Hi, list. There is no bastille package in Debian stable (squeeze). My installation is an update from lenny to squeeze, so I only realised this when I had to deinstall it while trying to make bastille start with the system. I have installed bastille from lenny, and it seems to work OK now, but I don't like the idea of having lenny packages in squeeze. Is there any other recommended way to install bastille in squeeze? Why is bastille not mentioned in any of the Perfect Setup guides for Debian squeeze? Thank you
I've tried to update ispconfig3 after deinstalling bastille, with no success. Bastille was not mentioned at all. With the lenny package, ispconfig 3 is updating /etc/Bastille/bastille-firewall.cfg. How could I reactivate the bastille included with ISPConfig3?
Anyone? I think I have found the origin of my mistake. My initial installation followed this perfect setup. I suppose I trusted this comment, so I installed Lenny's bastille. Is reinstalling ispconfig the only solution for bringing back bastille after deinstalling the debian package?
I'm not sure what is wrong with your system right now, but you can simply try an ISPConfig upgrade. Download the latest version, go to the install dir and run

Code:
php update.php
I'll try to explain. This was my actual situation (lenny's bastille installed):

Code:
# apt-cache policy bastille
bastille:
  Instalados: 1:2.1.1-13
  Candidato: 1:2.1.1-13
  Tabla de versión:
 *** 1:2.1.1-13 0
        100 /var/lib/dpkg/status
# /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  base-address.mcast.net/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (14 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (5 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ftp-data
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:www
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:imap2
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:submission
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:imaps
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:pop3s
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:mysql
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:webmin
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:mysql
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (5 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain fail2ban-courierimap (0 references)
target     prot opt source               destination

Chain fail2ban-courierpop3 (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-courierpop3s (0 references)
target     prot opt source               destination

Chain fail2ban-pureftpd (0 references)
target     prot opt source               destination

Chain fail2ban-sasl (0 references)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination

As you can see, Bastille is working. So, I'm going to deinstall lenny's bastille:

Code:
apt-get remove --purge bastille
Leyendo lista de paquetes... Hecho
Creando árbol de dependencias
Leyendo la información de estado... Hecho
El paquete indicado a continuación se instaló de forma automática y ya no es necesarios.
  libcurses-perl
Utilice «apt-get autoremove» para eliminarlos.
Los siguientes paquetes se ELIMINARÁN:
  bastille*
0 actualizados, 0 se instalarán, 1 para eliminar y 0 no actualizados.
Se liberarán 1544 kB después de esta operación.
¿Desea continuar [S/n]?
(Leyendo la base de datos ... 56812 ficheros o directorios instalados actualmente.)
Desinstalando bastille ...
Stopping Bastille firewall..
WARNING: reverting to default settings (dropping firewall)
disabling IP forwarding... done.
unloading masquerading modules... done.
resetting default input rules to accept... done.
resetting default output rule to accept... done.
resetting default forward rule to accept... done.
flushing INPUT rules... done.
flushing OUTPUT rules... done.
flushing FORWARD rules... done.
removing user-defined chains... done.
done.
Purgando ficheros de configuración de bastille ...
insserv: warning: script 'K01jailkit' missing LSB tags and overrides
insserv: warning: script 'jailkit' missing LSB tags and overrides
Procesando disparadores para man-db ...

so I have no firewall now:

Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-courierimap (0 references)
target     prot opt source               destination

Chain fail2ban-courierimaps (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-courierpop3 (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-courierpop3s (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-pureftpd (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (0 references)
target     prot opt source               destination

So I'm going to update ispconfig. I'm going to do a REAL update from 3.0.4.3 to 3.0.4.4:

Code:
# ispconfig_update.sh
--------------------------------------------------------------------------------
(ISPConfig ASCII-art banner)
--------------------------------------------------------------------------------

>> Update

Please choose the update method. For production systems select 'stable'.
The update from svn is only for development systems and may break your current setup.
Note: Update all slave server, before you update master server.

Select update method (stable,svn) [stable]:
--2012-04-10 22:29:49--  http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
Resolviendo www.ispconfig.org... 78.46.59.59
Connecting to www.ispconfig.org|78.46.59.59|:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 2697357 (2,6M) [application/x-gzip]
Saving to: `ISPConfig-3-stable.tar.gz'

100%[====================================================================================================================================>] 2.697.357   5,49M/s   in 0,5s

2012-04-10 22:29:49 (5,49 MB/s) - `ISPConfig-3-stable.tar.gz' saved [2697357/2697357]

ispconfig3_install/
ispconfig3_install/server/
ispconfig3_install/server/server.php
[..]
ispconfig3_install/helper_scripts/setup_in_openvz/recreate_ssh_and_hostname.sh
ispconfig3_install/helper_scripts/setup_in_openvz/diff_openssl.cnf
--------------------------------------------------------------------------------
(ISPConfig 3 ASCII-art banner)
--------------------------------------------------------------------------------

>> Update

Operating System: Debian 6.0 (Squeeze/Sid) or compatible

This application will update ISPConfig 3 on your server.

Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]:
Creating backup of "/usr/local/ispconfig" directory...
Creating backup of "/etc" directory...
Checking ISPConfig database .. OK
Starting incremental database update.
Reconfigure Permissions in master database? (yes,no) [no]:
Reconfigure Services? (yes,no) [yes]:
Configuring Postfix
Configuring Mailman
Configuring Jailkit
Configuring SASL
Configuring PAM
Configuring Courier
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring vlogger
Configuring Apps vhost
Configuring Database
Updating ISPConfig
ISPConfig Port [443]:
Create new ISPConfig SSL certificate (yes,no) [no]:
Reconfigure Crontab? (yes,no) [yes]:
Updating Crontab
Restarting services ...
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
Stopping SASL Authentication Daemon: saslauthd.
Starting SASL Authentication Daemon: saslauthd.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
Stopping ClamAV daemon: clamd.
Starting ClamAV daemon: clamd .
Stopping Courier authentication services: authdaemond.
Starting Courier authentication services: authdaemond.
Stopping Courier IMAP server: imapd.
Starting Courier IMAP server: imapd.
Stopping Courier IMAP-SSL server: imapd-ssl.
Starting Courier IMAP-SSL server: imapd-ssl.
Stopping Courier POP3 server: pop3d.
Starting Courier POP3 server: pop3d.
Stopping Courier POP3-SSL server: pop3d-ssl.
Starting Courier POP3-SSL server: pop3d-ssl.
[Tue Apr 10 22:31:01 2012] [warn] NameVirtualHost 82.98.148.78:443 has no VirtualHosts
[Tue Apr 10 22:31:01 2012] [warn] NameVirtualHost *:80 has no VirtualHosts
[Tue Apr 10 22:31:04 2012] [warn] NameVirtualHost 82.98.148.78:443 has no VirtualHosts
[Tue Apr 10 22:31:04 2012] [warn] NameVirtualHost *:80 has no VirtualHosts
Restarting web server: apache2 ... waiting ..
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -Y 1 -O clf:/var/log/pure-ftpd/transfer.log -u 1000 -H -A -b -E -8 UTF-8 -D -B
Update finished.

As you can see, there is no mention of Bastille at all. There is no bastille start script either:

Code:
# ls -la /etc/init.d/bast*
ls: cannot access /etc/init.d/bast*: No such file or directory

I'm still without firewall:

Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-courierimap (0 references)
target     prot opt source               destination

Chain fail2ban-courierimaps (0 references)
target     prot opt source               destination

Chain fail2ban-courierpop3 (0 references)
target     prot opt source               destination

Chain fail2ban-courierpop3s (0 references)
target     prot opt source               destination

Chain fail2ban-pureftpd (0 references)
target     prot opt source               destination

Chain fail2ban-sasl (0 references)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination

I've tried to reboot the server, with no success: still no firewall. I'm at my very end, why is ispconfig not installing bastille?
The Bastille firewall script is part of ispconfig and gets installed when you create the first firewall record for your server. Installing a bastille package manually can corrupt the setup and cause ispconfig to not be able to manage a firewall on your server. Login to ISPConfig, go to System > Firewall > basic, add a firewall record for the server and press save.
I've deleted the existing firewall rule, and created a new one:

Code:
2012-04-11 13:30 machine.domain.com Debug Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
2012-04-11 13:30 machine.domain.com Debug Processed datalog_id 11860
2012-04-11 13:30 machine.domain.com Debug Restarting the firewall
2012-04-11 13:30 machine.domain.com Debug Writing firewall configuration /etc/Bastille/bastille-firewall.cfg
2012-04-11 13:30 machine.domain.com Debug Calling function 'insert' from plugin 'firewall_plugin' raised by event 'firewall_insert'.
2012-04-11 13:30 machine.domain.com Debug Found 1 changes, starting update process.
2012-04-11 13:30 machine.domain.com Debug Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock

but still no firewall:

Code:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-courierimap (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-courierimaps (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-courierpop3 (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-courierpop3s (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-pureftpd (0 references)
target     prot opt source               destination

Chain fail2ban-sasl (0 references)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

and no trace of bastille in /etc except the conf file:

Code:
# ls -la /etc/Bastille/bastille-firewall.cfg
-rw-r--r-- 1 root root 14373 Apr 11 15:43 /etc/Bastille/bastille-firewall.cfg
# find /etc -name "*astill*"
./Bastille
./Bastille/bastille-firewall.cfg

It seems the /etc/init.d and rc.X entries are missing because of the deinstallation of lenny's bastille.
Please, tell me if what I've done is correct:

Code:
cp ispconfig3_install/install/apps/bastille-netfilter /sbin
cp ispconfig3_install/install/apps/bastille-ipchains /sbin
chmod 700 /sbin/bastille-*
cp ispconfig3_install/install/apps/bastille-firewall /etc/init.d
chmod 700 /etc/init.d/bastille-firewall

Now I can start and stop bastille with

Code:
/etc/init.d/bastille-firewall [stop|start]

I suppose I have to softlink /etc/init.d/bastille-firewall into /etc/rc2.d, because there is no ispconfig start script as there used to be in ispconfig2. Am I right?
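The thread shows how a purge can silently leave a host with INPUT policy ACCEPT. As an added example, not code from the thread or from ISPConfig, here is a small POSIX sh check that decides from `iptables -L` output whether the Bastille ruleset is loaded and whether the files ISPConfig's firewall plugin needs (paths taken from the posts above) exist. The sample listings are constructed from the output posted in this thread; the script name check_bastille.sh is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): fail loudly when the ISPConfig/Bastille
# firewall is not actually loaded after an update or package removal.

# Files the thread shows ISPConfig's firewall plugin depends on.
BASTILLE_FILES="/etc/Bastille/bastille-firewall.cfg /etc/init.d/bastille-firewall /sbin/bastille-netfilter"

# bastille_active LISTING
# Returns 0 when an `iptables -L` listing shows Bastille's ruleset, i.e. INPUT
# policy DROP and a PUB_IN chain. A listing with only fail2ban chains returns 1.
bastille_active() {
    printf '%s\n' "$1" | grep -q '^Chain INPUT (policy DROP)' || return 1
    printf '%s\n' "$1" | grep -q '^Chain PUB_IN (' || return 1
}

# bastille_files_present [ROOT]
# Returns 0 when every file exists under ROOT (a prefix, empty for the live
# system, so the check can also run against a staging tree); otherwise names
# the first missing file on stderr and returns 1.
bastille_files_present() {
    root="${1:-}"
    for f in $BASTILLE_FILES; do
        [ -e "$root$f" ] || { echo "missing: $f" >&2; return 1; }
    done
}

# Constructed sample listings, cut down from the thread's `iptables -L` output.
LISTING_WITH_BASTILLE='Chain INPUT (policy DROP)
target     prot opt source               destination
PUB_IN     all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
Chain OUTPUT (policy ACCEPT)
Chain PUB_IN (5 references)
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ssh'

LISTING_AFTER_PURGE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Chain fail2ban-ssh (0 references)'

# Live check (needs root): sh check_bastille.sh --live
if [ "${1:-}" = "--live" ]; then
    if bastille_files_present && bastille_active "$(iptables -L 2>/dev/null)"; then
        echo "Bastille firewall loaded"
    else
        echo "Bastille firewall NOT active" >&2
        exit 1
    fi
fi
```

Run it from cron or at the end of an ISPConfig update so a host that came up with an open INPUT policy is reported instead of discovered later.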
Thank you! This solves my firewalling problems. Only one last question: investigating the install/update scripts, I've found references to server.ini, but I cannot find that file on my server. Might this be why ispconfig was not automagically installing bastille on updates? It did in the past, I can see it in ispconfig_install.log, but it stopped doing it, probably when by mistake I ran the update from the panel instead of using the update script. If this file must exist, how could I regenerate it?
server.ini is in the ispconfig tar.gz in the install/tpl/ folder; it is not used during runtime, so you will not find it in your install. No. The firewall is installed / enabled when you create a firewall record in ispconfig for that server and not when you install ispconfig. See the firewall plugin and not the installer.