J_K9 @ Linux

HOW TO: Secure Your Box With Bastille

January 4, 2006 on 9:40 pm | In Linux, HOW TO, Security |

Bastille is a hardening tool which is very effective at locking down your system, and all it requires is a few minutes of your time! It is currently available for the major Linux distributions: SUSE, Mandrake (the available RPM should work with Mandriva), Fedora Core, Red Hat, Debian, and Gentoo, and it is also available for HP-UX and Mac OS X, as well as the source code which can be compiled on most *nix systems. In this tutorial I shall take you through the steps of installing it and setting it up properly in order to secure your system better than before. Please note that this tutorial is designed for users new to Linux, and so may be slightly cumbersome for the more advanced users out there.

First of all, we’ll install it. As my demonstration system I am using a laptop running Fedora Core 3, and I am installing Bastille version 3.0.8. You may use the method described on Bastille’s site to install it if you have a different distro or Operating System to mine. Here is how I installed it:

1. Download the Bastille RPM - which will work for Red Hat, Fedora Core, SUSE, or Mandrake. Install it onto your system, either by using the inbuilt package manager or the following commands in console:
   $ su
Password:
# rpm -ivh Bastille-3.0.8-1.0.noarch.rpm
2. Now, download perl-Curses (although non-graphical, at the end of the day it tends to cause fewer problems than installing perl-Tk). Choose the correct one for your distro and release at the module table. Install it the same way you installed Bastille in part 1.
3. Once you have installed both of these, fire up Bastille’s configuration in the console by typing the following command (still as root):
   # bastille -c
   Note: If that doesn’t work, type the following into the console: PATH=/usr/sbin:$PATH - then try to run Bastille again, and it should work.

A word of advice: I may tell you to just ‘Press “Next”‘ or ‘Hit “Yes”‘ in some places, but you should read the text to make sure you understand what you are configuring and that the choice I am leading you to is the right one.

Having started up Bastille, some lines of text should appear on your screen.

1. Press Ctrl + C and it will scroll to the end of the text, as shown below:

   

2. Type “accept” and press Enter. Now you will be taken to Bastille’s configuration, and introduced to the program. Press “Next” to continue.

   

3. At this first question you may want to press “No”, for if not simple commands like ‘ifconfig’ and ‘runlevel’ will be disabled to all users but root (and I personally use them quite a lot) - although hitting “Yes” is the more secure option.

   

4. Press “Next”.

   

5. Press “No”, because if not you will be unable to mount and unmount devices after boot (unless you are root).

   

6. At the next screen, hit “Yes”.

   

7. Once again, press “Yes”.

   

8. Press “Yes” at the ‘r-tools’ question.

   

9. And “Yes” at the ‘usernetctl’ one.

   

10. “Yes” again, to leave traceroute available to all users.

    

11. “Yes” to disable r-protocols.

    

12. At this screen, it is a good idea to press “Yes” - this will get you into the good habit of renewing your password every 60 days.

    

13. Press “Yes” to set the default umask.

    

14. Here, leaving 077 is a good idea - it means that no other users on your system can read or write to your files (of course, this is your choice). When you’re happy, hit Tab and then “Next”.

    

15. I have decided to set this one as “Yes”, because if you need to become root on the other tty’s then you can just ’su’ from a normal user’s account.

    

16. “No” at password-securing the GRUB prompt, because this isn’t necessary unless you’re scared a cracker may be able to access your computer physically.

    

17. It’s also fine to choose “No” at this one.

    

18. Hitting “Yes” here is a good option.

    

19. Leave the following one as “No”.

    

20. For a bit of ‘fun’, leave this one as “Yes”.

    

21. Press Tab at this screen.

    

22. Type in your name here, and then press Tab and hit “Next”.

    

23. If you’re running a server you may want to set this one as “Yes”, but otherwise leave it as the default “No”.

    

24. Choose “No” here unless the computer is a public one and you want to restrict console access to some users.

    

25. Also choose “No” here - if not you will end up with some pretty large logs.

    

26. This screen is another informative one, so just hit “Next”.

    

27. As my computer is a laptop, I chose “No” here. But, if you’re using a desktop, press “Yes”.

    

28. Press “No” here if you are on a Local Area Network (LAN) and connect to other computers regularly.

    

29. Again, if you are using a laptop you’ll probably want to press “No”. Otherwise, “Yes” is fine.

    

30. GPM is fairly useless unless you do not like using the keyboard to move around in console, so hit “Yes” here unless you really do want it.

    

31. If you have a Hewlett-Packard all-in-one scanner/fax/printer, then choose “No”. Otherwise choose “Yes”. (Most of you should not see this screen).

    

32. Unless you connect to the internet via ISDN, choose “Yes”.

    

33. Choose “Yes” here to deactivate ‘kudzu’. (Most of you should not see this screen)

    

34. Hit “Yes” to stop sendmail running in daemon mode.

    

35. Another info screen - press “Next”.

    

36. I advise you press “No” here to keep printing enabled.

    

37. Hit “No” not to install the TMPDIR/TMP scripts.

    

38. Then, press “Yes” to run the packet filtering script. Here is where we shall configure the firewall.

    

39. Hit “Next”.

    

40. Hit “No” (unless your computer is acting as a gateway to the internet, and you plan to have a LAN behind it).

    

41. Remove the text and hit “Next”.

    

42. Hit “Next”.

    

43. Hit “Next”.

    

44. Hit “Next”.

    

45. Type in “echo-request” and hit “Next”.

    

46. Hit “Next”.

    

47. Hit “Next”.

    

48. Press “No” (to keep things simple).

    

49. Hit “Next”.

    

50. Hit “Next”.

    

51. Hit “Next”.

    

52. Press “Yes”.

    

53. Hit “Next”.

    

54. Type in your network interfaces (’eth0 ppp0′ are the likely ones) and press “Next” - this shouldn’t matter if you’re running kernel 2.4+

    

55. Hit “Next”.

    

56. Hit “Next”.

    

57. Press “Yes”.

    

58. PSAD is not necessary, but if you’re security-conscious you might want to set it up to log any suspicious (possible) crack attempts. I will cover it anyway - so, if you would like to set it up, hit “Yes”. Otherwise, choose “No” (in that case, skip to #70).

    

59. Hit “Next”.

    

60. Hit “Next”.

    

61. Press “No”.

    

62. Hit “Next”.

    

63. Press “No”.

    

64. Leave the default values and hit “Next”.

    

65. Type in your email address (to which any security alerts will be reported) and hit “Next”.

    

66. Hit “Next”.

    

67. Press “Yes”.

    

68. Press “No”.

    

69. Press “Yes”.

    

70. Finally, press “Yes”!

    

You have now finished installing Bastille - an array of daemons have ceased to run, and your system is now more secure. Tedious, but worthwhile in the long run!

Please leave a comment below or contact me if you have a problem.

Online certifications are for those professionals who want to recognize their skills and authentication in a field of their specific specialization. All professionals chose some best quality transcender help to get through the typical online exams like comptia a+ and Microsoft’s mcse certification exams. Cisco have little different scene, ccna certification needs proper study knowledge and concepts of multi layer model of networks while itil certification required handsome study approach to pass the exam.

Add to: