Bastille Linux for Debian 5.0 (lenny)?

I'm new to web server administration, and have been spending the last few days working through the basics of installing a LAMP server on Debian 5.0 with email support, as well as securing it. Currently I've been configuring Apache, iptables, ssh and various other config files by hand. It's been slow going as there's a lot to take in!

I've read here in older threads and in other tutorials about the Bastille Linux (or Unix) module to help beginners learn and configure their OS for security. When I installed it and tried it out, however, it seems it doesn't support Debian 5.0 - which is a bit weird given it downloaded modules marked "lenny".

I'm now not sure whether it's a good idea to try and run it in Debian 4.0 compatibility, as given my unfamiliarity with the deep guts of Debian and the changes between OS versions could do harm. Or whether I give Bastille a miss and go back to trying to fix everything by hand, which has the danger that I might miss something important. Or is there another security hardening package that is better to use with Debian 5.0?

I know I'm learning a lot by tweaking things by hand, but it would be nice to have some automated assurance I haven't done anything stupid with my iptables or left something really unsecure running by default!

14 Replies

Hi trazoi, I'm registering here just to answer your question because I've been tracking that bug and, finally, the solution is done already and waiting to hit Lenny's repository.

As you can read at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510884 the maintainer said:

> We believe that the bug you reported is fixed in the latest version of bastille, which is due to be installed in the Debian FTP archive.

That means it is fixed in Testing, but I don't know when it will arrive in Stable.

In any case, don't 'tweak this thing by hand' ;-)

Thanks! It's good to know I'll be able to try it out sometime soon, although it's a bit annoying I won't be able to use it now, during the week I've dedicated to learning the basics of the server so I can work on the website next week.

I guess I'll stick to learning how to lock things down by hand for now, which I'm hoping will block the majority of what's out there.

Bastille and other similar tools are a help but nothing more than that.

While you're waiting for the package in Lenny, maybe you'll find interesting Securing Debian Manual.

That manual is a work in progress but has some fine ideas and howtos.

@advocatux:

> Bastille and other similar tools are a help but nothing more than that.

I know, but Bastille has a whole bunch of information at each step that tells you why it's doing what it's doing. I was looking forward to a sort of interactive tutorial on security.

Thanks for the link to the security manual. I'll work through it and see what I've missed so far.

You're welcome.

Talking about security a little paranoia is always good. For instance, you can harden your server ports, Apache, CMS, etc and then install a beautiful theme for your CMS with malicious code inside!

http://www.tburns.com/2009/tracking-down-malicious-code-on-a-linux-box/

Unfortunately, I think I might be a bit too paranoid, especially since I'm acutely aware of how little I know about this. :)

Currently my strategy is to: 1) install what I need, 2) learn basic security (alongside step 1), 3) figure out how to monitor everything in case something goes wrong and 4) backup the system so if (when?) the server breaks I can always restart from scratch. Except for a minor point with my email step 1 was really easy, but step 2 is turning out to be a real challenge - mostly because there seems to be about ten different ways to do everything.

Unfortunately, unless it is deemed a security fix, this change will never hit Debian Lenny. The stable version is specifically not updated except to patch security holes. You would have to build it from testing to get it on Lenny (add a deb-src for squeeze in sources.list, sudo apt-get build-dep bastille; sudo apt-get source -b -t testing bastille).

Hello,

I tried to install Bastille on the new Ubuntu 9.04, but it isn't recognized by Bastille.

Any ideas, please?

TIA.

You can simply download the testing package and use it in lenny. That's what I did, and I had no problems.

@Alucard:

> Unfortunately, unless it is deemed a security fix, this change will never hit Debian Lenny. The stable version is specifically not updated except to patch security holes. You would have to build it from testing to get it on Lenny (add a deb-src for squeeze in sources.list, sudo apt-get build-dep bastille; sudo apt-get source -b -t testing bastille).

Ah yes, thanks. I should have known that - that's the reason why I picked Debian over Ubuntu in the first place; they're more conservative about what goes into stable.

I'm a bit hesitant about trying software from testing, but I might make an exception for Bastille.

Although it isn't available yet I presume Bastille will be as a Lenny backport package soon.

http://www.backports.org/

Thanks everyone. With your help I managed to install a runnable version of Bastille. After using aptitude to install the "stable" (but unrunnable) version of Bastille to get the dependencies, I just grabbed the deb package direct from its squeeze repository webpage and used dpkg to install it.

However, although Bastille is runnable, I'm not sure if it's working. The console interface was rather flaky, and some of the key elements it installed don't appear to work - the firewall script is throwing syntax errors, for example. I think with my early tinkering I'd managed to harden down half the stuff it did anyway, and I'm not sure if Bastille decided to revert some of that. Bastille did manage to harden a few permissions and turn on some logging options that were useful, but I fear it's made a pig's breakfast out of some of the rest of the system.

Not that it matters too much, as I'm planning on rebuilding the system from scratch in a few days anyway (this is just a test run to learn the ropes). But I'm on the horns of a dilemma. On the one hand, I trust the Bastille developers to know a lot more about security than me. But on the other, while the automated system did a good job of telling me why it should make the changes, it didn't give me a clue what it was doing, and I'm uncomfortable with that. I'm thinking I might be happier relying on my much simpler hand written changes, where at least I know for sure what, why and how I made each decision I did - although I don't know if that makes me more secure.

I think I might have found an acceptable compromise. The new version of Debian's Bastille has the ability to generate assessment reports (the stable one didn't). With the assessment report, I can look through the current state of my system and see what Bastille flags as a possible security risk. Bastille still doesn't tell me how to fix them myself, but with the power of Google I should be able to find that out. I can thus both secure my system and learn a bit more about the guts of what's going on.

This is an old thread but it was the first thing that came up when I searched for it. And I found a simpler solution than what is presented above. So, I just wanted to share it.

On Debian 5 there are two files that need to be modified after installing the bastille package:

/usr/lib/Bastille/API.pm

/usr/lib/Bastille/IOLoader.pm

Search for DB4.0 and you will see it grouped with the OS compatibility listings. Just add DB5.0 right after the DB4.0 and you're set. At least, it worked fine for me.
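A scripted way to apply the edit described in the reply above, added here as an example rather than taken from the thread or from the Bastille project. The thread does not show how the compatibility listing in `API.pm` and `IOLoader.pm` is actually laid out, so the script assumes each supported release sits on its own line, keeps a `.bak` copy of every file it touches, refuses to run if it cannot find a `DB4.0` line to model the new entry on, and prints a diff so the change can be reviewed before the patched modules are trusted. The `make_sample` file is a constructed stand-in, not the real module.

```shell
#!/bin/sh
# Added example: clone the "DB4.0" entry of a Bastille Perl module as "DB5.0".
# ASSUMPTION: one supported release per line (the real API.pm / IOLoader.pm
# layout is not shown in the thread). Idempotent, backs up first, shows a diff.

add_db50_entry() {
    file="$1"
    # Safe to re-run: do nothing if the file already lists DB5.0.
    if grep -q 'DB5\.0' "$file"; then
        echo "$file: DB5.0 already present, leaving untouched"
        return 0
    fi
    # Do not guess a format: require an existing DB4.0 line to copy from.
    if ! grep -q 'DB4\.0' "$file"; then
        echo "$file: no DB4.0 entry found, not modifying" >&2
        return 1
    fi
    cp -p "$file" "$file.bak"   # untouched copy for rollback
    # Emit every line unchanged; after each line mentioning DB4.0, emit a copy
    # with every "4.0" on that line turned into "5.0" (covers the key and any
    # human-readable "Debian 4.0" label on the same line).
    awk '{ print }
         /DB4\.0/ { line = $0; gsub(/4\.0/, "5.0", line); print line }' \
        "$file.bak" > "$file"
    diff -u "$file.bak" "$file" || true   # diff exits 1 when files differ
    return 0
}

# Constructed sample standing in for the relevant part of API.pm.
make_sample() {
    cat > "$1" <<'EOF'
# (constructed) supported-distribution table
my %distros = (
    'DB3.1' => 'Debian 3.1',
    'DB4.0' => 'Debian 4.0',
);
EOF
}

# Number of lines in $1 matching pattern $2 (used to check the result).
count_matches() {
    grep -c "$2" "$1"
}

# Stand-alone run on the constructed sample:
#   f=$(mktemp); make_sample "$f"; add_db50_entry "$f"; cat "$f"
```

On a real system the same function would be run as `add_db50_entry /usr/lib/Bastille/API.pm` and `add_db50_entry /usr/lib/Bastille/IOLoader.pm` (as root), and the printed diff is what to read before launching Bastille; if the listing turns out to be on a single line rather than one release per line, restore from the `.bak` file and make the edit by hand as the reply describes.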
