LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-21-2006, 10:08 AM   #1
Marinus
LQ Newbie
 
Registered: Aug 2005
Distribution: Debian Etch
Posts: 20

Rep: Reputation: 0
Security settings for file server


Hi all,

I have completed the installation of our new openSUSE based fileserver and it's running great.
However, I would like to ask if the following configuration is OK.
The infrastructure:
DSL modem -> Wireless router -> Switch => 2 XP clients, 1 2000 client via WEP 128, file server, shared storage device.
The wireless router is a LinkSys with all settings default, except for the wireless security settings (SSID hidden, WEP etc.), admin password changed and all remote settings disabled.

The clients all have ZoneAlarm running with the adapter's static IP addresses added to the Subnet list / Trusted Zone.
The fileserver has

hosts.deny
http-rman : ALL EXCEPT LOCAL
ALL : ALL

hosts.allow set to
ALL : LOCAL, 192.168.1.

One issue, one question:

When I turn the SuSE firewall on, the Samba shares become unbrowsable (outgoing; the server itself remains browsable from all clients) and this makes it impossible to automate the backup (done via a nightly script/crontab on the fileserver, mounting the SSD (Samba share)). Do you know what the correct setup is for the firewall? This issue is mentioned a lot in the various forums and on Google but the only effective measure offered seems to be turning it off and restricting the hosts. settings.

Therefore the question I have is: are my hosts. settings OK?
As the fileserver is not an internet server or mail server, is this enough protection?
So far, the logs are clean and the rotational backup process works really well.
Network speed is excellent.
The office is happy, but I would like to make this network completely airtight. I lack IPTABLES knowledge but I'm going to read up today.

Any help/insight is greatly appreciated.

Marinus.

Last edited by Marinus; 05-22-2006 at 09:35 AM.
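Added example, not part of the post: a small bash evaluator for the hosts.allow and hosts.deny rules quoted above, so the "are my hosts. settings OK" question can be checked against concrete clients. It implements only the lookup order and the pattern forms the post uses (ALL, LOCAL, a trailing-dot address prefix and EXCEPT); the client names in the sample calls are constructed and stand in for the reverse-DNS name libwrap looks up. Two caveats the rules alone do not show: LOCAL matches any host whose looked-up name contains no dot, so it depends entirely on name resolution, and the wrappers only protect services linked against libwrap or started through tcpd (Samba has its own hosts allow option in smb.conf for the same purpose).

```shell
#!/bin/bash
# Added example, not from the thread: a minimal evaluator for the tcp_wrappers
# hosts.allow / hosts.deny rules quoted in the post above. It implements only
# the subset those rules use (ALL, LOCAL, a trailing-dot address prefix and
# EXCEPT); the real library, libwrap, understands more pattern forms.
# Lookup order, as in hosts_access(5): a match in hosts.allow grants access,
# otherwise a match in hosts.deny refuses it, otherwise access is granted.

# Constructed copies of the two files as quoted in the post.
ALLOW_RULES='ALL : LOCAL, 192.168.1.'
DENY_RULES='http-rman : ALL EXCEPT LOCAL
ALL : ALL'

# match_token TOKEN NAME ADDR: does one client pattern match the client?
# NAME stands for the reverse-lookup name libwrap would obtain for ADDR.
match_token() {
    local tok=$1 name=$2 addr=$3
    case "$tok" in
        ALL)   return 0 ;;
        LOCAL) case "$name" in *.*) return 1 ;; *) return 0 ;; esac ;;
        *.)    case "$addr" in "$tok"*) return 0 ;; *) return 1 ;; esac ;;
        *)     [ "$tok" = "$name" ] || [ "$tok" = "$addr" ] ;;
    esac
}

# match_list LIST NAME ADDR: LIST is a comma/space separated client list,
# optionally of the form "A EXCEPT B" (matches A but not B).
match_list() {
    local list=$1 name=$2 addr=$3 left right tok
    local IFS=' '
    case "$list" in
        *" EXCEPT "*)
            left=${list%% EXCEPT *}
            right=${list#* EXCEPT }
            match_list "$left" "$name" "$addr" && ! match_list "$right" "$name" "$addr"
            return ;;
    esac
    for tok in $(printf '%s' "$list" | tr ',' ' '); do
        if match_token "$tok" "$name" "$addr"; then return 0; fi
    done
    return 1
}

# match_daemon DLIST DAEMON: the daemon list is ALL or explicit names.
match_daemon() {
    local tok
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$tok" = ALL ] || [ "$tok" = "$2" ]; then return 0; fi
    done
    return 1
}

# rules_match RULES DAEMON NAME ADDR: does any "daemons : clients" line match?
rules_match() {
    local rules=$1 daemon=$2 name=$3 addr=$4 line
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if match_daemon "${line%%:*}" "$daemon" \
           && match_list "${line#*:}" "$name" "$addr"; then
            return 0
        fi
    done <<EOF
$rules
EOF
    return 1
}

# hosts_access DAEMON NAME ADDR: report the decision; exit status 0 = granted.
hosts_access() {
    local daemon=$1 name=$2 addr=$3
    if rules_match "$ALLOW_RULES" "$daemon" "$name" "$addr"; then
        echo "granted (hosts.allow): $daemon from $name [$addr]"; return 0
    elif rules_match "$DENY_RULES" "$daemon" "$name" "$addr"; then
        echo "refused (hosts.deny): $daemon from $name [$addr]"; return 1
    fi
    echo "granted (no rule matched): $daemon from $name [$addr]"; return 0
}

# Constructed sample clients: an office PC, the same PC with a fully qualified
# name, an outside host, and a host whose reverse lookup yields a dotless
# name (which LOCAL accepts wherever the packet comes from).
for client in "smbd ws1 192.168.1.5" "smbd ws1.office.lan 192.168.1.5" \
              "sshd host.example.com 10.0.0.7" "http-rman printer 192.168.2.9"; do
    set -- $client
    hosts_access "$1" "$2" "$3" || :
done
```

The last sample call is the one worth noticing: with the rules as posted, a host outside 192.168.1.x whose reverse lookup returns a name without a dot is granted access by LOCAL, which is why the address prefix, not LOCAL, is the part of hosts.allow actually doing the work.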
 
Old 05-22-2006, 07:47 AM   #2
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Hello Marinus,

May I know how you back up your server?

Which ports do you use for the purpose?
Which programs?

Enable the firewall and then allow those ports used by backup programs.


It's a hint, work on it!
 
Old 05-22-2006, 07:49 AM   #3
Linux.tar.gz
Senior Member
 
Registered: Dec 2003
Location: Paris
Distribution: Slackware forever.
Posts: 2,223

Rep: Reputation: 86
WEP is weak. It takes more or less 1 hour to break it. Use WPA.
Hidden SSID is ineffective.
I don't understand why your adapter's static IP addresses were added to the Subnet list / Trusted Zone. Did you open the LAN or just the Linksys address?
You probably need to open some samba ports. Search which on some samba wiki.
You can do a lot of other tricks to improve sensitive data protection, like using BSD secure levels to lock server machines.
 
Old 05-22-2006, 09:32 AM   #4
Marinus
LQ Newbie
 
Registered: Aug 2005
Distribution: Debian Etch
Posts: 20

Original Poster
Rep: Reputation: 0
Hi imagineers,

I use the following scripts based on rsync.
The problem though was that no shares/computers were browsable so I guess it's a Samba ports issue. I had not looked into that at all, thanks for the tip.

In the SuSe firewall there are three zones; Internal, External and Demilitarized. In the External zone, Samba Server is added. Should I include Samba Server in another zone as well? In the Advanced settings, I can add various ports but I'm not sure what to put there. It would seem that the samba ports are open as the Samba service is already listed as approved.
***
I have restarted the firewall but this prevents me from running the backup script; all SMB connections fail.
***
Manually adding UDP 137 and 138 + TCP 139 and 445, as expected, does not help.

What is the next best step towards hardening this server?
I would honestly prefer to completely firewall it by hand, so I understand better how that works, especially IPTABLES wise. I also notice that the response time between, for example, clicking on the server share icon and getting the signon popup is very long when the firewall is turned on. When it's turned off it's instantaneous.

Hi linux.tar.gz, I had to open the IP/subnet of the machine's adapter to the trusted zone myself; a common solution as it otherwise is not possible to browse Samba via XP/ZoneAlarm. However, this solution came straight from various discussion forums and I am not sure what technical basis this solution has and what risks it brings along.


#!/bin/bash

# This script last modified on: 2006-05-20 / Marinus
#
# Nightly backup: mount the Maxtor Shared Storage Device, rotate the three
# previous daily snapshots, then rsync /home into daily_current.

# Do not trust the caller's PATH; every command is referenced by full path
# (sleep is not a bash builtin, so it needs one as well).
unset PATH

ID=/usr/bin/id
ECHO=/bin/echo
MOUNT=/bin/mount
UMOUNT=/bin/umount
RM=/bin/rm
MV=/bin/mv
CP=/bin/cp
CHMOD=/bin/chmod
TOUCH=/bin/touch
SLEEP=/bin/sleep
SUDO=/usr/bin/sudo
RSYNC=/usr/bin/rsync

# Environment variables
MAXTORSSD_SERVER=//MAXTORSSD/BACKUP_SERVER
MAXTORSSD_LOCAL=//MAXTORSSD/BACKCUP_LOCAL
MAXTORMOUNT=/mnt/maxtorssd
DAILY_CURRENT_TEMP=$MAXTORMOUNT/home/temp
DAILY_CURRENT=$MAXTORMOUNT/home/daily_current

SOURCE=/home/

# Only root or Marinus (uid 1003) may run this.
UID_NOW=$("$ID" -u)
if [ "$UID_NOW" -ne 0 ] && [ "$UID_NOW" -ne 1003 ]; then
    $ECHO "Sorry, only Marinus or root may perform (manual) backups.
Exiting..."
    exit 1
fi

# Mount the Maxtor Shared Storage Device on /mnt/maxtorssd
# for backup of server files
cd /
$SLEEP 2

# Unmount just in case it is mounted (failure is expected if it is not)
$UMOUNT "$MAXTORMOUNT" 2>/dev/null

# Mount the Maxtor Shared Storage Drive. Abort if the mount fails, otherwise
# the rotation and rsync below would run against the local /mnt/maxtorssd
# directory instead of the NAS. (A password given on the command line is
# visible to every local user in 'ps'; smbmount accepts -o credentials=<file>
# instead.)
if ! $MOUNT -t smbfs "$MAXTORSSD_SERVER" "$MAXTORMOUNT" -o username=backup,password=backup; then
    $ECHO "Mounting $MAXTORSSD_SERVER on $MAXTORMOUNT failed. Exiting..."
    exit 1
fi

# ******************************************************************

# Rotation schedule: daily_3 is dropped, daily_2 -> daily_3,
# daily_1 -> daily_2, and daily_current is copied to daily_1.

if [ -d "$MAXTORMOUNT/home/daily_3" ]; then
    $RM -rf "$MAXTORMOUNT/home/daily_3"
fi

if [ -d "$MAXTORMOUNT/home/daily_2" ]; then
    $MV "$MAXTORMOUNT/home/daily_2" "$MAXTORMOUNT/home/daily_3"
fi

if [ -d "$MAXTORMOUNT/home/daily_1" ]; then
    $MV "$MAXTORMOUNT/home/daily_1" "$MAXTORMOUNT/home/daily_2"
fi

if [ -d "$DAILY_CURRENT" ]; then
    $CP -a "$DAILY_CURRENT" "$MAXTORMOUNT/home/daily_1"
fi

# ******************************************************************

# RSYNC to daily current backup
$RSYNC -a "$SOURCE" "$DAILY_CURRENT"

# And touch the directory to reflect the backup time
$TOUCH "$DAILY_CURRENT"

# Done, quiet unmount
cd /
$SLEEP 2

# Unmount
$UMOUNT "$MAXTORMOUNT"

exit 0

Last edited by Marinus; 05-22-2006 at 10:26 AM.
 
Old 05-23-2006, 01:18 AM   #5
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Hi Marinus,

Some quick links to look at for iptables

http://www.siliconvalleyccie.com/lin...bles-intro.htm
http://iptables-tutorial.frozentux.n...-tutorial.html
Also you may find good info on tldp

Have a session
 
Old 05-26-2006, 05:30 PM   #6
Marinus
LQ Newbie
 
Registered: Aug 2005
Distribution: Debian Etch
Posts: 20

Original Poster
Rep: Reputation: 0
I found the solution:

place the target IP address in the /etc/sysconfig Network|Firewall|SUSEFirewall2 FW_TRUSTED_NETS list.
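As an added example, not from this thread and not SuSEfirewall2's own rule set, here is the kind of hand-written iptables policy post #4 asked about: a LAN-only file server that accepts the SMB ports listed there (UDP 137/138, TCP 139/445) from the office subnet only, and lets the server's own outgoing mount of the backup share work through connection tracking. It assumes the server's LAN interface is eth0 and the office subnet is 192.168.1.0/24, both overridable through the environment; run without arguments it only prints the rules for review, and --apply loads them as root.

```shell
#!/bin/bash
# Added example, not from the thread and not SuSEfirewall2's own rule set: a
# hand-written iptables policy for a LAN-only Samba file server, covering the
# SMB ports listed in the thread (UDP 137/138, TCP 139/445).
# Assumptions, adjustable through the environment: the server's LAN interface
# is eth0 and the office subnet is 192.168.1.0/24.
set -eu

LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# samba_rules prints the iptables commands rather than running them, so the
# policy can be reviewed before it is loaded.
samba_rules() {
    cat <<EOF
# Default deny inbound; this host is a file server, not a router.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections the server itself opens (e.g. the nightly mount of
# the backup share) come back as ESTABLISHED, so no per-port outbound rules.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# NetBIOS name service and datagram service (browse lists): UDP 137/138.
# Replies to broadcast name queries arrive from a different address than the
# query was sent to, so connection tracking does not recognise them; they are
# accepted by source subnet instead.
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp -m multiport --dports 137,138 -j ACCEPT
# SMB over NetBIOS (139) and direct-hosted SMB (445): office subnet only.
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports 139,445 -j ACCEPT
# Everything else is logged (rate limited, to the kernel log) and dropped.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
iptables -A INPUT -j DROP
EOF
}

# apply_rules loads the policy; it needs root.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be root to load iptables rules" >&2
        return 1
    fi
    samba_rules | sh -e
}

# Without arguments the policy is only printed (dry run); --apply loads it.
case "${1:-}" in
    --apply) apply_rules ;;
    *)       samba_rules ;;
esac
```

Compared with adding the address to FW_TRUSTED_NETS, the hand-written version makes visible exactly which ports are reachable and from where, and the LOG rule gives the clean-logs check mentioned in the first post something concrete to show when a packet from outside the subnet is dropped.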
 