
03-10-2003, 03:45 PM
I have no clue on debugging your problem
However here is something that may help ...
All credit for below goes to Christos of Icehosting.com.........
Quote:
Hello,
this is the how-to.
I have used this how-to on many cPanel servers without any problem, in any
item.
If you want any other help contact me.
Regards,
Christos
*******************************HOW-TO************************
Log in to SSH
type su - to get to root
wget http://www.bastille-linux.org/perl-T...22-11.i386.rpm
wget http://www.bastille-linux.org/perl-C...05-10.i386.rpm
wget http://osdn.dl.sourceforge.net/sourc...4-1.0.i386.rpm
rpm -ihv --nodeps perl-Curses-1.05-10.i386.rpm
rpm -ihv Bastille-2.0.4-1.0.i386.rpm perl-Tk-800.022-11.i386.rpm
rm -fr *.rpm
Then type
InteractiveBastille
(if that command does not work, use: /usr/sbin/InteractiveBastille)
On the welcome screen type 'accept' and press [RETURN]. You must do this
within 5 minutes otherwise the installation
will abort. On the next screen choose 'next' then press [RETURN].
Q: Would you like to set more restrictive permissions on the
administration utilities?
Choose 'yes', press [RETURN], select 'next' then press [RETURN] again.
Q: Should Bastille disable clear-text r-protocols that use IP-based
authentication?
Choose 'yes' then press [RETURN].
Q: Would you like to enforce password aging?
Choose 'no' then press [RETURN].
Q: Would you like to restrict the use of cron to administrative accounts?
Choose 'no' then press [RETURN].
Q: Do you want to set a default umask?
Choose 'no' then press [RETURN].
Q: Should we disallow root login on tty's 1-6?
Choose 'yes' then press [RETURN].
Q: Would you like to password-protect the GRUB prompt?
Choose 'no' then press [RETURN].
Q: Would you like to password-protect the LILO prompt?
Choose 'no' then press [RETURN].
Q: Would you like to reduce the LILO delay time to zero?
Choose 'no' then press [RETURN].
Q: Do you ever boot Linux from the hard drive?
Choose 'yes' then press [RETURN].
Q: Would you like to write the LILO changes to a boot floppy?
Choose 'no' then press [RETURN].
Q: Would you like to disable CTRL-ALT-DELETE rebooting?
Choose 'no' then press [RETURN].
Q: Would you like to password protect single-user mode?
Choose 'no' then press [RETURN].
Q: Would you like to set a default-deny on TCP Wrappers and xinetd?
Choose 'no' then press [RETURN].
Q: Should Bastille ensure the telnet service does not run on this system?
Choose 'yes' then press [RETURN].
Q: Should Bastille ensure the FTP service does not run on this system?
Choose 'no' then press [RETURN].
Q: Would you like to display "Authorized Use" messages at log-in time?
Choose 'no' then press [RETURN].
Q: Would you like to disable the gcc compiler?
Choose 'no' then press [RETURN].
Q: Would you like to put limits on system resource usage?
Choose 'no' then press [RETURN].
Q: Should we restrict console access to a small group of user accounts?
Choose 'no' then press [RETURN].
Q: Would you like to add additional logging?
Choose 'yes' then press [RETURN]. This has enabled some additional logs:
/var/log/kernel & /var/log/syslog.
Press [TAB] to continue.
Q: Do you have a remote logging host?
Choose 'no' then press [RETURN]. Choose 'next' then again press [RETURN].
Q: Would you like to deactivate NIS server programs?
Choose 'yes' then press [RETURN].
Q: Do you want to stop sendmail from running in daemon mode?
Choose 'no' then press [RETURN].
Q: Would you like to chroot named and set it to run as a non-root user?
Choose 'no' then press [RETURN].
Q: Would you like to bind the web server to listen only to the localhost?
Choose 'no' then press [RETURN].
Q: Would you like to bind the web server to a particular interface?
Choose 'no' then press [RETURN]. Choose 'next' and again press [RETURN].
Q: Would you like to deactivate the following of symbolic links?
Choose 'no' then press [RETURN].
Q: Would you like to deactivate server-side includes?
Choose 'no' then press [RETURN].
Q: Would you like to disable CGI scripts, at least for now?
Choose 'no' then press [RETURN].
Q: Would you like to disable indexes?
Choose 'no' then press [RETURN].
Q: Would you like to disable printing?
Choose 'yes' then press [RETURN].
Q: Would you like to install TMPDIR/TMP scripts?
Choose 'no' then press [RETURN].
Q: Would you like to run the packet filtering script?
Choose 'yes' then press [RETURN]. Choose 'next' and again press [RETURN].
Q: Do you need the advanced networking options?
Choose 'no' then press [RETURN].
Q: DNS Servers: [0.0.0.0/0]
Press [TAB], choose 'next' and press [RETURN].
Q: Public interfaces: [eth+ ppp+ slip+]
Change to [eth+], press [TAB], choose 'next' and press [RETURN].
Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login
linuxconf ssh]
Press [TAB], choose 'next' and press [RETURN].
Q: UDP services to audit: [31337]
Press [TAB], choose 'next' and press [RETURN].
Q: ICMP services to audit: [ ]
Press [TAB], choose 'next' and press [RETURN].
Q: TCP service names or port numbers to allow on public interfaces:[ ]
Type '21 22 25 53 80 110 143 443 465 993 995 2082 2083 2086 2087 2095
2096 3306 6666 7786', press [TAB],
choose 'next' then press [RETURN].
Q: UDP service names or port numbers to allow on public interfaces:[ ]
Type '53', press [TAB], choose 'next' then press [RETURN].
Q: Force passive mode?
Choose 'no' then press [RETURN].
Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
Type '2049 2065:2081 2084 2085 2088 2089 2090 6000:6020 7100', press
[TAB], choose 'next' and press [RETURN].
Q: UDP services to block: [2049 6770]
Press [TAB], choose 'next' and press [RETURN].
Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
Press [TAB], choose 'next' and press [RETURN].
Q: Enable source address verification?
Choose 'yes' then press [RETURN].
Q: Reject method: [DENY]
Change to [DROP], press [TAB], choose 'next' and press [RETURN].
Q: Interfaces for DHCP queries: [ ]
Press [TAB], choose 'next' and press [RETURN].
Q: NTP servers to query: [ ]
Press [TAB], choose 'next' and press [RETURN].
Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
Press [TAB], choose 'next' and press [RETURN].
Q: Should Bastille run the firewall and enable it at boot time?
Choose 'yes' then press [RETURN].
Q: Would you like to setup PSAD?
Choose 'yes' then press [RETURN].
Q: psad check interval: [15]
Press [TAB], choose 'next' and press [RETURN].
Q: Port range scan threshold: [1]
Press [TAB], choose 'next' and press [RETURN].
Q: Enable scan persistence?
Choose 'yes' then press [RETURN].
Q: Show all scan signatures?
Choose 'yes' then press [RETURN].
Q: Danger Levels: [5 50 1000 5000 10000]
Press [TAB], choose 'next' and press [RETURN].
Q: Enable email alerts?
Choose 'yes' then press [RETURN].
Q: Email addresses: [root@localhost]
Replace 'root@localhost' with your own email address, press [TAB],
choose 'next' then press [RETURN].
Q: Email alert danger level: [3]
Press [TAB], choose 'next' and press [RETURN].
Q: Alert on all new packets?
Choose 'yes' then press [RETURN].
Q: Enable automatic blocking of scanning IPs?
Choose 'yes' then press [RETURN].
Q: Auto blocking danger level: [5]
Press [TAB], choose 'next' and press [RETURN].
Q: Should Bastille enable psad at boot time? [N]
Choose 'yes' then press [RETURN].
Q: Do you want to implement the choices now or continue making choices?
Choose 'yes' then press [RETURN], then press [TAB] and the installation
will exit. At the command prompt, type the
following commands:
/sbin/service syslog restart[RETURN]
/etc/rc.d/init.d/bastille-firewall start[RETURN]
/etc/rc.d/init.d/psad start[RETURN]
HTH
__________________
Thanks,
Esr Tek
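
An added example, not part of the original post or of Bastille itself: the how-to allows TCP ports 2082, 2083, 2086 and 2087 while the default block list contains the range 2065:2090, which is why the block-list answer is retyped with that range split up. The script below checks an allow list against a block list for such overlaps, using the values from the answers above; the function names are hypothetical and only numeric ports and lo:hi ranges are handled.

```shell
#!/bin/sh
# Added example: port lists copied from the how-to's firewall answers.
ALLOW_TCP='21 22 25 53 80 110 143 443 465 993 995 2082 2083 2086 2087 2095 2096 3306 6666 7786'
BLOCK_DEFAULT='2049 2065:2090 6000:6020 7100'
BLOCK_HOWTO='2049 2065:2081 2084 2085 2088 2089 2090 6000:6020 7100'

# in_spec PORT SPEC... : succeed if PORT equals a single port or falls
# inside a lo:hi range (numeric entries only; service names not handled).
in_spec() {
    port=$1; shift
    for spec in "$@"; do
        case $spec in
            *:*) lo=${spec%%:*}; hi=${spec##*:}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$port" -eq "$spec" ] && return 0 ;;
        esac
    done
    return 1
}

# conflicts ALLOW BLOCK : print the allowed ports that the block list also covers.
conflicts() {
    out=
    for p in $1; do
        # $2 is deliberately unquoted so it splits into individual specs
        if in_spec "$p" $2; then out="${out:+$out }$p"; fi
    done
    printf '%s\n' "$out"
}

echo "default block list overlaps allow list on: $(conflicts "$ALLOW_TCP" "$BLOCK_DEFAULT")"
echo "how-to block list overlaps allow list on:  $(conflicts "$ALLOW_TCP" "$BLOCK_HOWTO")"
```

Run it again with your own lists whenever you add a port to the allow answer, so a newly allowed port does not sit inside a blocked range.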