# Firewall & Chroot Jail

## Centinul

I was wondering if it would be worth my time to set up a chroot jail for my firewall box? If so, how would I go about doing it and making it secure? Thanks.

----------

## wjholden

What do you want to chroot?  I've never heard of someone chrooting Shorewall and it isn't possible (AFAIK) to chroot IPTables (since it's in the kernel).

Here's the documentation on chrooting services.

----------

## Centinul

I don't have a very large understanding of chroot. I didn't know if I could just create an environment, not for a specific service, and run in that environment. I'm just aiming to try and make my firewall more secure. Is it possible to chroot SSHD? I run that so that ONLY my internal desktop can access the firewall.

----------

## sirtalon42

If you chroot SSHD your users that login (i.e. you) would be stuck in the chroot, which would defeat the purpose of having SSHD in your configuration if I'm right. Services like dns and dhcp could be chrooted I guess. Though if something runs as root, chrooting it would stop someone for all of half a second (it's easy for root to break out of chroot).

I would just say make sure remote root logins are disabled (login as another user then su to root), use a good password for your accounts, and try the hardened toolchain. Also try not to run any unnecessary stuff (like ftp & telnet).

----------
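The advice in the post above (no remote root login, log in as an ordinary user and su, and Centinul's goal of letting only the internal desktop reach the firewall) can be checked mechanically. The script below is an added example, not code from anyone in this thread: it audits an sshd_config for those settings and shows a weak sample config beside a hardened one. The addresses and the `admin` account are constructed sample values. It also reports a `ListenAddress` check, going slightly beyond the post, since binding sshd only to the LAN-side interface is the other half of "only my internal desktop can access the firewall".

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# recommended above (no remote root login; access limited to the internal
# desktop) and flag an sshd that listens on every interface.
# Addresses and the user name below are constructed sample values.

# sshd honours the FIRST occurrence of a keyword; later duplicates are
# ignored, so the audit must report that first value, not the last.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }                 # skip comments and blanks
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Returns 0 when the config matches the recommendations, 1 otherwise.
audit_sshd_config() {
    cfg=$1
    rc=0

    root=$(effective_value "$cfg" PermitRootLogin)
    if [ "$root" = "no" ]; then
        echo "ok   PermitRootLogin no (log in as a normal user, then su)"
    else
        echo "FAIL PermitRootLogin is '${root:-unset}' (sshd default applies)"
        rc=1
    fi

    if [ -n "$(effective_value "$cfg" AllowUsers)" ]; then
        echo "ok   AllowUsers restricts who may log in, and from where"
    else
        echo "FAIL no AllowUsers line: any local account can try to log in"
        rc=1
    fi

    listen=$(effective_value "$cfg" ListenAddress)
    if [ -n "$listen" ] && [ "$listen" != "0.0.0.0" ]; then
        echo "ok   ListenAddress $listen (internal interface only)"
    else
        echo "FAIL sshd listens on all interfaces, including the outside"
        rc=1
    fi
    return $rc
}

# Constructed sample: the weak starting point.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample: the hardened version. The trailing duplicate
# "PermitRootLogin yes" is ignored by sshd because the first value wins.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
# listen only on the LAN-side interface of the firewall (sample address)
ListenAddress 192.168.1.1
PermitRootLogin no
PasswordAuthentication yes
# one unprivileged account, only from the internal desktop (sample address)
AllowUsers admin@192.168.1.10
PermitRootLogin yes
EOF

echo "== weak =="
audit_sshd_config "$WEAK_CFG" || echo "weak config fails the audit"
echo "== hardened =="
audit_sshd_config "$HARD_CFG"
```

Point `audit_sshd_config` at the real `/etc/ssh/sshd_config` to check a live box; the first-occurrence rule in `effective_value` matters because a hardening line appended at the end of a file is silently overridden by an earlier one.

----------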

## Gentree

chroot has many uses but it is not intended as a security tool.

"chroot jail" is one of those silly terms that people latch on to because they think it makes them sound smart. In fact it's dangerously misleading because it makes it sound very secure, like it's surrounded by armed guards, barbed wire and security towers.

Like the previous poster pointed out, anyone who manages to compromise a sensibly set up Linux box is going to get out of his chroot jail as if he's been given a weekend pass to visit his ailing mother.

Call it by its proper name, a chroot shell, and you get a better idea of where you are.

HTH

----------

## Centinul

Thanks for the tips everyone.

----------

