[OPEN-ILS-GENERAL] Securing an Evergreen Server

Jesse McCarty jessem at burlingtonwa.gov
Wed Jun 3 13:20:56 EDT 2015


Thanks for the feedback, Ben. I have actually been running unattended upgrades on all our Ubuntu servers for a while now (probably close to a year, including our current Evergreen production and test server). I have the automatic-reboot option set to false and then run a script via cron every Thursday (our planned maintenance day for system restarts if necessary) that checks if a system restart is required and reboots if necessary. This setup has been trouble-free so far, but I will keep in mind the possible PostgreSQL issue mentioned and monitor the new server (which will be run in a test environment to see if there are any issues before taking over the production work).

I upgraded PostgreSQL to version 9.2 (from 9.1) via the Postgres apt repository on our current production server and since then some versioning has gotten off kilter and now there are broken dependencies on the production server with Postgres 9.1. This has prompted me to move my server upgrade instead of staying on 12.04. Should be a nice upgrade though, moving to an SSD-based server.

We are small enough that our Evergreen setup is one server for everything; it's running behind the hardware firewall with a virtual IP on said firewall (which also has additional rules/security to keep things locked down as much as possible - but more security doesn't hurt).

Jesse McCarty
City of Burlington
IT Technical Assistant

-----Original Message-----
From: Open-ils-general [mailto:open-ils-general-bounces at list.georgialibraries.org] On Behalf Of Ben Shum
Sent: Wednesday, June 03, 2015 9:52 AM
To: Evergreen Discussion Group
Subject: Re: [OPEN-ILS-GENERAL] Securing an Evergreen Server

Hi Jesse,

I might actually recommend against doing any unattended upgrades on your servers. I've seen this occur before where a security fix for PostgreSQL (which is normally a good thing) caused the server to restart spontaneously and disrupt Evergreen services, which didn't reconnect appropriately after the restart. In my experience, it's been more effective to plan for and apply updates as necessary manually, rather than automatically. It does require more constant vigilance on the part of staff, but it leaves fewer surprises.

I'll ponder the rest of your questions and will reply if others don't get there first, but I just wanted to mention that opinion first.

-- Ben

On Wed, Jun 3, 2015 at 11:38 AM, Jesse McCarty <jessem at burlingtonwa.gov> wrote:
> Hello Everyone,
>
> I am in the process of building a new host server (Ubuntu 14.04) for
> our Evergreen system, with a planned deployment in the fall running
> the 2.8 series of Evergreen. I was wondering what steps fellow Sys
> Admins take to secure the host OS for the best possible security? We
> obviously have a good hardware firewall on our network and I was
> planning on installing fail2ban and mod_security in Apache. I also
> plan on blocking unused ports with the system firewall. For SSH
> connections we have deny all in our hosts.deny file with only the
> needed IP addresses in our hosts.allow file. The host system also runs
> unattended upgrades in the middle of the night so any important
> security fixes are applied without delay.
>
> Any other steps to take to ensure a secure environment?
>
> Thanks!
>
> Jesse McCarty
> City of Burlington
> IT Technical Assistant



--
Benjamin Shum
Evergreen Systems Manager
Bibliomation, Inc.
24 Wooster Ave.
Waterbury, CT 06708
203-577-4070, ext. 113
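
The weekly cron check described in the first message of this thread, written out as an added example (it is not Jesse's actual script). It also reports PostgreSQL upgrades found in dpkg.log, the case Ben raises, so staff know to confirm Evergreen reconnected. The function names and the `--report`/`--apply` flags are hypothetical; the file paths are the Ubuntu defaults.

```shell
#!/bin/sh
# Added example: weekly check for a host that runs unattended-upgrades with
# automatic reboot disabled. Paths are Ubuntu defaults; override to test.
FLAG="${FLAG:-/var/run/reboot-required}"
PKGS="${PKGS:-/var/run/reboot-required.pkgs}"
DPKG_LOG="${DPKG_LOG:-/var/log/dpkg.log}"

# True when an installed update has asked for a restart.
reboot_required() {
    [ -f "$FLAG" ]
}

# Packages that asked for the restart, de-duplicated, one per line.
reboot_packages() {
    if [ -f "$PKGS" ]; then sort -u "$PKGS"; fi
}

# PostgreSQL packages upgraded on or after date $1 (YYYY-MM-DD).
# dpkg.log upgrade lines look like: DATE TIME upgrade PKG:ARCH OLDVER NEWVER
postgres_upgrades_since() {
    [ -f "$DPKG_LOG" ] || return 0
    awk -v since="$1" \
        '$3 == "upgrade" && $4 ~ /^postgresql/ && $1 >= since {
             print $1, $4, $5, "->", $6 }' "$DPKG_LOG"
}

# Prints reboot (restart pending), check-evergreen (PostgreSQL was upgraded
# since date $1, so confirm Evergreen reconnected) or none.
maintenance_action() {
    if reboot_required; then
        echo reboot
    elif [ -n "$(postgres_upgrades_since "$1")" ]; then
        echo check-evergreen
    else
        echo none
    fi
}

# Does nothing unless called with --report or --apply (hypothetical flags).
case "${1:-}" in
    --report|--apply)
        since=$(date -d '7 days ago' +%F)      # GNU date, as on Ubuntu
        action=$(maintenance_action "$since")
        echo "action: $action"
        reboot_packages | sed 's/^/  restart requested by: /'
        postgres_upgrades_since "$since" | sed 's/^/  postgres upgraded: /'
        if [ "$1" = "--apply" ] && [ "$action" = reboot ]; then
            /sbin/shutdown -r +5 "Scheduled maintenance restart"
        fi ;;
esac
```

Run from cron with `--report` first; `--apply` schedules the restart only when the reboot-required flag file is present.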

