Securing Network Services with FreeBSD Jails

In this article by Christer Edwards, we will explore FreeBSD Jails. FreeBSD Jails are a kernel-level security mechanism which allows you to safely segregate processes within a sandbox environment. Jails are commonly used to secure production network services like DNS or Email by restricting what a process can access. In the case of a malicious attack on one service, all other Jailed processes would remain secure. FreeBSD Jails securely limits, in an administratively simple way, the amount of damage an attacker can do to a server.

Introduction

Is it possible to easily run a half-dozen internet services on a single piece of hardware and make sure that if one is compromised the others will remain unharmed? Can this be done without a mountain of administrative overhead and customization? Can I configure my services the way I have grown accustomed? Absolutely! This article will outline how to achieve this, through the use of FreeBSD Jails.

Over the course of this article I will outline how to install a list of production services on a single piece of hardware, securing each one from the next, all with only one additional administrative tool: ezjail

Before we get to the ezjail tool we need to define FreeBSD Jails. What are they? What do they do? Why do I care?

FreeBSD Jails are a kernel-level security tool used widely in the FreeBSD community to segregate processes. An easy way to think of a Jail is that it is very much like a chroot environment, but much more hardened. While a standard chroot environment can often be escaped, FreeBSD has added code to their kernel which hardens the chroot environment into a “Jail”—Inescapable. Within this Jailed environment processes are unable to identify, access or otherwise communicate with processes on the outside of the Jail. Networking is limited within the Jail as well. A Jail cannot affect any underlying network configuration other than that which it has been assigned. A Jail can also be thought of in many ways like a virtualized machine in that the virtual “guest” cannot interact with the physical “host”. Jails allow us the opportunity to run processes in a secure manner separate from our host environment.

If that sounds appealing to you may be wondering how to activate and use this Jail system. That, my friend, is the focus of this article. Get settled because by the time we’re done here you will have all the tools you need to segregate processes for security, sandboxing or even create custom environments for other users.

By default the Jail system is part of the FreeBSD kernel. The kernel customizations to make the system possible have such a minimal footprint that it was decided it should be a default, always-on feature of FreeBSD. Your FreeBSD installation already has the ability to do everything described above, you just need to know how to use it. Continue

Read the whole article on setting up, configuring and running FreeBSD Jails

FreeBSD Foundation Project: FreeBSD terminal layer

The FreeBSD Foundation has announced another project that they’re funding:

Ed Schouten has been awarded a grant to write a new console driver for the FreeBSD project. We are excited to support Ed in providing a more efficient and user friendly console driver.

This project will allow Ed to add an additional abstraction layer to the kernel. This new layer, the terminal layer will be a layer that sits between the TTY layer, the kernel console (cngetc, cnputc) and the actual console driver. Right now we have a terminal emulator (libteken) that is part of Syscons. This terminal emulator will be moved into this
terminal layer.

The advantage of having such a layer, is that the console driver itself does not have to care about any TTY semantics, streams of bytes, processing escape sequences, etc. It will just receive a set of character drawing, filling and copying actions. This should also make it easier to implement Unicode.

“During this project I’m going to continue the work I did with the TTY layer, by developing a new console driver for the FreeBSD kernel,”

said Ed Schouten, FreeBSD Developer.

“By moving towards a graphics mode console driver, it will be much easier to make the boot process look nice on desktop systems (i.e. PC-BSD). It will also make it possible to support the industry-standard Unicode character sets by default.”

This project will be completed by the end of December.

FreeBSD Mall receives Best of Concord Award (2009)

The U.S. Commerce Association recently announced that the FreeBSD Mall has been selected for the 2009 Best of Concord Award in the Computer Services category by the U.S. Commerce Association (USCA).

Each year, the USCA identifies companies that they believe have achieved exceptional marketing success in their local community and business category. These are local companies that enhance the positive image of small business through service to their customers and community.

Various sources of information were gathered and analyzed to choose the winners in each category. Winners were determined based on the information gathered both internally by the USCA and data provided by third parties.

“It is an honor to be recognized for our efforts to market FreeBSD and PC-BSD products effectively, and to be selected for this prestigious award”,

says Theresa Garner, Manager, FreeBSD Mall, Inc.

“FreeBSD Mall takes its commitment to customer service very seriously, and will continue its current tradition of providing outstanding software, documentation, and support to the FreeBSD community.”

FreeBSD 8.0-BETA2 available

freebsd project logo 100x100The final stage of the FreeBSD-8.0 Release cycle continues with the second public beta release. The FreeBSD 8.0-BETA2 ISO images for Tier-1 architectures are now available for download on most of the FreeBSD mirror sites. As with the first beta release, this is not yet intended for use in a production environment. However we encourage our users to test this release and report any bugs and problems you may have found. For more information about this release and updating details please see the official announcement.

