Bugzilla!

This morning I realized that my to-do list for Project X was getting out of hand. I’ve used various bug-tracking systems before, and I thought one of those would be ideal for this (both now and in the future), so I decided it was time to set up a local copy of Bugzilla.

I’d looked into doing this before, prior to my switch to Linux, and it involved far too much work to be worthwhile. But under Ubuntu Linux, with the apt-get system automating the installation of all the other programs that it requires, it was a lot easier — enough so that I dived right into it.

Getting it installed and configured properly wasn’t a walk in the park, but it wasn’t too difficult. However, installing it required installing the Apache web server, the MySQL server, and the Sendmail program too, and that set my paranoia alarms shrieking at high volume. This system is behind a hardware firewall most of the time, but I do take it out of the office a few times a week, and it’s occasionally connected to other networks when I do. I can’t risk having a possibly-insecure program running on it.

First stop: a software firewall. (I didn’t see any need for this previously, because Linux is fairly secure by default.) The guarddog package seemed to be just what the doctor ordered. It was a pain to set it up initially, but it looks like it does everything I need.

After confirming that the firewall was set up correctly, I dove into the Bugzilla security guide. I found that one of the items was out of date (MySQL no longer uses the skip-networking option; instead, it only allows network access from localhost by default), and the root MySQL password was already set, but otherwise I had little trouble with it. I wasn’t happy with just doing that though, so I did some further research on security-hardening MySQL and Apache. I also removed Sendmail from the startup scripts entirely, after telling Bugzilla not to bother sending any e-mail (it doesn’t need to, since this is a single-user installation at this point).

That’s it! I now have a secure Bugzilla installation. 🙂
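A quick way to confirm the result of the steps above, as an added example that is not part of the original post: the function below reads `ss -ltn` output and lists every TCP listener bound to something other than loopback, so a MySQL, Apache or Sendmail socket that is reachable from another network stands out. It checks socket binding only, not firewall rules; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report TCP listeners that are
# bound to a non-loopback address. Live use: ss -ltn | exposed_listeners

# Constructed sample shaped like `ss -ltn` output; not captured from a real host.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    *:80               *:*
LISTEN 0      128    [::1]:631          [::]:*
LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# Prints "PORT ADDRESS" for each listener reachable from off-host, sorted by port.
exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        local_addr = $4
        # Split at the last colon, because IPv6 addresses contain colons too.
        if (match(local_addr, /:[0-9]+$/) == 0) next
        addr = substr(local_addr, 1, RSTART - 1)
        port = substr(local_addr, RSTART + 1)
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # drop IPv6 brackets
        sub(/%.*$/, "", addr)                        # drop interface scope (%lo)
        # Loopback in IPv4, IPv6 and IPv4-mapped form is not exposed.
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
        print port " " addr
    }' | sort -u | sort -n
}

# Succeeds (exit 0) if the given port has a non-loopback listener.
# 3306 = MySQL, 80 = Apache, 25 = Sendmail (standard ports).
service_exposed() {
    exposed_listeners | grep -q "^$1 "
}

# Demo on the constructed sample: MySQL is loopback-only, Apache is not.
printf '%s\n' "$SAMPLE" | exposed_listeners
for port in 3306 80 25; do
    if printf '%s\n' "$SAMPLE" | service_exposed "$port"; then
        echo "port $port: listening on a non-loopback address"
    else
        echo "port $port: loopback-only or not listening"
    fi
done
```

A wildcard bind such as `*:80` means the firewall is the only layer keeping that service off an untrusted network.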

3 Comments

  1. Sendmail is not the most secure email server, though now that it doesn’t run as root it’s improved. Postfix is very secure, from IBM, and now has a fair amount of features. There’s also Qmail for the ultimate in security (not to be confused with the old FidoNet program by the same name!), but I’ve never tried it and due to djb’s bad attitude and lack of open source credentials to his software (hence making it not packaged as binaries in Debian and derivatives (e.g. Ubuntu)) I don’t recommend it. Plus I’m sure it’s not as simple as Postfix, which is easy – especially compared to Sendmail, whose configuration file format is in an alien tongue.

  2. Thanks, but as I’ve disabled Sendmail, and have firewall-blocked its ports as well, that doesn’t much matter to me.
