Simple Network Shares With Samba

Samba is a mature, multi-platform software package which provides file and print services using the SMB protocol. It can also be used for authentication as a Windows domain controller, and has other administrative tools built in, too. In my case, I'm going to be using Samba to share a folder from a small Linux server (an Asus EeePC in my closet) to the Windows machines on my home network.

For being such a featureful software package, installing and configuring Samba is very straightforward. Before I start to install, I want to be clear on what I'm trying to accomplish: I am creating a single location to store files on a trusted home network, where anyone on the LAN has read/write access. To begin, I'm going to create a new user on the Linux machine who will be running the Samba service-

root@asus-eeepc:/# adduser samba-user
Adding user `samba-user' ...
Adding new group `samba-user' (1002) ...
Adding new user `samba-user' (1002) with group `samba-user' ...
Creating home directory `/home/samba-user' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for samba-user
Enter the new value, or press ENTER for the default
    Full Name []:
    Room Number []:
    Work Phone []:
    Home Phone []:
    Other []:
Is the information correct? [Y/n] y
root@asus-eeepc:/#

Next, to install-

root@asus-eeepc:/# apt install samba
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
attr ibverbs-providers libboost-regex1.67.0 libcephfs2 libgfapi0 libgfrpc0 libgfxdr0 libglusterfs0 libibverbs1 librados2 libtirpc-common libtirpc3 python-dnspython
python-gpg python-ldb python-samba python-tdb samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules tdb-tools
Suggested packages:
bind9 bind9utils ctdb ldb-tools ntp | chrony smbldap-tools ufw winbind heimdal-clients
The following NEW packages will be installed:
attr ibverbs-providers libboost-regex1.67.0 libcephfs2 libgfapi0 libgfrpc0 libgfxdr0 libglusterfs0 libibverbs1 librados2 libtirpc-common libtirpc3 python-dnspython
python-gpg python-ldb python-samba python-tdb samba samba-common samba-common-bin samba-dsdb-modules samba-vfs-modules tdb-tools
0 upgraded, 23 newly installed, 0 to remove and 0 not upgraded.
Inst python-dnspython (1.16.0-1 Debian:10.0/stable [all])
Inst python-ldb (2:1.5.1+really1.4.6-3 Debian:10.0/stable [amd64])
Inst python-tdb (1.3.16-2+b1 Debian:10.0/stable [amd64])
Inst python-samba (2:4.9.5+dfsg-5 Debian:10.0/stable [amd64])
Inst samba-common (2:4.9.5+dfsg-5 Debian:10.0/stable [all])
Inst samba-common-bin (2:4.9.5+dfsg-5 Debian:10.0/stable [amd64])
Inst tdb-tools (1.3.16-2+b1 Debian:10.0/stable [amd64])
Inst samba (2:4.9.5+dfsg-5 Debian:10.0/stable [amd64])
Inst attr (1:2.4.48-4 Debian:10.0/stable [amd64])
Inst libibverbs1 (22.1-1 Debian:10.0/stable [amd64])
Inst ibverbs-providers (22.1-1 Debian:10.0/stable [amd64])
Inst libboost-regex1.67.0 (1.67.0-13 Debian:10.0/stable [amd64])
Inst librados2 (12.2.11+dfsg1-2.1 Debian:10.0/stable [amd64])
Inst libcephfs2 (12.2.11+dfsg1-2.1 Debian:10.0/stable [amd64])
Inst libtirpc-common (1.1.4-0.4 Debian:10.0/stable [all])
Inst libtirpc3 (1.1.4-0.4 Debian:10.0/stable [amd64])
Inst libglusterfs0 (5.5-3 Debian:10.0/stable [amd64])
Inst libgfxdr0 (5.5-3 Debian:10.0/stable [amd64])
Inst libgfrpc0 (5.5-3 Debian:10.0/stable [amd64])
Inst libgfapi0 (5.5-3 Debian:10.0/stable [amd64])
Inst python-gpg (1.12.0-6 Debian:10.0/stable [amd64])
Inst samba-dsdb-modules (2:4.9.5+dfsg-5 Debian:10.0/stable [amd64])
Inst samba-vfs-modules (2:4.9.5+dfsg-5 Debian:10.0/stable [amd64])
Conf python-dnspython (1.16.0-1 Debian:10.0/stable [all])
Conf python-ldb (2:1.5.1+really1.4.6-3 Debian:10.0/stable [amd64])
Conf python-tdb (1.3.16-2+b1 Debian:10.0/stable [amd64])
Conf python-samba (2:4.9.5+dfsg-5 Debian:10.0/stable [amd64])
Conf samba-common (2:4.9.5+dfsg-5 Debian:10.0/stable [all])
Conf samba-common-bin (2:4.9.5+dfsg-5 Debian:10.0/stable [amd64])
Conf tdb-tools (1.3.16-2+b1 Debian:10.0/stable [amd64])
Conf samba (2:4.9.5+dfsg-5 Debian:10.0/stable [amd64])
Conf attr (1:2.4.48-4 Debian:10.0/stable [amd64])
Conf libibverbs1 (22.1-1 Debian:10.0/stable [amd64])
Conf ibverbs-providers (22.1-1 Debian:10.0/stable [amd64])
Conf libboost-regex1.67.0 (1.67.0-13 Debian:10.0/stable [amd64])
Conf librados2 (12.2.11+dfsg1-2.1 Debian:10.0/stable [amd64])
Conf libcephfs2 (12.2.11+dfsg1-2.1 Debian:10.0/stable [amd64])
Conf libtirpc-common (1.1.4-0.4 Debian:10.0/stable [all])
Conf libtirpc3 (1.1.4-0.4 Debian:10.0/stable [amd64])
Conf libglusterfs0 (5.5-3 Debian:10.0/stable [amd64])
Conf libgfxdr0 (5.5-3 Debian:10.0/stable [amd64])
Conf libgfrpc0 (5.5-3 Debian:10.0/stable [amd64])
Conf libgfapi0 (5.5-3 Debian:10.0/stable [amd64])
Conf python-gpg (1.12.0-6 Debian:10.0/stable [amd64])
Conf samba-dsdb-modules (2:4.9.5+dfsg-5 Debian:10.0/stable [amd64])
Conf samba-vfs-modules (2:4.9.5+dfsg-5 Debian:10.0/stable [amd64])

I'm going to confirm Samba is running-

root@asus-eeepc:/# service smbd status
● smbd.service - Samba SMB Daemon
Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2019-08-04 22:44:31 EDT;
Docs:   man:smbd(8)
        man:samba(7)
        man:smb.conf(5)
Process: 13393 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 12798 (smbd)
Status: "smbd: ready to serve connections..."
Tasks: 5 (limit: 4915)
CGroup: /system.slice/smbd.service
├─12798 /usr/sbin/smbd
├─12799 /usr/sbin/smbd
├─12800 /usr/sbin/smbd
├─12802 /usr/sbin/smbd
└─12804 /usr/sbin/smbd

And it is. Using Samba's smbpasswd (similar to passwd), I'm going to add a new user to the service-

root@asus-eeepc:/# smbpasswd -a samba-user

Using Samba's pdbedit, I can manage user accounts stored in Samba's user database. This would be a useful tool for someone managing a larger number of users.

root@asus-eeepc:/# pdbedit -w -L
samba-user:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0910F7894D10FB3E2C4CF51D09CCE6FB:[U          ]:LCT-5D4C7364:

Now that I've got my user added, I'm going to configure the service itself. Since I've decided that I'm going to be sharing just one folder for everyone, I'm going to create a folder named "asus-eeepc" in samba-user's home directory. Afterwards, I'm going to configure the smbd daemon by editing /etc/samba/smb.conf.

root@asus-eeepc:/# mkdir /home/samba-user/asus-eeepc
root@asus-eeepc:/# cp /etc/samba/smb.conf /etc/samba/smb.conf.old

Just like other mature packages, Samba offers many options to configure in smb.conf. Because my install is fairly simple, I can keep the default values for the majority of the file save for a few minor changes. In the [global] block, I want to confirm that the nt-domain/workgroup specified matches what my samba share will be a part of (I have a default Windows 7 value)-

workgroup = WORKGROUP

By default, the home directory of the Samba user will be shared (which is a surprising default, imo). I'd rather that not be the case, so I need to comment out the entire [homes] block (every line up to the next block).

; [homes]
; ...

Next, I'm going to define my share. Note that if I did not include the 'guest ok = yes' directive, then every time a user wanted to connect he/she would have to enter samba-user's username and password.

[asus-eeepc]
    path = /home/samba-user/asus-eeepc
    read only = no
    locking = no
    guest ok = yes
    hosts allow = 192.168.
    hosts deny = ALL

After saving my changes, I have to restart the Samba service in order for changes to take effect-

root@asus-eeepc:/# service smbd restart
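As a check on the smb.conf edits above, here is an added Python script (not from the post or the Samba project) that parses an smb.conf and flags the settings the post discusses: an active [homes] block, a guest-writable share, and a guest share with no 'hosts allow'. The sample configuration is constructed for the example and leaves [homes] active on purpose.

```python
import configparser

# Constructed smb.conf fragment modelled on the edits in the post (not the
# author's real file); [homes] is left active on purpose so the check fires.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server role = standalone server

[homes]
   comment = Home Directories
   browseable = no
   read only = yes

[asus-eeepc]
   path = /home/samba-user/asus-eeepc
   read only = no
   locking = no
   guest ok = yes
   hosts allow = 192.168.
   hosts deny = ALL
"""

def parse_smb_conf(text):
    """smb.conf is INI-like: ';' or '#' comments, '%' macros, duplicate keys."""
    cp = configparser.ConfigParser(
        comment_prefixes=(";", "#"), inline_comment_prefixes=(";", "#"),
        interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(text)
    return cp

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_shares(text):
    """Return (share, finding) pairs for settings worth a second look before
    the share is exposed, even on a trusted LAN."""
    cp = parse_smb_conf(text)
    findings = []
    if cp.has_section("homes"):
        findings.append(("homes", "every user's home directory is shared; comment out [homes]"))
    for share in cp.sections():
        if share in ("global", "homes", "printers", "print$"):
            continue
        sec = cp[share]
        guest = is_yes(sec.get("guest ok", "no"))        # Samba default: no
        writable = (not is_yes(sec.get("read only", "yes"))) or is_yes(sec.get("writable", "no"))
        restricted = bool(sec.get("hosts allow", "").strip())
        if guest and writable:
            findings.append((share, "anonymous read/write share; acceptable only on a trusted LAN"))
        if guest and not restricted:
            findings.append((share, "guest access with no 'hosts allow'; add one like '192.168.'"))
    return findings
```

Run it against /etc/samba/smb.conf after editing; once the [homes] block is commented out, only the note about the intentionally anonymous share remains.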

On my Windows machines, if I've done everything correctly, clicking the start orb and entering the ip address of my Asus EeePC in the run dialogue should open Explorer at the location of my network share-

Location of the network share.

Tags: [System Administration] [Linux] [Samba]

Category: [Blog]

Using fail2ban With ssh

In a previous post I said that had I set up ssh differently, I would have used fail2ban. Because it is such a featureful application, I want to walk through installing and lightly configuring fail2ban on a Debian box.

fail2ban is an application that monitors your logs and responds to any specified criteria by adding rules to your firewall. In this instance, I'm going to add the fail2ban package to help in securing my ssh service.

After installing, I'm going to make a local configuration file for fail2ban to use.

root@twentymachines.net:/etc/fail2ban# cp jail.conf jail.local

It's pretty intense looking through jail.conf and seeing all of the other services I could monitor with this tool! I'm going to clear the majority of /etc/fail2ban/jail.local to focus on sshd, but before I do I'm just going to lay out some default behavior-

[INCLUDES]

before = paths-debian.conf

[DEFAULT] # default behavior

# the following addresses will not be banned
ignoreip = 127.0.0.1/8

In the DEFAULT block, I want to make sure localhost is never banned. Note that if I want to manually add other ips to a whitelist, I can do so using fail2ban-client-

root@twentymachines.net:/# fail2ban-client set JAIL addignoreip 12.345.678

Now to configure how fail2ban will monitor/respond to sshd-

[sshd] # the actual jails

# even though sshd is enabled by default
enabled = true

# name of service is fine if using the default port
port = ssh

# name of the filter located in /etc/fail2ban/filter.d
filter = sshd

# location of the service's logs
logpath  = /var/log/auth.log

# number of seconds a host is banned
bantime = 600

# frame of time when the maximum number of failed login attempts occur
findtime = 600

# maximum number of failed login attempts before a host is banned
maxretry = 4

After saving the changes to /etc/fail2ban/jail.local I'm going to restart the fail2ban service and check my firewall rules-

root@twentymachines.net:/# service fail2ban restart
root@twentymachines.net:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             tcp dpt:rsh-spx

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

And we can see that fail2ban has added its own f2b-sshd chain, referenced from INPUT. In testing, if someone were to make four failed login attempts in a single ten-minute time frame then their ip address should be added to my firewall. Let's test that-

kieran@thinkpad:/# ssh twentymachines.net
kieran@twentymachines.net's password:
Permission denied, please try again.
kieran@twentymachines.net's password:
Permission denied, please try again.
kieran@twentymachines.net's password:
Permission denied, please try again.
kieran@twentymachines.net's password:
Permission denied, please try again.
...

And the terminal hangs. Checking my firewall rules-

root@twentymachines.net:/# iptables -L | grep f2b-sshd
Chain f2b-sshd (1 references)
target     prot opt source               destination
DROP       all  --  10.100.0.3           anywhere
RETURN     all  --  anywhere             anywhere

Great! Any connection coming from the ip address associated with my Thinkpad will be dropped, which is the expected behavior.
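To show what the jail above is actually doing with bantime aside, here is an added Python replay of the findtime/maxretry logic over constructed auth.log lines (example code, not fail2ban's own filter or the post's). It uses a single simplified regex for sshd's "Failed password" line where fail2ban's filter.d/sshd.conf has many; the hostname, PIDs and source addresses are made up.

```python
import re
from datetime import datetime, timedelta

# Sliding-window parameters copied from the jail.local shown above.
FINDTIME = 600   # seconds
MAXRETRY = 4

# Simplified stand-in for fail2ban's filter.d/sshd.conf: one sshd failure line.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$")

# Constructed auth.log lines: 10.100.0.3 fails four times inside ten minutes
# (should be banned); 10.100.0.9 fails three times spread over 40 minutes.
SAMPLE_AUTH_LOG = """\
Aug  4 22:50:01 twentymachines sshd[1201]: Failed password for kieran from 10.100.0.3 port 51000 ssh2
Aug  4 22:50:05 twentymachines sshd[1201]: Failed password for kieran from 10.100.0.3 port 51000 ssh2
Aug  4 22:51:00 twentymachines sshd[1210]: Failed password for invalid user admin from 10.100.0.9 port 40002 ssh2
Aug  4 22:51:09 twentymachines sshd[1201]: Failed password for kieran from 10.100.0.3 port 51000 ssh2
Aug  4 22:52:30 twentymachines sshd[1213]: Accepted publickey for kieran from 10.100.0.7 port 40010 ssh2
Aug  4 22:55:00 twentymachines sshd[1220]: Failed password for invalid user admin from 10.100.0.9 port 40003 ssh2
Aug  4 22:58:40 twentymachines sshd[1201]: Failed password for kieran from 10.100.0.3 port 51000 ssh2
Aug  4 23:30:00 twentymachines sshd[1230]: Failed password for invalid user admin from 10.100.0.9 port 40004 ssh2
"""

def parse_ts(ts, year=2019):
    # auth.log timestamps carry no year; the example assumes one.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay the log and return {ip: time_of_ban} for every source that
    reaches maxretry failures inside any findtime-second window."""
    failures = {}   # ip -> failure times still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in bans:
            continue
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        window = [t for t in failures.get(ip, []) if when - t <= timedelta(seconds=findtime)]
        window.append(when)
        failures[ip] = window
        if len(window) >= maxretry:
            bans[ip] = when   # fail2ban would now insert the DROP rule
    return bans
```

Lowering maxretry or widening findtime in the call shows how quickly the same log would have tripped a stricter jail.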

And that sums up a quick install and demo of fail2ban. When used with ssh, I think this tool is most useful for protecting against automated bruteforce attacks. Thanks for reading!


Tags: [System Administration] [Linux] [fail2ban]

Category: [Blog]

Getting started with OpenSSH

From the console, I'm going to stop the SSH service-

root@twentymachines.net:/# service ssh stop

Since a default installation of Debian includes the OpenSSH package with the ssh service running, it also means that host keys have already been generated. Since I didn't generate them, I'm going to get rid of the existing keys as a precaution.

root@twentymachines.net:/# cd /etc/ssh
root@twentymachines.net:/etc/ssh# ls
moduli      sshd_config         ssh_host_ecdsa_key.pub  ssh_host_ed25519_key.pub  ssh_host_rsa_key.pub
ssh_config  ssh_host_ecdsa_key  ssh_host_ed25519_key    ssh_host_rsa_key
root@twentymachines.net:/etc/ssh# rm ssh_host_*

Now to force the openssh-server package to generate new keys using dpkg-reconfigure-

root@twentymachines.net:/# dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
2048 SHA256://oRt9KLv3HhyQv48en61M/Ru+68M7MuXwOvqm4A8TY root@twentymachines.net (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:vu9A6d9kVnyfYASAR3o9+jmXHnwV2napmgcJTPSCne0 root@twentymachines.net (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:+Jmqmgm+LGk4XU0PwRd0Oun3o8CiLoD5wh0MZPEvDJY root@twentymachines.net (ED25519)

Next, I'm going to create a new user who does not have root privileges.

root@twentymachines.net:/# adduser kieran
Adding user `kieran' ...
Adding new group `kieran' (1001) ...
Adding new user `kieran' (1001) with group `kieran' ...
Creating home directory `/home/kieran' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for kieran
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y

I'm going to end my console session and switch over to my laptop now, where the first order of business is generating a public/private key pair. For sport, I decided to use the new signature algorithm (ECDSA) with the maximum number of bits (521).

kieran@thinkpad:~$ ssh-keygen -b 521 -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/kieran/.ssh/id_ecdsa): /home/kieran/.ssh/id_ecdsa.thinkpad
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kieran/.ssh/id_ecdsa.thinkpad.
Your public key has been saved in /home/kieran/.ssh/id_ecdsa.thinkpad.pub.
The key fingerprint is:
SHA256:d/fAYW2lPNqKfgqMsJ2mb+PFuNXA2WORWhm+R2/R6NA kieran@thinkpad
The key's randomart image is:
+---[ECDSA 521]---+
|          .     .|
|         . + o =.|
|          * o E +|
|       . = + O = |
|    .   S * + O  |
|     + * = = + o |
|    . * * o .   .|
|     oo+ o  .    |
|    .++.  oo     |
+----[SHA256]-----+

In order to implement public key authentication I have to get the public key on to the server, and I'm going to use the ssh-copy-id command to perform this task. Note: this will be my first ssh connection to the server.

kieran@thinkpad:~$ ssh-copy-id -i ~/.ssh/id_ecdsa.thinkpad.pub twentymachines.net
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/kieran/.ssh/id_ecdsa.thinkpad.pub"
The authenticity of host '[twentymachines.net] ([158.69.215.97])' can't be established.
ECDSA key fingerprint is SHA256:vu9A6d9kVnyfYASAR3o9+jmXHnwV2napmgcJTPSCne0.
Are you sure you want to continue connecting (yes/no)? yes

I can see the hashed fingerprint of the host key matches what was in my console session a moment ago. For this reason I can be reasonably sure this is the entity I intend on connecting to.

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
kieran@twentymachines.net's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'kieran@twentymachines.net'"
and check to make sure that only the key(s) you wanted were added.
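The fingerprint comparison just described can be automated when the public key itself is available (for example a line from the server's ssh_host_*.pub or from ssh-keyscan). Here is an added Python implementation of the OpenSSH SHA256 fingerprint (not from the post or OpenSSH): base64 of sha256 over the decoded key blob, with the '=' padding stripped. The sample key is constructed from placeholder bytes and is not a real key.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-", "ecdsa-")

def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return len(data).to_bytes(4, "big") + data

# Constructed Ed25519 public key line: 32 placeholder bytes, NOT real key material.
SAMPLE_PUB_KEY = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode() + " root@example-host"
# Same layout with one byte changed, to show that the fingerprint moves.
TAMPERED_PUB_KEY = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))).decode()

def fingerprint(line):
    """SHA256 fingerprint of a public key line as ssh-keygen -l prints it.
    Accepts both 'type b64 comment' and known_hosts 'host type b64' layouts."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPES) and i + 1 < len(fields):
            key_type, b64 = field, fields[i + 1]
            break
    else:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(b64, validate=True)
    # The blob's first wire string must repeat the key type; reject mismatches.
    type_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type field does not match blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def matches_expected(line, expected):
    """Compare a key line against the fingerprint copied from the console."""
    return fingerprint(line) == expected.strip()
```

Comparing the fingerprint of the server's ssh_host_ecdsa_key.pub against the value the client prints at first connection replaces the by-eye check with an exact match.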

And now to make some configuration changes.

kieran@thinkpad:~$ ssh twentymachines.net
Enter passphrase for key: '/home/kieran/.ssh/id_ecdsa.thinkpad'
Linux 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Settings for the ssh server are located in the file sshd_config in the /etc/ssh folder. The first line I'm going to change is-

PermitRootLogin no

I don't have a reason for root to be able to use the ssh service, and it can be said that by disabling root you've become a less attractive target to a portion of attackers. The next line I'll actually have to add-

AllowUsers kieran

Because there are few users on this system, the AllowUsers directive is best suited. Like the AllowGroups directive, it hardens access by restricting logins to an explicit list of accounts, a layer of access control in front of authentication. The last line I'm adding is-

AuthenticationMethods publickey,password

Because the server already has my public key I can authenticate with 'something I have,' and by entering a password afterwards I can authenticate with 'something I know.' This chain of multifactor authentication is performed just as it appears in the directive. You must have the correct key pair, and if you do, then you must also know the correct password.

As an aside, I learned the difference between "password" and "keyboard-interactive" in the AuthenticationMethods directive. "keyboard-interactive" makes use of PAM, which can be utilized for more than just passwords (security tokens, one-time passwords, and more).

In order for my changes to take effect I have to restart the ssh service-

service sshd restart

To wrap up, I believe we have a secure remote access service now (provided that I keep my keys secure and check for updates regularly). Another approach I would consider using is a different combination of options for AuthenticationMethods (using PAM) and also making use of fail2ban. Thanks for reading.


Tags: [System Administration] [Linux] [OpenSSH]

Category: [Blog]
