IP address protection
  1. Stephen Major
  2. Tuesday, 13 March 2012
I know I started a different thread on this before but I want to re-address it now that CageFS is in a stable state.

One of the great things about CageFS is it allows web hosts to give users shell account access without having to worry about security problems like those seen with other operating systems.

But with this great privilege come other downsides, one being that a user can bind processes to any IP on the system that is not assigned to them. For instance, they can bind a process to the IP of your mail server or your nameserver, or the server's default IP address.

Doing so, they could draw unwanted attacks to IP addresses that are not assigned to them... If we need to nullroute an IP address because it is under attack, we would rather it be the customer's IP getting nullrouted, not the mail server's or the server's main IP or the name server's IP or another customer's IP for that matter.


Most of the control panels have a way of grabbing a list of IP addresses that have been assigned to the user. We think it furthers the security of CageFS to implement a system which reads those IP addresses and denies any application being launched by the user that attempts to bind to an IP that does not belong to them.

For instance, DirectAdmin stores the list of IPs that are assigned to a user in the file:
/usr/local/directadmin/data/users/<username>/user_ip.list

The <username> is the same as their shell login.
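An audit version of the check proposed in the opening post, as an added example that is not part of the thread or of CageFS: it reports listening TCP sockets whose bound address is not in the owning user's IP list, rather than denying the bind. The one-address-per-line format of user_ip.list, the uid map, the loopback exemption and all sample data are assumptions constructed for illustration.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (header plus five sockets).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 017100CB:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0A7100CB:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 1002 1
   2: 147100CB:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 1003 1
   3: 00000000:2BCB 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1002        0 1004 1
   4: 147100CB:C350 0A7100CB:1F90 01 00000000:00000000 00:00000000 00000000  1002        0 1005 1
"""
# Constructed user_ip.list contents (assumed format: one IPv4 address per line).
SAMPLE_IP_LISTS = {"alice": "203.0.113.10\n", "bob": "203.0.113.20\n"}
SAMPLE_UIDS = {1001: "alice", 1002: "bob"}  # constructed uid -> shell login map

def parse_ip_list(text):
    """Return the set of addresses in a user_ip.list-style file."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def parse_listeners(proc_text):
    """Yield (uid, ip, port) for every TCP socket in LISTEN state (st == 0A)."""
    for line in proc_text.splitlines()[1:]:
        f = line.split()
        if len(f) < 8 or f[3] != "0A":
            continue
        hex_ip, hex_port = f[1].split(":")
        # The kernel prints the address as a host-order u32; little-endian host assumed.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        yield int(f[7]), ip, int(hex_port, 16)

def find_violations(proc_text, uid_to_user, ip_lists, exempt=("127.0.0.1",)):
    """Return (user, ip, port) for listeners bound outside the user's assigned IPs."""
    allowed = {user: parse_ip_list(text) for user, text in ip_lists.items()}
    hits = []
    for uid, ip, port in parse_listeners(proc_text):
        user = uid_to_user.get(uid)
        if user is None or ip in exempt:
            continue  # not a hosted user (e.g. root's mail server) or loopback
        # 0.0.0.0 is never in a list, so wildcard binds are reported too.
        if ip not in allowed.get(user, set()):
            hits.append((user, ip, port))
    return hits

if __name__ == "__main__":
    for user, ip, port in find_violations(SAMPLE_PROC_NET_TCP, SAMPLE_UIDS, SAMPLE_IP_LISTS):
        print(f"{user} is listening on {ip}:{port}, which is not assigned to them")
```

This covers IPv4 TCP listeners only; UDP sockets and IPv6 live in other /proc/net files and would need the same comparison.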
  1. 14.03.2012 10:03:40
  2. # 1
Peter Abraham Accepted Answer
Posts: 10
Joined: 10.08.2010
Good day:

While we don't use CageFS (my understanding is that support for CageFS on H-Sphere is not yet present), for the record....

Good idea... and H-Sphere uses /hsphere/local/network/ips

Thank you.
  1. 14.03.2012 10:03:55
  2. # 2
Igor Seletskiy Accepted Answer
Posts: 1200
Joined: 09.02.2010
CageFS should work with h-sphere (if I remember correctly our patches for suexec are in h-sphere's apache), but we just didn't get around to creating a template yet.

Regarding networking -- what we plan to do is to have ipfilters based on LVE (each network packet will be marked with LVE id, and iptables will filter packets based on that).
We will provide command line tools to easily manage it, but it should allow you to give "slices" of internal/external IPs/port ranges available to specific users in an automatic fashion -- allowing them to run irc, memcache, jabber, etc. in a secure way.
I still have to figure out how to prevent users from binding to IPs/ports they are not allowed to bind to.


I am still working out details -- and it will not happen for the next 2-3 months, but this is something that we are researching now.