Linode Forum
Linode Community Forums
Posted: Tue Apr 28, 2009 8:29 pm
Junior Member

Joined: Thu Apr 23, 2009 9:17 pm
Posts: 26
Website: http://www.trazoi.com
Location: Melbourne, Australia
I'm new to web server administration, and have been spending the last few days working through the basics of installing a LAMP server on Debian 5.0 with email support, as well as securing it. Currently I've been configuring Apache, iptables, ssh and various other config files by hand. It's been slow going as there's a lot to take in!

I've read here in older threads and in other tutorials about the Bastille Linux (or Unix) module to help beginners learn and configure their OS for security. When I installed it and tried it out, however, it seems it doesn't support Debian 5.0 - which is a bit weird given it downloaded modules marked "lenny".

I'm now not sure whether it's a good idea to try and run it in Debian 4.0 compatibility, as given my unfamiliarity with the deep guts of Debian and the changes between OS versions could do harm. Or whether I give Bastille a miss and go back to trying to fix everything by hand, which has the danger that I might miss something important. Or is there another security hardening package that is better to use with Debian 5.0?

I know I'm learning a lot by tweaking things by hand, but it would be nice to have some automated assurance I haven't done anything stupid with my iptables or left something really unsecure running by default!

_________________
David Shaw, a.k.a. "Trazoi"


 Post subject: Wait to package update
Posted: Tue Apr 28, 2009 9:12 pm
Junior Member

Joined: Tue Apr 28, 2009 8:57 pm
Posts: 38
Location: Pale Blue Dot
Hi trazoi, I'm registering here just to answer your question because I've been tracking that bug and, finally, the solution is done already and waiting to hit Lenny's repository.

As you can read at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510884 the maintainer said:
Quote:
We believe that the bug you reported is fixed in the latest version of bastille, which is due to be installed in the Debian FTP archive.
That means that it is fixed in Testing, but I don't know when it will arrive in Stable.

In any case, don't 'tweak this thing by hand' ;-)


 Post subject:
Posted: Tue Apr 28, 2009 9:21 pm
Junior Member

Joined: Thu Apr 23, 2009 9:17 pm
Posts: 26
Website: http://www.trazoi.com
Location: Melbourne, Australia
Thanks! It's good to know I'll be able to try it out sometime soon, although it's a bit annoying I won't be able to use it now, during the week I've dedicated to learning the basics of the server so I can work on the website next week.

I guess I'll stick to learning how to lock things down by hand for now, which I'm hoping will block the majority of what's out there.

_________________
David Shaw, a.k.a. "Trazoi"


 Post subject: Securing Debian
Posted: Tue Apr 28, 2009 9:39 pm
Junior Member

Joined: Tue Apr 28, 2009 8:57 pm
Posts: 38
Location: Pale Blue Dot
Bastille and other similar tools are a help but nothing more than that.

While you're waiting for the package in Lenny, maybe you'll find the Securing Debian Manual interesting.

That manual is a work in progress but has some fine ideas and howtos.


 Post subject: Re: Securing Debian
Posted: Tue Apr 28, 2009 9:46 pm
Junior Member

Joined: Thu Apr 23, 2009 9:17 pm
Posts: 26
Website: http://www.trazoi.com
Location: Melbourne, Australia
Quote:
Bastille and other similar tools are a help but nothing more than that.
I know, but Bastille has a whole bunch of information at each step that tells you why it's doing what it's doing. I was looking forward to a sort of interactive tutorial on security.

Thanks for the link to the security manual. I'll work through it and see what I've missed so far.

_________________
David Shaw, a.k.a. "Trazoi"


 Post subject:
Posted: Tue Apr 28, 2009 10:13 pm
Junior Member

Joined: Tue Apr 28, 2009 8:57 pm
Posts: 38
Location: Pale Blue Dot
You're welcome.

Talking about security, a little paranoia is always good. For instance, you can harden your server ports, Apache, CMS, etc. and then install a beautiful theme for your CMS with malicious code inside!

http://www.tburns.com/2009/tracking-dow ... linux-box/


 Post subject:
Posted: Tue Apr 28, 2009 10:59 pm
Junior Member

Joined: Thu Apr 23, 2009 9:17 pm
Posts: 26
Website: http://www.trazoi.com
Location: Melbourne, Australia
Unfortunately, I think I might be a bit too paranoid, especially since I'm acutely aware of how little I know about this. :)

Currently my strategy is to: 1) install what I need, 2) learn basic security (alongside step 1), 3) figure out how to monitor everything in case something goes wrong and 4) back up the system so if (when?) the server breaks I can always restart from scratch. Except for a minor point with my email, step 1 was really easy, but step 2 is turning out to be a real challenge - mostly because there seem to be about ten different ways to do everything.