The second of the BETA builds for the FreeBSD-8.0 release cycle is now available. There are still a few things being finished up so a couple more moderately large commits are coming but we seem to be making good progress. The target date for the last of the things still being worked on is BETA3. In the meantime we appreciate the feedback we have received from people who have started testing and some of those problems have been fixed as well.

As was the case with BETA1, BETA2 is still a little bit “rough around the edges” and we still have various debugging tools enabled that cause the system to perform worse than it will when those debugging tools get disabled. We don’t know of any issues that will “eat your data” or anything like that so in that regard it’s safe but we don’t recommend it for production use quite yet. If you notice problems you can report them through the normal Gnats PR system or on the freebsd-current mailing list. Sorry for not specifying that in the BETA1 announcement. With the X.0 releases I make the announcements of how the release is
progressing on both freebsd-current and freebsd-stable because what’s being released is “about to become a stable branch” so some people who only read freebsd-stable might be interested. But when it comes to
watching for discussions about the release the developer community tends to pay more attention to the freebsd-current mailing list.

ISO images for all supported architectures are available on the FTP sites, and a “memory stick” image is available for amd64/i386 architectures. For amd64/i386 architectures the DVD and memstick images include the documentation packages this time but no other packages yet. None of the other images included packages. The memstick image should now work in “fixit” mode (livefs). (full message)

FreeBSD 7.2: Awesomeness of Ports

freebsd project logo 100x100ashgtx has written up his experience of his now successfull FreeBSD installation and use of the FreeBSD ports:

The elusive *nix. Nobody knows about it yet it is one of the most widely used server operating systems. The wikipedia entry mentions it as the unknown giant of the internet. Huge internet portals like Yahoo! run on it. Why is it that no one knows about this widely used OS?

Please remember that I am no *nix guru. I have used a lot of Linux distributions (mostly Debian based) in the past two and a half years. I don’t know anything about programming but I don’t mind messing around at the command line. In fact I am a medical student whose main hobby is Linux. Weird but true.

I have tried at least three times before to get FreeBSD installed on my laptop (a three year old Think Pad R60) but failed spectacularly all three times. I didn’t like the ncurses like installation interface nor did I like the unfriendly options I had to select through. But this time I did it. OK, it’s in a Virtual Box environment but still, come on, I’ve got a working FreeBSD 7.2 install.


I like FreeBSD now. I have fell in love with Ports. Compiling from source has its own advantages as you can specify several compile time options and the compiled program is better optimized for your particular system. And it feels so damn geeky! I love it.

I’ve been running FreeBSD for more than 10 hrs now and I haven’t had a single crash other than the initial trouble with getting GNOME to work.

There are several features in FreeBSD which make it a server guy’s best friend (like jails and stuff) but this is just the beginning for me. I hope I learn more about this great operating system which has stood the test of time and M$.

I’m looking forward to a great experience from FreeBSD. Kudos to the FreeBSD team for creating Ports. :)

Read whole post

FreeBSD 8.0 BETA1 Released

The first public test build of the FreeBSD 8.0-RELEASE test cycle is now available, 8.0-BETA1.  Through the next week or so more information about the release will be posted but here is the current target schedule for the other ‘major events’:

  • BETA2: July 13, 2009
  • BETA3: July 20, 2009
  • RC1: July 27, 2009
  • RC2: August 17, 2009
  • RELEASE:August 31, 2009

People with the resources to do so (test machines…) are encouraged to give 8.0-BETA1 a try.  At this point it is not quite ready for production systems but mostly because there is still some ongoing work in a few areas that may cause some changes in things like ABI/API. Debugging support (WITNESS, malloc debugging, etc.) are also still turned on and those tend to cause a performance hit.  As far as we know there are no known issues that would cause data corruption or anything like that, just the issues with performance and potential for changes caused by ongoing work.  If you find problems they can be reported through the normal Gnats based PR system or posted to the mailing lists.

More details van MD5 checksums can be found on the release statement

The future release dates of FreeBSD 8.0 can be found on the BSD Calender on bsdevents.net

Released: FreeBSD 8.0 – Beta1

freebsd_logo-100x100Ken Smith announced the availability of the first beta release of FreeBSD 8.0:

“The first public test build of the FreeBSD 8.0-RELEASE test cycle is now available, 8.0-BETA1. Through the next week or so more information about the release will be posted but here is the current target schedule for the other ‘major events’: BETA2 July 13, 2009; BETA3 July 20, 2009; RC1 July 27, 2009; RC2 August 17, 2009; RELEASE August 31, 2009. At this point it is not quite ready for production systems but mostly because there is still some ongoing work in a few areas that may cause some changes in things like ABI/API. Debugging supports (WITNESS, malloc debugging, etc.) are also still turned on and those tend to cause a performance hit. As far as we know there are no known issues that would cause data corruption or anything like that, just the issues with performance and potential for changes caused by ongoing work.”

Read the complete release announcement for further details.

Download: