Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 05-21-2006, 10:08 AM   #1
LQ Newbie
Registered: Aug 2005
Distribution: Debian Etch
Posts: 20

Rep: Reputation: 0
Security settings for file server

Hi all,

I have completed the installation of our new openSUSE based fileserver and it's running great.
However, I would like to ask if the following configuration is OK.
The infrastructure:
DSL modem -> Wireless router -> Switch => 2 XP clients, 1 2000 client via WEP 128, file server, shared storage device.
The wireless router is a LinkSys with all settings default, except for the wireless security settings (SSID hidden, WEP etc.), admin password changed and all remote settings disabled.

The clients all have ZoneAlarm running with the adapter's static IP addresses added to the Subnet list / Trusted Zone.
The fileserver has

http-rman : ALL EXCEPT LOCAL

hosts.allow set to
ALL : LOCAL, 192.168.1.

One issue, one question:

when I turn the SuSe firewall on the Samba shares become unbrowsable (outgoing, the server itself remains browseable from all clients) and this makes it impossible to automate the backup (done via a nightly script/crontab on the fileserver, mounting the SSD (Samba share). Do you know what the correct setup is for the firewall? This issue is mentioned a lot in the various forums and on Google but the only effective measure offered seems turning it off and restricting the hosts. settings.

Therefore the questions I have is: are my hosts. settings ok?
As the fileserver is not a internet server or mail server, is this enough protection?
So far, the logs are clean and the rotational backup process works really well.
Network speed is excellent.
The office is happy, but I would like to make this network completely airtight. I lack IPTABLES knowledge but I'm going to read up today.

Any help/insight is greatly appreciated.


Last edited by Marinus; 05-22-2006 at 09:35 AM.
Old 05-22-2006, 07:47 AM   #2
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Hello Marinus,

May I know how do you backup your server?

Which ports do you use for the purpose?
Which programs?

Enable the firewall and then allow those ports used by backup programs.

Its a hint work on it!
Old 05-22-2006, 07:49 AM   #3
Senior Member
Registered: Dec 2003
Location: Paris
Distribution: Slackware forever.
Posts: 2,346

Rep: Reputation: 91
WEP is weak. It takes more or less 1 hour to break it. Use WPA.
Hidden SSID is ineffective.
I don't understand why your adapter's static IP addresses was added to the Subnet list / Trusted Zone. Did you opened lan or just the linksys adress?
You probably need to open some samba ports. Search which on some samba wiki.
You can do a lot of other tricks to improve sensible data protection, like using BSD secure levels to lock server machines.
Old 05-22-2006, 09:32 AM   #4
LQ Newbie
Registered: Aug 2005
Distribution: Debian Etch
Posts: 20

Original Poster
Rep: Reputation: 0
Hi imagineers,

I use the following scripts based on rsync.
The problem though was that no shares/computers were browsable so I guess it's a Samba ports issue. I had not looked into that at all, thanks for the tip.

In the SuSe firewall there are three zones; Internal, External and Demilitarized. In the External zone, Samba Server is added. Should I include Samba Server in another zone as well? In the Advanced settings, I can add various ports but I'm not sure what to put there. It would seem that the samba ports are open as the Samba service is already listed as approved.
I have restarted the firewall but this prevents me from running the backup script; all SMB connections fail.
Manually adding UDP 137 and 138 + TCP 139 and 445, as expected, does not help.

What is the next best step towards hardening this server?
I would honestely prefer to completely firewall it by hand, so I understand better how that works especially IPTABLES wise. I also notice that the response time between for example clicking on the server share icon and getting the signon popup is very long when the firewall is turned on. When it's turned off it's instantaneous.

Hi linux.tar.gz, I had to open the IP/subnet of the machine's adapter to the trusted zone myself; a common solution as it otherwise is not possible to browse Samba via XP/ZoneAlarm. However, this solution came straight from various discussion forums and I am not sure what technical basis this solution has and what risks it brings along.


# This script last modified on: 2006-05-20 / Marinus

unset PATH ;

ID=/usr/bin/id ;
ECHO=/bin/echo ;
MOUNT=/bin/mount ;
UMOUNT=/bin/umount ;
RM=/bin/rm ;
MV=/bin/mv ;
CP=/bin/cp ;
CHMOD=/bin/chmod ;
TOUCH=/bin/touch ;
SUDO=/usr/bin/sudo ;

RSYNC=/usr/bin/rsync ;

# Environment variables
MAXTORMOUNT=/mnt/maxtorssd ;
DAILY_CURRENT_TEMP=/mnt/maxtorssd/home/temp ;

SOURCE=/home/ ;

if (( `$ID -u` != 0 )) ;
if (( `$ID -u` != 1003 )) ;
{ $ECHO "Sorry, only Marinus or root may perform (manual) backups.
Exiting..." ; exit ; }
fi ;
fi ;

# Mount the Maxtor Shared Storage Device on /mnt/maxtorssd
# for backup of server files

cd / &
wait ;

sleep 2 ;

# Unmount just in case it is mounted
wait ;

# Mount the Maxtor Shared Storage Drive
$MOUNT -t smbfs $MAXTORSSD_SERVER $MAXTORMOUNT -o username=backup,password=backup ;

# ******************************************************************

# Rotation schedule

if [ -d $MAXTORMOUNT/home/daily_3 ]

$RM -rf $MAXTORMOUNT/home/daily_3 ;

fi ;

if [ -d $MAXTORMOUNT/home/daily_2 ]

$MV $MAXTORMOUNT/home/daily_2 $MAXTORMOUNT/home/daily_3 ;

fi ;

if [ -d $MAXTORMOUNT/home/daily_1 ]

$MV $MAXTORMOUNT/home/daily_1 $MAXTORMOUNT/home/daily_2 ;

fi ;

if [ -d $DAILY_CURRENT ]


fi ;

# ******************************************************************

# RSYNC to daily current backup

# And touch the directory to reflect the backup time

# Done, quiet mount
cd / &
wait ;

sleep 2 ;

# Unmount

exit ;

Last edited by Marinus; 05-22-2006 at 10:26 AM.
Old 05-23-2006, 01:18 AM   #5
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Hi Marinus,

Some quick links to look at for iptables
Also you may find good info on tldp

Have a session
Old 05-26-2006, 05:30 PM   #6
LQ Newbie
Registered: Aug 2005
Distribution: Debian Etch
Posts: 20

Original Poster
Rep: Reputation: 0
I found the solution:

place the target IP address in the /etc/sysconfig Network|Firewall|SUSEFirewall2 FW_TRUSTED_NETS list.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Just trying to make a simple, no security file server mrd Linux - Networking 1 10-15-2005 04:46 AM
security settings buzzycoy Linux - Security 2 12-09-2004 08:22 AM
security settings!! blind958 Mandriva 1 07-16-2004 01:49 PM
please rate me security settings qwijibow Linux - Security 2 09-09-2003 04:28 AM
security settings infamous41md Linux - Newbie 1 06-03-2003 09:18 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:33 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration