I have completed the installation of our new openSUSE based fileserver and it's running great.
However, I would like to ask if the following configuration is OK.
DSL modem -> Wireless router -> Switch => 2 XP clients, 1 2000 client via WEP 128, file server, shared storage device.
The wireless router is a LinkSys with all settings default, except for the wireless security settings (SSID hidden, WEP etc.), admin password changed and all remote settings disabled.
The clients all have ZoneAlarm running with the adapter's static IP addresses added to the Subnet list / Trusted Zone.
The fileserver has
http-rman : ALL EXCEPT LOCAL
ALL : ALL
hosts.allow set to
ALL : LOCAL, 192.168.1.
One issue, one question:
When I turn the SuSE firewall on, the Samba shares become unbrowsable (outgoing; the server itself remains browsable from all clients) and this makes it impossible to automate the backup (done via a nightly script/crontab on the fileserver, mounting the SSD (Samba share)). Do you know what the correct setup is for the firewall? This issue is mentioned a lot in the various forums and on Google, but the only effective measure offered seems to be turning it off and restricting the hosts. settings.
Therefore the question I have is: are my hosts. settings OK?
As the fileserver is not an internet server or mail server, is this enough protection?
So far, the logs are clean and the rotational backup process works really well.
Network speed is excellent.
The office is happy, but I would like to make this network completely airtight. I lack IPTABLES knowledge but I'm going to read up today.
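How tcp_wrappers would evaluate the hosts. rules quoted in the post above, as an added example that is not part of the original thread. It assumes the first two rules are the contents of hosts.deny, covers only the ALL, LOCAL, address-prefix, domain-suffix and EXCEPT forms of hosts_access(5), and uses constructed client addresses and names.

```python
# Minimal hosts_access(5) evaluator (added example): ALL, LOCAL, "net." prefix,
# ".domain" suffix and EXCEPT only. No netmasks, IPv6, wildcards or shell options.
# Rule text is copied from the post; placing the first two in hosts.deny is an assumption.
HOSTS_ALLOW = "ALL : LOCAL, 192.168.1."
HOSTS_DENY = "http-rman : ALL EXCEPT LOCAL\nALL : ALL"


def match_list(tokens, matches):
    """'a b EXCEPT c' matches when a or b matches and c does not (right-nested)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], matches) and not match_list(tokens[i + 1:], matches)
    return any(matches(t) for t in tokens)


def client_matches(pattern, addr, name):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":        # decided by the resolved name: known and without a dot
        return bool(name) and "." not in name
    if pattern.endswith("."):     # address prefix such as "192.168.1."
        return addr.startswith(pattern)
    if pattern.startswith("."):   # domain suffix such as ".example.net"
        return bool(name) and name.endswith(pattern)
    return pattern in (addr, name)


def file_matches(text, daemon, addr, name):
    """True if any 'daemons : clients' rule in the file text matches the request."""
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        daemons, clients = (part.replace(",", " ").split() for part in line.split(":", 1))
        if (match_list(daemons, lambda p: p in ("ALL", daemon))
                and match_list(clients, lambda p: client_matches(p, addr, name))):
            return True
    return False


def allowed(daemon, addr, name=None):
    """hosts.allow is checked first, then hosts.deny; no match in either means allow."""
    if file_matches(HOSTS_ALLOW, daemon, addr, name):
        return True
    return not file_matches(HOSTS_DENY, daemon, addr, name)


if __name__ == "__main__":
    # Constructed clients: (daemon, address, reverse-resolved name or None)
    for req in [("sshd", "192.168.1.20", None), ("sshd", "192.168.10.5", None),
                ("sshd", "10.0.0.5", "backupbox"), ("sshd", "203.0.113.7", "host.example.net")]:
        print(req, "->", "allow" if allowed(*req) else "deny")
```

The third constructed client is allowed although it is outside 192.168.1., because LOCAL is matched on the resolved host name rather than on the subnet; these files are consulted only by services built against libwrap or started through tcpd.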
WEP is weak. It takes more or less 1 hour to break it. Use WPA.
Hidden SSID is ineffective.
I don't understand why your adapter's static IP addresses were added to the Subnet list / Trusted Zone. Did you open the LAN or just the Linksys address?
You probably need to open some Samba ports. Search for which ones on a Samba wiki.
You can do a lot of other tricks to improve sensible data protection, like using BSD secure levels to lock server machines.
I use the following scripts based on rsync.
The problem though was that no shares/computers were browsable so I guess it's a Samba ports issue. I had not looked into that at all, thanks for the tip.
In the SuSe firewall there are three zones; Internal, External and Demilitarized. In the External zone, Samba Server is added. Should I include Samba Server in another zone as well? In the Advanced settings, I can add various ports but I'm not sure what to put there. It would seem that the samba ports are open as the Samba service is already listed as approved.
I have restarted the firewall but this prevents me from running the backup script; all SMB connections fail.
Manually adding UDP 137 and 138 + TCP 139 and 445, as expected, does not help.
What is the next best step towards hardening this server?
I would honestly prefer to completely firewall it by hand, so I understand better how that works, especially IPTABLES-wise. I also notice that the response time between, for example, clicking on the server share icon and getting the sign-on popup is very long when the firewall is turned on. When it's turned off it's instantaneous.
Hi linux.tar.gz, I had to open the IP/subnet of the machine's adapter to the trusted zone myself; a common solution as it otherwise is not possible to browse Samba via XP/ZoneAlarm. However, this solution came straight from various discussion forums and I am not sure what technical basis this solution has and what risks it brings along.
# This script last modified on: 2006-05-20 / Marinus