TheTAZZone - Internet Chaos

Tutorial – Securing Your Box With Bastille

ORIGINALLY POSTED BY J-K9 FOR THETAZZONE/TAZFORUM HERE

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.

Bastille is a hardening tool which is very effective at locking down your system, and all it requires is a few minutes of your time! It is currently available for the major Linux distributions: SUSE, Mandrake (Mandriva releases are still not supported), Fedora Core, Red Hat, Debian, and Gentoo. It is also available for HP-UX and Mac OS X, and as source code which can be compiled on most *nix systems. In this tutorial I shall take you through the steps of installing it and setting it up properly in order to secure your system better than before (this tutorial may not be suitable for you if the computer is not a workstation or for personal use).

First of all, we’ll install it. As my demonstration system I am using a laptop running (a slightly outdated) Fedora Core 3. You may use the method described on Bastille’s site to install it if you have a different distro/OS to mine. Here is how I installed it:

* Download the Bastille RPM – which will work for Red Hat, Fedora Core, SUSE, or Mandrake. Install it onto your system, either by using the inbuilt package manager or the following commands in console:

Code:
$ su
Password:
# rpm -ivh Bastille-3.0.8-1.0.noarch.rpm

* Now, download perl-Curses (although non-graphical, at the end of the day it tends to cause fewer problems than installing perl-Tk). Choose the correct one for your distro and release at the module table. Install it the same way you installed Bastille in part 1.
* Once you have installed both of these, fire up Bastille’s configuration in the console by typing the following command (still as root):

Code:
bastille -c

Note: If that doesn’t work (after a plain ‘su’, root’s PATH may not include /usr/sbin), type the following into the console:

Code:
PATH=/usr/sbin:$PATH

– then try to run Bastille again, and it should work.

A word of advice: I may tell you to just ‘Press “Next”’ or ‘Hit “Yes”’ in some places, but you should read the text to make sure you understand what you are configuring and that the choice I am leading you to is the right one.

Having started up Bastille, some lines of text should appear on your screen.

* Press Ctrl + C and it will scroll to the end of the text.

* Type “accept” and press Enter. Now you will be taken to Bastille’s configuration, and introduced to the program. Press “Next” to continue.

* At this first question you may want to press “No”; otherwise simple commands like ‘ifconfig’ and ‘runlevel’ will be disabled for all users but root (and I personally use them quite a lot) – although hitting “Yes” is the more secure option.

* Press “Next”.

* Press “No”; otherwise you will be unable to mount and unmount devices after boot (unless you are root).

* At the next screen, hit “Yes”.

* Once again, press “Yes”.

* Press “Yes” at the ‘r-tools’ question.

* And “Yes” at the ‘usernetctl’ one.

* “Yes” again, to leave traceroute available to all users.

* “Yes” to disable r-protocols.

* At this screen, it is a good idea to press “Yes” – this will get you into the good habit of renewing your password every 60 days.

* Press “Yes” to set the default umask.

* Here, leaving 077 is a good idea – it means that no other users on your system can read or write to your files (of course, this is your choice). When you’re happy, hit Tab and then “Next”.

* I have decided to set this one as “Yes”, because if you need to become root on the other ttys then you can just ‘su’ from a normal user’s account.

* “No” at password-securing the GRUB prompt, because this isn’t necessary unless you’re scared a cracker may be able to access your computer physically.

* It’s also fine to choose “No” at this one.

* Hitting “Yes” here is a good option.

* Leave the following one as “No”.

* For a bit of ‘fun’, leave this one as “Yes”. :)

* Press Tab at this screen.

* Type in your name here, and then press Tab and hit “Next”.

* If you’re running a server you may want to set this one as “Yes”, but otherwise leave it as the default “No”.

* Choose “No” here unless the computer is a public one and you want to restrict console access to some users.

* Also choose “No” here; otherwise you will end up with some pretty large logs.

* This screen is another informative one, so just hit “Next”.

* As my computer is a laptop, I chose “No” here. But, if you’re using a desktop, press “Yes”.

* Press “No” here if you are on a Local Area Network (LAN) and connect to other computers regularly.

* Again, if you are using a laptop you’ll probably want to press “No”. Otherwise, “Yes” is fine.

* GPM is fairly useless unless you do not like using the keyboard to move around in console, so hit “Yes” here unless you really do want it.

* If you have a Hewlett-Packard all-in-one scanner/fax/printer, then choose “No”. Otherwise choose “Yes”. (Most of you should not see this screen).

* Unless you connect to the internet via ISDN, choose “Yes”.

* Choose “Yes” here to deactivate ‘kudzu’. (Most of you should not see this screen.)

* Hit “Yes” to stop sendmail running in daemon mode.

* Another info screen – press “Next”.

* I advise you press “No” here to keep printing enabled.

* Hit “No” to skip installing the TMPDIR/TMP scripts.

* Then, press “Yes” to run the packet filtering script. Here is where we shall configure the firewall.

* Hit “Next”.

* Hit “No” (unless your computer is acting as a gateway to the internet, and you plan to have a LAN behind it).

* Remove the text and hit “Next”.

* Hit “Next”.

* Hit “Next”.

* Hit “Next”.

* Type in “echo-request” and hit “Next”.

* Hit “Next”.

* Hit “Next”.

* Press “No” (to keep things simple).

* Hit “Next”.

* Hit “Next”.

* Hit “Next”.

* Press “Yes”.

* Hit “Next”.

* Type in your network interfaces (‘eth0 ppp0’ are the likely ones) and press “Next” – this shouldn’t matter if you’re running kernel 2.4+.

* Hit “Next”.

* Hit “Next”.

* Press “Yes”.

* PSAD is not necessary, but if you’re security-conscious you might want to set it up to log any suspicious (possible) crack attempts. I will cover it anyway – so, if you would like to set it up, hit “Yes”. Otherwise, choose “No” (in that case, skip to #70).

* Hit “Next”.

* Hit “Next”.

* Press “No”.

* Hit “Next”.

* Press “No”.

* Leave the default values and hit “Next”.

* Type in your email address (to which any security alerts will be reported) and hit “Next”.

* Hit “Next”.

* Press “Yes”.

* Press “No”.

* Press “Yes”.

* Finally, press “Yes”!

You have finished installing Bastille – an array of daemons have ceased to run, and your system is now less vulnerable.
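
The effect of the 077 default umask chosen in the steps above, as an added example that is not part of the original tutorial: `mode_under_umask` shows the permissions a new file or directory receives, and `exposed_entries` lists anything still accessible to group or others, because a umask only applies to files created after it is set. The function names and scratch directories are assumptions made for illustration; `stat -c` and `find -perm /077` are the GNU forms found on Linux.

```shell
#!/bin/sh
# Added example: what the default umask from the Bastille dialog changes,
# and what it leaves alone. Names and scratch paths are illustrative.

# mode_under_umask UMASK KIND -> octal mode of a newly created file or dir
mode_under_umask() {
    mask=$1
    kind=$2
    scratch=$(mktemp -d) || return 1
    (
        umask "$mask"                  # only affects this subshell
        if [ "$kind" = dir ]; then
            mkdir "$scratch/new"
        else
            : > "$scratch/new"
        fi
    )
    stat -c '%a' "$scratch/new"
    rm -rf "$scratch"
}

# exposed_entries DIR -> entries under DIR with any group/other bit set
exposed_entries() {
    find "$1" -mindepth 1 -perm /077 -print | sort
}

# Demonstration on a constructed directory standing in for a home directory.
demo() {
    home=$(mktemp -d) || return 1
    ( umask 022; echo "old notes" > "$home/old.txt" )   # made before hardening
    ( umask 077; echo "new notes" > "$home/new.txt" )   # made after hardening
    echo "file under 022: $(mode_under_umask 022 file)"
    echo "file under 077: $(mode_under_umask 077 file)"
    echo "dir  under 077: $(mode_under_umask 077 dir)"
    echo "still exposed after the umask change:"
    exposed_entries "$home"
    rm -rf "$home"
}

demo
```

Files reported by `exposed_entries` keep their old permissions until they are changed explicitly, for example with `chmod go-rwx`.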
