Configuration
Firewall configuration
The first thing to do on a new host is to install the firewall rules. The set below is the standard baseline; it will need adjusting depending on what the host runs. Make sure you put the host's own IP address in HOST correctly, otherwise you will lock yourself out of SSH. Apply it from a console session, or keep a second SSH session open while you test it, before letting it run from if-up.d.
root@ood:/etc/network/if-up.d# cat firewall
#!/bin/sh
# baseline host firewall; ifupdown runs this every time an interface comes up
HOST="194.171.176.??"          # this host's own address
LAN="194.171.176.0/25"
DMZ="194.171.176.128/25"

/sbin/iptables -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#/sbin/iptables -A INPUT -d $HOST -p tcp \
#--dport 389 --sport 1024:65535 -m state \

# ssh, from the LAN only
/sbin/iptables -A INPUT -d $HOST -p tcp -s $LAN --dport 22 \
    --sport 1024:65535 -m state --state NEW -j ACCEPT

#/sbin/iptables -A INPUT -d $HOST -p tcp \
#--dport 5001 --sport 1024:65535 -m state \
#/sbin/iptables -A INPUT -d $HOST -p 6 \
#/sbin/iptables -A INPUT -d $HOST -p 17 \
#/sbin/iptables -A INPUT -d $HOST -p 6 \
#/sbin/iptables -A INPUT -d $HOST -p 17 \
#/sbin/iptables -A INPUT -d $HOST -p 6 \
#/sbin/iptables -A INPUT -d $HOST -p 17 \
#/sbin/iptables -A INPUT -d $HOST -p tcp \
#--dport 80 --sport 1024:65535 -m state \
#/sbin/iptables -A INPUT -d $HOST -p tcp \
#--dport 5308 --sport 1024:65535 -m state \
#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#--dport 443 --sport 1024:65535 -m state \

# bacula file daemon, from the LAN only
/sbin/iptables -A INPUT -d $HOST -p tcp -s $LAN --dport 9102 \
    --sport 1024:65535 -m state --state NEW -j ACCEPT

#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#--dport 36131 --sport 1024:65535 -m state \
#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#--dport 990 --sport 1024:65535 -m state \
#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#--dport 5678 --sport 1024:65535 -m state \
#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#--dport 5679 --sport 1024:65535 -m state \
#/sbin/iptables -A INPUT -p udp -s $HOST --sport 1024:65535 \
#/sbin/iptables -A OUTPUT -p udp -s 194.171.176.136 --sport 161:162 \
The minimum ports to leave open are 22 and 9102: 22 is SSH, and 9102 is the port the Bacula file daemon (bacula-fd) listens on so that the director can connect to it. Both are restricted to $LAN. Put these rules into a file called firewall in the /etc/network/if-up.d directory, make it executable (chmod +x firewall or chmod 755 firewall) and make sure it is owned by root; run-parts skips files that are not executable, so a non-executable copy silently leaves the host unfirewalled. It should look like this:

-rwxr-xr-x 1 root root 2759 Oct 15 15:03 firewall

After the interface comes up, check the loaded rules with iptables -L -n -v, and from a LAN host confirm the two open ports with nc -zv <host> 22 and nc -zv <host> 9102.
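The same baseline, rewritten as an added example (not the page's own if-up.d script) so it can be previewed before it touches the kernel and refuses to run with the HOST placeholder unfilled. Assumptions that are not from the page: PORTS lists the TCP ports opened to $LAN, IPTABLES can be pointed at echo for a dry run, FORWARD is set to DROP because the host does not route, and packets the INPUT policy drops are logged with a rate limit. ifupdown runs if-up.d scripts with no arguments but with IFACE set, which is what the dispatch at the bottom keys on.

```sh
#!/bin/sh
# Dry-run-capable baseline host firewall. Added example, not the page's script.
# Assumptions not from the page: PORTS, the IPTABLES override, FORWARD DROP and
# the rate-limited LOG rule.

HOST="${HOST:-194.171.176.??}"      # the page's placeholder: must be filled in
LAN="${LAN:-194.171.176.0/25}"
DMZ="${DMZ:-194.171.176.128/25}"    # kept for rules you add later, as on the page
PORTS="${PORTS:-22 9102}"           # 22 = ssh, 9102 = bacula-fd, LAN only
IPTABLES="${IPTABLES:-/sbin/iptables}"

# valid_cidr ADDR: dotted quad with optional /prefix; an unfilled '??' fails here
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# fw_rules: print the iptables argument lists, one rule per line, without running them
fw_rules() {
    valid_cidr "$HOST" || { echo "HOST '$HOST' is not an address, refusing to lock you out" >&2; return 1; }
    valid_cidr "$LAN"  || { echo "LAN '$LAN' is not a network" >&2; return 1; }
    cat <<EOF
-F
-X
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in $PORTS; do
        echo "-A INPUT -d $HOST -s $LAN -p tcp --dport $p --sport 1024:65535 -m state --state NEW -j ACCEPT"
    done
    # log what the INPUT policy is about to drop, rate limited so a scan cannot fill the disk
    echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix fw-drop:"
}

# fw_apply: feed every rule to $IPTABLES; status 1 if the rule set is refused
# or the first time iptables rejects a rule
fw_apply() {
    rules=$(fw_rules) || return 1
    printf '%s\n' "$rules" | while read -r rule; do
        # word splitting of $rule is intended: it is an argument list
        "$IPTABLES" $rule || exit 1
    done
}

case "${1:-}" in
    apply)   fw_apply ;;                                 # ./firewall apply
    dry-run) ( IPTABLES=echo; fw_apply ) ;;              # ./firewall dry-run
    "")      if [ -n "${IFACE:-}" ]; then fw_apply; fi ;;  # called by ifupdown
esac
```

Run ./firewall dry-run to see exactly what would be loaded, then ./firewall apply from a console or with a second SSH session open; with HOST still set to the placeholder both refuse to proceed instead of leaving you with a DROP policy and no SSH rule.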
Bacula configuration
Then edit /etc/bacula-fd.conf and make sure it has at least this information:

Director {
  Name = tardis-dir
  Password = "A8a75yJao1eB+ZhsH4/rSVdvm4VwQS4gk3AVKM2hz7m6"
}

Director {
  Name = tardis-mon
  Password = "8EDARLUNru1ci+obvt+kaSrcaP2dqFQEjUPQcUTJfTOy"
  Monitor = yes
}

FileDaemon {                        # this is me
  Name = -fd
  FDport = 9102                     # where we listen for the director
  WorkingDirectory = /var/bacula/working   # make sure this and Pid Directory match the package's default config file, they seem to change
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
}

Messages {
  Name = Standard
  director = tardis-dir = all, !skipped, !restored
}

The Director password is what authenticates the director to this file daemon, so it has to match the Client resource on tardis-dir exactly. In any case, follow the information found here for a complete run-down of the config and how to install bacula the proper way.
ssh configuration
/etc/ssh/sshd_config should contain:

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes

The Host * block belongs in the client config, /etc/ssh/ssh_config:

Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

sshd uses the first occurrence of a keyword it finds, so check the effective settings with sshd -T rather than by reading the file, and run sshd -t before restarting. KeyRegenerationInterval, ServerKeyBits, RSAAuthentication and RhostsRSAAuthentication are protocol 1 options and do nothing with Protocol 2; OpenSSH 7.0 and later ignore them with a warning and no longer accept DSA keys by default, so on a current system drop the ssh_host_dsa_key line and use RSA or ed25519 keys.

With PasswordAuthentication no, make sure that everybody's public keys are published in authorized_keys before sshd is restarted, otherwise nobody can log in.
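A check for the settings above, as an added example that is not from the page: it reads an sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, and everything after a Match line is conditional) and reports every keyword whose effective global value differs from the baseline. The expectation list WANT and the sample config are constructed here; the sample shows two mistakes that a plain grep would miss.

```sh
#!/bin/sh
# Audit an sshd_config against the hardened values above. Added example, not
# from the page. WANT is the baseline (values lower-cased); SAMPLE is a
# constructed file, not a real host's configuration.

WANT="PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no \
ChallengeResponseAuthentication=no HostbasedAuthentication=no X11Forwarding=no \
PubkeyAuthentication=yes StrictModes=yes"

# sshd_effective FILE KEY: print the global value sshd would use for KEY, or nothing
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0  { next }         # comments and blank lines
        tolower($1) == "match" { inmatch = 1 }  # conditional from here to EOF
        inmatch                { next }
        {
            split($1, kv, "=")                  # accept Key=value as well as Key value
            if (tolower(kv[1]) == key) {
                v = $0
                sub(/^[ \t]*[^ \t=]+[ \t=]+/, "", v)
                sub(/[ \t]+$/, "", v)
                print v
                exit                            # first occurrence wins
            }
        }
    ' "$1"
}

# sshd_audit FILE: one "Key want=X got=Y" line per deviation; status 1 if any
sshd_audit() {
    bad=0
    for kv in $WANT; do
        key=${kv%%=*}
        want=${kv#*=}
        got=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "$key want=$want got=${got:-<compiled-in default>}"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: 'PasswordAuthentication no' was appended below an earlier
# 'yes', so sshd still uses 'yes'; PermitRootLogin is only set inside a Match block,
# so globally it is still the compiled-in default.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
HostbasedAuthentication no
StrictModes=yes
X11Forwarding no
PasswordAuthentication no
Match Address 194.171.176.0/25
    PermitRootLogin no
EOF

sshd_audit "$SAMPLE" || echo "fix the lines above, then run 'sshd -t' and restart sshd"
```

On the sample it reports PermitRootLogin and PasswordAuthentication and exits 1; pointing it at /etc/ssh/sshd_config on each host gives the same list that sshd -T would, without needing root or a running daemon.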
Each user's ~/.ssh should then look like this (StrictModes rejects a home directory, .ssh or authorized_keys that is group- or world-writable, and the private key must stay mode 600):

drwxr-xr-x  2 wmes agstaff  121 2008-10-31 11:05 .
drwxr-xr-x 12 user agstaff 4096 2008-11-20 11:37 ..
-rw-r--r--  1 user agstaff 4950 2008-10-15 07:39 authorized_keys
-rw-------  1 user agstaff  668 2008-10-14 08:13 id_dsa
-rw-r--r--  1 user agstaff  614 2008-10-14 08:13 id_dsa.pub
-rw-r--r--  1 user agstaff 5402 2008-10-14 12:03 known_hosts

Root should have a basic logging crontab (crontab -e):
30 08 * * * /usr/sbin/logwatch --mailto netadmin@argoss.nl >/dev/null 2>&1

Mailservers should have pflogsumm installed, with these entries in root's crontab:

10 0 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail. 2>&1 | /usr/bin/mailx -s "`uname -n` daily mail stats" netadmin@argoss.nl
10 4 * * 0 /usr/sbin/pflogsumm /var/log/mail. 2>&1 | /usr/bin/mailx -s "`uname -n` weekly mail stats" netadmin@argoss.nl
00 08 * * * /usr/bin/sa-update && /etc/init.d/amavis restart
30 08 * * * /usr/sbin/logwatch --mailto netadmin@argoss.nl >/dev/null 2>&1

sa-update exits non-zero when no new rules are available, so amavis is only restarted on mornings when the SpamAssassin rules actually changed.
For any feedback or corrections, please write in to: Simon Quantrill