How to Secure your Linux Server

Securing your environment starts during the ordering process, when you are deploying server resources, and it matters most if you deploy a quick server without an extra hardware firewall layer in front of it or an APF (Advanced Policy Firewall) on it.

Here are a couple of security hardening tips. I set my servers up with a solid base level of security whenever I deploy a Linux system.

 

Limit physical access and booting capabilities

  • Enable a BIOS password
  • Disable floppy and USB booting
  • Set a LILO or GRUB password (/etc/lilo.conf or /boot/grub/menu.lst, respectively)
  • Check that the LILO or GRUB configuration file is read-protected.

 

Disable Root Login

When you need super-user permissions, use sudo instead of su. Sudo is more secure than su: when a user runs root-level commands through sudo, every command is logged by default in /var/log/secure. Furthermore, users must authenticate themselves to run sudo commands, and that authentication is only cached for a short period of time.

Note:
You should Stop Using Root!

 

Partitioning

  • Separate user-writable data, non-system data, and rapidly changing run-time data to their own partitions
  • Set nosuid,noexec,nodev mount options in /etc/fstab on ext2 partitions such as /tmp

 

Limiting the network access

  • Install and configure ssh (set PermitRootLogin no and PermitEmptyPasswords no in /etc/ssh/sshd_config)
  • Consider disabling or removing in.telnetd
  • Generally, disable gratuitous services in /etc/inetd.conf using update-inetd --disable (or disable inetd altogether, or use a replacement such as xinetd or rlinetd)
  • Disable other gratuitous network services; mail, ftp, DNS, www etc. should not be running if you do not need them, and monitor the ones you keep regularly.
  • For those services which you do need, do not just use the most common programs; look for more secure versions shipped with Debian (or from other sources). Whatever you end up running, make sure you understand the risks.
  • Set up chroot jails for outside users and daemons.
  • Configure a firewall and tcpwrappers (i.e. hosts_access)
  • If you run ftp, set up your ftpd server to always run chrooted to the user’s home directory
  • If you run X, disable xhost authentication and go with ssh instead; better yet, disable remote X if you can (add -nolisten tcp to the X command line and turn off XDMCP in /etc/X11/xdm/xdm-config by setting requestPort to 0)
  • Disable outside access to printers
  • Tunnel any IMAP or POP sessions through SSL or ssh; install stunnel if you want to provide this service to remote mail users
  • Set up a loghost and configure other machines to send logs to this host (/etc/syslog.conf)
  • Secure BIND, Sendmail, and other complex daemons (run in a chroot jail; run as a non-root pseudo-user)
  • Install snort or a similar logging tool.
  • Do without NIS and RPC if you can (disable portmap).
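As an added example (not from the original page), here is a POSIX shell check for the sshd_config settings suggested above. It honours sshd's own rule that the first occurrence of a keyword is the one that counts, and it also checks PasswordAuthentication, since disabling it is what enforces key-only logins. The config contents are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sshd_config sample (not the page's file): note the duplicated PermitRootLogin.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample
Port 22
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
# a later duplicate: sshd ignores it, because the first value of a keyword wins
PermitRootLogin yes
EOF
}

# effective_sshd_option KEYWORD   (sshd_config on stdin)
# Prints the value sshd will actually use: the FIRST occurrence, keyword case-insensitive,
# stopping at the first Match block (only the global scope is checked here).
effective_sshd_option() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == want      { print tolower($2); exit }'
}

# audit_sshd_config   (sshd_config on stdin)
# Prints one line per setting that differs from the hardened value; returns the count.
audit_sshd_config() {
    conf=$(cat)
    findings=0
    for pair in PermitRootLogin:no PermitEmptyPasswords:no PasswordAuthentication:no; do
        key=${pair%%:*}
        wanted=${pair#*:}
        got=$(printf '%s\n' "$conf" | effective_sshd_option "$key")
        if [ "$got" != "$wanted" ]; then
            echo "$key is '${got:-unset}', expected '$wanted'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage: on a live host run   audit_sshd_config < /etc/ssh/sshd_config
sample_sshd_config | audit_sshd_config || echo "$? setting(s) need attention"
```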

 

Password hygiene and login security

  • Do not choose passwords shorter than 8 characters; create complexity with upper- and lower-case letters, special characters and numbers, e.g. Qu4DL1nux*I0
  • Enable password shadowing and MD5
  • Install and use PAM: add MD5 support to PAM and make sure that (generally speaking) entries in /etc/pam.d/ files which grant access to the machine have the second field in the pam.d file set to “requisite” or “required”.
  • Tweak /etc/pam.d/login so as to only permit local root logins.
  • Also mark authorized ttys in /etc/security/access.conf and generally set up this file to limit root logins as much as possible.
  • Add pam_limits.so if you want to set per-user limits
  • Tweak /etc/pam.d/passwd: set the minimum length of passwords higher (6 characters maybe) and enable md5
  • Add group wheel to /etc/group if desired; add a pam_wheel.so group=wheel entry to /etc/pam.d/su
  • For custom per-user controls, use pam_listfile.so entries where appropriate
  • Have an /etc/pam.d/other file and set it up with tight security
  • Set up limits in /etc/security/limits.conf (note that /etc/limits is not used if you are using PAM)
  • Tighten up /etc/login.defs; also, if you enabled MD5 and/or PAM, make sure you make the corresponding

Note:
Disable root ftp access in /etc/ftpusers
Disable network root login; use su or sudo.

Policy issues

  • Educate users about the whys and hows of your policies. When you have prohibited something which is regularly available on other systems, provide documentation which explains how to accomplish similar results using other, more secure means.
  • Prohibit use of protocols which use cleartext passwords (telnet, rsh and friends; ftp, imap, http)
  • Prohibit programs which use SVGAlib.
  • Use disk quotas.

Update Kernel and Software

Ensure your kernel and software patches are up to date. I like to make sure my Linux kernel and software are always up to date, because patches are constantly being released that correct security flaws and close exploits. Remember you have access to SoftLayer’s private network for updates and patches, so you don’t have to expose your server to the public network to get updates. Run this with sudo to get updates on Red Hat or CentOS: yum update.

How to protect a Linux server against denial of service (DoS) attacks

A denial of service (DoS) attack is, according to Wikipedia:

In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regards to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.[1]

One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

Most of the time this kind of attack is attempted against web servers, and that is the case I am going to show you how to protect a Linux server against, using fail2ban.

What is Fail2ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Fail2Ban is able to reduce the rate of incorrect authentication attempts; however, it cannot eliminate the risk that weak authentication presents. Configure services to use only two-factor or public/private key authentication mechanisms if you really want to protect them.

Installation

Open a Terminal (CTRL+ALT+T) and type these commands:

Debian / Ubuntu

$ sudo -i
# apt-get install fail2ban

Red Hat / CentOS

$ su
# yum install fail2ban

Configuration

Whichever distribution you are using, configuration centres on two main files:

/etc/fail2ban/fail2ban.conf
/etc/fail2ban/jail.conf

Make a ‘local’ copy of jail.conf (and, if you need to change it, of fail2ban.conf) in /etc/fail2ban. Fail2ban reads the .local file on top of the .conf file, so your changes survive package upgrades:

cd /etc/fail2ban
cp jail.conf jail.local

Now edit the file:

nano jail.local

Basic configurations are listed under the [DEFAULT] heading in the configuration file for fail2ban.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

 

Protect SSH/SFTP

After the basic settings in the conf file, you can find the section for SSH, [ssh-iptables]. Update the section and restart the fail2ban service.

Example:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 3
# service fail2ban restart
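The following is an added example, not part of the original page or of Fail2ban itself: a shell/awk re-implementation of the maxretry/findtime counting rule, run over a few constructed /var/log/secure lines, so you can see exactly when the [ssh-iptables] jail above would ban a host and how ignoreip exempts one. Fail2ban uses its own regex filters; this mirrors only the counting.

```shell
#!/bin/sh
# Constructed /var/log/secure excerpt (not real log data); all lines fall within one day.
SAMPLE_LOG='Mar 10 10:00:01 srv sshd[4242]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 10:00:03 srv sshd[4242]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 10 10:00:05 srv sshd[4243]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 10 10:02:00 srv sshd[4250]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 10:20:00 srv sshd[4251]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar 10 10:40:00 srv sshd[4252]: Failed password for alice from 198.51.100.7 port 40003 ssh2
Mar 10 10:41:00 srv sshd[4253]: Accepted publickey for bob from 192.0.2.9 port 50000 ssh2'

# ban_candidates MAXRETRY FINDTIME [IGNOREIP]
# Prints, in order of first offence, each source IP that reaches MAXRETRY failed
# logins inside a sliding window of FINDTIME seconds. IGNOREIP is never banned
# (the jail.local "ignoreip" setting; defaults to 127.0.0.1).
ban_candidates() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v maxretry="$1" -v findtime="$2" -v ignore="${3:-127.0.0.1}" '
        /sshd\[[0-9]+\]: Failed password for .* from / {
            # Seconds since midnight from the HH:MM:SS field (date roll-over ignored in this sample)
            split($3, hms, ":")
            t = hms[1] * 3600 + hms[2] * 60 + hms[3]
            # The source address is the token after the last "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == ignore) next
            n[ip]++
            ts[ip, n[ip]] = t
            # Count the failures of this host that fall inside the window ending now
            hits = 0
            for (k = 1; k <= n[ip]; k++) if (ts[ip, k] > t - findtime) hits++
            if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

echo "maxretry=3 findtime=600  -> $(ban_candidates 3 600 | tr '\n' ' ')"
echo "maxretry=3 findtime=3600 -> $(ban_candidates 3 3600 | tr '\n' ' ')"
```

With the page's defaults (maxretry 3, findtime 600) only 203.0.113.5 is banned; 198.51.100.7 spreads its three failures over 38 minutes and is only caught when findtime is widened to an hour.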

Protect your FTP server:

Example:

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 5
# service fail2ban restart

 

How to Set Up iptables with UFW on Linux Debian / Ubuntu

A firewall is a system or router that sits between an external network (i.e. the Internet) and an internal network. This internal network can be a large LAN at a business or your networked home PCs. The firewall in its simplest form is like a one-way street. It allows people on the internal network to access the external network (the Internet), but it restricts traffic so that no one can use the external network to access the systems or files on the internal network.

A firewall has two network connections, one for the external network and one for the internal network. Traffic that is allowed to flow between the two networks is internally “bridged” (using a FORWARD rule) between these two connections. Disallowed traffic is not. This decision-based bridging of traffic between two connections is called “routing” or “IP forwarding”. What this means is that any firewall, by its very nature, is a router (but not all routers block traffic, so not all routers are firewalls).

Login as root

Log in as the root user, either by opening a Terminal or over an ssh session, and type the following command:

sudo -i

Install UFW

“This software is used for managing a Linux firewall and aims to provide an easy to use interface for the user”.

Type this command line:

apt-get install ufw

Find status of firewall

Type the following command:

ufw status verbose

Sample outputs:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

Enable firewall

Type the following command to enable the firewall (it is also enabled on boot):

ufw enable

Sample outputs:

Firewall is active and enabled on system startup

Disable firewall

Type the following command to disable the firewall (it is also disabled on boot):

ufw disable

Sample outputs:

Firewall stopped and disabled on system startup

 

Restart firewall

Type the following command to restart firewall:

ufw reload

Sample outputs:

Firewall reloaded

Note that by default, deny is applied to incoming traffic. There are exceptions, which can be found in the output of this command:

ufw show raw

You can also read the rules files in /etc/ufw (the files whose names end with .rules).

UFW rules

Allow and Deny (specific rules)

Allow

ufw allow <port>/<optional: protocol>

example: To allow incoming tcp and udp packets on port 53

  • ufw allow 53

example: To allow incoming tcp packets on port 53

  • ufw allow 53/tcp

example: To allow incoming udp packets on port 53

  • ufw allow 53/udp

Deny

ufw deny <port>/<optional: protocol>

example: To deny incoming tcp and udp packets on port 53

  • ufw deny 53

example: To deny incoming tcp packets on port 53

  • ufw deny 53/tcp

example: To deny incoming udp packets on port 53

  • ufw deny 53/udp

Delete Existing Rule

To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:

deny 80/tcp

Use this to delete it:

ufw delete deny 80/tcp

Services

You can also allow or deny by service name, since ufw reads from /etc/services. To get a list of services:

less /etc/services

Allow by Service Name

ufw allow <service name>

example: to allow ssh by name

  • ufw allow ssh

Deny by Service Name

ufw deny <service name>

example: to deny ssh by name

ufw deny ssh

Logging

To enable logging use:

ufw logging on

To disable logging use:

ufw logging off

Advanced Syntax

You can also use a fuller syntax, specifying the source and destination addresses, ports and protocols.

Allow Access

This section shows how to allow specific access.

Allow by Specific IP

ufw allow from <ip address>

example: To allow packets from 107.46.232.182:

  • ufw allow from 107.46.232.182

Allow by Subnet

You may use a netmask:

ufw allow from 192.168.1.0/24

Allow by specific port and IP address

ufw allow from <target> to <destination> port <port number>

example: allow IP address 192.168.0.4 access to port 22 for all protocols

  • ufw allow from 192.168.0.4 to any port 22

Allow by specific port, IP address and protocol

ufw allow from <target> to <destination> port <port number> proto <protocol name>

example: allow IP address 192.168.0.4 access to port 22 using TCP

  • ufw allow from 192.168.0.4 to any port 22 proto tcp

Enable PING

Note: Security by obscurity may be of very little actual benefit with modern cracker scripts. By default, UFW allows ping requests. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems.

In order to disable ping (icmp) requests, you need to edit /etc/ufw/before.rules and remove the following lines:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

or change “ACCEPT” to “DROP” on those lines. If the goal is only to stop replies to ping, change just the echo-request line: destination-unreachable, time-exceeded and parameter-problem are needed for path MTU discovery and normal error reporting, and dropping them can break connectivity in subtle ways.

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

Deny Access

Deny by specific IP

ufw deny from <ip address>

example: To block packets from 107.46.232.182:

  • ufw deny from 107.46.232.182

Deny by specific port and IP address

ufw deny from <ip address> to <destination> port <port number>

example: deny IP address 192.168.0.1 access to port 22 for all protocols

  • ufw deny from 192.168.0.1 to any port 22

Working with numbered rules

Listing rules with a reference number

You may use status numbered to show the order and id number of rules:

ufw status numbered

Editing numbered rules

Delete numbered rule

You may then delete rules using the number. This will delete the first rule and rules will shift up to fill in the list.

ufw delete 1

Insert numbered rule

ufw insert 1 allow from <ip address>

Advanced Example

Scenario: you want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but allow all other 192.168.0.x IPs to access port 22 using tcp. Rules are evaluated in order, so the two specific deny rules must be added before the broader allow rule:

ufw deny from 192.168.0.1 to any port 22
ufw deny from 192.168.0.7 to any port 22
ufw allow from 192.168.0.0/24 to any port 22 proto tcp

Tutorial: netlogon script for Windows clients (netlogon .bat and .vbs)

Windows batch file

@echo off

REM Remove any network drives currently in use by the user
@if exist h: net use h: /delete /yes
@if exist g: net use g: /delete /yes
@if exist p: net use p: /delete /yes
@if exist u: net use u: /delete /yes
REM Repeat this for any other mapped drive, e.g.: @if exist t: net use t: /delete /yes

REM Map shares as network drives
start %LOGONSERVER%\netlogon\logon.vbs

REM WPKG installer
cscript \\pdc\wpkg\wpkg.js /synchronize /quiet

REM Synchronize the time on the workstation to that of the server
net time %LOGONSERVER% /SET /Y

VBScript

First make sure all variables are dimensioned. The script's Option Explicit enforces this; beyond that, it is a matter of coding discipline.


Option Explicit

' Dimension all our variables
Dim objNetwork, objShell, objFileSys, objExecObject
Dim strDriveLetter, strRemotePath, strUser
Dim arrShares, strShare, strCommandText, strResults
Dim arrPrimaryDrives(2)

' UNC prefix of the server whose shares get mapped
Const SERVERPATH = "\\devadom\"

On Error Resume Next

' This script uses the MapNetworkDrive method for each network drive mapped.

' The Wscript.Network object is used to read the user name as well as to map drives.
' It, the file system object and the shell object are created once at the beginning.
Set objNetwork = Wscript.CreateObject("Wscript.Network")
Set objFileSys = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("Wscript.Shell")

' Get the user name first, since it is used for mapping the home directory
' as well as for checking group memberships.
strUser = objNetwork.UserName

' In just about every network at least two drives are mapped:
' one for the user's home directory and one for an organisational public share.
arrPrimaryDrives(0) = strUser
arrPrimaryDrives(1) = "public"
arrPrimaryDrives(2) = "transit"

' *****************************************************
' Map the primary shares first, since they do not depend on group memberships.
Function mapPrimaryNetworkDrive()
    ' Public share to P:
    strDriveLetter = "P:"
    strRemotePath = SERVERPATH & "public"
    objNetwork.MapNetworkDrive strDriveLetter, strRemotePath

    ' Transit share to T:
    strDriveLetter = "T:"
    strRemotePath = SERVERPATH & "transit"
    objNetwork.MapNetworkDrive strDriveLetter, strRemotePath
End Function
' *****************************************************

' *****************************************************
' List all shares on the server ("net view") and map each of them
Function getNetworkDriveList()
    strCommandText = "net view " & SERVERPATH
    strResults = ""

    Set objExecObject = objShell.Exec(strCommandText)
    strCommandText = ""

    ' Wait until "net view" has finished
    Do
        WScript.Sleep 60
    Loop Until objExecObject.Status <> 0

    ' Read the whole output and extract the share names from it
    strResults = objExecObject.StdOut.ReadAll()
    arrShares = fetchShareNetworkDrive(strResults)

    For Each strShare In arrShares
        Call mapNetworkDrive(strShare)
    Next
End Function
' *****************************************************

' *****************************************************
' Map one share to the next free drive letter
' Parameter: string strShare (share name on the server)
Function mapNetworkDrive(strShare)
    Dim nLetter

    ' Find the next available drive letter, starting at C:
    nLetter = Asc("c")    ' convert the character to its ASCII code
    While objFileSys.DriveExists(Chr(nLetter) & ":") And nLetter <= Asc("z")
        nLetter = nLetter + 1    ' increase the code by 1 until a free letter is found
    Wend

    ' Guard: if every letter up to Z: is taken, do not attempt to map
    If nLetter > Asc("z") Then
        Exit Function
    End If

    strDriveLetter = Chr(nLetter) & ":"    ' convert the code back to a character and append the colon
    'Wscript.Echo "The next available drive letter for " & strShare & " is " & strDriveLetter
    strRemotePath = SERVERPATH & CStr(strShare)

    objNetwork.MapNetworkDrive strDriveLetter, strRemotePath    ' map the drive
End Function
' *****************************************************

' *****************************************************
' Extract the share names from the output of "net view"
' Parameter: string str (the complete command output)
' Returns: array of share names
Function fetchShareNetworkDrive(str)
    Dim i                  ' current position in the string
    Dim asciiChar          ' current character(s) converted to ASCII codes
    Dim startFound, parse  ' booleans
    Dim strName            ' share name being assembled
    Dim arrayPosition      ' position in the array of shares
    Dim Shares()           ' shares array

    ' Default values
    arrayPosition = 0
    parse = False
    startFound = False
    strName = ""

    For i = 1 To Len(str)
        If startFound = False Then
            ' Look for the end of the dashed separator line: "-" followed by CR LF
            If i + 2 <= Len(str) Then
                asciiChar = CStr(Asc(Mid(str, i, 1))) & CStr(Asc(Mid(str, i + 1, 1))) & CStr(Asc(Mid(str, i + 2, 1)))
            Else
                asciiChar = ""
            End If
        Else
            asciiChar = CStr(Asc(Mid(str, i, 1)))
        End If

        If asciiChar = "451310" Then    ' "-" CR LF: the next character is the first letter of a share name
            parse = True                ' allow parsing
            startFound = True           ' start of the share list found
            i = i + 3                   ' skip "-" CR LF
        ElseIf (asciiChar = "10") And startFound Then    ' LF after the start: the next line holds a share name
            parse = True
            i = i + 1
        End If

        If parse Then
            While asciiChar <> "32"    ' collect characters up to the first space into strName
                If i >= Len(str) Then  ' safeguard: end of the output reached
                    asciiChar = "32"
                Else
                    asciiChar = CStr(Asc(Mid(str, i, 1)))
                    If asciiChar <> "32" Then strName = strName & Mid(str, i, 1)
                    i = i + 1
                End If
            Wend
            ReDim Preserve Shares(arrayPosition)    ' grow the array
            Shares(arrayPosition) = strName         ' add the new share
            arrayPosition = arrayPosition + 1
            parse = False
        End If
        strName = ""
    Next

    ' Remove the last three items: they are trailing junk from the end of the
    ' "net view" output, not share names (the parser is rough, but works for this output)
    ReDim Preserve Shares(arrayPosition - 3)
    fetchShareNetworkDrive = Shares
End Function
' *****************************************************

' *****************************************************
' Returns a particular environment variable's value.
' For example, EnvString("username") returns the value of %username%.
Function EnvString(variable)
    variable = "%" & variable & "%"
    EnvString = objShell.ExpandEnvironmentStrings(variable)
End Function
' *****************************************************

' *****************************************************
' Returns True if strIn is not found in arrCheck (case-insensitive), False if it is.
Function IsNotInArray(strIn, arrCheck)
    Dim bFlag
    bFlag = True
    If IsArray(arrCheck) And Not IsNull(strIn) Then
        Dim i
        For i = 0 To UBound(arrCheck)
            If LCase(arrCheck(i)) = LCase(strIn) Then
                bFlag = False
                Exit For
            End If
        Next
    End If
    IsNotInArray = bFlag
End Function
' *****************************************************

'**********************************
' Main Program
'**********************************
Call mapPrimaryNetworkDrive()
Call getNetworkDriveList()

' Clean up
Set objExecObject = Nothing
Set objShell = Nothing
Set objFileSys = Nothing
Set objNetwork = Nothing

How to set up the Samba configuration file

Samba configuration on a Linux (or other UNIX) machine is controlled by a single file, /etc/smb.conf (/etc/samba/smb.conf on most current distributions). This file determines which system resources you want to share with the outside world and what restrictions you wish to place on them.

Since the following sections will address sharing Linux drives and printers with Windows machines, the smb.conf file shown in this section is as simple as you can get, just for introductory purposes.

Don’t worry about the details, yet. Later sections will introduce the major concepts.

Each section of the file starts with a section header such as [global], [homes], [printers], etc.

The [global] section defines a few variables that Samba will use to define sharing for all resources.

The [homes] section allows remote users to access their (and only their) home directory on the local (Linux) machine. That is, users trying to connect to this share from Windows machines will be connected to their personal home directories. Note that to do this, they must have an account on the Linux box.

The sample smb.conf file below allows remote users to get to their home directories on the local machine and to write to a temporary directory. For a Windows user to see these shares, the Linux box has to be on the local network. Then the user simply connects a network drive from the Windows File Manager or Windows Explorer.

Note that in the following sections, additional entries for this file will be given to allow more resources to be shared.

[global]

#resolve order
name resolve order = bcast lmhosts host wins

#hostname
netbios name = DEVADOMAIN

#workgroup
workgroup = DEVADOMAIN

#Company name
server string = Your Company Name

# Run a WINS server
wins support = yes
wins server = 191.191.191.14

# Always act as the local master browser
# and domain master browser.  Do not allow
# any other system to take over these roles!

domain master = yes
local master = yes
preferred master = yes
os level = 255

# Perform domain authentication.

security = user
encrypt passwords = true
passdb backend = tdbsam
domain logons = yes

#password path
passwd program = /usr/bin/passwd %u

# The location of user profiles for Windows NT/2000/XP.

logon path = \\%L\profiles\%U\%a

# Users' Windows home directories and storage of Win95/98/Me roaming profiles.
logon drive = H:
follow symlinks = yes

# The following line is optional because
# Samba always offers NetBIOS time service.
# This causes it to also be advertised:

time server = yes

# The logon script used for all users,
# Relative to [netlogon] share directory.
logon script = logon.bat

# The group identifying administrative users.
# If you have domain users in the Domain Admins
# group, use them here instead of "devadmin".
#domain admin group users = root administrator devadmin @smbadmins
admin users = administrator @smbadmins
# For adding machine accounts automatically.
# This example works on Linux. For other host
# operating systems, you might need a different
# command.
add user script = /usr/sbin/useradd -m '%u' -g smbusers -G smbusers

# unix password sync
unix password sync = yes

#system log
syslog = 0

# panic action and change password
panic action = /usr/share/samba/panic-action %d
pam password change = yes
obey pam restrictions = yes

#optional
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .


#locking set to no, for access files
strict locking = no
oplocks = no
blocking locks = no
locking = no

#printer
printing = cups
show add printer wizard = No
printcap name = cups
printer = 10.129.192.180:9100

#remote announce = 191.191.0.0/191.191.0.255  192.192.0.0/192.192.0.52

#anonym account default disable
guest account = nobody

#scripts
add machine script = /usr/sbin/useradd -s /bin/false -d /nonexistent '%u' -g smbmachines
disable spoolss = Yes
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
socket options = TCP_NODELAY
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'

#logs
max log size = 1000
log file = /var/log/samba/samba.log


# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
interfaces = 127.0.0.0/8 eth1 191.191.0.0/24

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;    bind interfaces only = yes

# Allow Symlinks
# Note: "wide links = yes" lets clients follow symlinks to paths outside the
# share directory; leave it at the default (no) unless you really need it.
follow symlinks = yes
wide links = yes
unix extensions = no



[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
browseable = no
# Every client runs logon.bat from this share: keep it read-only for ordinary
# users and grant write access to administrators only (write list).
read only = no
#valid users = %S
#read only = yes
#valid users = @smbadmins @smbusers

[profiles]
comment = Network Profiles Share
path = /srv/storage/profiles
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = no
guest ok = no
printable = no
profile acls = yes
csc policy = disable

[homes]
comment = Home Directory
browseable = no
read only = no
valid users = %S

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
write list = root


[printers]
comment = Printer in Linux
path = /var/spool/samba
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No



[public]
revalidate = yes
comment = Public shares
writeable = yes
path = /home/public


[group_folder]
write list = @compressor
path = /home/groups/mosusers/compressor
force directory mode = 0770
force create mode = 0770
create mask = 0770
comment = Share folder 
directory mask = 0770
valid users = @compressor
read only = no
oplocks = no
blocking locks = no
strict locking = no
locking = no


[client_softwares]
browseable = no
valid users = @administrator,@mosadmin,@users
path = /home/client_softwares
write list = @administrator

[wpkg]
comment = Windows Packager
path = /var/www/wpkg/wpkg
read only = yes
browseable = no

[transit]
oplocks = no
writeable = yes
locking = no
invalid users = @GROUP
path = /home/groups/transit
strict locking = no
comment = Share Folder
blocking locks = no
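As an added check (example code, not part of the page or of Samba), here is a small shell/awk audit that reads an smb.conf and flags three settings worth reviewing in the configuration above: a writable [netlogon] share (every client executes the logon script from it), guest access on a non-printer share, and wide links = yes combined with unix extensions = no, which lets clients follow symlinks outside the share path. The sample config is constructed so that each check fires once; on a real server run the function on the live file and confirm the effective values with testparm.

```shell
#!/bin/sh
# Constructed smb.conf excerpt (not the page's own file), built so that each check fires once.
sample_conf() {
    cat <<'EOF'
[global]
   workgroup = DEVADOMAIN
   security = user
   follow symlinks = yes
   wide links = yes
   unix extensions = no
[netlogon]
   path = /var/lib/samba/netlogon
   read only = no
[printers]
   path = /var/spool/samba
   guest ok = Yes
   printable = Yes
[public]
   path = /home/public
   guest ok = yes
   writeable = yes
[homes]
   read only = no
   valid users = %S
EOF
}

# audit_smb_conf   (smb.conf on stdin) - prints one finding per line, nothing if clean.
# Samba parameter names and yes/no values are case-insensitive, so everything is lower-cased.
audit_smb_conf() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                  # comments and blank lines
        /^[ \t]*\[/ {                                          # [section] header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); sec = tolower(sec)
            if (!(sec in seen)) { seen[sec] = 1; order[++n] = sec }
            next
        }
        index($0, "=") {                                       # key = value
            key = trim(substr($0, 1, index($0, "=") - 1))
            opt[sec, key] = trim(substr($0, index($0, "=") + 1))
        }
        END {
            if (opt["global", "wide links"] == "yes" && opt["global", "unix extensions"] == "no")
                print "global: wide links = yes with unix extensions = no lets clients follow symlinks outside the share path"
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (s == "global") continue
                writable = (opt[s, "read only"] == "no" || opt[s, "writeable"] == "yes" || opt[s, "writable"] == "yes")
                if (s == "netlogon" && writable)
                    print s ": logon scripts are writable by every user; set read only = yes and give admins a write list"
                if (opt[s, "guest ok"] == "yes" && opt[s, "printable"] != "yes")
                    print s ": guest ok = yes allows unauthenticated access"
            }
        }'
}

# Usage on a live host:   audit_smb_conf < /etc/samba/smb.conf
sample_conf | audit_smb_conf
```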

How to install Samba as a Domain Controller for Linux and Windows clients

A Samba-based Windows PDC (Primary Domain Controller) server (without the Windows) which is configured to support netlogon, network attached storage for domain users, roaming profiles and PnP printing services with an example PDF printing service. Includes a powerful web interface for configuring Samba and printing services.

The TKL PDC is ready to go straight out of the box. A vanilla XP install on the same subnet will join the domain with just a little network configuration…
Before you start…

TurnKey PDC is not an Active Directory replacement: the v12.x (and previous versions) of TKL PDC use Samba 3. If you’re looking for a full replacement for a Windows Server 200x Active Directory, this isn’t going to do the job. With this PDC acting as the DC on your network, you’re going to have an NT domain. However, if you follow these instructions you can add it to your existing AD domain.

Note:
Windows Home versions can’t join a domain: None of the Windows Home versions [Starter (XP, Vista, Win7),  Home (XP), MCE (XP), Home Basic (Vista, Win7), Home Premium (Vista, Win7) or Windows 8 (Windows 8 without a suffix title is the successor to Win7 Home Premium)] are capable of joining a domain. You’ll need to use a ‘professional’ version [Pro (XP, Win8) Business (Vista), Professional (Win7), Enterprise (Vista, Win7, Win8) or Ultimate (Vista, Win7, Win8)].

 

How to install

Download Turnkey Domain Controller

Burn Turnkey ISO to a CD/DVD or Flash drive and boot from the ISO.


  1. Use the arrow keys to select the option “Install into disk” and press Enter.
  2. Select the partition type. In this example we select “Guided - use entire disk and set up LVM”.
  3. Click Yes to continue.
  4. Enter the amount of the volume to use for guided partitioning. Select OK and press Enter.
  5. Select Yes and press Enter.
  6. Install the GRUB boot loader to the master boot record: select Yes and press Enter.
  7. The installation is complete. Click Yes to reboot the system.

Configuration

  1. After the reboot, we need to configure our system.
  2. Enter the new password for the root user. You have to enter the same password again to confirm.
  3. Next, enter the password for the AjaXplorer local admin account. You can use the same password as for the root user, or a different one.
  4. Enter the domain you want to use.
  5. Enter the password for the Samba administrator.
  6. TurnKey Backup and Migration: we skip this step here; it can be configured later.
  7. Install the security updates required by the following step, and you will get a summary of the services that were set up.
  8. Set a static IP for the server by selecting the Advanced Menu and pressing Enter.
  9. Select Networking –> Static IP, press Enter, and configure the static IP as you wish. In this example it will be 192.168.5.200.
  10. Then select Back –> Reboot –> Select.
  11. Confirm the reboot of the appliance with Yes. After the reboot we get our system with our static IP.

The services are reachable at the following addresses and ports:

Web: http://192.168.5.200
CUPS admin: https://192.168.5.200:631
Web shell: https://192.168.5.200:12320
Webmin: https://192.168.5.200:12321
File Manager: https://192.168.5.200:files
SMB/CIFS: \\192.168.5.200 (ports 139/445)
SSH/SFTP: root@192.168.5.200 (port 22)

Webmin, the web shell, CUPS admin and SSH are management interfaces: keep them reachable only from your admin network and never expose them to the Internet.
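The following script is an added example and not part of the TurnKey appliance. It reads an `ss -ltn` listing (assumed to be available on the appliance; the sample listing in the script is constructed), reports which of the management ports from the table above are bound to a wildcard address, and emits iptables rules that accept those ports only from the LAN. The LAN prefix 192.168.5.0/24 is an assumption for the demo.

```shell
#!/bin/sh
# Added example (not code from the TurnKey appliance): find which of the
# management ports listed above answer on every interface and emit iptables
# rules that limit them to the LAN. Assumptions: the LAN is 192.168.5.0/24,
# the listener table comes from `ss -ltn`, and the sample listing is constructed.

# Management ports from the table above. Port 80 (the web front end) is the
# only service meant for general use; SMB must stay reachable by domain
# clients, which are on the LAN anyway.
MGMT_PORTS="22 139 445 631 12320 12321"

# Constructed `ss -ltn` output standing in for the live command.
sample_ss_listing() {
    cat <<'EOF'
State   Recv-Q Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0      128     0.0.0.0:22           0.0.0.0:*
LISTEN  0      128     0.0.0.0:80           0.0.0.0:*
LISTEN  0      128     127.0.0.1:631        0.0.0.0:*
LISTEN  0      128     [::1]:631            [::]:*
LISTEN  0      50      0.0.0.0:139          0.0.0.0:*
LISTEN  0      50      0.0.0.0:445          0.0.0.0:*
LISTEN  0      128     *:12320              *:*
LISTEN  0      128     *:12321              *:*
LISTEN  0      128     :::22                :::*
EOF
}

# TCP ports in an `ss -ltn` listing that are bound to a wildcard address
# (0.0.0.0, * or ::) and therefore reachable on every interface; sorted, one per line.
exposed_ports() {           # exposed_ports <ss-ltn-output-file>
    awk '$1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "")
                print port
         }' "$1" | sort -n -u
}

# The subset of exposed ports that belong to management services.
exposed_mgmt_ports() {      # exposed_mgmt_ports <ss-ltn-output-file>
    for p in $(exposed_ports "$1"); do
        for m in $MGMT_PORTS; do
            if [ "$p" = "$m" ]; then printf '%s\n' "$p"; fi
        done
    done
}

# iptables commands that accept each exposed management port from the LAN
# only and drop it from everywhere else; review them before running as root.
mgmt_rules() {              # mgmt_rules <lan-cidr> <ss-ltn-output-file>
    for p in $(exposed_mgmt_ports "$2"); do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$p" "$1"
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$p"
    done
}

demo() {
    f=$(mktemp)
    sample_ss_listing > "$f"
    echo "management ports listening on all interfaces:"
    exposed_mgmt_ports "$f"
    echo "rules to apply:"
    mgmt_rules 192.168.5.0/24 "$f"
    rm -f "$f"
}
demo
```

On the live appliance, save `ss -ltn > /tmp/ss.txt`, run `mgmt_rules 192.168.5.0/24 /tmp/ss.txt`, read the output, and only then pipe it into `sh` as root and persist it with `iptables-save`. The rules are appended with `-A`, so they only take effect if no earlier rule in the INPUT chain already accepts everything; CUPS on 631 is not listed in the demo output because the sample shows it bound to loopback only.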

Access our TurnKey Domain Controller via Web

That is all for now. You can manage your own Samba domain controller from the web browser: create users, groups and shares to match your organisation's structure.

 

Setting Up

Build your TKL PDC or get the VM up and running (e.g., via the VirtualBox installation tutorial). Set the network address, PDC name, domain name and root password before you do anything else. DO NOT TRY TO CREATE ANY WINDOWS USERS AT THIS POINT.

You can set the PDC IP in the configuration console when the machine boots. To set the PDC and domain names, open a browser, point it at the PDC address and select the Samba icon. After you have logged in, you can change the domain and PDC settings via the ‘Windows Networking’ icon.

In the XP client's network settings, set the WINS address to the PDC IP. NT domains rely heavily on NetBIOS name resolution, so DNS is not needed for the join itself.

Make sure you can ping the PDC from the client and vice versa to prove the network configuration. Ping by IP and by name to ensure that everything appears as expected.

If you are using a VirtualBox XP build for testing and cannot join the domain, you probably have a network misconfiguration. The default network setting for VirtualBox machines is NAT, which will not work: bridge the client's virtual network adapter to your physical network. Compare with the network settings of the TKL PDC virtual machine, which is set up with bridging by default.

 

Joining the Domain

Log on to the client with the local admin account and:

  • Right click ‘My Computer’ and select ‘Properties’
  • Select the ‘Computer Name’ tab on the system properties dialog.
  • Selecting the ‘Change’ button brings up the computer name changes dialog.
  • Select the ‘Domain’ option and type the name of your domain into the text box.

If all is well, you are prompted for a username and password to join the domain. Enter the Samba username ‘administrator’ and its password (‘turnkey’ is the appliance default; if you did not set your own during first-boot configuration, change it now, because this account can join machines to the domain and administer it).

After a short wait you should see a ‘Welcome to the domain’ message. Once the client has rebooted, you can log on with the Samba administrator account (remember to select the domain at the logon prompt).

Adding Users

Now you can create domain/Samba users on the PDC; they will automatically be available for logon on the client. There are a few gotchas with creating users, groups and policies, but those are beyond the scope of this guide.

If you get an error such as “Windows cannot locate the server copy of your roaming profile” on login, make sure the Linux user is in the Linux group “smbuser” and that the Linux and Samba user databases are in sync (every Samba account needs a matching Linux account).
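The script below is an added example, not code from the TurnKey appliance or from Samba. It audits the two conditions just described: it lists Samba accounts (from a saved `pdbedit -L` listing) that are not in the smbuser group, either as supplementary members or by primary GID, and Samba accounts with no Linux account at all. The sample /etc/group, /etc/passwd and pdbedit files it writes are constructed for the demo; `add_domain_user` is a helper that assumes a domain user needs no login shell.

```shell
#!/bin/sh
# Added example (not code from the TurnKey appliance): cross-check Samba
# accounts against the Linux account database, the two conditions the
# roaming-profile error above points at. Inputs are /etc/group, /etc/passwd
# and a saved `pdbedit -L` listing (user:uid:full name). The sample files
# written by write_sample_data are constructed for the demo.

# Users who are in GROUP either as supplementary members or by primary GID.
group_members() {                       # group_members <groupfile> <passwdfile> <group>
    awk -F: -v g="$3" '
        FNR == NR {                     # first file: /etc/group
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        gid != "" && $4 == gid { print $1 }   # second file: /etc/passwd
    ' "$1" "$2" | sort -u
}

# Samba user names from a saved `pdbedit -L` listing. Machine trust accounts
# (names ending in $) are skipped; they never log on interactively.
samba_users() {                         # samba_users <pdbedit-output>
    awk -F: 'NF >= 2 && substr($1, length($1)) != "$" { print $1 }' "$1"
}

# Samba users that are not in GROUP, one per line (empty when all is well).
samba_users_missing_group() {           # <groupfile> <passwdfile> <pdbedit-output> <group>
    members=$(group_members "$1" "$2" "$4")
    samba_users "$3" | while read -r u; do
        if ! printf '%s\n' "$members" | grep -qxF -- "$u"; then
            printf '%s\n' "$u"
        fi
    done
}

# Samba users with no Linux account in PASSWDFILE, one per line.
samba_users_without_unix_account() {    # <passwdfile> <pdbedit-output>
    samba_users "$2" | while read -r u; do
        if ! awk -F: '{ print $1 }' "$1" | grep -qxF -- "$u"; then
            printf '%s\n' "$u"
        fi
    done
}

# Create matching Linux and Samba accounts in one step (run as root on the
# PDC). Assumption: a domain-only user needs no login shell.
add_domain_user() {                     # add_domain_user <username>
    useradd -m -G smbuser -s /usr/sbin/nologin "$1" && smbpasswd -a "$1"
}

# Constructed sample data: carol has a Samba account but no Linux account,
# erin has a Linux account but is not in smbuser, dave is in smbuser by primary GID.
write_sample_data() {                   # write_sample_data <dir>
    cat > "$1/group" <<'EOF'
root:x:0:
users:x:100:
smbuser:x:1001:alice,bob
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/sbin/nologin
bob:x:1002:100::/home/bob:/usr/sbin/nologin
dave:x:1003:1001::/home/dave:/usr/sbin/nologin
erin:x:1004:100::/home/erin:/usr/sbin/nologin
EOF
    cat > "$1/pdb" <<'EOF'
alice:1001:Alice Example
bob:1002:Bob Example
carol:1005:Carol Example
erin:1004:Erin Example
pc01$:1006:
EOF
}

demo() {
    d=$(mktemp -d)
    write_sample_data "$d"
    echo "Samba users not in smbuser:"
    samba_users_missing_group "$d/group" "$d/passwd" "$d/pdb" smbuser
    echo "Samba users with no Linux account:"
    samba_users_without_unix_account "$d/passwd" "$d/pdb"
    rm -rf "$d"
}
demo
```

On the PDC, run `pdbedit -L > /tmp/pdb.txt` as root and call the two audit functions with `/etc/group`, `/etc/passwd` and that file; any name they print is a user who will hit the roaming-profile error. Machine accounts (the `$`-suffixed entries Samba creates when a client joins) are deliberately ignored.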

 

Tutorial Samba config & Netlogon Scripts

Tutorial samba configuration file

Tutorial netlogon script for window client “netlogon.vbs”

 

How to install Monitoring agent on Linux

Check_MK includes not only its well-known checking and configuration engine but also MK Livestatus (a Nagios event broker module that allows quick, direct and comfortable access to your status data), Multisite (a full-featured status GUI for Nagios based on Livestatus, which natively supports distributed monitoring), WATO (a configuration GUI for Check_MK) and many other components.

Check_MK is also contained in OMD, the Open Monitoring Distribution. For customers with a support contract, officially supported ready-to-use OMD builds are provided for every available Check_MK version, including precompiled Nagios, NagVis, PNP4Nagios and many other add-ons. The latest stable Check_MK version is also contained in the community edition of OMD.

NOTE: If you are updating from earlier versions you might need to adapt your configuration. Please carefully read the migration notes!

check_mk-1.2.4p3.tar.gz Complete tarball including all agents and MK Livestatus
check_mk-agent-1.2.4p3-1.noarch.rpm RPM package of linux agent (SuSE, RedHat, ESX)
check_mk-agent-logwatch-1.2.4p3-1.noarch.rpm RPM package of logwatch extension for agent
check_mk-agent-oracle-1.2.4p3-1.noarch.rpm RPM package of oracle extension for agent
check_mk-agent-scriptless-1.2.4p3-1.noarch.rpm RPM package of linux agent (Without RPM scripts)
check-mk-agent_1.2.4p3-2_all.deb DEB package of linux agent (Debian, Ubuntu)
check-mk-agent-logwatch_1.2.4p3-2_all.deb DEB package of logwatch extension for agent
check-mk-agent-1.2.4p3.exe Windows agent installer
mk-livestatus-1.2.4p3.tar.gz Standalone source code of MK Livestatus
mkeventd-1.2.4p3.tar.gz Standalone source code of MK Event Console

Note :

All packages are platform independent. The source code is only contained in the complete tarball.

The complete tarball contains one Windows executable, check_mk_agent.exe. It is needed for monitoring Windows hosts. The project states that it is not aware of any virus or other malware in that file, even if some scanners report possible infections. If you do not want to trust a prebuilt binary, you can recompile it yourself: the source code and a Makefile are included, and you need the (free) MinGW compiler on Windows.

DEB and RPM packages of Check_MK itself are no longer provided; OMD is suggested instead. Packages for the agents are still available.

Installing the Agent via RPM or DEB is very easy. All you have to do is to make sure xinetd is installed first and then install the package. Usually, you’ll also want to install the logwatch extension.

Debian / Ubuntu

sudo apt-get install xinetd
sudo dpkg -i check-mk-agent_1.2.4p3-2_all.deb
sudo dpkg -i check-mk-agent-logwatch_1.2.4p3-2_all.deb

Red Hat / CentOS

su -
yum install xinetd
rpm -i check_mk-agent-1.2.4p3-1.noarch.rpm
rpm -i check_mk-agent-logwatch-1.2.4p3-1.noarch.rpm
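Installing the agent is only half the job. The xinetd-launched agent answers on TCP port 6556 to any client unless `only_from` is set in /etc/xinetd.d/check_mk, and what it sends back (process lists, mounts, users, kernel version) is neither authenticated nor encrypted. The script below is an added example, not code from the Check_MK project: it restricts the stanza to the monitoring server and verifies the result. It assumes the stanza layout the agent packages install (the copy embedded in the script is constructed for the demo) and uses 192.168.5.10 as the monitoring server address.

```shell
#!/bin/sh
# Added example (not code from the Check_MK project): the xinetd-launched
# agent answers TCP port 6556 to any client unless only_from is set in
# /etc/xinetd.d/check_mk, and its output is neither authenticated nor
# encrypted. These helpers restrict the agent to the monitoring server and
# verify the result. Assumptions: the stanza below follows the layout the
# agent packages install, and 192.168.5.10 is the monitoring server.

# A constructed copy of the stock stanza, with only_from still commented out.
stock_stanza() {
    cat <<'EOF'
service check_mk
{
	type           = UNLISTED
	port           = 6556
	socket_type    = stream
	protocol       = tcp
	wait           = no
	user           = root
	server         = /usr/bin/check_mk_agent
	# configure the IP address(es) of your Nagios server here:
	#only_from      = 127.0.0.1 10.0.20.1 10.0.20.2
	log_on_success =
	disable        = no
}
EOF
}

# The active (uncommented) only_from value, or nothing if the agent still
# accepts connections from anywhere.
only_from_hosts() {         # only_from_hosts <xinetd-file>
    sed -n 's/^[[:space:]]*only_from[[:space:]]*=[[:space:]]*//p' "$1"
}

# Rewrite the stanza in place so that only the given hosts may poll the agent.
# Handles only_from being commented out, already set, or absent.
restrict_agent() {          # restrict_agent <xinetd-file> <host> [host...]
    f=$1; shift
    tmp=$(mktemp)
    awk -v h="$*" '
        /^[ \t]*#?[ \t]*only_from[ \t]*=/ {
            if (!done) { print "\tonly_from      = " h; done = 1 }
            next
        }
        /^}/ && !done { print "\tonly_from      = " h; done = 1 }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# True (exit 0) when the stanza is enabled and limited to explicit hosts.
agent_is_restricted() {     # agent_is_restricted <xinetd-file>
    [ -n "$(only_from_hosts "$1")" ] || return 1
    ! grep -q '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

demo() {
    f=$(mktemp)
    stock_stanza > "$f"
    printf 'before: only_from=[%s]\n' "$(only_from_hosts "$f")"
    restrict_agent "$f" 192.168.5.10
    printf 'after:  only_from=[%s]\n' "$(only_from_hosts "$f")"
    agent_is_restricted "$f" && echo "agent restricted to the monitoring server"
    rm -f "$f"
}
demo
```

On a real host run `restrict_agent /etc/xinetd.d/check_mk <monitoring-server-ip>` as root, restart xinetd (`service xinetd restart`), and then confirm from a machine that is not the monitoring server that a TCP connection to port 6556 is closed. `only_from` is a source-address filter and nothing more, so it belongs alongside a host firewall rule for 6556, not instead of one.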