SSH / chroot / user jail - vaporware?

Do you have installatron on that server? If not, maybe you can talk to them and have a temp license for that server.

That way we could install many scripts on a domain name and see how it goes?
 
I'd toss my hat in the ring, however all my servers are RH / FC - so a FreeBSD test probably wont do me any good. I think I can ask our datacenter to throw a rh9 or fc box online for us to test for a couple weeks... I'll make the calls today.

I just hope that with all our tests that a prototype beta IS ready for testing.
 
Hi,

I am using the jail on a production server since October.
There is only one customer using it, we don't promote the jail.
In my firewall there is a rule for his IP, I don't want the whole world to abuse SSH, as there are often brute force attacks.
My customer is happy with the jail.

I also use Installatron, my customer uses the TSEP search engine and everything works like it would without the jail.

I have made some modifications to the original jail and gave feedback to John.
You can add programs that you need/like to the files.list.
 
Last edited:
interfasys said:
Do you have installatron on that server? If not, maybe you can talk to them and have a temp license for that server.
Click to expand...

Unfortunately not as it's a test server, but I can certainly contact Phil from iTron and see a test license is possible.

Do you have a site or sites you could host there?

Thanks,
Matt
 
hostpc.com said:
I'd toss my hat in the ring, however all my servers are RH / FC - so a FreeBSD test probably wont do me any good. I think I can ask our datacenter to throw a rh9 or fc box online for us to test for a couple weeks... I'll make the calls today.

I just hope that with all our tests that a prototype beta IS ready for testing.
Click to expand...

Can someone from DA confirm this - do we need a test server for each OS in order to fully test the jails?

If it's necessary, then that sounds brilliant. Otherwise it might be best to concentrate all of our efforts on one test server to begin with.

Thanks,
Matt :)
 
113345 said:
Hi,

I am using the jail on a production server since October.
There is only one customer using it, we don't promote the jail.
In my firewall there is a rule for his IP, I don't want the whole world to abuse SSH, as there are often brute force attacks.
My customer is happy with the jail.

I also use Installatron, my customer uses the TSEP search engine and everything works like it would without the jail.

I have made some modifications to the original jail and gave feedback to John.
You can add programs that you need/like to the files.list.
Click to expand...

Hi Theo,

Sounds good. Did John implement the feedback you sent? If not, could you post it so that we can keep a list of known issues?

Also, have you performed any security testing on the jail? My main concerns are two fold:

1. The jail must work as well as the existing system.
2. The jail must be as secure as possible (nothing's 100%, but as close as possible would be good ;)

Thanks,
Matt :)
 
Hi Matt,

John has implemented the feedback.
I haven't done any security testing on the jail, that's why I don't promote it. I trust the customer who is using the jail.
When you look at the code for the jail, you can see it is taken from another project, I don't know how old the code is.
The changes I have made were small, my main problem is that the .profile or .bash_profile are not executed.
Solved the path settings and TERM settings by adding them to the chrootshell.c code.
 
I have recently brought a domain and am prepared to help test while I develop my site, but if I do can you allow me to use 2 email addresses and have dns control, as I am planning to setup some vhosts on the domain.
 
I have a testbed server I'm rebuilding today as CentOS (compatible with RHEL, WBEL). I have domain names available specifically for testing.

I have an Installatron license specifically for testing.

But I don't have time to do any testing myself.

Anyone interested in working with this setup?

Jeff
 
I'm sure I have a handful of domains that I'm not doing squat with that we can use as well...right now they're just sitting in Sedo..and not doing much..lol...

(see what I started. :) ).
 
Hi thoroughfare,

I have a domain I'm willing to offer for the cause, if you're still looking for testers.

Thanks,
Andy
 
113345 said:
Hi Matt,

John has implemented the feedback.
I haven't done any security testing on the jail, that's why I don't promote it. I trust the customer who is using the jail.
When you look at the code for the jail, you can see it is taken from another project, I don't know how old the code is.
The changes I have made were small, my main problem is that the .profile or .bash_profile are not executed.
Solved the path settings and TERM settings by adding them to the chrootshell.c code.
Click to expand...

Thanks for the info 113345.

John/Mark from DA: Can you please setup a section on the forum for jail beta-testing, so we can report problems and known issues rather than putting them all in one thread? It'll be easier to address each issue that way.

Matt :)
 
Thanks to everyone who has shown interest so far. I'm still looking for more testers, so anyone is welcome.

I must stress that any domain you host on the test server must either:

1. be an actual site, so that we can achieve as real a test as possible by testing it with real-world applications
2. a site that wasn't in use before, but one you'd be willing to spend time testing, playing around with DA/SSH and PHP/Perl.

JLasman: I'm thinking that we'll need to test this on all DA platforms. Like I said, I can provide a FreeBSD test server. You can cover CentOS, what does that leave?

Matt
 
CentOS/RHEL/WBEL are functionally the same and all of them are based on RHL9.

On the other subject, it's easy enough to test well-written sites on test domains.

You just (for example) set up a site called "test.nobaloney.net", and then update the contents of the real "nobaloney.net" site to it.

DA doesn't differentiate between a site set up as a third level or second level domain, and wellwritten sites don't use the site name in any of the links, so this should work.

Jeff
 
I have a couple sites that are in development that I can put on there to test.
 
That's 7 testers so far on the list :)

Jeff - when I mean 'real' sites, I didn't necessarily mean a domain dedicated to testing - just a website that is typical of websites we'd normally host. For example, most of my customers run PHP scripts that rely on MySQL, so therefore if we had some sites like that it'd help.

Matt
 
And CGI, definately CGI :)

maybe an attempt to load an IRC bot, something that requires sessions (which currently write to /var/tmp), majordomo lists (which currently store digests in /var/tmp - on occasion). CGI is the biggest culprit of getting into /var/tmp and /tmp ... I realize a jail wont stop them, but it'll take some of the tools they need away.

With the recent CURL and WGET exploits, testing those would be a good idea too.

I think I've got an old copy of phpBB that can be installed, and then we can all try and "break" it :)
 
CGI of course.

If anyone has a collection of nasty Perl scripts to run, please feel free to get those ready. Anything we can use to test security.

Matt
 
You must log in or register to reply here.
Back
Top