11th April 2012, 01:40
Davide

I'll try to explain:

This was my actual situation (lenny's bastille installed):

Code:
# apt-cache policy bastille
bastille:
  Instalados: 1:2.1.1-13
  Candidato:  1:2.1.1-13
  Tabla de versión:
 *** 1:2.1.1-13 0
        100 /var/lib/dpkg/status
# /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       tcp  --  anywhere             loopback/8          
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  base-address.mcast.net/4  anywhere            
PUB_IN     all  --  anywhere             anywhere            
PUB_IN     all  --  anywhere             anywhere            
PUB_IN     all  --  anywhere             anywhere            
PUB_IN     all  --  anywhere             anywhere            
PUB_IN     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
PUB_OUT    all  --  anywhere             anywhere            
PUB_OUT    all  --  anywhere             anywhere            
PUB_OUT    all  --  anywhere             anywhere            
PUB_OUT    all  --  anywhere             anywhere            
PUB_OUT    all  --  anywhere             anywhere            

Chain INT_IN (0 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain INT_OUT (0 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain PAROLE (14 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain PUB_IN (5 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp-data 
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp 
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh 
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp 
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain 
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www 
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3 
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imap2 
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https 
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:submission 
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imaps 
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3s 
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql 
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:webmin 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:mysql 
DROP       icmp --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain PUB_OUT (5 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain fail2ban-courierimap (0 references)
target     prot opt source               destination         

Chain fail2ban-courierpop3 (0 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-courierpop3s (0 references)
target     prot opt source               destination         

Chain fail2ban-pureftpd (0 references)
target     prot opt source               destination         

Chain fail2ban-sasl (0 references)
target     prot opt source               destination         

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
As you can see, Bastille is working.

So, I'm going to deinstall lenny's bastille:
Code:
apt-get remove --purge bastille
Leyendo lista de paquetes... Hecho
Creando árbol de dependencias       
Leyendo la información de estado... Hecho
El paquete indicado a continuación se instaló de forma automática y ya no es necesarios.
  libcurses-perl
Utilice «apt-get autoremove» para eliminarlos.
Los siguientes paquetes se ELIMINARÁN:
  bastille*
0 actualizados, 0 se instalarán, 1 para eliminar y 0 no actualizados.
Se liberarán 1544 kB después de esta operación.
¿Desea continuar [S/n]? 
(Leyendo la base de datos ... 56812 ficheros o directorios instalados actualmente.)
Desinstalando bastille ...
Stopping Bastille firewall..
WARNING: reverting to default settings (dropping firewall)
disabling IP forwarding... done.
unloading masquerading modules... done.
resetting default input rules to accept... done.
resetting default output rule to accept... done.
resetting default forward rule to accept... done.
flushing INPUT rules... done.
flushing OUTPUT rules... done.
flushing FORWARD rules... done.
removing user-defined chains... done.
done.
Purgando ficheros de configuración de bastille ...
insserv: warning: script 'K01jailkit' missing LSB tags and overrides
insserv: warning: script 'jailkit' missing LSB tags and overrides
Procesando disparadores para man-db ...
So I have no firewall now:
Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-courierimap (0 references)
target     prot opt source               destination         

Chain fail2ban-courierimaps (0 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-courierpop3 (0 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-courierpop3s (0 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-pureftpd (0 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
So I'm going to update ispconfig. I'm going to do a REAL update from 3.0.4.3 to 3.0.4.4:
Code:
# ispconfig_update.sh 


--------------------------------------------------------------------------------
 _____ ___________   _____              __ _       
|_   _/  ___| ___ \ /  __ \            / _(_)      
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _ 
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| |
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, |
                                              __/ |
                                             |___/ 
--------------------------------------------------------------------------------


>> Update  

Please choose the update method. For production systems select 'stable'. 
The update from svn is only for development systems and may break your current setup.
Note: Update all slave server, before you update master server.

Select update method (stable,svn) [stable]: 

--2012-04-10 22:29:49--  http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
Resolviendo www.ispconfig.org... 78.46.59.59
Connecting to www.ispconfig.org|78.46.59.59|:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 2697357 (2,6M) [application/x-gzip]
Saving to: `ISPConfig-3-stable.tar.gz'

100%[====================================================================================================================================>] 2.697.357   5,49M/s   in 0,5s    

2012-04-10 22:29:49 (5,49 MB/s) - `ISPConfig-3-stable.tar.gz' saved [2697357/2697357]

ispconfig3_install/
ispconfig3_install/server/
ispconfig3_install/server/server.php
[..]
ispconfig3_install/helper_scripts/setup_in_openvz/recreate_ssh_and_hostname.sh
ispconfig3_install/helper_scripts/setup_in_openvz/diff_openssl.cnf


--------------------------------------------------------------------------------
 _____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                              __/ |
                                             |___/ 
--------------------------------------------------------------------------------


>> Update  

Operating System: Debian 6.0 (Squeeze/Sid) or compatible

This application will update ISPConfig 3 on your server.

Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: 

Creating backup of "/usr/local/ispconfig" directory...
Creating backup of "/etc" directory...
Checking ISPConfig database .. OK
Starting incremental database update.
Reconfigure Permissions in master database? (yes,no) [no]: 

Reconfigure Services? (yes,no) [yes]: 

Configuring Postfix
Configuring Mailman
Configuring Jailkit
Configuring SASL
Configuring PAM
Configuring Courier
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring vlogger
Configuring Apps vhost
Configuring Database
Updating ISPConfig
ISPConfig Port [443]: 

Create new ISPConfig SSL certificate (yes,no) [no]: 

Reconfigure Crontab? (yes,no) [yes]: 

Updating Crontab
Restarting services ...
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
Stopping SASL Authentication Daemon: saslauthd.
Starting SASL Authentication Daemon: saslauthd.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
Stopping ClamAV daemon: clamd.
Starting ClamAV daemon: clamd .
Stopping Courier authentication services: authdaemond.
Starting Courier authentication services: authdaemond.
Stopping Courier IMAP server: imapd.
Starting Courier IMAP server: imapd.
Stopping Courier IMAP-SSL server: imapd-ssl.
Starting Courier IMAP-SSL server: imapd-ssl.
Stopping Courier POP3 server: pop3d.
Starting Courier POP3 server: pop3d.
Stopping Courier POP3-SSL server: pop3d-ssl.
Starting Courier POP3-SSL server: pop3d-ssl.
[Tue Apr 10 22:31:01 2012] [warn] NameVirtualHost 82.98.148.78:443 has no VirtualHosts
[Tue Apr 10 22:31:01 2012] [warn] NameVirtualHost *:80 has no VirtualHosts
[Tue Apr 10 22:31:04 2012] [warn] NameVirtualHost 82.98.148.78:443 has no VirtualHosts
[Tue Apr 10 22:31:04 2012] [warn] NameVirtualHost *:80 has no VirtualHosts
Restarting web server: apache2 ... waiting ..
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -Y 1 -O clf:/var/log/pure-ftpd/transfer.log -u 1000 -H -A -b -E -8 UTF-8 -D -B
Update finished.
As you can see, there is no mention of Bastille at all.

There is no bastille start script either:
Code:
# ls -la /etc/init.d/bast*
ls: cannot access /etc/init.d/bast*: No such file or directory
I'm still without a firewall:
Code:
#  iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-courierimap (0 references)
target     prot opt source               destination         

Chain fail2ban-courierimaps (0 references)
target     prot opt source               destination         

Chain fail2ban-courierpop3 (0 references)
target     prot opt source               destination         

Chain fail2ban-courierpop3s (0 references)
target     prot opt source               destination         

Chain fail2ban-pureftpd (0 references)
target     prot opt source               destination         

Chain fail2ban-sasl (0 references)
target     prot opt source               destination         

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
I've tried to reboot the server, with no success; still no firewall.

I'm at my very end. Why is ispconfig not installing bastille?
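A check for the firewall state shown in this post, added here as an example and not part of the original thread: it parses `iptables -L` text and reports built-in chains left at policy ACCEPT with no rules, plus user-defined chains that have 0 references. The function names and the sample listing are constructed for illustration.

```python
import re

# Constructed sample, trimmed to the shape of the post-purge `iptables -L` listing.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
"""

# Built-in chains print "(policy X)", user-defined chains print "(N references)".
HEADER = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)")


def parse_chains(listing):
    """Return {chain: {"policy", "refs", "rules"}} from plain `iptables -L` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = HEADER.match(line)
        if m:
            refs = int(m.group(3)) if m.group(3) is not None else None
            current = {"policy": m.group(2), "refs": refs, "rules": []}
            chains[m.group(1)] = current
        elif current is not None and line.strip() and not line.startswith("target"):
            current["rules"].append(line.strip())  # any non-header line is a rule
    return chains


def audit(listing):
    """List chains that filter nothing: open built-ins and unreferenced user chains."""
    chains = parse_chains(listing)
    findings = []
    for name in ("INPUT", "FORWARD"):
        chain = chains.get(name)
        if chain and chain["policy"] == "ACCEPT" and not chain["rules"]:
            findings.append(f"{name}: policy ACCEPT with no rules")
    for name, chain in chains.items():
        if chain["refs"] == 0:  # no rule jumps to this chain, so it never runs
            findings.append(f"{name}: chain has 0 references")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feeding it the live output of `iptables -L` after a package removal or a panel update gives an empty list only when the built-in chains filter and every user-defined chain is reachable.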