[OPEN-ILS-GENERAL] Securing an Evergreen Server

Ben Shum bshum at biblio.org
Wed Jun 3 12:51:33 EDT 2015


Hi Jesse,

I might actually recommend against doing any unattended upgrades on
your servers.  I've seen this occur before where a security fix for
PostgreSQL (which is normally a good thing) caused the server to
restart spontaneously and disrupt Evergreen services, which didn't
reconnect appropriately after the restart.  In my experience, it's
been more effective to plan for and apply updates as necessary
manually, rather than automatically.  It does require more constant
vigilance on the part of staff, but it leaves fewer surprises.

I'll ponder the rest of your questions and will reply if others don't
get there first, but I just wanted to mention that opinion first.

-- Ben

On Wed, Jun 3, 2015 at 11:38 AM, Jesse McCarty <jessem at burlingtonwa.gov> wrote:
> Hello Everyone,
>
> I am in the process of building a new host server (Ubuntu 14.04) for our
> Evergreen system, with a planned deployment in the fall running the 2.8
> series of Evergreen. I was wondering what steps fellow Sys Admins take to
> secure the host OS for the best possible security? We obviously have a good
> hardware firewall on our network and I was planning on installing fail2ban
> and mod_security in Apache. I also plan on blocking unused ports with the
> system firewall. For SSH connections we have deny all in our hosts.deny file
> with only the needed IP addresses in our hosts.allow file. The host system
> also runs unattended upgrades in the middle of the night so any important
> security fixes are applied without delay.
>
> Any other steps to take to ensure a secure environment?
>
> Thanks!
>
> Jesse McCarty
> City of Burlington
> IT Technical Assistant
>



-- 
Benjamin Shum
Evergreen Systems Manager
Bibliomation, Inc.
24 Wooster Ave.
Waterbury, CT 06708
203-577-4070, ext. 113
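
An added example, not part of the original messages: one way to support the manual, planned approach Ben describes is to review a simulated upgrade and flag security fixes for services whose restart would disrupt Evergreen. The `WATCHLIST` prefixes, the function names and the sample `apt-get -s upgrade` output (including its version strings) are constructed assumptions.

```shell
#!/bin/sh
# Assumption: package-name prefixes whose upgrade restarts a service
# Evergreen depends on. Adjust for the host in question.
WATCHLIST="${WATCHLIST:-postgresql apache2}"

# Reads `apt-get -s upgrade` output on stdin, prints one line per package:
#   PLAN  <pkg> <new-version>  security fix for a watched service
#   SEC   <pkg> <new-version>  security fix for any other package
#   OTHER <pkg> <new-version>  non-security update
classify_pending() {
    awk -v watch="$WATCHLIST" '
        BEGIN { n = split(watch, w, " ") }
        $1 == "Inst" {
            pkg = $2
            ver = "?"
            # The candidate version is the first field starting with "(".
            for (i = 3; i <= NF; i++)
                if (substr($i, 1, 1) == "(") { ver = substr($i, 2); break }
            sec = ($0 ~ /-security/) ? 1 : 0
            tag = sec ? "SEC" : "OTHER"
            if (sec)
                for (j = 1; j <= n; j++)
                    if (index(pkg, w[j]) == 1) tag = "PLAN"
            print tag, pkg, ver
        }'
}

# Number of pending upgrades that need a scheduled maintenance window.
count_planned() {
    classify_pending | awk '$1 == "PLAN" { c++ } END { print c + 0 }'
}

# Constructed sample of simulated-upgrade output (not from a real host).
sample_output() {
    cat <<'EOF'
Reading package lists...
The following packages will be upgraded:
  libssl1.0.0 postgresql-9.3 tzdata
Inst postgresql-9.3 [9.3.6-0ubuntu0.14.04] (9.3.7-0ubuntu0.14.04 Ubuntu:14.04/trusty-security [amd64])
Inst libssl1.0.0 [1.0.1f-1ubuntu2.11] (1.0.1f-1ubuntu2.12 Ubuntu:14.04/trusty-security [amd64])
Inst tzdata [2015d-0ubuntu0.14.04] (2015e-0ubuntu0.14.04 Ubuntu:14.04/trusty-updates [all])
Conf postgresql-9.3 (9.3.7-0ubuntu0.14.04 Ubuntu:14.04/trusty-security [amd64])
EOF
}

# Demo on the constructed sample.
sample_output | classify_pending
```

On a real host the same function would be fed with `apt-get -s upgrade | classify_pending`, which simulates the upgrade without changing anything.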