HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Bastille on Debian squeeze (http://www.howtoforge.com/forums/showthread.php?t=56810)

Davide 7th April 2012 03:59

Bastille on Debian squeeze
 
Hi, list

There is no bastille package in Debian stable (squeeze). My installation is an upgrade from lenny to squeeze, so I only realised this when I had to deinstall it while trying to make bastille start with the system.

I have installed bastille from lenny, and it seems to work OK now, but I don't like the idea of having lenny packages in squeeze.

Is there any other recommended way to install bastille in squeeze?
Why is bastille not mentioned in any of the Perfect Setup guides for Debian squeeze?

Thank you

falko 7th April 2012 10:47

Bastille comes with ISPConfig, so you don't need to install it.

Davide 8th April 2012 00:14

I've tried to update ispconfig3 after deinstalling bastille, with no success. Bastille was not mentioned at all.

With the lenny package, ispconfig 3 is updating /etc/Bastille/bastille-firewall.cfg.

How could I reactivate the bastille included with ISPConfig3?

Davide 10th April 2012 00:53

Anyone?

I think I have found the origin of my mistake. My initial installation was following this perfect setup.
I suppose I trusted this comment, so I installed Lenny's bastille.

Is reinstalling ispconfig the only solution for bringing back bastille after deinstalling the Debian package?

falko 10th April 2012 21:02

I'm not sure what is wrong with your system right now, but you can simply try an ISPConfig upgrade. Download the latest version, go to the install dir and run
Code:

php update.php

Davide 11th April 2012 00:40

I'll try to explain:

This was my actual situation (lenny's bastille installed):

Code:

# apt-cache policy bastille
bastille:
  Instalados: 1:2.1.1-13
  Candidato:  1:2.1.1-13
  Tabla de versión:
 *** 1:2.1.1-13 0
        100 /var/lib/dpkg/status
# /etc/init.d/bastille-firewall restart                                                                                                                               
Setting up IP spoofing protection... done.                                                                                                                                   
Allowing traffic from trusted interfaces... done.                                                                                                                           
Setting up chains for public/internal interface traffic... done.                                                                                                             
Setting up general rules... done.                                                                                                                                           
Setting up outbound rules... done.
# iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination       
DROP      tcp  --  anywhere            loopback/8         
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    all  --  anywhere            anywhere           
DROP      all  --  base-address.mcast.net/4  anywhere           
PUB_IN    all  --  anywhere            anywhere           
PUB_IN    all  --  anywhere            anywhere           
PUB_IN    all  --  anywhere            anywhere           
PUB_IN    all  --  anywhere            anywhere           
PUB_IN    all  --  anywhere            anywhere           
DROP      all  --  anywhere            anywhere           

Chain FORWARD (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
DROP      all  --  anywhere            anywhere           

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       
PUB_OUT    all  --  anywhere            anywhere           
PUB_OUT    all  --  anywhere            anywhere           
PUB_OUT    all  --  anywhere            anywhere           
PUB_OUT    all  --  anywhere            anywhere           
PUB_OUT    all  --  anywhere            anywhere           

Chain INT_IN (0 references)
target    prot opt source              destination       
ACCEPT    icmp --  anywhere            anywhere           
DROP      all  --  anywhere            anywhere           

Chain INT_OUT (0 references)
target    prot opt source              destination       
ACCEPT    icmp --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere           

Chain PAROLE (14 references)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere           

Chain PUB_IN (5 references)
target    prot opt source              destination       
ACCEPT    icmp --  anywhere            anywhere            icmp destination-unreachable
ACCEPT    icmp --  anywhere            anywhere            icmp echo-reply
ACCEPT    icmp --  anywhere            anywhere            icmp time-exceeded
ACCEPT    icmp --  anywhere            anywhere            icmp echo-request
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:ftp-data
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:ftp
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:ssh
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:smtp
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:domain
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:www
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:pop3
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:imap2
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:https
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:submission
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:imaps
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:pop3s
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:mysql
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:webmin
ACCEPT    udp  --  anywhere            anywhere            udp dpt:domain
ACCEPT    udp  --  anywhere            anywhere            udp dpt:mysql
DROP      icmp --  anywhere            anywhere           
DROP      all  --  anywhere            anywhere           

Chain PUB_OUT (5 references)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere           

Chain fail2ban-courierimap (0 references)
target    prot opt source              destination       

Chain fail2ban-courierpop3 (0 references)
target    prot opt source              destination       
RETURN    all  --  anywhere            anywhere           

Chain fail2ban-courierpop3s (0 references)
target    prot opt source              destination       

Chain fail2ban-pureftpd (0 references)
target    prot opt source              destination       

Chain fail2ban-sasl (0 references)
target    prot opt source              destination       

Chain fail2ban-ssh (0 references)
target    prot opt source              destination

As you can see, Bastille is working.

So, I'm going to deinstall lenny's bastille:
Code:

apt-get remove --purge bastille
Leyendo lista de paquetes... Hecho
Creando árbol de dependencias     
Leyendo la información de estado... Hecho
El paquete indicado a continuación se instaló de forma automática y ya no es necesarios.
  libcurses-perl
Utilice «apt-get autoremove» para eliminarlos.
Los siguientes paquetes se ELIMINARÁN:
  bastille*
0 actualizados, 0 se instalarán, 1 para eliminar y 0 no actualizados.
Se liberarán 1544 kB después de esta operación.
¿Desea continuar [S/n]?
(Leyendo la base de datos ... 56812 ficheros o directorios instalados actualmente.)
Desinstalando bastille ...
Stopping Bastille firewall..
WARNING: reverting to default settings (dropping firewall)
disabling IP forwarding... done.
unloading masquerading modules... done.
resetting default input rules to accept... done.
resetting default output rule to accept... done.
resetting default forward rule to accept... done.
flushing INPUT rules... done.
flushing OUTPUT rules... done.
flushing FORWARD rules... done.
removing user-defined chains... done.
done.
Purgando ficheros de configuración de bastille ...
insserv: warning: script 'K01jailkit' missing LSB tags and overrides
insserv: warning: script 'jailkit' missing LSB tags and overrides
Procesando disparadores para man-db ...

so I have no firewall now:
Code:

# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       

Chain fail2ban-courierimap (0 references)
target    prot opt source              destination       

Chain fail2ban-courierimaps (0 references)
target    prot opt source              destination       
RETURN    all  --  anywhere            anywhere           

Chain fail2ban-courierpop3 (0 references)
target    prot opt source              destination       
RETURN    all  --  anywhere            anywhere           

Chain fail2ban-courierpop3s (0 references)
target    prot opt source              destination       
RETURN    all  --  anywhere            anywhere           

Chain fail2ban-pureftpd (0 references)
target    prot opt source              destination       
RETURN    all  --  anywhere            anywhere           

Chain fail2ban-ssh (0 references)
target    prot opt source              destination

So I'm going to update ispconfig. I'm going to do a REAL update from 3.0.4.3 to 3.0.4.4:
Code:


# ispconfig_update.sh


--------------------------------------------------------------------------------
 _____ ___________  _____              __ _     
|_  _/  ___| ___ \ /  __ \            / _(_)     
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |
 _| |_/\__/ / |    | \__/\ (_) | | | | | | | (_| |
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, |
                                              __/ |
                                            |___/
--------------------------------------------------------------------------------


>> Update 

Please choose the update method. For production systems select 'stable'.
The update from svn is only for development systems and may break your current setup.
Note: Update all slave server, before you update master server.

Select update method (stable,svn) [stable]:

--2012-04-10 22:29:49--  http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
Resolviendo www.ispconfig.org... 78.46.59.59
Connecting to www.ispconfig.org|78.46.59.59|:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 2697357 (2,6M) [application/x-gzip]
Saving to: `ISPConfig-3-stable.tar.gz'

100%[====================================================================================================================================>] 2.697.357  5,49M/s  in 0,5s   

2012-04-10 22:29:49 (5,49 MB/s) - `ISPConfig-3-stable.tar.gz' saved [2697357/2697357]

ispconfig3_install/
ispconfig3_install/server/
ispconfig3_install/server/server.php
[..]
ispconfig3_install/helper_scripts/setup_in_openvz/recreate_ssh_and_hostname.sh
ispconfig3_install/helper_scripts/setup_in_openvz/diff_openssl.cnf


--------------------------------------------------------------------------------
 _____ ___________  _____              __ _        ____
|_  _/  ___| ___ \ /  __ \            / _(_)      /__  \
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
 _| |_/\__/ / |    | \__/\ (_) | | | | | | | (_| | ___\ \
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                              __/ |
                                            |___/
--------------------------------------------------------------------------------


>> Update 

Operating System: Debian 6.0 (Squeeze/Sid) or compatible

This application will update ISPConfig 3 on your server.

Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]:

Creating backup of "/usr/local/ispconfig" directory...
Creating backup of "/etc" directory...
Checking ISPConfig database .. OK
Starting incremental database update.
Reconfigure Permissions in master database? (yes,no) [no]:

Reconfigure Services? (yes,no) [yes]:

Configuring Postfix
Configuring Mailman
Configuring Jailkit
Configuring SASL
Configuring PAM
Configuring Courier
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring vlogger
Configuring Apps vhost
Configuring Database
Updating ISPConfig
ISPConfig Port [443]:

Create new ISPConfig SSL certificate (yes,no) [no]:

Reconfigure Crontab? (yes,no) [yes]:

Updating Crontab
Restarting services ...
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
Stopping SASL Authentication Daemon: saslauthd.
Starting SASL Authentication Daemon: saslauthd.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
Stopping ClamAV daemon: clamd.
Starting ClamAV daemon: clamd .
Stopping Courier authentication services: authdaemond.
Starting Courier authentication services: authdaemond.
Stopping Courier IMAP server: imapd.
Starting Courier IMAP server: imapd.
Stopping Courier IMAP-SSL server: imapd-ssl.
Starting Courier IMAP-SSL server: imapd-ssl.
Stopping Courier POP3 server: pop3d.
Starting Courier POP3 server: pop3d.
Stopping Courier POP3-SSL server: pop3d-ssl.
Starting Courier POP3-SSL server: pop3d-ssl.
[Tue Apr 10 22:31:01 2012] [warn] NameVirtualHost 82.98.148.78:443 has no VirtualHosts
[Tue Apr 10 22:31:01 2012] [warn] NameVirtualHost *:80 has no VirtualHosts
[Tue Apr 10 22:31:04 2012] [warn] NameVirtualHost 82.98.148.78:443 has no VirtualHosts
[Tue Apr 10 22:31:04 2012] [warn] NameVirtualHost *:80 has no VirtualHosts
Restarting web server: apache2 ... waiting ..
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -Y 1 -O clf:/var/log/pure-ftpd/transfer.log -u 1000 -H -A -b -E -8 UTF-8 -D -B
Update finished.

As you can see, there is no mention of Bastille at all.

There is no bastille start script either:
Code:

# ls -la /etc/init.d/bast*
ls: cannot access /etc/init.d/bast*: No such file or directory

I'm still without firewall:
Code:

#  iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       

Chain fail2ban-courierimap (0 references)
target    prot opt source              destination       

Chain fail2ban-courierimaps (0 references)
target    prot opt source              destination       

Chain fail2ban-courierpop3 (0 references)
target    prot opt source              destination       

Chain fail2ban-courierpop3s (0 references)
target    prot opt source              destination       

Chain fail2ban-pureftpd (0 references)
target    prot opt source              destination       

Chain fail2ban-sasl (0 references)
target    prot opt source              destination       

Chain fail2ban-ssh (0 references)
target    prot opt source              destination

I've tried rebooting the server, with no success; still no firewall.

I'm at my wits' end: why isn't ispconfig installing bastille?

till 11th April 2012 07:33

The Bastille firewall script is part of ispconfig and gets installed when you create the first firewall record for your server. Installing a bastille package manually can corrupt the setup and cause ispconfig to be unable to manage a firewall on your server.

Login to ISPConfig, go to System > Firewall > basic, add a firewall record for the server and press save.

Davide 11th April 2012 16:02

I've deleted the existing firewall rule and created a new one:
Code:

2012-04-11 13:30        machine.domain.com        Debug        Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock       
2012-04-11 13:30        machine.domain.com        Debug        Processed datalog_id 11860       
2012-04-11 13:30        machine.domain.com        Debug        Restarting the firewall       
2012-04-11 13:30        machine.domain.com        Debug        Writing firewall configuration /etc/Bastille/bastille-firewall.cfg       
2012-04-11 13:30        machine.domain.com        Debug        Calling function 'insert' from plugin 'firewall_plugin' raised by event 'firewall_insert'.       
2012-04-11 13:30        machine.domain.com        Debug        Found 1 changes, starting update process.       
2012-04-11 13:30        machine.domain.com        Debug        Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock

but still no firewall:
Code:

iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       

Chain fail2ban-courierimap (0 references)
target    prot opt source              destination       
RETURN    all  --  anywhere            anywhere           

Chain fail2ban-courierimaps (0 references)
target    prot opt source              destination       
RETURN    all  --  anywhere            anywhere           

Chain fail2ban-courierpop3 (0 references)
target    prot opt source              destination       
RETURN    all  --  anywhere            anywhere           

Chain fail2ban-courierpop3s (0 references)
target    prot opt source              destination       
RETURN    all  --  anywhere            anywhere           

Chain fail2ban-pureftpd (0 references)
target    prot opt source              destination       

Chain fail2ban-sasl (0 references)
target    prot opt source              destination       

Chain fail2ban-ssh (0 references)
target    prot opt source              destination       
RETURN    all  --  anywhere            anywhere

and no trace of bastille in /etc except the conf file:
Code:

# ls -la /etc/Bastille/bastille-firewall.cfg
-rw-r--r-- 1 root root 14373 Apr 11 15:43 /etc/Bastille/bastille-firewall.cfg
# find /etc -name "*astill*"
./Bastille
./Bastille/bastille-firewall.cfg

It seems the /etc/init.d and rc.X entries are missing because of the deinstallation of lenny's bastille.

Davide 11th April 2012 16:09

Please tell me if what I've done is correct:

Code:

cp ispconfig3_install/install/apps/bastille-netfilter /sbin
cp ispconfig3_install/install/apps/bastille-ipchains /sbin
chmod 700 /sbin/bastille-*

cp ispconfig3_install/install/apps/bastille-firewall /etc/init.d
chmod 700 /etc/init.d/bastille-firewall

Now I can start and stop bastille with
Code:

/etc/init.d/bastille-firewall [stop|start]

I suppose I have to symlink /etc/init.d/bastille-firewall into /etc/rc2.d, because there is no ispconfig start script as there used to be in ispconfig2.

Am I right?

Davide 11th April 2012 16:21

Does the ispconfig3 installation create symlinks in /etc/rcX.d?
If yes, which ones?

Thank you!
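An added example (shell; not code from the thread or from ISPConfig) that audits the state this thread debugs: the files Davide copied into /sbin and /etc/init.d, the rcX.d start links he asks about, and whether `iptables -L` output shows Bastille's DROP policy and PUB_IN chain or the open ACCEPT state left after purging the lenny package. The runlevel directories checked, the ROOT prefix and the three state labels are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or ISPConfig: audit the pieces the thread
# shows ISPConfig's Bastille integration depending on, and classify `iptables -L`
# output. ROOT (default "/") is an assumed prefix so checks can run on a test tree.
# Files Davide copied from ispconfig3_install/install/apps, plus the config
# ISPConfig writes. Prints each missing path; returns 0 only if all exist.
check_bastille_files() {
    root="${1:-/}"
    missing=0
    for f in etc/Bastille/bastille-firewall.cfg sbin/bastille-netfilter \
             sbin/bastille-ipchains etc/init.d/bastille-firewall; do
        if [ ! -e "$root/$f" ]; then
            echo "missing: /$f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Count S* start links for the init script in rc2.d..rc5.d (Debian's multi-user
# runlevels; an assumption for this check). 0 means no firewall after a reboot.
count_rc_links() {
    root="${1:-/}"
    n=0
    for d in "$root"/etc/rc2.d "$root"/etc/rc3.d "$root"/etc/rc4.d "$root"/etc/rc5.d; do
        for l in "$d"/S*bastille-firewall; do
            [ -L "$l" ] && n=$((n + 1))
        done
    done
    echo "$n"
}

# Reads `iptables -L` output on stdin. Bastille's ruleset is loaded when INPUT
# defaults to DROP and the PUB_IN chain exists; "policy ACCEPT" with only the
# fail2ban chains left (the state after purging the lenny package) means open.
firewall_state() {
    awk '/^Chain INPUT \(policy DROP\)/ { drop = 1 }
         /^Chain PUB_IN /               { pub = 1 }
         END { if (drop && pub) print "bastille-active"
               else if (drop)  print "drop-policy-without-bastille-chains"
               else            print "no-firewall" }'
}

# Constructed samples (abridged) mirroring the two states pasted in the thread.
SAMPLE_ACTIVE='Chain INPUT (policy DROP)
PUB_IN    all  --  anywhere  anywhere

Chain PUB_IN (5 references)
PAROLE    tcp  --  anywhere  anywhere   tcp dpt:ssh'
SAMPLE_OPEN='Chain INPUT (policy ACCEPT)
target    prot opt source    destination

Chain fail2ban-ssh (0 references)'

# Live run (iptables needs root): sh bastille-check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_bastille_files / && echo "all Bastille files present"
    echo "rc start links: $(count_rc_links /)"
    iptables -L 2>/dev/null | firewall_state
fi
```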

