Forum OpenACS Q&A: How much time does it take to set up bboard from scratch

Having a unix box running, how long did it take you to install and configure aolserver, postgresql, openacs, and get the bboard module running? Since this is dependent on the skill and knowledge of the person doing it, together with your answer, please describe briefly your background, i.e. "I am a software engineer with x years of db/web programming experience". Or maybe could you give an estimate of the time it would take for someone familiar with the concepts (read Philip Greenspun's book) and programming, but not specifically db/web? I am trying to get an idea of the effort involved. Thanks.

My estimate: one day for web/db programmers. Maybe a long weekend for a programmer with a UNIX background. This is assuming that you've actually read the various installation guides and manuals, you're a conscientious, detail-oriented person, and you're not trying to do this at 3 a.m. when you're dead tired.

My background: I am an erstwhile technical marketing guy; I was briefly a web/db programmer. My educational background is liberal arts. I've been on UNIX/Linux boxes for about eight years. I've been involved with the ACS/OpenACS for about three years. I'm not really a programmer; I used to be an okay sysadmin many moons ago.

From what I've seen in both the ArsDigita bboards and this OpenACS one, people with limited UNIX experience will need to allocate more time to learn some of the *nix nuts and bolts. There are some "Learn Linux in 21 Days" books, but that will take you, uh, 21 days, I suppose.

Also, from what I've seen, the vast majority of problems seem to be related to A.) botched editing of the nsd.tcl configuration file, B.) botched editing of the ad.ini configuration file (or whatever it's called), C.) incorrect/botched TCP/IP network configuration, and D.) not paying close enough attention to the documentation. The first two mistakes are often explained later as "Uh, I was really tired when I was doing this". The third mistake is usually a *NIX newbie mistake. The fourth mistake cannot be attributed to any particular reason other than some people have better reading comprehension than others.

Thankfully, you do not have to install Oracle, another big can of worms that could add days and/or weeks to your installation.

From Jonathan's RPMs, easily done in a day.  Up and mostly working in a couple hours, and then some customizing with the rest of the day.

I'm a chemist with some unix experience (I had an SGI on my desk for years but was mostly an end user), and have done fairly extensive scripting with tcl (7.something) and tk before.

On my ISDN line, it took longer to download everything you need than to get at least a crude prototype up and running.

Just to clarify/summarize:

  • web/db UNIX programmers: 1-2 days
  • other UNIX programmers: 2-4 days, maybe a week
  • web/db non-UNIX programmers: 1-4 weeks
  • other non-UNIX programmers: 4-8 weeks
  • all others: 2-12 months

Oh, I forgot to mention: anyone who could pick up enough *nix in a few weeks/months to install OpenACS still would not be qualified to administer a production-grade, publicly-accessible web/db box. A small intranet box, maybe, but not the real thing on the Internet.

You've probably already thought about this, but it's worth mentioning in light of a recent thread about security and who is conceivably qualified to administer public web servers.

I also based my time estimates on someone who was going to build from the source code, not use RPMs (since you only mentioned UNIX in a generic way). I've never used the RPMs, mostly because I tend to compile my security and web software from scratch anyhow.

The RPMs apparently make it easier, but quite a few Linux newbies don't quite understand the concept of software package dependencies. Again, lack of UNIX knowledge is a hindrance that really can't be estimated well. Also some people eventually figure out how to type "man rpm"; others apparently can't find those keys on their keyboard.

I'm not surprised that Cathy found the RPMs very easy to use. On SGI IRIX, inst is the command line installer, and the concept of software dependencies is very clear to anyone having IRIX experience. (I know: when I gave up my Indigo2, it had IRIX 6.2 + >60 patches.)

Assuming that we put our site behind a hardware firewall appliance/router like sonicwall or smoothwall, and properly configure it, how much hardening of a stock distro is needed? I don't care much about the content and there won't be much public interest in my site but I would rather my machine not participate in a DoS attack, get cracked, etc.

I have a static IP and SDSL connection. I've installed various versions of ACS and OpenACS, I can type man RPM, but I am definitely a security naif.

I am slowly getting better with Linux, Oracle, and OpenACS etc. I'm sure I can follow directions on removing unwanted packages, installing patches, recompiling, etc. However, as I'm really still learning much of Gnu/Linux, CVS, Jade, DocBook, Emacs, LaTeX, Postgres, etc., I like to install the new distros when they become available - is there a way around having to reharden your machine following every installation?

Thanks.

Sean's estimates seem about right, even though the two or three times I installed Oracle went pretty smoothly.
If BBoards is what you want, then they will work and be pretty intuitive. But, once you get OpenACS installed, don't expect all the module administration to be self evident.
I've been trying for years to figure out how to use certain features. (This is a plea for the writers of next user's guide! If it wasn't for the educational early photo.net and Arsdigita site many of us wouldn't be here.)
Of course the OpenACS Bboard patrol is always around to help out!

I hope Jon Griffin will chime in, because I'm certainly no security expert. I'm not convinced that hardware firewalls can compensate for shortcomings in some of the applications they protect (or pass information to): things like executing arbitrary commands as root with buffer overflows. Hardware firewalls are not a panacea; they should be considered additional insurance above and beyond the regular security hardening you perform on a public server. Yes, you are paying a professionally run company whose livelihood is in protecting systems.

Certainly, there's no way that a Linux newbie can go out and buy a Sonicwall, and be done with it.

For Red Hat Linux, there is a significant amount of security work that needs to take place. I've been using Red Hat the past three years, and it has gotten better, but it's still designed for maximum hardware compatibility and installation ease. Each time I install Red Hat from scratch, it takes me a couple of days to really lock down the box; there is no way to get around hardening your box every time you reinstall the OS.

In any case, security holes are discovered all the time. Even if you had a snapshot of an allegedly secure system from three months ago, today, it would not be as secure. The Bastille Linux hardening scripts might be of some use to you; basically, it's a checklist of stuff that a real UNIX sysadmin would consider anyhow, but by packaging it this way, you're less prone to forget something critical. Of course, the Bastille scripts aren't going to replace sendmail with qmail or BIND with djbdns.

I'd try the Bastille scripts, in conjunction with the nmap port scanner and Nessus vulnerability assessment utility. Naturally, you would still want a security guru to look at your firewall settings and your server's security anyhow. I don't know anything about any other Linux distributions (I tried Gentoo Linux once), but Red Hat needs a sizable amount of work before it could be considered as a fairly secure box.

New topic: installing Oracle and installing Postgres are like night and day. Oracle installation has gotten easier and there's a lot more user-contributed documentation nowadays. The very worst Oracle on Linux version was 8.1.5 (the original Oracle8i). Installing that was an absolute nightmare. The last version of Oracle8i I installed was Release 3 (8.1.7). That one went fairly smoothly, but even a straightforward Oracle installation could take half a day or all day (especially if you're using a journalled filesystem).

In my estimation, if nmap shows only port 80 and possibly 443, you're fairly safe. That leaves a couple of areas for intrusion: the web server and the scripts on the web server.

OpenACS 3.2.5 has at least one security hole and possibly others. (My patch helps with that https://openacs.org/sdm/one-patch.tcl?patch_id=35)
AOLServer 3.2 has one known potential security hole. Upgrading or patching will take care of that.

However, there are lot more things that can be done to secure your server. How far you should go probably relates to the sensitivity of your data and how willing you are to start over if your security is breached.

Yeah, you really want to be running a minimum number of services on a public web server. In addition to 80 and 443, ssh and smtp ports (typically 22 and 25) are fairly common on web servers.

Some of the Bastille scripts (and other security hardening measures) have to do with local exploits and security holes, i.e., local users being stupid and/or malicious. You have to consider things like setuid bits on certain binaries, not giving out root passwords and restricting people to sudo, etc.

I also forgot to mention Tripwire; configure it and run the scan nightly. And don't forget those backups! Your data is the most important thing; if you don't have recent backups, well, you're screwed.

I recommend not having smtp listening on port 25 on your web server unless it is really acting as your mail server. Outgoing messages from your web server can be handled without it. You may have to set up a cron job to clear your outgoing mail queue, but I prefer that to having another potential security problem.

I also recommend, if you are running ssh on your web server, that you tell it to listen on some 5 digit port (using /etc/ssh/sshd_config on my system, may vary on yours). There is no need to run ssh on the standard port as only people knowledgeable about your setup ever have need to connect to it. (Unless you're hosting shell accounts or something neat like that.)

If you run redhat, recompile the kernel as soon as you download it.

I updated some links on my (very old) doc at dev.jongriffin.com.

These are nowhere near complete and one day I hope to update it. At a minimum add the grsecurity fixes and recompile without modules. You don't need modules; the distros use them to allow more hardware to be supported. Modules suck, they are a security flaw, did I mention that modules suck?

  • Get up2date if you can't/don't have experience upgrading software.
  • Delete most of what is in /etc/xinetd.d/.
  • Add another user with an id of 0 and never login as root.
  • Run Tripwire before you go on the net as you will be probed within minutes of plugging the cable in.
  • Get and install portsentry and logcheck. Learn to love reading your logs; you will soon find out what is not normal (like login from root).
  • NMAP is your friend (just make sure you don't have an automatic lockout program such as portsentry running or you will lock yourself out.)
  • Nessus is your friend
  • Snort can be a good buddy
  • Build a firewall (smoothwall is excellent) and use it in front of your real box. You don't need to buy someones proprietary box.
  • SSH is your wife. Don't allow anyone to talk you into ftp/telnet.
  • Get on Redhat's update list
  • Follow some security sites DAILY
  • there is more, but you get the idea.
  • Most of this applies to ANY OS.
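
As an added example (not code from any of the posts in this thread), here is a small POSIX shell audit covering what the post above about moving ssh off port 22 and this checklist both call out: which accounts have uid 0, whether sshd still sits on port 22, which xinetd.d services remain enabled, and which listening ports fall outside an allow list of 80/443. It runs here against constructed sample files; on a real box you would point the functions at /etc/passwd, /etc/ssh/sshd_config and /etc/xinetd.d and feed it the ports nmap reported. The PermitRootLogin check uses a standard sshd_config directive that the thread itself does not mention.

```shell
#!/bin/sh
# Hardening audit for the checklist in this thread. Added example, not from the
# original posts. Every function takes its input as a file path or a string, so
# it can be run against the constructed samples below or against a live box.

# uid0_accounts PASSWD_FILE: print every account whose uid is 0, one per line.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# sshd_port SSHD_CONFIG: print the effective Port (sshd defaults to 22).
sshd_port() {
    p=$(awk 'tolower($1) == "port" { v = $2 } END { print v }' "$1")
    echo "${p:-22}"
}

# xinetd_enabled XINETD_DIR: print service files lacking "disable = yes".
xinetd_enabled() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f" \
            || basename "$f"
    done
}

# unexpected_ports LISTENING ALLOWED: print listening ports not in the allow
# list. Both arguments are space-separated, e.g. "22 25 80 443" and "80 443".
unexpected_ports() {
    for p in $1; do
        case " $2 " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# audit PASSWD SSHD_CONFIG XINETD_DIR LISTENING ALLOWED: print each finding and
# a final "findings: N" line. Always exits 0 so it is safe under set -e.
audit() {
    n=0
    accts=$(uid0_accounts "$1" | tr '\n' ' ')
    echo "uid-0 accounts (confirm each is one you created): $accts"
    if [ "$(sshd_port "$2")" -eq 22 ]; then
        echo "sshd listens on the default port 22"; n=$((n + 1))
    fi
    if grep -Eiq '^[[:space:]]*permitrootlogin[[:space:]]+yes' "$2"; then
        echo "sshd permits direct root login"; n=$((n + 1))
    fi
    for s in $(xinetd_enabled "$3"); do
        echo "xinetd service still enabled: $s"; n=$((n + 1))
    done
    for p in $(unexpected_ports "$4" "$5"); do
        echo "listening port outside allow list: $p"; n=$((n + 1))
    done
    echo "findings: $n"
}

# --- constructed sample inputs standing in for a stock install (not real data) ---
SAMPLE=$(mktemp -d)
mkdir "$SAMPLE/xinetd.d"
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:alternate root:/root:/bin/bash
nsadmin:x:500:500:AOLserver:/home/nsadmin:/bin/bash
EOF
printf '# Port 22\nPort 22\nPermitRootLogin yes\n' > "$SAMPLE/sshd_config"
printf 'service telnet\n{\n\tdisable = yes\n}\n' > "$SAMPLE/xinetd.d/telnet"
printf 'service finger\n{\n\tdisable = no\n}\n' > "$SAMPLE/xinetd.d/finger"

# "22 25 80 443" stands in for what nmap reported; 80 and 443 are the allow list.
audit "$SAMPLE/passwd" "$SAMPLE/sshd_config" "$SAMPLE/xinetd.d" "22 25 80 443" "80 443"
```

Once sshd has been moved to a 5-digit port as recommended above, add that port to the allow list so the audit stops reporting it.
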
True, true. I think some port scanners will find sshd on other ports, but running smtp and ssh on the standard ports is often discouraged. It's better to make the crackers' lives harder. Again, these are decisions that an experienced sysadmin will have to make after carefully considering the options, the risks, etc.

Way back when I ran my own personal server, I made the choice what to lock down and what I could live with. The box never got cracked, but I know that a couple of times somebody was poking about.

Now that we've totally gone off topic, it's probably worth mentioning that while installing the OpenACS might take me one day, securing a new box, etc. could conceivably take several days (that's certainly the case for me).

Hi,

Some online reviews point out that Mandrake 8.1 (thinking of power pack version) allows new users to set up their security level during installation "automagically".  They offer various settings.  From something like "Welcome to Crackers" to "Paranoid". Might this distro be good for OpenACS newbies because:

1)  Easy to install

2)  Comes with lots of updated software for exploring Linux and the software that runs on it (besides just OpenACS, I mean).  KDE, GNOME, programming tools; for instance XFree86 4.1.0 ships with this distro allowing lots more video cards to work well (like Matrox G450 dual head cards without ugly kludges that would be bad for newbies).

3)  Based on Redhat; so lots of RH specific documentation will apply or be close enough to enable figuring out.  Some OpenACS RPMs will work.  This allows newbies to get up and running quickly.

4)  Allows first time users to have a secured box at the end of installation if they follow the community's suggestions to choose options A, B and C or whatever during installation.

Your opinion?

Based on my understanding, Debian would be great for keeping one's box up to date, Slack would be great for learning "UNIX proper", *BSD would be great for many reasons, but for those just getting started, wouldn't Mandrake 8.1 power pack be as close to ideal as anything?
Maybe after a few weeks or months the newbie could explore and switch to something else for whatever reasons.  But having all one's hardware recognized and set up correctly during installation AND the availability of RPMs to install OpenACS specific stuff seems to make Mandrake very appealing as a choice for newbies.

Please share your insights on this.  Am I right on or off target?

Thanks,

Louis

Louis,

To put it simply, it's war out there. The number of port scans that are performed on a box connected to the internet is astounding. If you don't really care about your data or how your server may be used if it's been hacked into, then your level of security can be arbitrary.

However, if you do care about either of those things, and considering that at the very least port 80 is open on an OACS install, then there is no getting around that running a server is a non-trivial if not full-time task. If this were not true, then we could rid the world of bearded, corpulent BOFHs that dictate our lives so completely.

Alas, we cannot.

For instance, at one point we were upgrading from one version of SSH to the latest. In the very short time that we left ourselves vulnerable we got hacked with a man in the middle exploit. We may have been a bit careless with our approach, but not so careless that it wasn't a calculated risk. Even still, we got hammered.

AFAIK, Mandrake is more or less developed for the desktop installation rather than for servers. Someone, maybe Ben, once told me that Mandrake is the best selling distro in the US. Of course, this is not a merit of distinction considering that most systems are installed from downloads. (Google, whose data collection system consists of 4,000 Celeron PCs, bought only 50 cds of Redhat linux.)

So the point is that if you're a newbie, you have two choices:

a) get a *nix distro, a good how-to book, throw away your Gillette Mach3 and order a bunch of Big Macs because you need to figure out how to install GCC and all of its dependencies; or

b) save some time and spend some money to have the 11 year old next door who gets his ass kicked at recess set you up with a killer box or boxen.

Just my 0.02.

talli

Hi Talli,

Your point about desktop vs. open-to-the-world servers is a great point.  As you point out, Mandrake is quite popular.  Therefore, there should be a lot of help out there for newbies in addition to here at Open/ACS.  Maybe some cross pollination could help the community grow, too.

My post concerns newbies learning OpenACS and new to Linux too.  I was not thinking about a newbie having their newly installed Mandrake/OpenACS box available as a public website right after installation.  Instead, as a desktop/server learning environment.  However, as one installed securely enough not to get cracked without a lot of effort if at all; most likely behind an internet connection sharing device like a low cost router/gateway running a firewall and NAT -- not perfect, but better than nothing.

I hate to hear of your unfortunate experiences getting cracked.  You do touch on another issue.  With an up to date distro one often has the benefit of having most or all of the software one needs to get at least Linux installed and hardened before even connecting to the internet.  I think Mandrake 8.1 might offer this or come close thru options available during installation.  But I don't know enough about security to say so -- thus my request for community replies.  Maybe we need an OpenBSD install/Quickstart guide :)

Contrast this to the distro mentioned in lots of Open/ACS documentation -- Redhat 6.2.  Maybe great in its day, but old and thus needing a lot of updates/patches for security.

I suspect not many newbies will download all patches for 6.2, burn them to CD so they have them on hand prior to beginning installation AND make sure they're not connected to the internet UNTIL they both complete the install and work thru hardening their system.

I wonder how many Open/ACS newbies following community documentation have unwittingly exposed themselves to just the type of fast acting crackers that compromised your boxes.

I think helping newbies get up and running securely will help our community flourish -- and not doing so will be detrimental.

I was thinking by the time someone new to OpenACS/*nix was ready to host a site, that they likely won't be newbies any more -- and would have a better idea how to set up a server box securely for "public consumption" using whatever version of whatever OS they thought best for security and other reasons.

Your point of how fast an unsecured box can be compromised is one of the main reasons I mentioned Mandrake since, I suspect, their install procedure, regarded as easy for newbies, allows newbies to easily set a lot of what they need to have a higher level of security than other distros provide "out of the box" without the newbie having to know in advance what to do to harden their system.

I suspect they have too many services enabled by default -- that's why I mentioned what I did about "suggestion A, B, C and whatever of the community for installation options/instructions".

Maybe the members of our community most knowledgeable about security could either advise what distro and hardening procedure to use or come up with either an OpenACS distro for newbies or a Bastille like script to use for what the community recommends.

Again, a lot of community documentation mentions RH 6.2, and since RH 6.2 is quite lacking in security out of the box, I think our community needs some up to date recommendation or resources for newbies wanting to get started safely without worries of people cracking their boxes.

Since getting everything installed just gets folks to the starting gate, debating OS versions is not the most important thing of course -- but solid community advice on what options are good for a newbie to learn safely without worrying about being cracked IS imperative, IMO.  If our community has its own version of "Install this/these versions and follow this/these step by step hardening guide(s) to have a hardened install for learning OpenACS", we should state so prominently; if not I feel we should create such.  This question does keep coming up.

In summary, I'm not saying Mandrake is "the distro for newbies to get up and running securely if you choose/do A, B, C...N during installation"; I'm asking if it is.  And if so, what installation options are best for a new install for someone wanting adequate security?

Thanks one and all for your input and help,

Louis

Talli wrote: "To put it simply, it's war out there. The number of port scans that are performed on a box connected to the internet is astounding. If you don't really care about your data or how your server may be used if it's been hacked into, then your level of security can be arbitrary."

Just to point out, you don't even need a broadband connection to attract the attention of crackers. I'm on plain old dialup PPP over a plain old POTS line and nowadays I get port scanned every other hour or so. I'm tail-ing the syslog in a small terminal window and with PortSentry listening, I can see every time someone comes knocking at my door. You're really gambling with disaster if you're not proactive and taking active, aggressive measures.

The short shrift paid to security and backups by people who run web services is astounding. You'd think that in this day and age people responsible for serious servers would know better, but I guess some people will only learn by getting knocked down. The kuro5hin.org site was down for weeks because they A.) didn't have a warm spare, B.) didn't have cold spares, and C.) worst of all and totally inexcusable, in their own words, they didn't have any useful backups of their database/website. Their tale of woe could easily be retitled: How Not to Run a Database-Backed Web Server.

In their case, they weren't really cracked, but the end result would have been the same, maybe worse, because they didn't care enough about their data to keep backups (and their fancy RAID array didn't serve any pages to site visitors for weeks as it languished in one of Compaq's data recovery labs).

I noticed several of us are using portsentry. I started using it as well, but it doesn't seem to be working as advertised. I have it running in advanced mode on linux. I have it set to start blocking scans on the second attempt at a non-listening port. This seems to work fine for ports that are not listening; further attempts to connect get logged as being blocked. However, I can still connect to open ports. Personally I don't see the advantage in this setup, as the scanner still gets a list of open ports. Has anyone else run into this problem?

My domain is multi.zmbh.com and port 80 is open. If you try telnetting to some random port a few times you can still get to 80.

I should have answered this sooner. Portsentry version 1.0 had a bug and didn't ever call your lockout program.

Please upgrade to the latest 1.1 and you will find that iptables/chains blocking works perfectly.