Mesh/Server security

Revision as of 00:03, 13 October 2013 by Juul

This document attempts to outline some of the steps that have been taken to enhance the security of sudomesh servers.

Automatic updates

We only ever install the Debian/Ubuntu repository versions of software unless the software is not available through these repositories. This goes for stuff like WordPress and MediaWiki as well. This ensures that security updates can be installed with a simple:

 aptitude update && aptitude safe-upgrade

cron-apt

cron-apt is installed and set up to automatically download and install security updates once every 24 hours.

cron-apt is installed:

 aptitude install cron-apt

then it is disabled in cron.d since we want to use anacron instead:

 rm /etc/cron.d/cron-apt

and set up to run daily via anacron:

 cd /etc/cron.daily
 ln -s /usr/sbin/cron-apt

The following line is added to /etc/cron-apt/config to make it use aptitude instead of apt-get:

 APTCOMMAND=/usr/bin/aptitude

By default, cron-apt only downloads updates and doesn't install them. We remove the download action:

 cd /etc/cron-apt/action.d
 rm 3-download

Then we add the file 5-safe-upgrade containing the following line:

 safe-upgrade -y -o quiet=2
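
A check for the finished setup, as an added example that is not part of the original page or sudomesh's own tooling. The function names `check_cron_apt` and `make_sample_tree` are hypothetical, and the optional root argument is an assumption so the check can run against a mounted image or a constructed tree instead of the live host.

```shell
#!/bin/sh
# Added example (not sudomesh's own script): check a filesystem tree against
# the cron-apt setup on this page. $1 is the root to inspect ("" means /).
# Prints one line per deviation; returns the number of deviations found.
check_cron_apt() {
    root="${1:-}"
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # A leftover cron.d entry means cron and anacron would both run cron-apt.
    [ ! -e "$root/etc/cron.d/cron-apt" ] || fail "/etc/cron.d/cron-apt still exists"

    # The daily job must be the symlink created by the ln -s step.
    link="$root/etc/cron.daily/cron-apt"
    [ -L "$link" ] && [ "$(readlink "$link")" = "/usr/sbin/cron-apt" ] \
        || fail "/etc/cron.daily/cron-apt is not a symlink to /usr/sbin/cron-apt"

    # aptitude must be selected on an uncommented line.
    grep -Eq '^[[:space:]]*APTCOMMAND=/usr/bin/aptitude[[:space:]]*$' \
        "$root/etc/cron-apt/config" 2>/dev/null \
        || fail "APTCOMMAND=/usr/bin/aptitude missing from /etc/cron-apt/config"

    # The stock download-only action must have been removed.
    [ ! -e "$root/etc/cron-apt/action.d/3-download" ] \
        || fail "download-only action 3-download still exists"

    # Without the upgrade action, updates are never installed.
    grep -Eq '^[[:space:]]*safe-upgrade[[:space:]].*-y' \
        "$root/etc/cron-apt/action.d/5-safe-upgrade" 2>/dev/null \
        || fail "5-safe-upgrade missing or not running safe-upgrade -y"

    [ "$fails" -eq 0 ] && echo "OK: cron-apt matches the documented setup"
    return "$fails"
}

# Constructed sample tree that follows every step on this page.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/cron.d" "$t/etc/cron.daily" "$t/etc/cron-apt/action.d"
    ln -s /usr/sbin/cron-apt "$t/etc/cron.daily/cron-apt"
    echo 'APTCOMMAND=/usr/bin/aptitude' > "$t/etc/cron-apt/config"
    echo 'safe-upgrade -y' > "$t/etc/cron-apt/action.d/5-safe-upgrade"
    echo "$t"
}
```

Run `check_cron_apt` with no argument on a server to audit the live configuration; a non-zero exit status is the number of steps that are missing or undone.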