18
edits
Changes
no edit summary
directories (by default <code>/var/lib/vz/private/<CTID></code>). The reason why you should do so is that if you wish to use OpenVZ per-container disk quota, you won't be able to use usual Linux disk quotas on the same partition. Bear in mind that per-container quota in this context includes not only pure per-container quota but also usual Linux disk quota used in container, not on [[HN]].
At least try to avoid using root partition for containers because the root user of container will be able to overcome the 5% disk space barrier in some situations. If the HN root partition is completely filled, it will break the system.
OpenVZ per-container disk quota is supported only for ext2/ext3 filesystems so use one of these filesystems (ext3 is recommended) if you need per-container disk quota.
to create a first container and do some
[[basic operations in OpenVZ environment]]. Read the [[download:doc/OpenVZ-Users-Guide.pdf]], browse this wiki.
== SECURE IT ! ==
Now comes a small advice from someone who got his debian 4.0 container hacked by some script kiddies with a ssh brute-force method within a day after deployment. I believed naively that iptables was active on boot of the container as I had used webmin inside the VE to activate iptables on boot.
That is not so! Although webmin shows that iptables (Linux Firewall) is active on boot, it is not. You need to make a startup script for iptables as described further down.
Now see what rules are already configured:
iptables -L
The output will be similar to this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
This allows anyone access to anything from anywhere.
[edit]
New iptables rules
Let's tighten that up a bit by creating a test iptables file:
nano /etc/iptables.test.rules
In this file enter some basic rules:
*filter
Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allows all outbound traffic
You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
Allows SSH connections for script kiddies
THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
Now you should read up on iptables rules and consider whether ssh access
for everyone is really desired. Most likely you will only allow access from certain IPs.
Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
That may look complicated, but look at each section at a time. You will see that it simply shuts all ports except the ones we have allowed - which in this case are ports 80 and 443 (the standard web browser ports) and the SSH port defined earlier.
Activate these new rules:
iptables-restore < /etc/iptables.test.rules
And see the difference:
iptables -L
Now the output tells us that only the ports defined above are open. All the others are closed.
Once you are happy, save the new rules to the master iptables file:
iptables-save > /etc/iptables.up.rules
To make sure the iptables rules are started on a reboot we'll create a new file:
nano /etc/network/if-pre-up.d/iptables
Add these lines to it:
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
The file needs to be executable so change the permissions:
chmod +x /etc/network/if-pre-up.d/iptables
[[Category: HOWTO]]
[[Category: Debian]]
[[Category: Installation]]
