Darren David
Hi all-
I did some searching and couldn't find anything specifically targeted to this, but please feel free to point me in the right direction if this exists already.
I'm using FreeNAS 11.3x for a whole host of things - file server, plugins, manually-created jails, remote backup, vSphere storage container host (FreeNAS is running under vSphere with direct access to the storage subsystem) - the works. I had this box at home, but now it's living in a colo and I connect to some services over VPN (like the main dashboard, Samba, et al) and others via nginx. It's a friendly colo, but it does feel a bit more exposed now that it's not at home (it's still behind pfSense, but I don't have snort or anything running at this time).
I understand that the goal of FreeBSD jails is to prevent processes from gaining access to the root system. I've been storing all of my data in a dataset off the root and mounting various directories in these root datasets into jails, some of which have r/w access (resilio is a good example). In my mind, that's good but not great. Technically speaking, a malicious individual could harm my system by compromising the jailed service and then wiping out data in the mounted share and/or filling the disk with crap (or probably worse -- I'm security-conscious but not deeply experienced).
My question is this - are there best practices for setting up a multi-function system like this? I guess I'm wondering whether or not I should move all of my data to a jail of its own and then share out the jailed directories with the other jails to keep all of that i/o out of the root. Or perhaps it's more complicated than that.
Appreciate any insight here as I true this system up for long-term security.