Services

We will serve the Samba and NFS shares from the following paths:

  • Samba: /srv/samba
  • NFS: /srv/share

Installation

_$: apt-get install ntp ntpdate
_$: apt-get install logwatch logrotate
_$: apt-get install zabbix-agent
_$: apt-get install htop vim rsync sudo

_$: apt-get install postgresql-9.1 postgresql-server-dev-9.1
_$: apt-get install mysql-server

_$: apt-get install samba
_$: apt-get install nfs-common nfs-kernel-server

Iptables

/etc/iptables.up.rules:
-----------------------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-P INPUT DROP
-P FORWARD DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137 -j ACCEPT   <=== Samba
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT   <=== Samba
-A INPUT -p tcp -m state --state NEW -m tcp --dport 138 -j ACCEPT   <=== Samba
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT   <=== Samba
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT   <=== Samba
-A INPUT -p udp -m state --state NEW -m udp --dport 139 -j ACCEPT   <=== Samba
-A INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT  <=== NFS
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT  <=== NFS
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
-A INPUT -j DROP
COMMIT
/etc/network/if-pre-up.d/iptables:
----------------------------------
#!/bin/bash -
/sbin/iptables-restore < /etc/iptables.up.rules
_$: chmod +x /etc/network/if-pre-up.d/iptables

Samba

_$: mkdir -p /srv/samba
/etc/samba/smb.conf:
--------------------
...
[global]
workgroup=WORKGROUP
security=user
...
### Samba configuration
[samba]
  path=/srv/samba
  guest ok=no
  read only=no
  writable=yes
  browsable=yes
  comment=SMB share

Comment out the [homes] section in /etc/samba/smb.conf if it is not already commented out.

_$: adduser share
_$: smbpasswd -a share
_$: smbpasswd -e share
_$: /etc/init.d/samba restart
_$: service smbd restart

_$: chmod u+rwx,g+rx,o+rx /srv/samba
_$: chown share:share /srv/samba

NFS

_$: mkdir -p /srv/share
_$: chmod 0777 /srv/share
/etc/hosts.allow:
-----------------
...
portmap: 192.168.1.*
_$: service portmap restart
/etc/exports:
-------------
...
# /srv/share
/srv       192.168.0.0/16(rw,root_squash,subtree_check)
/srv/share 192.168.0.0/16(rw,root_squash,subtree_check)

Check the idmapd.conf file:

/etc/idmapd.conf:
-----------------
[General]

Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup
_$: service nfs-kernel-server restart
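
The two listings above do not agree: hosts.allow admits portmap clients from 192.168.1.* only, while /etc/exports admits all of 192.168.0.0/16. The following Python check is an added example, not part of these notes; it parses /etc/exports and the portmap line of /etc/hosts.allow and reports exports that grant client root (no_root_squash) or whose client range is wider than what portmap admits. The sample input is constructed from the listings above, and only a.b.c.* wildcards and CIDR ranges are handled (an assumption of the example).

```python
import ipaddress
import re

# Constructed sample input, copied from the listings in these notes.
EXPORTS = """\
/srv       192.168.0.0/16(rw,root_squash,subtree_check)
/srv/share 192.168.0.0/16(rw,root_squash,subtree_check)
"""
HOSTS_ALLOW = "portmap: 192.168.1.*\n"

def parse_exports(text):
    """Yield (path, client, [options]) for each non-comment export line."""
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+?)\(([^)]*)\)$", line.strip())
        if m and not line.lstrip().startswith("#"):
            yield m.group(1), m.group(2), m.group(3).split(",")

def allowed_networks(text):
    """Map hosts.allow 'portmap:' patterns (a.b.c.* or CIDR) to ip_network."""
    nets = []
    for line in text.splitlines():
        if not line.startswith("portmap:"):
            continue
        for pat in line.split(":", 1)[1].split(","):
            pat = pat.strip()
            if pat.endswith(".*"):  # 192.168.1.* -> 192.168.1.0/24
                octets = pat[:-2].split(".")
                pat = ".".join(octets + ["0"] * (4 - len(octets)))
                pat += "/%d" % (8 * len(octets))
            try:
                nets.append(ipaddress.ip_network(pat))
            except ValueError:
                pass  # hostnames, ALL, EXCEPT lists are not handled here
    return nets

def audit(exports_text=EXPORTS, hosts_allow_text=HOSTS_ALLOW):
    """Return (path, problem) for exports granting root or exceeding the portmap range."""
    nets = allowed_networks(hosts_allow_text)
    findings = []
    for path, client, opts in parse_exports(exports_text):
        if "no_root_squash" in opts:
            findings.append((path, "no_root_squash"))
        try:
            net = ipaddress.ip_network(client)
        except ValueError:
            findings.append((path, "unchecked client spec " + client))
            continue
        if not any(net.subnet_of(n) for n in nets):
            findings.append((path, "wider than portmap allow"))
    return findings
```

Run against the notes' own listings, audit() reports both exports as wider than the portmap rule; widen hosts.allow or narrow the exports until it returns an empty list.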

Logins, SSH access and SFTP access

We will name our host host and the share server share.example.com. But don’t grow too attached to any of them. They are just computers.

1) Create the key. If it is not going to be used for automation purposes, you can protect it with a passphrase:

user@host_$: ssh-keygen

2) Copy the key to the share server:

user@host_$: ssh-copy-id -i ~/.ssh/id_rsa.pub user@share.example.com

3) Disable password access for the user:

root@share.example.com_$: passwd -l <user>

4) Check that you can connect with the key we generated in step 1:

user@host_$: ssh user@share.example.com

5) Disable root login through ssh:

/etc/ssh/sshd_config:
---------------------
...
# Authentication:
LoginGraceTime 120
PermitRootLogin no      <===
StrictModes yes

6) Allow SFTP access but no SSH access for user share:

root@share.example.com_$: apt-get install rssh
root@share.example.com_$: chsh -s /usr/bin/rssh <user>
/etc/rssh.conf:
---------------
...
allowsftp
...