best practice for locking down private jail?
Aleksandr Miroslav
alexmiroslav at gmail.com
Thu Dec 3 05:44:03 UTC 2015
So I'm setting up a server for a friend who wants to upload audio
files and have them served up via http. i.e. He uploads lecture.mp3 to
example.org, and wants people to be able to access it via
http://example.org/audio/lecture.mp3.
He's somewhat tech savvy, but I'm being super paranoid about security,
so this is what I did:
- setup a server, example.org, with a public IP, FreeBSD 10.2
- on this server, I setup a jail with a private IP
- setup a pf rdr rule so that example.org:2222 goes to
private-ip-of-jail:22, so he can only access the jail via ssh
- inside the jail, I set up sshd to only allow his user (AllowUsers
joeblow), and disabled passwords, so he can only access the machine
with an ssh key
- he will upload his files to his home directory (within the private
jail), and put it in some directory, e.g. ~joeblow/audiofiles
- from the example.org machine, outside the jail, i setup httpd to
serve files only from
/usr/jails/privatejail/usr/home/joeblow/audiofiles
I've setup everything but the last step (httpd), and I will get that
last bit working shortly.
For what I want to do, does this look like an okay setup? Is there
anything else I can do to lock this setup down? I figure in the worst
case scenario, someone steals his ssh key and the worst damage they
can do is delete the files he's uploaded (I'm taking backups so not
too worried about that), or upload files to the server that is http
accessible -- can I tell Apache to only serve up mp3 files of name
lecture-num.mp3 or something like that?
Any thoughts or suggestions appreciated.
Thanks
More information about the freebsd-questions
mailing list