LinuxQuestions.org > Linux - Security
05-21-2006, 10:08 AM  #1
Marinus (LQ Newbie; Registered: Aug 2005; Distribution: Debian Etch; Posts: 20)
Security settings for file server
Hi all,
I have completed the installation of our new openSUSE based fileserver and it's running great.
However, I would like to ask if the following configuration is OK.
The infrastructure:
DSL modem -> Wireless router -> Switch => 2 XP clients, 1 2000 client via WEP 128, file server, shared storage device.
The wireless router is a Linksys with all settings default, except for the wireless security settings (SSID hidden, WEP etc.), admin password changed and all remote settings disabled.
The clients all have ZoneAlarm running with the adapter's static IP addresses added to the Subnet list / Trusted Zone.
The fileserver has hosts.deny set to
    http-rman : ALL EXCEPT LOCAL
    ALL : ALL
and hosts.allow set to
    ALL : LOCAL, 192.168.1.
One issue, one question:
When I turn the SuSE firewall on, the Samba shares become unbrowsable (outgoing; the server itself remains browsable from all clients), and this makes it impossible to automate the backup (done via a nightly script/crontab on the fileserver, mounting the SSD, a Samba share). Do you know what the correct setup is for the firewall? This issue is mentioned a lot in the various forums and on Google, but the only effective measure offered seems to be turning it off and restricting the hosts.allow/hosts.deny settings.
Therefore the question I have is: are my hosts.allow/hosts.deny settings OK?
As the fileserver is not an Internet server or mail server, is this enough protection?
So far, the logs are clean and the rotational backup process works really well.
Network speed is excellent.
The office is happy, but I would like to make this network completely airtight. I lack iptables knowledge but I'm going to read up today.
Any help/insight is greatly appreciated.
Marinus.
Last edited by Marinus; 05-22-2006 at 09:35 AM.
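A way to check what those hosts.allow/hosts.deny lines actually admit, as an added example that is not part of the thread: the script below emulates tcp_wrappers matching (hosts.allow is consulted first, then hosts.deny, and a client matched by neither file is let through) for the pattern forms the post uses (ALL, LOCAL, a trailing-dot network prefix, EXCEPT). The rules are copied from post #1; the daemon names and client addresses it is run against are made up.

```shell
#!/bin/sh
# Added example (not from the thread): emulate tcp_wrappers matching for the
# hosts.allow / hosts.deny rules in post #1 and ask which daemon/client pairs
# they admit. Supports only the pattern forms those rules use (ALL, LOCAL,
# trailing-dot network prefix, EXCEPT); real tcpd knows more.

HOSTS_ALLOW='ALL : LOCAL, 192.168.1.'
HOSTS_DENY='http-rman : ALL EXCEPT LOCAL
ALL : ALL'

# match_token NAME TOKEN: does one pattern token match NAME?
#   ALL      matches anything
#   LOCAL    matches a name without a dot (localhost, a bare NetBIOS name)
#   1.2.3.   (trailing dot) matches addresses starting with that prefix
#   other    exact match (used for daemon names)
match_token() {
  case "$2" in
    ALL)   return 0 ;;
    LOCAL) case "$1" in *.*) return 1 ;; *) return 0 ;; esac ;;
    *.)    case "$1" in "$2"*) return 0 ;; *) return 1 ;; esac ;;
    *)     [ "$1" = "$2" ] ;;
  esac
}

# match_list NAME LIST: comma/space separated tokens, where
# "a, b EXCEPT c" means "matched by a or b, but not by c".
match_list() {
  case "$2" in
    *EXCEPT*)
      match_list "$1" "${2%%EXCEPT*}" && ! match_list "$1" "${2#*EXCEPT}"
      return ;;
  esac
  for tok in $(printf '%s' "$2" | tr ',' ' '); do
    match_token "$1" "$tok" && return 0
  done
  return 1
}

# match_rules CLIENT DAEMON RULES: does any "daemon_list : client_list"
# line in RULES match both the daemon and the client?
match_rules() {
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    if match_list "$2" "${line%%:*}" && match_list "$1" "${line#*:}"; then
      return 0
    fi
  done <<EOF
$3
EOF
  return 1
}

# wrappers_decision DAEMON CLIENT: tcpd's order of evaluation
wrappers_decision() {
  if match_rules "$2" "$1" "$HOSTS_ALLOW"; then echo allow
  elif match_rules "$2" "$1" "$HOSTS_DENY"; then echo deny
  else echo allow        # matched by neither file: tcpd lets it through
  fi
}

# Made-up daemon/client pairs to exercise the rules with.
for pair in 'smbd 192.168.1.50' 'sshd 10.0.0.5' 'http-rman localhost' \
            'http-rman 192.168.1.7' 'http-rman 10.0.0.5' 'smbd 192.168.10.5'; do
  set -- $pair
  printf '%-10s %-15s -> %s\n' "$1" "$2" "$(wrappers_decision "$1" "$2")"
done
```

Two things the output makes visible: with ALL : ALL in hosts.deny, the http-rman line is redundant (anything not listed in hosts.allow is refused anyway), and every address in 192.168.1.x, including the WEP wireless clients, is fully trusted by the server. Also, tcp_wrappers only govern daemons that call libwrap or run under tcpd/xinetd; whether smbd is one depends on how the package was built, and Samba has its own hosts allow / hosts deny options in smb.conf for restricting smbd and nmbd.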
05-22-2006, 07:47 AM  #2
imagineers (Member; Registered: Mar 2006; Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box; Posts: 310)
Hello Marinus,
May I know how you back up your server?
Which ports do you use for the purpose?
Which programs?
Enable the firewall and then allow those ports used by the backup programs.
It's a hint, work on it!
05-22-2006, 07:49 AM  #3
linux.tar.gz (Senior Member; Registered: Dec 2003; Location: Paris; Distribution: Slackware forever.; Posts: 2,534)
WEP is weak. It takes more or less 1 hour to break it. Use WPA.
Hidden SSID is ineffective.
I don't understand why your adapter's static IP addresses were added to the Subnet list / Trusted Zone. Did you open the LAN or just the Linksys address?
You probably need to open some Samba ports. Search for which ones on a Samba wiki.
You can do a lot of other tricks to improve sensitive data protection, like using BSD secure levels to lock server machines.
05-22-2006, 09:32 AM  #4
Marinus (LQ Newbie; Registered: Aug 2005; Distribution: Debian Etch; Posts: 20; Original Poster)
Hi imagineers,
I use the following scripts based on rsync.
The problem though was that no shares/computers were browsable so I guess it's a Samba ports issue. I had not looked into that at all, thanks for the tip.
In the SuSE firewall there are three zones: Internal, External and Demilitarized. In the External zone, Samba Server is added. Should I include Samba Server in another zone as well? In the Advanced settings, I can add various ports, but I'm not sure what to put there. It would seem that the Samba ports are open, as the Samba service is already listed as approved.
***
I have restarted the firewall but this prevents me from running the backup script; all SMB connections fail.
***
Manually adding UDP 137 and 138 + TCP 139 and 445, as expected, does not help.
What is the next best step towards hardening this server?
I would honestly prefer to firewall it completely by hand, so I understand better how that works, especially iptables-wise. I also notice that the response time between, for example, clicking on the server share icon and getting the sign-on popup is very long when the firewall is turned on. When it's turned off it's instantaneous.
Hi linux.tar.gz, I had to open the IP/subnet of the machine's adapter to the trusted zone myself; a common solution as it otherwise is not possible to browse Samba via XP/ZoneAlarm. However, this solution came straight from various discussion forums and I am not sure what technical basis this solution has and what risks it brings along.
#!/bin/bash
# This script last modified on: 2006-05-20 / Marinus
#
# PATH is emptied on purpose, so every external command below has to be
# called through its full path (a bare "sleep" would not be found).
unset PATH ;
ID=/usr/bin/id ;
ECHO=/bin/echo ;
MOUNT=/bin/mount ;
UMOUNT=/bin/umount ;
RM=/bin/rm ;
MV=/bin/mv ;
CP=/bin/cp ;
CHMOD=/bin/chmod ;
TOUCH=/bin/touch ;
SLEEP=/bin/sleep ;
SUDO=/usr/bin/sudo ;
RSYNC=/usr/bin/rsync ;
# Environment variables
MAXTORSSD_SERVER=//MAXTORSSD/BACKUP_SERVER ;
MAXTORSSD_LOCAL=//MAXTORSSD/BACKUP_LOCAL ;
MAXTORMOUNT=/mnt/maxtorssd ;
DAILY_CURRENT_TEMP=/mnt/maxtorssd/home/temp ;
DAILY_CURRENT=/mnt/maxtorssd/home/daily_current ;
SOURCE=/home/ ;
# Share credentials: a root-only (mode 600) file containing the two lines
#   username=backup
#   password=backup
# Passing them as -o username=...,password=... puts the password on the
# mount command line, where ps shows it to every user on the server.
CREDENTIALS=/root/.smbcredentials ;
if (( `$ID -u` != 0 )) ;
then
    if (( `$ID -u` != 1003 )) ;
    then
        { $ECHO "Sorry, only Marinus or root may perform (manual) backups.
Exiting..." ; exit 1 ; }
    fi ;
fi ;
# Mount the Maxtor Shared Storage Device on /mnt/maxtorssd
# for backup of server files
cd / ;
# Unmount just in case it is mounted (an error here only means it was not)
$UMOUNT "$MAXTORMOUNT" 2>/dev/null ;
$SLEEP 2 ;
# Mount the Maxtor Shared Storage Drive. Stop if this fails: otherwise the
# rotation and rsync below would run against the empty local mount point
# and write the backup onto the server's own disk instead of the SSD.
# (smbfs has since been replaced by cifs; on a current kernel use -t cifs
# with the same options.)
if ! $MOUNT -t smbfs "$MAXTORSSD_SERVER" "$MAXTORMOUNT" -o credentials="$CREDENTIALS" ;
then
    $ECHO "Mounting $MAXTORSSD_SERVER on $MAXTORMOUNT failed. Exiting..." ;
    exit 1 ;
fi ;
# ******************************************************************
# Rotation schedule: daily_3 is dropped, daily_2 becomes daily_3,
# daily_1 becomes daily_2, and a copy of daily_current becomes daily_1
if [ -d "$MAXTORMOUNT/home/daily_3" ]
then
    $RM -rf "$MAXTORMOUNT/home/daily_3" ;
fi ;
if [ -d "$MAXTORMOUNT/home/daily_2" ]
then
    $MV "$MAXTORMOUNT/home/daily_2" "$MAXTORMOUNT/home/daily_3" ;
fi ;
if [ -d "$MAXTORMOUNT/home/daily_1" ]
then
    $MV "$MAXTORMOUNT/home/daily_1" "$MAXTORMOUNT/home/daily_2" ;
fi ;
if [ -d "$DAILY_CURRENT" ]
then
    $CP -a "$DAILY_CURRENT" "$MAXTORMOUNT/home/daily_1" ;
fi ;
# ******************************************************************
# RSYNC to daily current backup
$RSYNC -a "$SOURCE" "$DAILY_CURRENT" ;
# And touch the directory to reflect the backup time
$TOUCH "$DAILY_CURRENT" ;
# Done, quiet unmount
cd / ;
$SLEEP 2 ;
# Unmount
$UMOUNT "$MAXTORMOUNT" ;
exit 0 ;
Last edited by Marinus; 05-22-2006 at 10:26 AM.
05-23-2006, 01:18 AM  #5
imagineers (Member; Registered: Mar 2006; Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box; Posts: 310)
05-26-2006, 05:30 PM  #6
Marinus (LQ Newbie; Registered: Aug 2005; Distribution: Debian Etch; Posts: 20; Original Poster)
I found the solution:
place the target IP address in the /etc/sysconfig Network|Firewall|SUSEFirewall2 FW_TRUSTED_NETS list.
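For the hand-written iptables setup the poster asks about in post #4, and as the explicit counterpart of the FW_TRUSTED_NETS fix in post #6, here is an added example that is not from the thread: a ruleset for a LAN-only Samba file server. It assumes the LAN 192.168.1.0/24 from the thread and two made-up details, eth0 as the server's LAN interface and 192.168.1.20 as the address of the Maxtor NAS the backup script mounts. With DRYRUN=1 (the default) it prints the commands instead of loading them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread: a hand-written iptables ruleset for a
# LAN-only Samba file server like the one in posts #4 and #6.
# Assumed: LAN 192.168.1.0/24 (from the thread), eth0 as the server's LAN
# interface and 192.168.1.20 as the Maxtor NAS (both made up for this example).
# DRYRUN=1 (default) prints the commands; DRYRUN=0 loads them (needs root).

LAN=192.168.1.0/24
NAS=192.168.1.20        # assumed: the shared storage device
IF=eth0                 # assumed: the server's LAN interface
IPT=${IPT:-/usr/sbin/iptables}

if [ "${DRYRUN:-1}" = 1 ]; then
  ipt() { printf 'iptables %s\n' "$*"; }
else
  ipt() { "$IPT" "$@"; }
fi

build_rules() {
  # Start clean; default deny inbound, and this host does not route
  ipt -F
  ipt -X
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT

  # Loopback, and replies to connections this host opened or already accepted.
  # This is what lets the nightly script mount the NAS share: TCP 139/445 out
  # to the NAS is allowed by OUTPUT ACCEPT, the answers by ESTABLISHED.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -m state --state INVALID -j DROP

  # Samba from the LAN only. UDP 137/138 carry NetBIOS name service and
  # browsing datagrams; clients send many of them to the broadcast address,
  # so there is deliberately no -d filter. TCP 139/445 carry the shares.
  ipt -A INPUT -i "$IF" -s "$LAN" -p udp -m multiport --dports 137,138 -j ACCEPT
  ipt -A INPUT -i "$IF" -s "$LAN" -p tcp -m multiport --dports 139,445 -j ACCEPT

  # Name-query replies from the NAS. When the server resolves MAXTORSSD it
  # broadcasts to 192.168.1.255, and the answer comes back from the NAS's own
  # address with source port 137. Conntrack does not pair that with the
  # broadcast query (unless the netbios-ns conntrack helper is loaded), so the
  # ESTABLISHED rule does not cover it. Trusting the NAS outright, as the
  # FW_TRUSTED_NETS entry in post #6 does, opens this along with everything
  # else from that address; this rule opens only the reply.
  ipt -A INPUT -i "$IF" -s "$NAS" -p udp --sport 137 -j ACCEPT

  # Administration from the LAN: ssh and ping
  ipt -A INPUT -i "$IF" -s "$LAN" -p tcp --dport 22 -j ACCEPT
  ipt -A INPUT -i "$IF" -s "$LAN" -p icmp --icmp-type echo-request -j ACCEPT

  # Log a rate-limited sample of what gets dropped, then drop it
  ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
  ipt -A INPUT -j DROP
}

build_rules
```

Run it with DRYRUN=0 as root only after disabling SuSEfirewall2, otherwise the two will keep overwriting each other's rules; once browsing and the nightly mount work, persist the result with iptables-save. The ruleset trusts the whole 192.168.1.0/24, exactly as the hosts.allow line in post #1 does, so it is no stronger than the weakest device on that LAN (the WEP wireless clients); it does, however, keep every other source off the Samba ports and logs whatever it refuses.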