Is it safer to use a chroot jail, a jail shell or a combination?

Have you considered setting up VNC or another remote control app on a port that is not typically filtered by firewall rules?

An example config of this would have VNC (or another similar app) loaded on the notebook. Then have your notebook-side script running to reach out to your server on a specific port that will not be filtered by the firewall to establish your return path to the system. 443 is probably the best port to use for this, but others are also suitable. Then from your system you just connect to VNC either directly or replicate a port on your server to another port number and just connect to the interface on the local port, and the port redirection will handle getting you to the other system on the remote end.

Hope this helps.


The chroot jail will help, but with an exploit that let someone into a shell, they'd still be able to see the process table and such, and run programs, conceivably further exploits. If you want to really be aggressive about isolating the external user, it's kind of using a howitzer on an ant, but you could set up a virtual private server for the entire ssh tunnel mechanism. Then the worst they can do is trash the VPS, barring the ability to break out of one, which is a pretty high bar.


I am a fan of a good defence-in-depth strategy when it comes to securing a computer system, so I would recommend that you use a low-privilege account in a chrooted filesystem. Even then it is no guarantee; just look at the iPhone: it does both of these things and it still doesn't help.
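
The confinement recommended in the answers above can be checked rather than assumed. The following is an added example, not part of any post in this thread: it assumes the return path is an SSH reverse tunnel into a dedicated low-privilege account on the server, and audits that account's effective settings as printed by `sshd -T -C user=NAME`. The jail path, the port and both sample inputs are constructed.

```python
# Added example: audit the effective sshd settings of a tunnel-only account.
# Input: "keyword value" lines as printed by `sshd -T -C user=NAME`.
# keyword -> (test the value must pass, finding reported when it does not)
CHECKS = {
    "chrootdirectory": (lambda v: v not in ("", "none"),
                        "no chroot, account sees the real filesystem"),
    "permittty": (lambda v: v == "no", "interactive terminal allowed"),
    "forcecommand": (lambda v: v not in ("", "none"),
                     "no forced command, client chooses what runs"),
    "allowtcpforwarding": (lambda v: v in ("remote", "no"),
                           "forwarding not limited to the return path"),
    "permitlisten": (lambda v: v not in ("", "any"),
                     "reverse tunnel may bind any port"),
    "gatewayports": (lambda v: v == "no",
                     "forwarded port reachable from other hosts"),
}

def parse(text):
    """Return {keyword: value}, both lower-cased; '#' comments are ignored."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            value = parts[1].strip().lower() if len(parts) > 1 else ""
            settings[parts[0].lower()] = value
    return settings

def audit(text):
    """List findings; a keyword that is absent counts as a finding."""
    settings = parse(text)
    return [f"{key}: {why}" for key, (ok, why) in CHECKS.items()
            if not ok(settings.get(key, ""))]

# Constructed samples: the path and port are placeholders.
WEAK = """chrootdirectory none
permittty yes
forcecommand none
allowtcpforwarding yes
permitlisten any
gatewayports no"""

HARDENED = """chrootdirectory /srv/jail/tunnel
permittty no
forcecommand /bin/false
allowtcpforwarding remote
permitlisten localhost:5901
gatewayports no"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample) or "no findings")
```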


Another way to skin this animal, now that I am thinking about it, is to tunnel X session traffic inside an SSH tunnel as an alternative to using VNC. You are already halfway there now with your current setup.

Set up the X ability on a specific port locally to that machine, then forward that port to yourself via the tunnel and then replicate it to a port on your side so you can connect to the session on the local port on your server.

Another thing I have found which is entirely handy for this sort of thing is dynamic DNS. This will allow you to set a resolvable FQDN that you can query whenever the need arises. DyDns runs as a lightweight service on the system you have it installed on and it updates the record anytime the IP address info changes.