All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Service isolation (BSD jails) - isolate per service? per site?
Hi
I'm setting up a server for an upcoming project and would like to use FreeBSD as an OS.
I'd like to isolate services using BSD jails, for added security. (ie if one service is compromised, the whole box isn't (until the attacker has escaped the jail, of course)).
What would be better?
Isolate each service? (1 jail for nginx / 1 jail for database, etc) -> nice for one site, probably not the best if multiple sites are installed on the server
Isolate each site? (1 jail site1.com, 1 jail site2.com each jail with httpd + db + php-fpm) -> nice as one site being compromised wouldn't cause trouble to other sites. 1 jail with a reverse proxy would be needed as a front end.
Mix between both possibilities? -> Would be possible to isolate each service and run different services for each website. Wouldn't be the most efficient ram wise and would be a hassle to keep everything up to date: would it be worth it?
Any input on this topic?
Thanks LET!
Comments
I usually just create a single jail and then put my whole webstack (nginx, php-fpm, and mariadb) in that and I run separate php-fpm pools (with different user:group) for each website. There's a ton of good posts on the FreeBSD forums with different possibilities for jail setups.
I do the 1 jail because I decided it wasn't worth it to me (and for my needs) to keep a jail running for each service.
Sidenote: I absolutely love using FreeBSD for my webservers. I moved a lot of my servers over to it from linux and I couldn't be happier.
Will check there for ideas, thanks
@bsdguy are there some 'industry standard' rules for services isolation using jails?
Yeah I enjoy it too. The port system is great (good by outdated debian packages) and so is PF and portaudit
Any software / tools you did enjoy and would recommend me to check out?
I wish it wasn't so hit-or-miss to get FBSD working on those cheap Kimsufi Atoms.
I have installed diverse BSDs, usually FreeBSD on lots of diverse machines. Xeons, core 7, atom, diverse Pentiums, Via C7, diverse amd processors and never had problems.
Is there a standard? Man, I'm not doing web servers for a living and I don't care about most standards anyway. As for FreeBSD, the standard is FGH (fucking great handbook).
As for the OP question: Depends.
One decisive factor is what you want to achieve, what your priorities are. Keeping a bunch of users, each with their site and ftp, apart and clean is quite different from, say, a hardened setup.
jails are easy and well (incl. tool) supported and efficient. Plus they are safer than the linux thingy (but not hardcore secure).
If I get you right you have an inconsistent basis logic. Someone successfully hacking a properly configured and well chosen service on FreeBSD service will hardly be stopped by a jail. Think of jails as a device to keep not violently malevolent users apart, not as of an impenetrable wall.
I personally either don't do anything (in terms of jailing and similar) or I use bhyve for completely separated virtualized machines.
For security the wisdom IMO is not in jails or bhyve but in wisely chosing what software to use and in configuring both those services and FreeBSD itself well and tight.
Well I'm more looking for a somewhat hardened setup. Trying to mitigate a too wide access to the system if a web app was compromised.
Will focus on that, thanks!