[ubuntu] Jailing BIND



BIND is a popular application used by many to provide name services. It is also a network-facing daemon that parses untrusted input, so it is not without risk. If you jail it (chroot it and run it as an unprivileged user), a compromised named is confined to the jail directory and limited to what the bind user can do there, which limits the damage to the rest of the server.

I decided to share my experience, because I've done this on a handful of machines and have the routine down pretty well, and anybody else with the same problem set, on Ubuntu server, might find this helpful.


Stop BIND:

/etc/init.d/bind9 stop

Edit /etc/default/bind9 to make BIND run chrooted to directory /chroot/named. Keep the -u bind part: named chroots first and then drops from root to the bind user, and you want both. Change the line:

OPTIONS="-u bind"

to

OPTIONS="-u bind -t /chroot/named"

Create the directories for the chrooted environment (etc for the config, dev for the device nodes and the syslog socket, var/cache/bind for named's working directory, var/run/bind/run for the pid file):

mkdir -p /chroot/named/etc /chroot/named/dev \
/chroot/named/var/cache/bind /chroot/named/var/run/bind/run

Move the config directory:

mv /etc/bind /chroot/named/etc

Create a symlink to the new config directory from the old location:

ln -s /chroot/named/etc/bind /etc/bind

Make null and random devices (major/minor 1,3 and 1,8), and fix permissions for the directories. Note that chowning /chroot/named/etc/bind to bind makes the configuration writable by the daemon itself; named only needs to read it (it needs write access to directories holding slave zones or journal files, not to named.conf or rndc.key), so if you want a tighter jail, leave the config files owned by root and readable by the bind group instead.

mknod /chroot/named/dev/null c 1 3
mknod /chroot/named/dev/random c 1 8
chmod 666 /chroot/named/dev/null /chroot/named/dev/random
chown -R bind:bind /chroot/named/var/*
chown -R bind:bind /chroot/named/etc/bind

Edit /etc/default/syslogd so that named can still log: from inside the jail it cannot see the normal /dev/log socket, and the -a flag makes syslogd listen on an additional socket inside the chroot. Change the line:

SYSLOGD=""

to

SYSLOGD="-a /chroot/named/dev/log"

Restart syslogd:

/etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for errors (a missing device node, a config path that does not resolve inside the jail, or a var directory named cannot write to are the usual causes of a failed start):

/etc/init.d/bind9 start
tail -f /var/log/syslog
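After all of the steps above, it is worth auditing the jail before starting named, since a forgotten step usually shows up only as a cryptic startup failure. The following script is an added example, not part of the original post: it checks that the OPTIONS line carries -t, that the directory layout and device nodes are in place, that /etc/bind is a symlink resolving into the jail, and that syslogd has created its socket there. The defaults (/chroot/named, /etc/default/bind9, /etc/bind) match this page; the JAIL, DEFAULTS and CONF_LINK variables are my own names and can be overridden from the environment.

```shell
#!/bin/sh
# bind-jail-check.sh: audit a BIND chroot built with the steps on this page.
# Example code, not part of the original post. Paths below are the defaults
# used in the post; override JAIL, DEFAULTS or CONF_LINK in the environment.
JAIL="${JAIL:-/chroot/named}"
DEFAULTS="${DEFAULTS:-/etc/default/bind9}"
CONF_LINK="${CONF_LINK:-/etc/bind}"

# 1. Does the OPTIONS line in the defaults file pass "-t <jail>" to named?
#    $1 = defaults file, $2 = jail directory. Returns 0 when present.
options_has_chroot() {
    grep -E "^OPTIONS=.*-t[[:space:]]+$2" "$1" >/dev/null 2>&1
}

# 2. Do the directories named needs inside the jail exist?
#    Prints each missing directory; returns 1 if any is missing.
layout_ok() {
    jail="$1"; rc=0
    for d in etc dev var/cache/bind var/run/bind/run; do
        [ -d "$jail/$d" ] || { echo "missing directory: $jail/$d"; rc=1; }
    done
    return $rc
}

# 3. Is the old config location a symlink that resolves inside the jail?
#    $1 = link path (e.g. /etc/bind), $2 = jail directory.
conf_link_ok() {
    link="$1"; jail="$2"
    [ -L "$link" ] || return 1
    target=$(readlink -f "$link")
    case "$target" in
        "$jail"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# 4. Are dev/null and dev/random character devices with the expected
#    major:minor numbers? GNU stat prints them in hex with %t:%T, so the
#    expected values are 1:3 (null) and 1:8 (random), as created by mknod above.
dev_ok() {
    jail="$1"; rc=0
    for spec in null:1:3 random:1:8; do
        name=${spec%%:*}; want=${spec#*:}
        node="$jail/dev/$name"
        if [ ! -c "$node" ]; then
            echo "not a character device: $node"; rc=1; continue
        fi
        got=$(stat -c '%t:%T' "$node")
        [ "$got" = "$want" ] || { echo "wrong device numbers on $node: $got (want $want)"; rc=1; }
    done
    return $rc
}

# 5. Has syslogd (restarted with -a <jail>/dev/log) created its socket?
log_socket_ok() {
    [ -S "$1/dev/log" ]
}

# Run every check and report; exit status is non-zero if anything is wrong.
main() {
    rc=0
    options_has_chroot "$DEFAULTS" "$JAIL" || { echo "OPTIONS in $DEFAULTS lacks -t $JAIL"; rc=1; }
    layout_ok "$JAIL" || rc=1
    conf_link_ok "$CONF_LINK" "$JAIL" || { echo "$CONF_LINK is not a symlink into $JAIL"; rc=1; }
    dev_ok "$JAIL" || rc=1
    log_socket_ok "$JAIL" || { echo "no syslog socket at $JAIL/dev/log (restart syslogd with -a)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "jail at $JAIL looks complete"
    return $rc
}

# Only run the audit when invoked as: sh bind-jail-check.sh check
case "${1:-}" in
    check) main ;;
esac
```

Run it as `sh bind-jail-check.sh check` after the syslogd restart and before starting bind9; it prints one line per problem and exits non-zero if anything is missing. It only checks that the jail is complete, not that named.conf itself is valid; for that, named-checkconf's own -t option (named-checkconf -t /chroot/named /etc/bind/named.conf) parses the config as named will see it from inside the chroot.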