The document provides instructions for configuring an authenticated Samba server with OpenVPN for secure remote access. Key steps include:
1. Installing Samba, CUPS and other required packages. Configuring firewall rules to allow SMB ports and sharing a directory.
2. Editing the Samba configuration file to define the shared directory and users. Starting the Samba and name resolution services.
3. Testing access from Linux and Windows clients.
4. Hardening the server with iptables firewall rules and installing ClamAV for antivirus scanning of the shared directory. Scheduling freshclam and clamscan to run periodically.
Authenticated Samba Server Config with OpenVPN
Chanaka.lasantha@gmail.com
Designed, Documented and Tested by Chanaka Lasantha Nanayakkara Wawage
Most Important Settings
Date:
date -s "9 AUG 2013 11:32:08"
Add the EPEL repository, which is provided by the Fedora project.
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
Installing Samba Server (cups-libs is for printer support)
# yum install -y samba samba-common cups-libs xinetd portmap
# setup
Select "System services" from the list. You have to tick the following boxes if not already selected:
[*] portmap
[*] xinetd
[*] smb
Create a directory which you would like to share
mkdir /sharedrepo
Add a new group, or use an existing group, to provide access to the shared directory.
Here I am adding a new group called staff
groupadd staff
Change the group and permissions of the shared folder
chgrp -R staff /sharedrepo
chmod -R 777 /sharedrepo
Explanation of the chmod numeric syntax
The chmod numeric format accepts up to four octal digits. The rightmost three refer to permissions for the file
owner, the group and other users. The next digit (fourth from the right) specifies the special setuid, setgid and sticky
flags.
Numerical permissions:
#  Permission         rwx
7  Full               111
6  Read and Write     110
5  Read and Execute   101
4  Read Only          100
3  Write and Execute  011
2  Write Only         010
1  Execute Only       001
0  None               000
rwx = Read, Write, Execute
Further explanation:
Read = read a file or list a directory's contents
Write = write to a file or directory
Execute = execute a file or recurse a directory tree
Sample: chmod -R 777 /sharedrepo grants full Read, Write and Execute permission to the owner, the group and all other users.
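Added example, not from the guide: a decoder for the numeric mode format just described (including the fourth, special-bits digit), its inverse, and a check that spells out what chmod -R 777 on the share means, namely that every local account on the server, not only members of staff, can write to and delete from it.

```python
# Added example (not from the guide): decode a chmod numeric mode into the rwx
# string ls -l shows, convert back, and flag the risks of a world-writable mode
# such as the guide's chmod -R 777.

# (bit shift of the owner/group/other triple, special bit in the 4th digit, letter ls uses)
TRIPLES = ((6, 0o4000, "s"), (3, 0o2000, "s"), (0, 0o1000, "t"))

def mode_to_rwx(mode):
    """'0765' -> 'rwxrw-r-x'; '2770' -> 'rwxrws---' (setgid shown in the group x slot)."""
    bits = int(str(mode), 8)
    out = []
    for shift, special, letter in TRIPLES:
        triple = (bits >> shift) & 0o7
        r = "r" if triple & 4 else "-"
        w = "w" if triple & 2 else "-"
        x = "x" if triple & 1 else "-"
        if bits & special:
            # ls prints s/t when execute is also set, S/T when it is not
            x = letter if triple & 1 else letter.upper()
        out.append(r + w + x)
    return "".join(out)

def rwx_to_mode(rwx):
    """Inverse of mode_to_rwx: 'rwxrwxrwt' -> '1777'."""
    if len(rwx) != 9:
        raise ValueError("expected nine permission characters")
    bits = 0
    for i, (shift, special, letter) in enumerate(TRIPLES):
        r, w, x = rwx[3 * i:3 * i + 3]
        triple = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x in ("x", letter):             # execute bit set
            triple |= 1
        if x in (letter, letter.upper()):  # special bit set
            bits |= special
        bits |= triple << shift
    return format(bits, "04o")

def audit_dir_mode(mode):
    """Findings for a shared directory mode; an empty list means nothing flagged."""
    bits = int(str(mode), 8)
    findings = []
    if bits & 0o002:
        findings.append("world-writable: every local account can add or delete files")
        if not bits & 0o1000:
            findings.append("no sticky bit: users can delete each other's files")
    if bits & 0o070 and not bits & 0o2000:
        findings.append("no setgid: new files will not inherit the directory's group")
    return findings
```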
Create a user, add it to the group called staff, and set the Samba password for this user
useradd test
usermod -G staff test
smbpasswd -a test
Take a backup of the /etc/samba/smb.conf file, then edit smb.conf and add the following
share definition at the end of /etc/samba/smb.conf
cd /etc/samba/
cp -p smb.conf smb.conf.orig
vim /etc/samba/smb.conf
[sharedrepo]
comment = shared-directory
path = /sharedrepo
public = no
valid users = test, @staff
writable = yes
browseable = yes
create mask = 0765
Edit these lines in /etc/samba/smb.conf to allow your network to reach the Samba server.
Replace 192.168.2.0/24 with your subnet, and change the Ethernet interface to the one in use on your
system on which you want to allow traffic.
In the second line, 192.168.2. is the subnet prefix; the same rule applies to 127., which is the loopback.
interfaces = lo eth0 192.168.2.0/24
hosts allow = 127. 192.168.2.
Mainly for Windows users: if the PCs in your network use a different WORKGROUP name, edit the
line below in smb.conf with your workgroup name. Windows by default uses WORKGROUP as the
workgroup name. Try first without changing the WORKGROUP name; change it only if required.
workgroup = WORKGROUP
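Added example, not from the guide: a check of who the smb.conf settings above actually admit. host_allowed() implements the "hosts allow" forms used here (a trailing-dot prefix such as 192.168.2., CIDR or single addresses, and EXCEPT; hostname tokens are not handled), and user_allowed() implements "valid users = test, @staff". The 10.8.0.0/24 address in the test is an assumed OpenVPN tunnel subnet, not a value from the guide; it shows that a VPN client is refused by this hosts allow line until the tunnel subnet is added.

```python
# Added example (not from the guide): evaluate a client IP against Samba's
# "hosts allow" and a user against "valid users", using the guide's settings.
import ipaddress

SMB_CONF = """\
[global]
hosts allow = 127. 192.168.2.
[sharedrepo]
path = /sharedrepo
public = no
valid users = test, @staff
writable = yes
"""  # constructed from the guide's settings

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def host_allowed(ip, hosts_allow):
    """An empty 'hosts allow' admits everyone; tokens after EXCEPT are excluded."""
    tokens = hosts_allow.replace(",", " ").split()
    if not tokens:
        return True
    lowered = [t.lower() for t in tokens]
    cut = lowered.index("except") if "except" in lowered else len(tokens)
    allow, deny = tokens[:cut], tokens[cut + 1:]
    addr = ipaddress.ip_address(ip)

    def matches(token):
        if token.endswith("."):                 # dotted prefix, e.g. "192.168.2."
            return ip.startswith(token)
        return addr in ipaddress.ip_network(token, strict=False)  # CIDR or single IP
    return any(matches(t) for t in allow) and not any(matches(t) for t in deny)

def user_allowed(user, user_groups, valid_users):
    """@name or +name in 'valid users' means a Unix group the user must belong to."""
    for token in valid_users.replace(",", " ").split():
        if token == user or (token[0] in "@+" and token[1:] in user_groups):
            return True
    return False
```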
Add services in /etc/services files
vim /etc/services
netbios-ns 137/tcp # netbios name service
netbios-ns 137/udp # netbios name service
netbios-dgm 138/tcp # netbios datagram service
netbios-dgm 138/udp # netbios datagram service
netbios-ssn 139/tcp # netbios session service
netbios-ssn 139/udp # netbios session service
Enable IP Forwarding (Highly Important!)
If you want your OpenVPN clients to be able to access the network, then in addition to the push route statements
in the OpenVPN server configuration you will need to set up IP forwarding for the tunnel interface by changing the 0 to a 1.
vim /etc/sysctl.conf
# ------ Edit the following line changing the 0 to a 1 -----
net.ipv4.ip_forward = 1
Save and close the file. Reload the changes by typing the following command:
sysctl -p
Or:
echo 1 > /proc/sys/net/ipv4/ip_forward
Add iptables rules on the Samba server for ports 137, 138, 139 and 445.
service iptables start
iptables --flush
iptables --table nat --flush
iptables --delete-chain
service iptables save
service iptables restart
service network restart
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -N SYN_FLOOD
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
iptables -A SYN_FLOOD -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove
iptables -A INPUT -s 0.0.0.0/7 -j DROP
iptables -A INPUT -s 2.0.0.0/8 -j DROP
iptables -A INPUT -s 5.0.0.0/8 -j DROP
iptables -A INPUT -s 7.0.0.0/8 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 23.0.0.0/8 -j DROP
iptables -A INPUT -s 27.0.0.0/8 -j DROP
iptables -A INPUT -s 31.0.0.0/8 -j DROP
iptables -A INPUT -s 36.0.0.0/7 -j DROP
iptables -A INPUT -s 39.0.0.0/8 -j DROP
iptables -A INPUT -s 42.0.0.0/8 -j DROP
iptables -A INPUT -s 49.0.0.0/8 -j DROP
iptables -A INPUT -s 50.0.0.0/8 -j DROP
iptables -A INPUT -s 77.0.0.0/8 -j DROP
iptables -A INPUT -s 78.0.0.0/7 -j DROP
iptables -A INPUT -s 92.0.0.0/6 -j DROP
iptables -A INPUT -s 96.0.0.0/4 -j DROP
iptables -A INPUT -s 112.0.0.0/5 -j DROP
iptables -A INPUT -s 120.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 173.0.0.0/8 -j DROP
iptables -A INPUT -s 174.0.0.0/7 -j DROP
iptables -A INPUT -s 176.0.0.0/5 -j DROP
iptables -A INPUT -s 184.0.0.0/6 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 197.0.0.0/8 -j DROP
iptables -A INPUT -s 198.18.0.0/15 -j DROP
iptables -A INPUT -s 223.0.0.0/8 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -I FORWARD -s 0.0.0.0/0 -m string --string "%27+or+%271%27%3d%271" --algo bm -j DROP
iptables -I FORWARD -s 0.0.0.0/0 -m string --string "%27+or+1%3d1" --algo bm -j DROP
iptables -I FORWARD -s 0.0.0.0/0 -m string --string "%27+or+%27%27%3d%27" --algo bm -j DROP
service iptables save
service iptables restart
service network restart
/sbin/iptables -L
iptables -L -t nat -n
iptables -vnL
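Added example, not from the guide: an audit of the source-address DROP list above against the networks the Samba server has to serve. Because rules are appended with -A in the order given, a blanket -s ... -j DROP earlier in INPUT wins over the per-port ACCEPT rules that follow it. 192.168.2.0/24 is the guide's LAN; 10.8.0.0/24 is an assumed OpenVPN tunnel subnet (the guide does not state one), so substitute your own.

```python
# Added example (not from the guide): check the iptables DROP list against the
# networks the Samba server must serve. 192.168.2.0/24 is the guide's LAN;
# 10.8.0.0/24 is an ASSUMED OpenVPN tunnel subnet (the guide does not state one).
import ipaddress
import shlex

RULES = """\
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 192.168.2.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
"""  # constructed excerpt of the guide's ruleset, in the guide's order

SERVED = {"lan": "192.168.2.0/24", "vpn (assumed)": "10.8.0.0/24"}

def parse_rules(text):
    """Yield (chain, source network, dport or None, target) per 'iptables -A' line."""
    for line in text.splitlines():
        argv = shlex.split(line)
        if len(argv) < 2 or argv[0] != "iptables" or "-A" not in argv:
            continue
        def opt(flag):
            return argv[argv.index(flag) + 1] if flag in argv else None
        src = ipaddress.ip_network(opt("-s") or "0.0.0.0/0", strict=False)
        yield opt("-A"), src, opt("--dport"), opt("-j")

def audit(rules_text, served=SERVED, smb_ports=("137", "138", "139", "445")):
    """Rules are appended (-A) in order, so a source DROP earlier in the chain
    beats any later per-port ACCEPT. Report blanket DROPs that overlap a served
    network and SMB ports that no ACCEPT from that network covers."""
    findings = []
    for name, cidr in served.items():
        net = ipaddress.ip_network(cidr)
        accepted = set()
        for chain, src, dport, target in parse_rules(rules_text):
            if chain != "INPUT":
                continue
            if target == "DROP" and dport is None and src.overlaps(net):
                findings.append(f"{name} {cidr}: blocked by '-s {src} -j DROP'")
            if target == "ACCEPT" and dport and net.subnet_of(src):
                accepted.add(dport)
        for port in smb_ports:
            if port not in accepted:
                findings.append(f"{name} {cidr}: no INPUT ACCEPT for tcp/{port}")
    return findings
```

With the guide's rules the LAN comes out clean, while the assumed VPN subnet is both caught by the 10.0.0.0/8 DROP and has no ACCEPT for any SMB port, so VPN clients could not reach the share until both are adjusted.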
Now start the smb and nmb services.
/etc/init.d/smb start
/etc/init.d/nmb start
Now we will test Samba from a Linux and a Windows machine.
Windows users:
Open Run and type \\ip-address-of-samba-server\shared-directory-name
for eg:- \\192.168.56.101\sharedrepo
Give the username and password (the password you set with the smbpasswd command).
Linux users: smbclient must be installed on the client
smbclient //ip-samba-server/sharedDirectory -U username
smbstatus
THE FINAL STAGE, THE OPENVPN CONFIGURATION FOR WORLD-WIDE SECURE REMOTE ACCESS TO THIS SAMBA
SERVER, CAN BE SET UP BY FOLLOWING THIS URL.
Install the ClamAV virus guard for inter-client virus protection
yum --enablerepo=rpmforge -y install clamav
vim /etc/freshclam.conf
line 122: comment out the following line:
#NotifyClamd /etc/clamd.conf
Update the virus signature database:
freshclam
vim /etc/crontab
# Explanation:-
# MIN HOUR MDAY MON DOW USER COMMAND
# */5 * * * * root echo 'Hello'
#
# MIN Minute 0-59
# HOUR Hour [24-hour clock] 0-23
# MDAY Day of Month 1-31
# MON Month 1-12 OR jan,feb,mar,apr ...
# DOW Day of Week 0-6 OR
# sun,mon,tue,wed,thu,fri,sat
# USER Account the command runs as (required in /etc/crontab, unlike a per-user crontab)
# COMMAND Command to be run Any valid command-line
# Run a virus scan of the "sharedrepo" folder every 3 hours between 07:00 and 23:00 with the ClamAV virus guard
0 7-23/3 * * * root clamscan --infected --remove --recursive /sharedrepo && clamscan --infected --remove --recursive
# Run the automatic updater for the ClamAV virus database every 3 hours
0 7-23/3 * * * root freshclam
init 0
How to enable or disable SMB protocols on the SMB client on Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
To disable SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
To enable SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto
To disable SMBv2 and SMBv3 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
To enable SMBv2 and SMBv3 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto