appserverwithezjail [2014/10/02 14:18] (current)
admin created
This guide only applies if you are using a non-routable (private) IP address for a jail. If you have a publicly routable IP you can simply alias it to your network interface and skip the NAT and redirect steps below.

The following uses ezjail to set things up, but ezjail is not required: the network settings apply to any jail you set up. Following these instructions you should be able to get up and running in 5 to 10 minutes. I've included what to add to your config files, but you can configure and start everything from the shell without a reboot. Even though this guide uses ezjail I highly recommend reading the handbook section on jails so you have a solid understanding of what's going on.

**External Resources**
  *http://www.freebsd.org/doc/handbook/jails.html
  *http://www.freebsd.org/cgi/man.cgi?query=jail&sektion=8
  *http://erdgeist.org/arts/software/ezjail/

====== Installing Ezjail ======

<code>
cd /usr/ports/sysutils/ezjail/ && make install clean
man ezjail-admin
</code>

Read the ezjail-admin man page at the shell prompt to get a basic understanding of the commands before going on.

Now we're going to install the basejail that all jails you create will use.
<code>
ezjail-admin install
</code>

You can add a -P flag to have the ports collection installed in the basejail for all your jails to use. You can also add the ports collection to the basejail at a later time. The same -P flag makes ezjail-admin update refresh the basejail's ports collection using portsnap.

====== Creating a Jail ======
Next we'll create the jail for our webserver. The IP address given here must be configured on one of the host's interfaces before the jail is started; the next section takes care of that. (ezjail-admin also accepts the form lo1|10.1.1.1, in which case it adds the address to the named interface when the jail starts and removes it when the jail stops, see ezjail-admin(8); this guide configures the interface by hand instead.)

<code>
ezjail-admin create WEBSERVER 10.1.1.1
</code>
====== System Startup ======
Add the following to the host's rc.conf.

<box 100% round blue|/etc/rc.conf>
<code>
# Set up the interface all jails will use.
# Make sure this network (10.1.1.0/24) does not overlap any other network the host is on.
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.1.1.1 netmask 255.255.255.0"

# Future jails get aliases; aliases should always use a 255.255.255.255 netmask
#ifconfig_lo1_alias0="inet 10.1.1.2 netmask 255.255.255.255"

# Enable packet filtering (PF also does the NAT and port redirection)
pf_enable="YES"
pf_rules="/etc/pf.conf"

# Jails
ezjail_enable="YES"
</code>
</box>

To add the jail's IP to a cloned loopback interface right away, enter the following at the host's shell prompt (this is not required if you plan on rebooting once all your configuration files are set up). Without the rc.conf entries above the interface will not persist through a reboot.

<code>
ifconfig lo1 create
ifconfig lo1 inet 10.1.1.1 netmask 255.255.255.0
</code>
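Keeping the /24 netmask on the primary lo1 address and a /32 on every alias is the detail that breaks most often when jails are added later, and rc.conf gives no error for a wrong netmask. The following POSIX sh function is an added example and not part of the original page: it prints the rc.conf lines for a list of jail addresses and refuses any address that is not private (RFC 1918) or that lies outside the first address's /24. The interface name lo1 and the 10.1.1.x addresses are the page's illustrative values.

```shell
#!/bin/sh
# Added example, not part of the original page: print the rc.conf lines that
# put a set of jail addresses on a cloned loopback interface. The first
# address carries the /24 netmask (that is what $int_if:network in pf.conf is
# derived from); every further address is an ifconfig_<if>_aliasN entry with
# the /32 netmask rc.conf expects for aliases. The interface name and the
# 10.1.1.x addresses are illustrative.

# is_rfc1918 ADDR -> exit status 0 if ADDR is in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            second=${1#172.}
            second=${second%%.*}
            [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ]
            return $?
            ;;
    esac
    return 1
}

# gen_jail_rcconf IFACE IP [IP ...] -> rc.conf lines on stdout, status 1 on bad input
gen_jail_rcconf() {
    iface=$1
    shift
    first=$1
    net=${first%.*}                      # 10.1.1.1 -> 10.1.1

    # Validate everything before printing anything, so a bad address never
    # leaves a half-written fragment behind when the output is appended to rc.conf.
    for ip in "$@"; do
        is_rfc1918 "$ip" || { echo "gen_jail_rcconf: $ip is not a private address" >&2; return 1; }
        [ "${ip%.*}" = "$net" ] || { echo "gen_jail_rcconf: $ip is outside $net.0/24" >&2; return 1; }
    done

    echo "cloned_interfaces=\"$iface\""
    echo "ifconfig_${iface}=\"inet $first netmask 255.255.255.0\""
    shift
    n=0
    for ip in "$@"; do
        echo "ifconfig_${iface}_alias${n}=\"inet $ip netmask 255.255.255.255\""
        n=$((n + 1))
    done
}
```

Run it as gen_jail_rcconf lo1 10.1.1.1 10.1.1.2 10.1.1.3 and append the output to /etc/rc.conf; the first address is the one the pf.conf macro $int_if:network is derived from, which is why only it carries the /24.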

====== PF Firewall ======
Set up PF NAT. Change ext_if to match your external interface (check with ifconfig). $int_if:network expands to the network configured on lo1, 10.1.1.0/24 here, so every jail on that interface is NATed.

<box 100% round blue|/etc/pf.conf>
<code>
# INTERFACES
ext_if="em0"
int_if="lo1"
jailnet=$int_if:network

# NAT: traffic leaving the jail network gets the host's external address
nat on $ext_if from $jailnet to any -> ($ext_if)
</code>
</box>

Some useful PF commands to make sure everything is working and set up correctly:
<code>
pfctl -e                        Enable PF
pfctl -vnf /etc/pf.conf         Check /etc/pf.conf for errors, but do not load the ruleset
pfctl -F all -f /etc/pf.conf    Flush all rules (nat, filter, state, table, etc.) and reload from /etc/pf.conf
</code>

If you did not set up the network interface from the shell, you now need to reboot so FreeBSD loads all your changed configuration files.

====== Setting Up The Jail ======
Once all of the preceding is running we can enter the jail.

<code>
ezjail-admin console WEBSERVER
</code>

Set up the jail's resolv.conf (you can use different nameservers here). The host's /etc/resolv.conf can be copied into the jail if you don't want to use the Google nameservers; from the host the file lives at /usr/jails/WEBSERVER/etc/resolv.conf, /usr/jails being ezjail's default jail directory.

<box 100% round blue|/etc/resolv.conf (inside the jail; note that resolv has no trailing "e")>
<code>
# google nameservers
nameserver 8.8.8.8
nameserver 8.8.4.4
</code>
</box>

Your jail should have network access now. If not, type exit to return to the host's shell and make sure your NAT rules are loaded.
<code>
pfctl -s nat
</code>

If no rules are displayed, either PF isn't enabled or there is an error in your pf.conf. At the shell prompt type "pfctl -vnf /etc/pf.conf" to check your pf.conf for errors. If there are no errors, make sure PF is enabled with "pfctl -e". You should also remove any block rules from your pf.conf until the basic setup works, so they can't be the cause of the problem.

You can't ping from inside a jail because raw sockets are disabled there by default. If dig and whois work, the jail's network access is working. If you need ping for testing you can change the following setting on the host.

<code>
sysctl security.jail.allow_raw_sockets=1
</code>

The sysctl only sets the default for jails started afterwards, so you will need to restart the jail for the change to take effect. Make sure to disable raw sockets again once you are done testing: they let a process in the jail send and receive raw IP packets, which a webserver has no need for. On FreeBSD 8 and later the per-jail parameter allow.raw_sockets (see jail(8)) grants this to a single jail instead of changing the system-wide default.
<code>
sysctl security.jail.allow_raw_sockets=0
</code>

====== Redirecting Traffic To Jail ======
Now that all the basics are set up we can add a redirect for incoming traffic. This redirects ports 80 and 443 on the host to the jail running the webserver (change the ports to match whatever application runs in your jail).

<box 100% round blue|/etc/pf.conf>
<code>
# INTERFACES
ext_if="em0"
int_if="lo1"
jailnet=$int_if:network

# Name and IP of jails
WEBSERVER="10.1.1.1"

# NAT
nat on $ext_if from $jailnet to any -> ($ext_if)

# Redirect any packets arriving for port 80 or 443 to the jailed webserver
rdr pass on $ext_if inet proto tcp to port http -> $WEBSERVER port http
rdr pass on $ext_if inet proto tcp to port https -> $WEBSERVER port https
</code>
</box>

Note that the pass keyword on an rdr rule makes PF pass the redirected packets without running them through the filter rules. That is convenient while you have no filter rules, but once you add block rules to pf.conf, traffic matched by rdr pass will still get through. At that point switch to a plain rdr and an explicit pass in rule for the translated destination ($WEBSERVER port http), which the filter rules then apply to as usual. Reload with pfctl -F all -f /etc/pf.conf and confirm the redirects with pfctl -s nat.
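As an added example (not the page's own configuration), the following shell function generates the complete pf.conf for any number of jails from NAME:IP:PORTS descriptions. It emits the NAT rule from above and, instead of rdr pass, a plain rdr paired with an explicit pass in rule for the translated destination, so filter rules added later still apply to the forwarded traffic. The interfaces em0 and lo1, the jail names, addresses and ports are illustrative.

```shell
#!/bin/sh
# Added example, not from the original page: generate a pf.conf that NATs a
# loopback jail network out of the external interface and forwards chosen
# TCP ports to individual jails. It emits a plain rdr plus a matching
# "pass in" on the translated destination instead of "rdr pass", so that
# block rules added later still apply to the forwarded traffic.
# Interface names, jail names, addresses and ports are illustrative.
#
# usage: gen_pf_conf em0 lo1 WEBSERVER:10.1.1.1:80,443 > /etc/pf.conf.new \
#        && pfctl -nf /etc/pf.conf.new

# valid_port N -> exit status 0 if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_pf_conf EXT_IF INT_IF NAME:IP:PORT[,PORT...] ... -> pf.conf on stdout
gen_pf_conf() {
    ext_if=$1
    int_if=$2
    shift 2
    macros=""
    rdr_rules=""
    pass_rules=""
    for spec in "$@"; do
        case "$spec" in
            *:*:*) ;;
            *) echo "gen_pf_conf: expected NAME:IP:PORTS, got '$spec'" >&2; return 1 ;;
        esac
        name=${spec%%:*}
        rest=${spec#*:}
        ip=${rest%%:*}
        ports=${rest#*:}
        # the jail name becomes a pf macro, so it must be a plain identifier
        case "$name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*) echo "gen_pf_conf: bad jail name '$name'" >&2; return 1 ;;
        esac
        case "$ip" in
            ''|*[!0-9.]*) echo "gen_pf_conf: bad address '$ip' for $name" >&2; return 1 ;;
        esac
        macros="${macros}${name}=\"${ip}\"
"
        # split the comma-separated port list once, then restore IFS
        oldifs=$IFS
        IFS=,
        for port in $ports; do
            IFS=$oldifs
            valid_port "$port" || { echo "gen_pf_conf: bad port '$port' for $name" >&2; return 1; }
            rdr_rules="${rdr_rules}rdr on \$ext_if inet proto tcp to port $port -> \$$name port $port
"
            # after rdr the filter sees the jail address as the destination
            pass_rules="${pass_rules}pass in on \$ext_if inet proto tcp to \$$name port $port
"
        done
        IFS=$oldifs
    done
    printf '# interfaces\n'
    printf 'ext_if="%s"\n' "$ext_if"
    printf 'int_if="%s"\n' "$int_if"
    printf 'jailnet=$int_if:network\n\n'
    printf '# name and address of each jail\n%s\n' "$macros"
    printf '# nat: jail traffic leaves with the host address\n'
    printf 'nat on $ext_if from $jailnet to any -> ($ext_if)\n\n'
    printf '# redirects, each with a pass rule on the translated destination\n'
    printf '%s%s' "$rdr_rules" "$pass_rules"
}
```

Always run the generated file through pfctl -nf before loading it; a typo in a port list is rejected by the function, but only pfctl catches a mistake in the interface names.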

====== Jail Startup ======
With everything up and running we can further tweak the jail. All of the following is done inside the jail (ezjail-admin console WEBSERVER).

  *Create an empty /etc/fstab with touch /etc/fstab
  *Run newaliases to quell sendmail warnings.
  *Set a root password, which should differ from the host's (type passwd at the jail's shell prompt)
  *Set the timezone (run tzsetup at the jail's shell prompt)

<box 100% round blue|/etc/rc.conf (inside the jail)>
<code>
network_interfaces=""           # Quell startup warnings about ifconfig; the host owns the interfaces
rpcbind_enable="NO"             # Disable the RPC daemon
cron_flags="$cron_flags -J 15"  # Up to 15 seconds of jitter so many jails don't run cron jobs at the same time
syslogd_flags="-ss"             # Disable syslogd listening for incoming connections
sendmail_enable="NONE"          # Completely disable sendmail
clear_tmp_enable="YES"          # Clear /tmp at startup
</code>
</box>

<box 100% round blue|/etc/crontab (inside the jail): comment out the following line, the jail cannot touch the hardware clock>
<code>
# Adjust the time zone if the CMOS clock keeps local time, as opposed to
# UTC time.  See adjkerntz(8) for details.
#1,31   0-5     *       *       *       root    adjkerntz -a
</code>
</box>

====== Jail Security ======
Once any software is installed on a system, monitoring that software for published vulnerabilities is very important. Portaudit checks whether installed ports are listed in a database of published security vulnerabilities (built from the FreeBSD VuXML database). It updates the database automatically and includes its report in the output of the daily security run. The host system can easily be set up to check the installed ports inside all jails as well.

**ON THE MAIN HOST SYSTEM**

<code>
portmaster --packages-build --delete-build-only --force-config ports-mgmt/portaudit
</code>

Portaudit automatically checks the host system. To have each jail checked in the daily security run output, create the following file. It runs as root on the host, lists the packages in every running jail with jexec and hands the list to the host's portaudit, so the jails need neither portaudit nor their own copy of the database. (On releases that have moved to pkg(8), pkg audit run per jail with pkg -j JAILNAME provides the equivalent check.)

<box 100% round blue|/usr/local/etc/periodic/security/420.jailportaudit (chmod 555)>
<code>
#!/bin/sh
#
# Daily security run hook: audit the packages installed in every running
# jail against the host's portaudit database.
# Install as /usr/local/etc/periodic/security/420.jailportaudit, mode 555.

PORTAUDIT=/usr/local/sbin/portaudit

# check_jail JID HOSTNAME: list the jail's packages and audit them from the host
check_jail()
{
    jid=$1
    hostname=$2

    echo "==== checking jail :: $hostname :: ===="
    # pkg_info prints "name-version   comment"; keep only the package name
    /usr/sbin/jexec "$jid" /usr/sbin/pkg_info | /usr/bin/awk '{print $1}' \
        | /usr/bin/xargs "$PORTAUDIT"
    echo
}

main()
{
    # given parameter names, jls prints one "jid hostname" line per running jail
    /usr/sbin/jls jid host.hostname | while read -r jid hostname
    do
        check_jail "$jid" "$hostname"
    done
}

main
</code>
</box>

====== Finishing Up ======
You should now be able to go back and add jails and services very easily. Take a look at ezjail flavours to tailor a jail's initial setup to your needs. Once you have things working, edit the host's pf.conf to actually block unwanted traffic and test that the rules behave as intended. Both of those topics are beyond the scope of this HowTo.

I hope this helps people out.
  