Bastille on Debian squeeze

Discussion in 'Installation/Configuration' started by Davide, Apr 7, 2012.

  1. Davide

    Davide New Member HowtoForge Supporter

    Hi, list

There is no bastille package in Debian stable (squeeze). My installation is an update from lenny to squeeze, so I only realised when I had to deinstall it while trying to make bastille start with the system.

I have installed bastille from lenny, and it seems to work OK now, but I don't like the idea of having lenny packages in squeeze.

Is there any other recommended way to install bastille in squeeze?
Why is bastille not mentioned in any of the Perfect Setup guides for Debian squeeze?

    Thank you
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Bastille comes with ISPConfig, so you don't need to install it.
     
  3. Davide

    Davide New Member HowtoForge Supporter

I've tried to update ispconfig3 after deinstalling bastille, with no success. Bastille was not mentioned at all.

    With lenny package, ispconfig 3 is updating /etc/Bastille/bastille-firewall.cfg.

How could I reactivate the bastille included with ISPConfig3?
     
  4. Davide

    Davide New Member HowtoForge Supporter

    Anyone?

    I think I have found the origin of my mistake. My initial installation was following this perfect setup.
    I suppose I've trusted this comment so I installed Lenny's bastille.

Is reinstalling ispconfig the only solution for bringing back bastille after deinstalling the debian package?
     
  5. falko

    falko Super Moderator ISPConfig Developer

    I'm not sure what is wrong with your system right now, but you can simply try an ISPConfig upgrade. Download the latest version, go to the install dir and run
    Code:
    php update.php
     
  6. Davide

    Davide New Member HowtoForge Supporter

    I'll try to explain:

    This was my actual situation (lenny's bastille installed):

    Code:
    # apt-cache policy bastille
    bastille:
      Instalados: 1:2.1.1-13
      Candidato:  1:2.1.1-13
      Tabla de versión:
     *** 1:2.1.1-13 0
            100 /var/lib/dpkg/status
    # /etc/init.d/bastille-firewall restart                                                                                                                                
    Setting up IP spoofing protection... done.                                                                                                                                    
    Allowing traffic from trusted interfaces... done.                                                                                                                             
    Setting up chains for public/internal interface traffic... done.                                                                                                              
    Setting up general rules... done.                                                                                                                                             
    Setting up outbound rules... done.
    # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    DROP       tcp  --  anywhere             loopback/8          
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    ACCEPT     all  --  anywhere             anywhere            
    DROP       all  --  base-address.mcast.net/4  anywhere            
    PUB_IN     all  --  anywhere             anywhere            
    PUB_IN     all  --  anywhere             anywhere            
    PUB_IN     all  --  anywhere             anywhere            
    PUB_IN     all  --  anywhere             anywhere            
    PUB_IN     all  --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    DROP       all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    PUB_OUT    all  --  anywhere             anywhere            
    PUB_OUT    all  --  anywhere             anywhere            
    PUB_OUT    all  --  anywhere             anywhere            
    PUB_OUT    all  --  anywhere             anywhere            
    PUB_OUT    all  --  anywhere             anywhere            
    
    Chain INT_IN (0 references)
    target     prot opt source               destination         
    ACCEPT     icmp --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    
    Chain INT_OUT (0 references)
    target     prot opt source               destination         
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain PAROLE (14 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain PUB_IN (5 references)
    target     prot opt source               destination         
    ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp-data 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imap2 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:submission 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imaps 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3s 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql 
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:webmin 
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:mysql 
    DROP       icmp --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    
    Chain PUB_OUT (5 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain fail2ban-courierimap (0 references)
    target     prot opt source               destination         
    
    Chain fail2ban-courierpop3 (0 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            
    
    Chain fail2ban-courierpop3s (0 references)
    target     prot opt source               destination         
    
    Chain fail2ban-pureftpd (0 references)
    target     prot opt source               destination         
    
    Chain fail2ban-sasl (0 references)
    target     prot opt source               destination         
    
    Chain fail2ban-ssh (0 references)
    target     prot opt source               destination
    
    As you can see, Bastille is working.

    So, I'm going to deinstall lenny's bastille:
    Code:
    apt-get remove --purge bastille
    Leyendo lista de paquetes... Hecho
    Creando árbol de dependencias       
    Leyendo la información de estado... Hecho
    El paquete indicado a continuación se instaló de forma automática y ya no es necesarios.
      libcurses-perl
    Utilice «apt-get autoremove» para eliminarlos.
    Los siguientes paquetes se ELIMINARÁN:
      bastille*
    0 actualizados, 0 se instalarán, 1 para eliminar y 0 no actualizados.
    Se liberarán 1544 kB después de esta operación.
    ¿Desea continuar [S/n]? 
    (Leyendo la base de datos ... 56812 ficheros o directorios instalados actualmente.)
    Desinstalando bastille ...
    Stopping Bastille firewall..
    WARNING: reverting to default settings (dropping firewall)
    disabling IP forwarding... done.
    unloading masquerading modules... done.
    resetting default input rules to accept... done.
    resetting default output rule to accept... done.
    resetting default forward rule to accept... done.
    flushing INPUT rules... done.
    flushing OUTPUT rules... done.
    flushing FORWARD rules... done.
    removing user-defined chains... done.
    done.
    Purgando ficheros de configuración de bastille ...
    insserv: warning: script 'K01jailkit' missing LSB tags and overrides
    insserv: warning: script 'jailkit' missing LSB tags and overrides
    Procesando disparadores para man-db ...
    
so I have no firewall now:
    Code:
    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain fail2ban-courierimap (0 references)
    target     prot opt source               destination         
    
    Chain fail2ban-courierimaps (0 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            
    
    Chain fail2ban-courierpop3 (0 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            
    
    Chain fail2ban-courierpop3s (0 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            
    
    Chain fail2ban-pureftpd (0 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            
    
    Chain fail2ban-ssh (0 references)
    target     prot opt source               destination
    
    So I'm going to update ispconfig. I'm going to do a REAL update from 3.0.4.3 to 3.0.4.4:
    Code:
    
    # ispconfig_update.sh 
    
    
    --------------------------------------------------------------------------------
     _____ ___________   _____              __ _       
    |_   _/  ___| ___ \ /  __ \            / _(_)      
      | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _ 
      | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |
     _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| |
     \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, |
                                                  __/ |
                                                 |___/ 
    --------------------------------------------------------------------------------
    
    
    >> Update  
    
    Please choose the update method. For production systems select 'stable'. 
    The update from svn is only for development systems and may break your current setup.
    Note: Update all slave server, before you update master server.
    
    Select update method (stable,svn) [stable]: 
    
    --2012-04-10 22:29:49--  http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
    Resolviendo www.ispconfig.org... 78.46.59.59
    Connecting to www.ispconfig.org|78.46.59.59|:80... conectado.
    Petición HTTP enviada, esperando respuesta... 200 OK
    Longitud: 2697357 (2,6M) [application/x-gzip]
    Saving to: `ISPConfig-3-stable.tar.gz'
    
    100%[====================================================================================================================================>] 2.697.357   5,49M/s   in 0,5s    
    
    2012-04-10 22:29:49 (5,49 MB/s) - `ISPConfig-3-stable.tar.gz' saved [2697357/2697357]
    
    ispconfig3_install/
    ispconfig3_install/server/
    ispconfig3_install/server/server.php
    [..]
    ispconfig3_install/helper_scripts/setup_in_openvz/recreate_ssh_and_hostname.sh
    ispconfig3_install/helper_scripts/setup_in_openvz/diff_openssl.cnf
    
    
    --------------------------------------------------------------------------------
     _____ ___________   _____              __ _         ____
    |_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
      | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
      | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
     _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
     \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                                  __/ |
                                                 |___/ 
    --------------------------------------------------------------------------------
    
    
    >> Update  
    
    Operating System: Debian 6.0 (Squeeze/Sid) or compatible
    
    This application will update ISPConfig 3 on your server.
    
    Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: 
    
    Creating backup of "/usr/local/ispconfig" directory...
    Creating backup of "/etc" directory...
    Checking ISPConfig database .. OK
    Starting incremental database update.
    Reconfigure Permissions in master database? (yes,no) [no]: 
    
    Reconfigure Services? (yes,no) [yes]: 
    
    Configuring Postfix
    Configuring Mailman
    Configuring Jailkit
    Configuring SASL
    Configuring PAM
    Configuring Courier
    Configuring Spamassassin
    Configuring Amavisd
    Configuring Getmail
    Configuring Pureftpd
    Configuring BIND
    Configuring Apache
    Configuring vlogger
    Configuring Apps vhost
    Configuring Database
    Updating ISPConfig
    ISPConfig Port [443]: 
    
    Create new ISPConfig SSL certificate (yes,no) [no]: 
    
    Reconfigure Crontab? (yes,no) [yes]: 
    
    Updating Crontab
    Restarting services ...
    Stopping MySQL database server: mysqld.
    Starting MySQL database server: mysqld.
    Checking for corrupt, not cleanly closed and upgrade needing tables..
    Stopping Postfix Mail Transport Agent: postfix.
    Starting Postfix Mail Transport Agent: postfix.
    Stopping SASL Authentication Daemon: saslauthd.
    Starting SASL Authentication Daemon: saslauthd.
    Stopping amavisd: amavisd-new.
    Starting amavisd: amavisd-new.
    Stopping ClamAV daemon: clamd.
    Starting ClamAV daemon: clamd .
    Stopping Courier authentication services: authdaemond.
    Starting Courier authentication services: authdaemond.
    Stopping Courier IMAP server: imapd.
    Starting Courier IMAP server: imapd.
    Stopping Courier IMAP-SSL server: imapd-ssl.
    Starting Courier IMAP-SSL server: imapd-ssl.
    Stopping Courier POP3 server: pop3d.
    Starting Courier POP3 server: pop3d.
    Stopping Courier POP3-SSL server: pop3d-ssl.
    Starting Courier POP3-SSL server: pop3d-ssl.
    [Tue Apr 10 22:31:01 2012] [warn] NameVirtualHost 82.98.148.78:443 has no VirtualHosts
    [Tue Apr 10 22:31:01 2012] [warn] NameVirtualHost *:80 has no VirtualHosts
    [Tue Apr 10 22:31:04 2012] [warn] NameVirtualHost 82.98.148.78:443 has no VirtualHosts
    [Tue Apr 10 22:31:04 2012] [warn] NameVirtualHost *:80 has no VirtualHosts
    Restarting web server: apache2 ... waiting ..
    Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -Y 1 -O clf:/var/log/pure-ftpd/transfer.log -u 1000 -H -A -b -E -8 UTF-8 -D -B
    Update finished.
    
As you can see, there is no mention of Bastille at all.

There is no bastille start script either:
    Code:
    # ls -la /etc/init.d/bast*
    ls: cannot access /etc/init.d/bast*: No such file or directory
    
    I'm still without firewall:
    Code:
    #  iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain fail2ban-courierimap (0 references)
    target     prot opt source               destination         
    
    Chain fail2ban-courierimaps (0 references)
    target     prot opt source               destination         
    
    Chain fail2ban-courierpop3 (0 references)
    target     prot opt source               destination         
    
    Chain fail2ban-courierpop3s (0 references)
    target     prot opt source               destination         
    
    Chain fail2ban-pureftpd (0 references)
    target     prot opt source               destination         
    
    Chain fail2ban-sasl (0 references)
    target     prot opt source               destination         
    
    Chain fail2ban-ssh (0 references)
    target     prot opt source               destination 
I've tried to reboot the server, with no success, still no firewall.

I'm at my wits' end, why isn't ispconfig installing bastille?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

The Bastille firewall script is part of ispconfig and gets installed when you create the first firewall record for your server. Installing a bastille package manually can corrupt the setup and cause ispconfig to be unable to manage a firewall on your server.

    Login to ISPConfig, go to System > Firewall > basic, add a firewall record for the server and press save.
     
  8. Davide

    Davide New Member HowtoForge Supporter

    I've deleted existing firewall rule, and created a new one:
    Code:
    2012-04-11 13:30 	machine.domain.com 	Debug 	Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock 	
    2012-04-11 13:30 	machine.domain.com 	Debug 	Processed datalog_id 11860 	
    2012-04-11 13:30 	machine.domain.com 	Debug 	Restarting the firewall 	
    2012-04-11 13:30 	machine.domain.com 	Debug 	Writing firewall configuration /etc/Bastille/bastille-firewall.cfg 	
    2012-04-11 13:30 	machine.domain.com 	Debug 	Calling function 'insert' from plugin 'firewall_plugin' raised by event 'firewall_insert'. 	
    2012-04-11 13:30 	machine.domain.com 	Debug 	Found 1 changes, starting update process. 	
    2012-04-11 13:30 	machine.domain.com 	Debug 	Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    
    but still no firewall:
    Code:
    iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain fail2ban-courierimap (0 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            
    
    Chain fail2ban-courierimaps (0 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            
    
    Chain fail2ban-courierpop3 (0 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            
    
    Chain fail2ban-courierpop3s (0 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            
    
    Chain fail2ban-pureftpd (0 references)
    target     prot opt source               destination         
    
    Chain fail2ban-sasl (0 references)
    target     prot opt source               destination         
    
    Chain fail2ban-ssh (0 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere
    
and no trace of bastille in /etc except the conf file:
    Code:
    # ls -la /etc/Bastille/bastille-firewall.cfg
    -rw-r--r-- 1 root root 14373 Apr 11 15:43 /etc/Bastille/bastille-firewall.cfg
    # find /etc -name "*astill*"
    ./Bastille
    ./Bastille/bastille-firewall.cfg
    
It seems the /etc/init.d and rc.X entries are missing because of the deinstallation of lenny's bastille.
     
  9. Davide

    Davide New Member HowtoForge Supporter

    Please, tell me if this I've done is correct:

    Code:
    cp ispconfig3_install/install/apps/bastille-netfilter /sbin
    cp ispconfig3_install/install/apps/bastille-ipchains /sbin
    chmod 700 /sbin/bastille-*
    
    cp ispconfig3_install/install/apps/bastille-firewall /etc/init.d
    chmod 700 /etc/init.d/bastille-firewall 
    
    Now I can start and stop bastille with
    Code:
    /etc/init.d/bastille-firewall [stop|start]
    
I suppose I have to softlink /etc/init.d/bastille-firewall into /etc/rc2.d, because there is no ispconfig start script as there used to be in ispconfig2.

    Am I right?
     
  10. Davide

    Davide New Member HowtoForge Supporter

Does the ispconfig3 installation create symlinks in /etc/rcX.d?
If yes, which ones?

    Thank you!
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    run:

    update-rc.d bastille-firewall defaults

    to recreate the symlinks if you removed them.
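Added check script (editorial addition, not code from the thread or from ISPConfig) that verifies the three things posts 9 and 11 put back by hand: the init script and helper copied from the tarball, the rcX.d symlinks created by `update-rc.d bastille-firewall defaults`, and a loaded ruleset in `iptables -L` output. The root directory is a parameter (assumed to be `/` on a real server) so the functions can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Verify that the ISPConfig-managed Bastille firewall is wired in.
# ROOT defaults to "/"; pass a different path to check a staged tree.

# check_bastille_files ROOT
# 0 when the init script, the netfilter helper and the config exist and
# the scripts are executable (the files the thread copies to /etc/init.d
# and /sbin from ispconfig3_install/install/apps).
check_bastille_files() {
    root=${1:-/}
    init="$root/etc/init.d/bastille-firewall"
    helper="$root/sbin/bastille-netfilter"
    cfg="$root/etc/Bastille/bastille-firewall.cfg"
    [ -x "$init" ]   || { echo "missing or not executable: $init"; return 1; }
    [ -x "$helper" ] || { echo "missing or not executable: $helper"; return 1; }
    [ -f "$cfg" ]    || { echo "missing config: $cfg"; return 1; }
    return 0
}

# check_rc_links ROOT
# 0 when at least one S??bastille-firewall symlink exists in a multi-user
# runlevel directory, i.e. what "update-rc.d bastille-firewall defaults" creates.
check_rc_links() {
    root=${1:-/}
    for lvl in 2 3 4 5; do
        for link in "$root"/etc/rc$lvl.d/S[0-9][0-9]bastille-firewall; do
            [ -L "$link" ] && return 0
        done
    done
    echo "no S* symlink for bastille-firewall in $root/etc/rc[2-5].d"
    return 1
}

# check_ruleset TEXT
# 0 when TEXT (the output of "iptables -L") shows the Bastille layout from
# the thread: INPUT policy DROP and a PUB_IN chain. An empty ruleset with
# policy ACCEPT, as seen after the purge, fails.
check_ruleset() {
    printf '%s\n' "$1" | grep -q '^Chain INPUT (policy DROP)' \
        || { echo "INPUT policy is not DROP: firewall not active"; return 1; }
    printf '%s\n' "$1" | grep -q '^Chain PUB_IN' \
        || { echo "no PUB_IN chain: Bastille rules not loaded"; return 1; }
    return 0
}

# Live run against the real system: sh check_bastille.sh --live
if [ "${1:-}" = "--live" ]; then
    check_bastille_files / && check_rc_links / \
        && check_ruleset "$(iptables -L -n)" \
        && echo "Bastille firewall is installed, enabled at boot and active"
fi
```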
     
  12. Davide

    Davide New Member HowtoForge Supporter

    Thank you!
    This solves my firewalling problems ;)

    Only one last question
Investigating the install/update scripts, I've found references to server.ini, but I cannot find that file on my server.

    Might this be why ispconfig was not automagically installing bastille on updates?

    It did in the past, I can see it in ispconfig_install.log, but it stopped doing it, probably when by mistake I ran update from panel instead of using update script.

    If this file must exist, how could I regenerate it?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

server.ini is in the ispconfig tar.gz in the install/tpl/ folder, it is not used during runtime so you won't find it in your install.

No. The firewall is installed / enabled when you create a firewall record in ispconfig for that server and not when you install ispconfig. See the firewall plugin, not the installer.
     