[OPEN-ILS-GENERAL] Securing an Evergreen Server

Michael Peters mpeters at emeralddata.net
Wed Jun 3 13:15:02 EDT 2015


+1 to no automatic upgrades!

Clustering surely helps a bit with security, if you only have one 
public-facing box running ldirectord to act as a "portal" to your local 
network. Have all of the Evergreen servers (database, utility, web/app 
servers, etc.) operating only on private IPs that can only be reached from 
your "portal" box.

Surely, much easier to manage security for one box that is public-facing, 
than it is for multiple!

Regular apt-get dist-upgrade runs are recommended.  Just take care when 
upgrading anything that may be a dependency for Evergreen.  The developers 
do a great job of staying on top of the latest packages, but there have been 
a few new releases (I'm remembering a change in ejabberd.cfg format one 
time) that caused some trouble for Evergreen.  It was quickly fixed though, 
thanks to our great developer community.

Michael Peters
Senior Systems Analyst
Emerald Data Networks, Inc.
Phone: 678.302.3000 x1013
Help Desk: 678.302.3000 x1500
www.emeralddata.net

-----Original Message-----
From: Open-ils-general 
[mailto:open-ils-general-bounces at list.georgialibraries.org] On Behalf Of Ben 
Shum
Sent: Wednesday, June 3, 2015 12:52 PM
To: Evergreen Discussion Group
Subject: Re: [OPEN-ILS-GENERAL] Securing an Evergreen Server

Hi Jesse,

I might actually recommend against doing any unattended upgrades on your 
servers.  I've seen this occur before where a security fix for PostgreSQL 
(which is normally a good thing) caused the server to restart spontaneously 
and disrupt Evergreen services, which didn't reconnect appropriately after 
the restart.  In my experience, it's been more effective to plan for and 
apply updates as necessary manually, rather than automatically.  It does 
require more constant vigilance on the part of staff, but it leaves fewer 
surprises.

I'll ponder the rest of your questions and will reply if others don't get 
there first, but I just wanted to mention that opinion first.

-- Ben

On Wed, Jun 3, 2015 at 11:38 AM, Jesse McCarty <jessem at burlingtonwa.gov> 
wrote:
> Hello Everyone,
>
>
>
> I am in the process of building a new host server (Ubuntu 14.04) for
> our Evergreen system, with a planned deployment in the fall running
> the 2.8 series of Evergreen. I was wondering what steps fellow Sys
> Admins take to secure the host OS for the best possible security? We
> obviously have a good hardware firewall on our network and I was
> planning on installing fail2ban and mod_security in Apache. I also
> plan on blocking unused ports with the system firewall. For SSH
> connections we have deny all in our hosts.deny file with only the
> needed IP addresses in our hosts.allow file. The host system also runs
> unattended upgrades in the middle of the night so any important security 
> fixes are applied without delay.
>
>
>
> Any other steps to take to ensure a secure environment?
>
>
>
> Thanks!
>
>
>
> Jesse McCarty
>
> City of Burlington
>
> IT Technical Assistant
>
>



--
Benjamin Shum
Evergreen Systems Manager
Bibliomation, Inc.
24 Wooster Ave.
Waterbury, CT 06708
203-577-4070, ext. 113
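
An added example, not part of the original thread: one way to do the manual review both replies recommend is to simulate the upgrade and list any pending package that Evergreen depends on before applying anything. The watchlist pattern, function names and sample versions are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Flag pending upgrades that touch services Evergreen depends on.

# Assumed watchlist (extended regex on package names); adjust to your install.
WATCHLIST='^(postgresql|ejabberd|apache2|libapache2-mod-)'

# Constructed sample of `apt-get -s dist-upgrade` output (versions invented).
SAMPLE='Inst libssl1.0.0 [1.0.1f-1ubuntu2.11] (1.0.1f-1ubuntu2.15 Ubuntu:14.04/trusty-security [amd64])
Inst postgresql-9.3 [9.3.6-0ubuntu0.14.04] (9.3.7-0ubuntu0.14.04 Ubuntu:14.04/trusty-security [amd64])
Inst ejabberd [2.1.11-1ubuntu2] (2.1.11-1ubuntu2.1 Ubuntu:14.04/trusty-updates [amd64])
Conf postgresql-9.3 (9.3.7-0ubuntu0.14.04 Ubuntu:14.04/trusty-security [amd64])'

# Read simulated-upgrade output on stdin; print one line per watched package:
#   <pkg> <old> -> <new> [security|regular]
flag_risky_upgrades() {
    awk -v pat="$WATCHLIST" '
        $1 == "Inst" && $2 ~ pat {
            if ($3 ~ /^\[/) {            # upgrade: "[old] (new origin ..."
                oldv = substr($3, 2, length($3) - 2)
                newv = substr($4, 2)
            } else {                     # new install: no "[old]" field
                oldv = "(new install)"
                newv = substr($3, 2)
            }
            pocket = ($0 ~ /-security/) ? "security" : "regular"
            printf "%s %s -> %s [%s]\n", $2, oldv, newv, pocket
        }'
}

# Return 0 if nothing on the watchlist is pending, 1 if a planned
# maintenance window (and a service check afterwards) is warranted.
needs_maintenance_window() {
    hits=$(flag_risky_upgrades)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf 'Plan a maintenance window before upgrading:\n%s\n' "$hits" >&2
    return 1
}

case "${1:-}" in
    --live) apt-get -s dist-upgrade | needs_maintenance_window ;;  # -s: simulate only
    *)      printf '%s\n' "$SAMPLE" | flag_risky_upgrades ;;
esac
```

Run with `--live` on the server to check the real pending set; a non-zero exit means a watched package would change.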

