tripwire in this case,
but it's worth saying here.
> I like that idea. Especially for files one does not expect to change.
> I already have a little script to use mtree to compare directories.
>
> How about CPU overhead?
> I like the concept of a jail, but in the past I always wondered if
> the extra complexity and CPU overhead were necessary for my needs.
> I think a current box I am setting up is the first time I think it
> makes sense.
Re. CPU overhead, it's VERY minimal for jailed systems, by design.
Jail is not a full-fledged virtual machine, so the resources soaked up
are simply whatever you end up running in the jail itself. Jailing is
different from Xen or VMware in this respect, as their virtualization
of memory and other hardware interfaces is comparatively much more
taxing, though in the context of the applications used, it's all
pretty moot... (3k vs. 300k is nothing on a machine with a gig of RAM ;)
> I will have both confidential services/data AND at the same time
> need to serve an app through http to the public. In an ideal world
> I would like two machines, but given how little load I expect to
> have on the machine it's hard to justify.
As an aside, jail(8) was used for the CTF competition at DefCon this
summer instead of many, many boxen, as I understand the competition
revolved around application-level exploits this year. (Read: jails
are securable.)
Rocket-
.ike
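The host-side mtree comparison discussed above, together with Ike's caveat that a host process touching jail files is itself exposed, as an added example (not the poster's script, and written in Python rather than with mtree(8)): the baseline is gathered with lstat and files are opened with O_NOFOLLOW so the host never follows a link out of the jail, and the sample jail tree is constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def sha256_nofollow(path):
    # O_NOFOLLOW|O_NONBLOCK: never follow a link or block on a FIFO swapped in by the jail
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    with os.fdopen(fd, "rb") as f:  # fdopen owns fd and closes it
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return None
        h = hashlib.sha256()
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
        return h.hexdigest()

def snapshot(root):
    """relpath -> (type, mode, uid, gid, digest or link target); lstat only."""
    root, spec = Path(root), {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = os.lstat(p)
            digest = (sha256_nofollow(p) if stat.S_ISREG(st.st_mode) else
                      os.readlink(p) if stat.S_ISLNK(st.st_mode) else None)
            spec[str(p.relative_to(root))] = (stat.S_IFMT(st.st_mode),
                stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, digest)
    return spec

def compare(baseline, current):
    """Return (added, removed, changed) path lists, like an mtree report."""
    return (sorted(current.keys() - baseline.keys()),
            sorted(baseline.keys() - current.keys()),
            sorted(p for p in baseline.keys() & current.keys()
                   if baseline[p] != current[p]))

def demo():
    # Constructed jail root: take a baseline, then tamper with it.
    with tempfile.TemporaryDirectory() as tmp:
        jail = Path(tmp, "jail")
        for d in ("usr/local/www", "etc"):
            (jail / d).mkdir(parents=True)
        (jail / "usr/local/www/index.html").write_text("<h1>hello</h1>")
        (jail / "etc/rc.conf").write_text('sshd_enable="NO"\n')
        os.symlink("/etc/passwd", jail / "etc/link")  # points outside the jail
        baseline = snapshot(jail)
        (jail / "etc/rc.conf").write_text('sshd_enable="YES"\n')  # changed
        (jail / "usr/local/www/extra.html").write_text("x")  # added
        return compare(baseline, snapshot(jail))
```

A real run would store the baseline on the host (not inside the jail) and diff a fresh snapshot against it from cron; the link to /etc/passwd is recorded by its target only and is never read.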