bastille with linux next kernel

Discussion in 'Installation/Configuration' started by dynamind, Oct 22, 2011.

  1. dynamind

    dynamind Member

    bastille with linux next kernel not working - webserver hacked/stopped/killed

    I compiled a fresh linux next kernel. Now at bootup it shows bastille can't be activated. Restarting it manually shows:

    /sbin/bastille-ipchains: Zeile 442: /sbin/ipchains: Datei oder Verzeichnis nicht gefunden
    /sbin/bastille-ipchains: Zeile 459: /sbin/ipchains: Datei oder Verzeichnis nicht gefunden
    /sbin/bastille-ipchains: Zeile 459: /sbin/ipchains: Datei oder Verzeichnis nicht gefunden
    /sbin/bastille-ipchains: Zeile 459: /sbin/ipchains: Datei oder Verzeichnis nicht gefunden
    /sbin/bastille-ipchains: Zeile 459: /sbin/ipchains: Datei oder Verzeichnis nicht gefunden
    /sbin/bastille-ipchains: Zeile 464: /sbin/ipchains: Datei oder Verzeichnis nicht gefunden
    /sbin/bastille-ipchains: Zeile 464: /sbin/ipchains: Datei oder Verzeichnis nicht gefunden
    /sbin/bastille-ipchains: Zeile 464: /sbin/ipchains: Datei oder Verzeichnis nicht gefunden
    /sbin/bastille-ipchains: Zeile 464: /sbin/ipchains: Datei oder Verzeichnis nicht gefunden
    /sbin/bastille-ipchains: Zeile 464: /sbin/ipchains: Datei oder Verzeichnis nicht gefunden

    In the Debian packages, Bastille is not listed for squeeze. So I downloaded the Bastille sources and started the install.sh script - it shows DB6.0 is not supported.

    Maybe one of you knows how to regain a functional bastille-firewall.

    Update: perfect, the webserver has been hacked/stopped overnight. Can you please answer this issue?
     
    Last edited: Oct 23, 2011
  2. falko

    falko Super Moderator ISPConfig Developer

    Bastille is just an iptables (kernel 2.4 and newer)/ipchains (kernel 2.2) wrapper script that comes with ISPConfig, so all you need is iptables/ipchains. Make sure you compiled your kernel with iptables support.
     
  3. dynamind

    dynamind Member

    CONFIG_IP_NF_QUEUE=m
    CONFIG_IP_NF_IPTABLES=m
    CONFIG_IP_NF_MATCH_AH=m
    CONFIG_IP_NF_MATCH_ECN=m
    CONFIG_IP_NF_MATCH_TTL=m
    CONFIG_IP_NF_FILTER=m
    CONFIG_IP_NF_TARGET_REJECT=m
    CONFIG_IP_NF_TARGET_LOG=m
    CONFIG_IP_NF_TARGET_ULOG=m
    CONFIG_IP_NF_TARGET_MASQUERADE=m
    CONFIG_IP_NF_TARGET_NETMAP=m
    CONFIG_IP_NF_TARGET_REDIRECT=m
    CONFIG_IP_NF_MANGLE=m
    CONFIG_IP_NF_TARGET_CLUSTERIP=m
    CONFIG_IP_NF_TARGET_ECN=m
    CONFIG_IP_NF_TARGET_TTL=m
    CONFIG_IP_NF_RAW=m
    CONFIG_IP_NF_SECURITY=m
    CONFIG_IP_NF_ARPTABLES=m
    CONFIG_IP_NF_ARPFILTER=m
    CONFIG_IP_NF_ARP_MANGLE=m

    I used the original config-2.6.32-5-686 for compilation; it looks like it's supported. iptables -L shows:


    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
    fail2ban-courierpop3 tcp -- anywhere anywhere multiport dports pop3
    fail2ban-courierimaps tcp -- anywhere anywhere multiport dports imaps
    fail2ban-sasl tcp -- anywhere anywhere multiport dports smtp
    fail2ban-pureftpd tcp -- anywhere anywhere multiport dports ftp
    fail2ban-courierimap tcp -- anywhere anywhere multiport dports imap2

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain fail2ban-courierimap (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-courierimaps (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-courierpop3 (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-pureftpd (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-sasl (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-ssh (1 references)
    target prot opt source destination
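
The two checks this thread turns on, as an added example that is not part of the original posts: whether a kernel config enables the iptables symbols, and whether an `iptables -L` listing contains any filtering beyond ACCEPT policies. The function names and sample inputs are assumptions, constructed for illustration and modelled on the output posted above.

```sh
# Added example, not from the thread. Sample inputs are constructed,
# modelled on the config lines and listing posted above.

# nf_symbol_state SYMBOL: reads a kernel config on stdin and prints
# builtin, module or missing for that symbol.
nf_symbol_state() {
    awk -F= -v sym="$1" '
        $1 == sym { state = ($2 == "y") ? "builtin" : (($2 == "m") ? "module" : "missing") }
        END { if (state == "") state = "missing"; print state }
    '
}

# ruleset_summary: reads `iptables -L` output on stdin; prints built-in
# chains whose policy is ACCEPT and the number of DROP/REJECT rules.
ruleset_summary() {
    awk '
        $1 == "Chain" && $3 == "(policy" {
            p = $4; sub(/\)$/, "", p)
            if (p == "ACCEPT") acc = (acc == "" ? $2 : acc "," $2)
            next
        }
        $1 == "DROP" || $1 == "REJECT" { blocking++ }
        END { printf "accept_policy=%s blocking_rules=%d\n", acc, blocking }
    '
}

sample_config() {   # constructed sample
    printf '%s\n' 'CONFIG_IP_NF_IPTABLES=m' 'CONFIG_IP_NF_FILTER=m' \
                  '# CONFIG_IP6_NF_FILTER is not set'
}

sample_listing() {  # constructed sample
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Chain fail2ban-ssh (1 references)
RETURN all -- anywhere anywhere
EOF
}

for s in CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP6_NF_FILTER; do
    echo "$s: $(sample_config | nf_symbol_state "$s")"
done
sample_listing | ruleset_summary
# -> accept_policy=INPUT,FORWARD,OUTPUT blocking_rules=0
```

On a live system, feed the functions real input, for example `nf_symbol_state CONFIG_IP_NF_IPTABLES < "/boot/config-$(uname -r)"` and `iptables -L -n | ruleset_summary`. A symbol reported as `module` only helps if that module is installed and loadable for the running kernel.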
     