_________________
David Shaw, a.k.a. "Trazoi"


 Post subject:
Posted: Wed Apr 29, 2009 5:02 pm
Senior Member

Joined: Wed Feb 13, 2008 1:40 pm
Posts: 126
Unfortunately, unless it is deemed a security fix, this change will never hit Debian Lenny. The stable version is specifically not updated except to patch security holes. You would have to build it from testing to get it on Lenny (add a deb-src for squeeze in sources.list, sudo apt-get build-dep bastille; sudo apt-get source -b -t testing bastille).


Posted: Wed Apr 29, 2009 5:18 pm
Senior Newbie

Joined: Thu Jan 01, 2009 7:49 am
Posts: 9
Hello,

I tried to install Bastille on the new Ubuntu 9.04, but it isn't recognized by Bastille.

Any ideas, please?


TIA.


 Post subject:
Posted: Wed Apr 29, 2009 5:50 pm
Senior Member

Joined: Sat Oct 16, 2004 11:13 am
Posts: 176
You can simply download the testing package and use it in lenny. That's what I did, and I had no problems.


 Post subject:
Posted: Wed Apr 29, 2009 8:13 pm
Junior Member

Joined: Thu Apr 23, 2009 9:17 pm
Posts: 26
Website: http://www.trazoi.com
Location: Melbourne, Australia
Quote:
Unfortunately, unless it is deemed a security fix, this change will never hit Debian Lenny. The stable version is specifically not updated except to patch security holes. You would have to build it from testing to get it on Lenny (add a deb-src for squeeze in sources.list, sudo apt-get build-dep bastille; sudo apt-get source -b -t testing bastille).
Ah yes, thanks. I should have known that - that's the reason why I picked Debian over Ubuntu in the first place; they're more conservative about what goes into stable.

I'm a bit hesitant about trying software from testing, but I might make an exception for Bastille.

_________________
David Shaw, a.k.a. "Trazoi"


 Post subject:
Posted: Wed Apr 29, 2009 9:46 pm
Junior Member

Joined: Tue Apr 28, 2009 8:57 pm
Posts: 38
Location: Pale Blue Dot
Although it isn't available yet, I presume Bastille will be available as a Lenny backport package soon.

http://www.backports.org/


 Post subject:
Posted: Thu Apr 30, 2009 11:07 pm
Junior Member

Joined: Thu Apr 23, 2009 9:17 pm
Posts: 26
Website: http://www.trazoi.com
Location: Melbourne, Australia
Thanks everyone. With your help I managed to install a runnable version of Bastille. After using aptitude to install the "stable" (but unrunnable) version of Bastille to get the dependencies, I just grabbed the deb package direct from its squeeze repository webpage and used dpkg to install it.

However, although Bastille is runnable, I'm not sure if it's working. The console interface was rather flaky, and some of the key elements it installed don't appear to work - the firewall script is throwing syntax errors, for example. I think with my early tinkering I'd managed to harden down half the stuff it did anyway, and I'm not sure if Bastille decided to revert some of that. Bastille did manage to harden a few permissions and turn on some logging options that were useful, but I fear it's made a pig's breakfast out of some of the rest of the system.

Not that it matters too much, as I'm planning on rebuilding the system from scratch in a few days anyway (this is just a test run to learn the ropes). But I'm on the horns of a dilemma. On the one hand, I trust the Bastille developers to know a lot more about security than me. But on the other, while the automated system did a good job of telling me why it should make the changes, it didn't give me a clue what it was doing, and I'm uncomfortable with that. I'm thinking I might be happier relying on my much simpler hand-written changes, where at least I know for sure what, why and how I made each decision I did - although I don't know if that makes me more secure.

_________________
David Shaw, a.k.a. "Trazoi"


 Post subject:
Posted: Thu Apr 30, 2009 11:41 pm
Junior Member

Joined: Thu Apr 23, 2009 9:17 pm
Posts: 26
Website: http://www.trazoi.com
Location: Melbourne, Australia
I think I might have found an acceptable compromise. The new version of Debian's Bastille has the ability to generate assessment reports (the stable one didn't). With the assessment report, I can look through the current state of my system and see what Bastille flags as a possible security risk. Bastille still doesn't tell me how to fix them myself, but with the power of Google I should be able to find that out. I can thus both secure my system and learn a bit more about the guts of what's going on.

_________________
David Shaw, a.k.a. "Trazoi"


 Post subject: easier fix
Posted: Thu Jan 07, 2010 12:48 am
Newbie

Joined: Thu Jan 07, 2010 12:45 am
Posts: 2
This is an old thread but it was the first thing that came up when I searched for it. And I found a simpler solution than what is presented above. So, I just wanted to share it.

On Debian 5 there are two files that need to be modified after installing the bastille package:

/usr/lib/Bastille/API.pm
/usr/lib/Bastille/IOLoader.pm

Search for DB4.0 and you will see it grouped with the OS compatibility listings. Just add DB5.0 right after the DB4.0 and you're set. At least, it worked fine for me.

