I’ve never been impressed by them.
There’s a lot of fluffy feel good stuff in those scripts that does almost nothing to address the real source of almost all security problems, while they also break quite a lot of functionality in subtle and sometimes difficult to diagnose ways (/tmp usage is a source of many problems with these scripts…though Virtualmin gives each user a private tmp directory, so this wouldn’t strike your users using our Install Scripts…but things that we didn’t install might break).
In short, I don’t recommend them, unless you have a lot of time to kill. Red Hat has more experienced security people on staff, likewise with Debian among their volunteers, than any of these projects have among their ranks. There are probably circumstances where these things might be helpful, but I’m not convinced a hosting server is one of them.
There are some truly interesting security projects in existence. SELinux is the best known among them, and probably the best, but AppArmor also looks pretty good. I think they are worth the effort to implement (particularly on operating systems that include them, by default). We currently disable SELinux on systems that have it…because it introduces a whole new layer of permissions that are not at all understood by the majority of administrators at this point, and permissions problems are the single largest source of trouble on hosting systems. But Virtualmin is already aware of context (to some degree), and it’s possible to run a full-featured Virtualmin on a system with SELinux, as long as the policy has been modified to correctly allow everything to work (this is tricky, and different for every version of Fedora and RHEL and there is no standard way to distribute SELinux policy changes, so we haven’t integrated it yet).
All of that said, there are three things that almost no administrator really does (even many that go to lots of extra trouble installing stuff like Bastille–I’ve seen several compromised Bastille systems, due to the following problems), that can dramatically reduce your risk of security trouble:
-
Keep your software up to date. Always run the latest versions of everything from your OS provider (and our repos, if running Virtualmin Professional).
-
Use strong passwords. Eight or more characters, letters and numbers and/or symbols. Change them every year at minimum.
-
Turn off unneeded services. If you don’t know what it is, Google it. Be sure you understand what your system is doing.
Notice that firewalls aren’t in that list at all. A firewall can do a lot of good in a private network where the boxes inside have no business being spoken to by the world outside. But we’re talking about a public server providing all public services. So, pretty much every active port needs to be open, so it can provide services to the world. And if there is no service listening on a port, it’s better than firewalled–it’s dead, and assuming no huge glaring kernel bugs, it’s completely useless to a cracker.
So, if you’re already doing those three things, you might then consider spending time getting SELinux working. After all of that, if you still don’t feel safe, spend some time with those “hardening” scripts. But pick and choose the techniques. Most of them are so far out of date that it’s laughable that they still exist in these scripts (I’m not familiar with ELS, but I know Bastille pretty well). They address problems that existed in the ancient history of UNIX and have long since been addressed by kernel features in Linux.
That said, this does bring up one nice thing about Bastille: It’s interactive and pretty informative. So, running it and saying “no” to every option can be very educational–though the information is less detailed than I’d like, and more generic than is useful…if you follow up by googling each concept, you can learn a LOT about the history of UNIX security. And that’s a really useful thing to know. How hackers think and how they approach the problem of exploiting machines is more important than any specific exploit, and it can help you be more attuned to keeping things safe and secure. And that’s never a bad thing.