Setup \ Building a Linux Server using Webmin (Page 3 of 5)
-By Kevin Elwood (version 3.88)
Let’s configure the FTP server (vsftp)
Using the File Manager module, edit the file /etc/vsftpd.conf

You should see something like this

You need to make the following changes to it
Change line 23 from anonymous_enable=YES to anonymous_enable=NO (no spaces around the “=”, vsftpd treats them as an error)
Uncomment line 26 by removing the “#” so that it reads local_enable=YES
Uncomment line 29 by removing the “#” so that it reads write_enable=YES
Uncomment line 33 by removing the “#” so that it reads local_umask=022
On or around line 34, add the following entry file_open_mode=0755
Uncomment line 94 by removing the “#” and change the Welcome string to something custom of your own
Uncomment line 105 by removing the “#” so that it reads chroot_local_user=YES
You should eventually see something like this
When you have made all the changes, click save and close
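Before restarting the service, the saved file can be checked against the list of changes above. This is an added example, not part of the original how-to; the sample files are constructed, and the welcome banner is not checked because its text is your own.

```bash
#!/bin/sh
# Added example: check a vsftpd.conf against the edits listed in the steps above.

# Settings the steps call for (the banner is free text, so it is not checked).
EXPECTED="anonymous_enable=NO local_enable=YES write_enable=YES local_umask=022 file_open_mode=0755 chroot_local_user=YES"

# vsftpd_audit [FILE]   (reads stdin when FILE is omitted)
# Prints one OK/FAIL line per expected setting; exit status = number of FAILs.
vsftpd_audit() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, item, " ")
        for (i = 1; i <= n; i++) {
            split(item[i], kv, "=")
            order[i] = kv[1]; need[kv[1]] = kv[2]
        }
    }
    { sub(/\r$/, "") }                     # tolerate files saved with CRLF
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # lines still commented out, and blanks
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        # vsftpd treats any space between option, "=" and value as an error.
        if (key ~ /[ \t]/ || val ~ /^[ \t]/) {
            gsub(/[ \t]/, "", key)
            spaced[key] = 1
            next
        }
        seen[key] = val
    }
    END {
        fails = 0
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (k in spaced) {
                printf "FAIL %s: whitespace around =\n", k; fails++
            } else if (!(k in seen)) {
                printf "FAIL %s: not set (missing or still commented out), want %s\n", k, need[k]; fails++
            } else if (seen[k] != need[k]) {
                printf "FAIL %s=%s, want %s\n", k, seen[k], need[k]; fails++
            } else {
                printf "OK   %s=%s\n", k, seen[k]
            }
        }
        exit fails
    }' "${1:--}"
}

# Constructed sample: roughly what the file looks like before the edits.
sample_before() {
    cat <<'EOF'
# constructed sample, not taken from a real server
anonymous_enable=YES
#local_enable=YES
#write_enable=YES
#local_umask=022
#chroot_local_user=YES
EOF
}

# Constructed sample: the file after every change in the list has been made.
sample_after() {
    cat <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
file_open_mode=0755
ftpd_banner=Welcome to my FTP server.
chroot_local_user=YES
EOF
}

echo "--- before the edits ---"; sample_before | vsftpd_audit || true
echo "--- after the edits ---";  sample_after  | vsftpd_audit || true
```

On the server itself the call would be vsftpd_audit /etc/vsftpd.conf, run as root from the ssh2 module or putty.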

The next time the computer is restarted, the FTP server will read the new changes, and will be ready to use. We haven’t added any users for it yet, we will get to that later, but we are done as far as its configuration.
If you don’t want to reboot, you can just restart the vsftp service instead.
Using the Bootup and Shutdown module, find vsftpd

Put a check in the box next to vsftpd and click the “Restart” button
This will restart the FTP service, without restarting your computer. Either way is fine.
Now you have a fully functional FTP server. We will test it later, when we add some more users with less important passwords. Much like HTTP, passwords sent over FTP are also sent in plain text, that’s why I don’t want you to test it right now with your important accounts and important passwords.
That’s it for FTP for now
Next let’s see how to check local email messages and syslog. When something goes wrong with the system, or there is a change, or a scheduled job has failed, you can use one of these two messaging systems to check it. Similar to Windows Event Viewer, you can find a lot of helpful information here.
Using the Read User Mail module, you can see if you have any mail.

As you can see I have messages here.
In this configuration you can send and receive local emails to users of this server, using this module.
And to check the syslog, use the System Logs module

You can also find useful information in the View Module Logs module

A lot of the time the answer to your problems will be in one of those (3) places
And the homepage (also called the System Information module) does a good job of showing you your current usages.

As we can see above, even with everything we have added to the computer, it’s still only using 34MB of ram, 0MB of the Pagefile, and 0.02 of the processor. *** note, this particular computer is only a P3 \ 450Mhz … a paper-weight at best. Isn’t Linux amazing?
These awesomely low numbers are because we are using the command line version of Linux, and not a GUI Operating System.
You can also see your Uptime and OS version, Disk-Space, and other important information.
Next let’s add some user accounts, these would be people you would give access to your server and its resources.
We will create the accounts, and setup their home directories to be on the data drive, and exposed to the network\internet.
Using the Users and Groups module

We are going to get a lot of use out of this module. It will allow us to make users, groups, set passwords, set home directories, and even setup their shell, where we can further restrict them if needed.
Click on “Create a new user”
You should see something like this, make the following changes

With the username jdoe and the real name jdoe.
I like to keep the username and the real name the same, but the only important one is the username, that will be the actual login name. You could set the real name to Mr. John Doe, or something more descriptive if you like. I personally like to keep them the same.
Un-check “Automatic” and set the Home directory to
/mymounts/vraid/users/xhomes/jdoe
If you aren’t using raid, and are using d2p1, you would type
/mymounts/d2p1/users/xhomes/jdoe
What these descriptive folder structures tell us is
-It’s a drive I mounted
-What drive it’s on
-It’s user data
-It’s an exposed home directory “xhomes”
-It’s user jdoe
By exposed home directory, I mean that directory is exposed to the network or the internet. A constant reminder to me about security and confidentiality of what goes in there
We are later going to change the web server (Apache) to listen in those directories, so these home directories will be folders that are exposed and viewable over the network or internet.
That’s on purpose, to give them web space.
After you have set the username and home directory, choose “normal password” and let’s type in the password jdabc123
Set the Group to “New Group With Same Name As User”
Then click the “Create” button
If successful, you should see something like this

Little advice, careful if you ever click on a user, it will go into Edit User mode, and will try to reset the password.
Of course it won’t do it unless you hit apply
But try not to edit your users once they start using it, unless you know their password.

You probably noticed I didn’t have you put jdoe in a group, but instead created a group with the same name of jdoe. Groups are awesome, so that’s a good question. We will cover groups later, but for now let’s focus on users.
In this scenario you really don’t need groups, because your users will be accessing their own home directories. And the entire operating system is kind of built around that idea, and gets the right settings and permissions by default.
It’s when you venture outside the home directories that you will find yourself overwhelmed with permissions, and then groups are a wonderful thing. Also if you want your users to be able to edit each other’s files, then you would have a big need for grouping.
In our current configuration, every time you create an account the way we just did above, the users will have access to other users’ files and shares, for downloading and viewing and such, but won’t have the rights to change or delete anything they didn’t create. That is usually what you’re trying to achieve with non-confidential user data, and it is easily tweakable to fit any need you might have.
Now that you have a user with a password we don’t care about, let’s make sure your FTP is working. Remember this password will be sent in plain text, if there is a hacker on your network, he is about to see it, so make sure you don’t type any of your important passwords in these next couple of steps.
We are going to use Windows Explorer to test our FTP. Not to be confused with Internet Explorer. Windows Explorer is not the same as Internet Explorer.
If you don’t know how to access Windows Explorer, open up “my computer”

In that address bar, you can type FTP addresses, and hit the Go button or the Enter key on your keyboard.
It’s important you are not in a browser like Internet Explorer or Firefox, those are for viewing, and are not fully functional FTP clients.
Make sure you’re in a My Computer like window
Type ftp:// followed by your IP address
Mine would be ftp://192.168.2.1
And would look like this

If your IP was 192.168.2.178, then you would type
ftp://192.168.2.178
Hit go or enter, and you should be prompted for a username and password

Use the username and password you created earlier
Username: jdoe
Password: jdabc123
And click the “Log on” button
It should login, and you should see something like this
(if not, re-read this section, and fix it before moving on)

It’s empty because we haven’t put anything in there yet. Uploading files this way is as easy as copy \ paste. You should be able to copy a file and or folder from your Windows Desktop and paste it right into the FTP window above.
Copy something

And paste it

And you should see something like this

That folder or file that you pasted in there is now in user jdoe’s home directory.
You can see that in a more familiar view by using the File Manager module.

(If you don’t see it, hit the refresh button)

Those files are now exposed to the network \ internet. We are going to make them even easier to get to by changing Apache to listen in those folders. We will use the password protected FTP way you just did to upload files, and we will use a no-password-needed webpage approach to view and download them.
Everyone will be able to view and download these files, but only user jdoe will be able to upload, modify, and delete.
Well… jdoe and you (root). Logged into the File Manager as root you can do anything you want.
Ok, so let’s redirect the apache listening folder to our data drive, deep enough to expose our external users home directories.
Open the File Manager module and create the following folder
/mymounts/vraid/users/xhomes/no_auth
Or, if you’re not raided
/mymounts/d2p1/users/xhomes/no_auth

Then click once to highlight the newly created no_auth folder, and click the info button
You should see something like this, make the following changes

Un-check all the boxes, make sure root is both the User and the Group, and then click save.

We want this folder to be totally locked down, this is where apache is going to dump people if they don’t know where they are going. And with these super strict permissions, they won’t be able to use the back button, or do anything we don’t want them to.
These permissions are a little over-kill, but we can get away with that because we are root.
Next, using the file manager, navigate to the folder
/etc/apache2/sites-available
Highlight the file default by clicking on it once
And then click the edit button

You should see something like this, make the following changes

That third line can be a little hard to type, if you want to copy and paste it, here it is below.
RedirectMatch ^/$ /no_auth/

Make those three changes and click save
We have to restart apache for it to realize the changes
Using the Bootup and Shutdown module, restart apache2


Now when you try to go to your webpage, you should get what looks like an error. This is what we want.
Open Internet Explorer, and navigate to your Linux box IP address
Mine is 192.168.2.111
So I would type http://192.168.2.111
You should see something like this

This would be an example of someone who didn’t know where they were going. We are creating disk space on the internet for people who know where they are going. Notice there is no back button or Parent Directory button above the word forbidden, this keeps people from browsing your directories. There is still a back button at the top left of the page, but that back button is ok, it takes them back to the last page they visited. The back button we prevented is the one that is used to move back and forth through your directories.
So unless someone knows where they are going, your website would seem down, or not available to them.
But… if you were a user of the system, (like jdoe) you would know where you were going, you would know that your homepage or your web space is
http://192.168.2.111/jdoe
Type that into Internet Explorer, and you will arrive at user jdoe’s home directory.
You should see something like this

Notice if jdoe had files he wanted to share over the internet, people could download them from this page. Or if user jdoe uploaded a file called index.html
Then he would have a webpage, that people could visit
And if someone gets snoopy, and clicks on that Parent Directory button, they get dumped back to the no_auth folder, and won’t be able to snoop around. This isn’t secure by any means, but at this point we are not putting confidential data in there, so this is tight enough for now.
Now you can start providing web space and or webpages to people. All you have to do is make them an account. Make sure to put their home directory in folder
/mymounts/vraid/users/xhomes/
Or
/mymounts/d2p1/users/xhomes/ depending on your setup
And that user can now ftp files to their space, requiring a password. And share them with the world via their webpage (http) without a password
The secret behind all of that is

We told apache to listen in the folder xhomes
Then we told apache, if anyone lands here, immediately redirect them to the no_auth folder
jdoe would never land in xhomes, because he knows to specify the path
/jdoe
http://192.168.2.111/jdoe
Therefore skipping the redirect to no_auth, because he never actually landed in xhomes, he landed deeper in the jdoe folder, where he wanted.
If you made a new user account called kevin
Kevin could do the same thing
http://192.168.2.111/kevin
And so on and so on, for all your exposed users. Hence the name xhomes
That’s it for redirecting apache, just remember to make their home directory in the xhomes folder, and teach them that these files are in no way confidential.
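Since everything under xhomes is served and no_auth is the only locked entry, it helps to list how each entry looks to the web server. This is an added example, not part of the original how-to; it assumes GNU stat and that Apache reaches these folders through the “other” permission bits, and the XHOMES variable is a name made up for this sketch.

```bash
#!/bin/sh
# Added example: report how each entry under xhomes looks to the web server.
# Assumes GNU stat, and that Apache is neither owner nor group member of
# these folders, so only the "other" permission digit applies to it.

# xhomes_audit DIR -> one line per top-level entry: "<mode> <state> <name>"
#   locked          no access for "other" (what no_auth should be)
#   exposed         readable and/or traversable by anyone, so served
#   world-writable  anyone on the box can change it; never wanted here
xhomes_audit() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue
        mode=$(stat -c '%a' "$entry")
        other=${mode#"${mode%?}"}          # last octal digit = bits for "other"
        case $other in
            0)       state=locked ;;
            2|3|6|7) state=world-writable ;;
            *)       state=exposed ;;
        esac
        echo "$mode $state ${entry##*/}"
    done
}

# no_auth_ok DIR [UID] [GID] -> status 0 only if DIR/no_auth is a directory
# with every permission box unchecked (mode 0) and owned by UID:GID.
# The defaults 0 0 are root:root, as set in the File Manager info dialog.
no_auth_ok() {
    d=$1/no_auth
    [ -d "$d" ] || return 1
    [ "$(stat -c '%a %u %g' "$d")" = "0 ${2:-0} ${3:-0}" ]
}

# Run against the real tree when it exists (use the d2p1 path if not raided).
XHOMES=${XHOMES:-/mymounts/vraid/users/xhomes}
if [ -d "$XHOMES" ]; then
    xhomes_audit "$XHOMES"
    if no_auth_ok "$XHOMES"; then
        echo "no_auth is locked down"
    else
        echo "no_auth is NOT locked down, re-check its permissions"
    fi
fi
```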
You can also make yourself folders in here, without needing to keep making new accounts. Because anything you put inside the xhomes folder will be exposed to the web.
So if you made a few new folders like
/mymounts/vraid/users/xhomes/public
/mymounts/vraid/users/xhomes/vegas09pix
/mymounts/vraid/users/xhomes/rex-the-dog
/mymounts/vraid/users/xhomes/website-for-mom
You could send internal people links like these, and later when we setup port forwarding you can send them to external users as well
http://192.168.2.111/public (internally) or http://your-public-ip-address/public (externally)
http://192.168.2.111/vegas09pix (internally) or http://your-public-ip-address/vegas09pix (externally)
http://192.168.2.111/rex-the-dog (internally) or http://your-public-ip-address/rex-the-dog (externally)
http://192.168.2.111/website-for-mom (internally) or http://your-public-ip-address/website-for-mom (externally)
And people could access the files and or webpages inside
And later on in the how-to, when we give your server a public hostname, you can send people links that look like
That has a name, that makes sense, instead of those confusing numbers. But they couldn’t look at your other users folders, unless they knew where they were going. This isn’t a very secure way of keeping people out, but these are not confidential files, so it works great!
And just like you did earlier, you could add a password to the /mymounts/vraid/users/xhomes/vegas09pix directory using the Protected Web Directories module, and limit who could see those pictures.
This is a little off topic. I am not a Macintosh fan, but if you find yourself having to support some, you can also use this Linux box to image Macintosh boxes. Mac lets you uni-cast images of desktops and laptops from a web-server. So now that you have a fully functioning web-server, you can use the Disk-Utility on the CD that came with your Mac, and create a .dmg image of the computer to a USB or Firewire drive…. Upload it to your web-server, and dump it to other Macintoshes.
Once you have the dmg file uploaded
It should be available with 755 permissions, and look something like this
http://192.168.2.5/macs/g6.dmg
And that’s it, the other Macs can download that as an image when booted off the Mac CD and running the Disk-Utility
And voilà, it will reboot fully imaged.
Later in the how-to, we setup a DHCP server, this also helps with Mac imaging, as Mac doesn’t let you use a static IP address in the disk utility GUI.
That’s about it for apache
Next we are going to make another user, whose password we don’t care about, and whose home directory is not inside the website listening folder. Because right now, anything we upload is instantly exposed to the web-server. And sometimes we will want to upload files without them being exposed to the web. And sometimes on a LAN, FTP is the best way to do this.
The Upload and Download module you have been using in Webmin is awesome, it’s easy to use and keeps your passwords safe… but at a price. Because of the https encryption it’s really slow, it doesn’t understand all file type headers, and sometimes it has problems with really large files.
So we will use FTP or Samba for those needs, large files, weird file types, etc…
Just remember that password is sent in plain text, so make sure it’s a password you don’t care about.
Same steps as before
Using the Users and Groups module

Click on Create a new user
You should see something like this, make the following changes.


Name the user uploadman
Do not change the Home directory option, leave it at Automatic this time
Set the password to umabc123
Click “Create”
That’s it, this user’s home directory can now be found under
/home/uploadman/

(If you don’t see it, hit the refresh button)
Now you should be able to ftp in as user uploadman
Remember to use Windows Explorer, not Internet Explorer, when FTP’ing

Using copy \ paste, let’s upload a large file
Copy something big, like a CD iso
And paste it

Close the FTP window, and go look at it in the Webmin File Manager
(If you don’t see it, hit the refresh button)

Then using the buttons at the top, you could cut that file, and paste it into the
/options/ directory
And that would be an example of how to get huge files uploaded to your server, and put into the /options folder. Much later in the how-to we will use this method heavily to upload .iso’s to the Datastore (advanced)
Or even easier, if the file you’re after is on the internet, you could just use the wget command you learned earlier. By using the ssh2 module or putty, login as root, then change directory to the options directory
cd /options
Then type wget http://the-website-that-has-it/debian503.iso
That would accomplish the same thing, but the file would have to be on the internet or a web-server for that option to work.
Either way, now you have a couple work-arounds, for large files, if the Upload and Download Webmin module gives you problems
(and it sometimes will)
And now you have an ftp account “uploadman” whose home directory isn’t exposed to the web-server. And a user “jdoe” whose home directory is exposed to the web-server.
Now let’s setup disk space restrictions, called Quotas. These are very important, because without them, there isn’t anything stopping your users from uploading too many files, eating up your bandwidth, disk space, and ultimately crashing your server.
Let’s think of user uploadman as an account probably only you, the administrator, would use. And let’s think of jdoe as an account you made for your friend or your client
(John Doe)
You most likely wouldn’t put a quota restriction on yourself (uploadman) but you should restrict jdoe. And because of the way we have been mounting the hard drives, quota is almost already setup.
Just go into Webmin, and click on System in the left menu, and then click on the Disk Quotas module

Notice mine says Filesystem /mymounts/vraid
Yours will either say that or /mymounts/d2p1/
Depending on if you followed the raid how-to, or not.
I will continue to call it /mymounts/vraid but you will know I mean either one.
Click on Enable Quotas

Don’t get clicky, this can take a good 10 minutes or longer to respond.
And you should finally see something like this…

Click on “Users” not groups

You should see something like this

There is a lot of good info here. Notice username uploadman is not listed here.
That’s because he doesn’t live on this hard drive, and hasn’t been given any access to it.
uploadman lives on /home/uploadman which is the main hard drive. This is drive number 2. So only jdoe shows up, and of course root, because root has access to everything.
Let’s setup a quota for user jdoe
To limit the amount of space he can use on /mymounts/vraid
Click on jdoe

You should see something like this

Make the following changes

Soft Limit = 2GB
Hard Limit = 3GB
Then click the “Update” button.
That’s it
This means the user (jdoe) has 3 Gigs of storage space he can use.
You will start to get warned above 2GB, and he will get cut off after 3GB
We don’t change the file limit, just the overall size limits. I don’t really care how many files he puts on there, just as long as the overall size of his home directory doesn’t exceed 3GB.
When you get back to the main quota screen, you should see something like this.

There is all the information you could need right there. You can see user jdoe is using 26MB. He is allowed to use 3GB. You will be warned when he reaches above 2GB. And I put red x’s through the file limits, because I don’t care how many files he puts on there.
You don’t want to set a quota for root, because root is un-stoppable, and root is you. And you don’t want to set a limit for user uploadman because that is also you.
But always set quotas for your users
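The same limits can be set and reviewed from a root shell with the standard quota tools (setquota, repquota). This is an added example, not part of the original how-to; it assumes 1 GB means 1024 x 1024 one-KiB blocks, the repquota report is constructed, and the user kevin in it is the hypothetical extra account this page mentions.

```bash
#!/bin/sh
# Added example: command-line view of the quota steps above.

# quota_cmd USER SOFT_GB HARD_GB FILESYSTEM
# Prints the setquota call matching the Webmin form: block limits in 1 KiB
# units, file (inode) limits left at 0, which means unlimited.
# Assumption: 1 GB is counted as 1024 * 1024 KiB.
quota_cmd() {
    echo "setquota -u $1 $(( $2 * 1024 * 1024 )) $(( $3 * 1024 * 1024 )) 0 0 $4"
}

# quota_findings [EXEMPT_USERS]
# Reads `repquota -u <filesystem>` output on stdin and prints:
#   NOQUOTA  <user>              account with no hard limit (can fill the disk)
#   OVERSOFT <user> <used>/<soft> account past its soft limit, in KiB
# EXEMPT_USERS is a space-separated list that is skipped (default: root).
quota_findings() {
    awk -v exempt=" ${1:-root} " '
    /^-+$/ { body = 1; next }              # the dashed rule ends the header
    !body || NF < 5 { next }
    {
        user = $1; used = $3 + 0; soft = $4 + 0; hard = $5 + 0
        if (index(exempt, " " user " ")) next
        if (hard == 0)                     print "NOQUOTA " user
        else if (soft > 0 && used > soft)  print "OVERSOFT " user " " used "/" soft
    }'
}

# Constructed sample report. jdoe matches the screen described above
# (26MB used, 2GB soft, 3GB hard); the other rows are made up for the example.
sample_repquota() {
    cat <<'EOF'
*** Report for user quotas on device /dev/md0
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      20       0       0              2     0     0
jdoe      --   26624 2097152 3145728             14     0     0
testuser  +- 4500000 4194304 5242880  6days      31     0     0
kevin     --    1024       0       0              5     0     0
EOF
}

quota_cmd jdoe 2 3 /mymounts/vraid
sample_repquota | quota_findings root
```

On the server the report would come from repquota -u /mymounts/vraid piped into quota_findings; uploadman never shows up there because his home is on the other drive.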
Let’s make another user called testuser with a password of abc123
With a home directory of /mymounts/vraid/users/xhomes/testuser
*or /mymounts/d2p1/users/xhomes/testuser depending on your setup
We will use this user to test things you set up for your users. Because once you go live with this and start giving people access, you won’t know their passwords, and will need an account of your own to test user settings with.
So navigate to the Webmin Users and Groups module, and create a new user

And very similar to what you did for user jdoe
setup user testuser


Click the Create button
And using the Disk Quotas module, give him a limit of 5GB, warned at 4GB.
Similar to what you did earlier

Click on testuser

Setup the quota, and click update
That’s it for quotas, and now you have a user named testuser you can use for testing
Next we are going to setup Usermin.
Usermin is a Webmin-like interface you can give your users access to. Remember, you never want to give them Webmin access, that’s for you, so Usermin is a great medium.
After we install it, we have to do a lot to lock it down. It’s a little too powerful, so we have to configure it to only allow access to the things we want your users to see.
First we need to download the Usermin installer from http://webmin.com
So let’s navigate to our Upload and Download module, so we can download it.
Make sure you are on the download from web tab

Paste this link into the URLs to download field
http://prdownloads.sourceforge.net/webadmin/usermin_1.490_all.deb
Eventually these links will stop working due to new versions, so you may have to use the versions from my server, or go to webmin.com and find the newest link.
My server
http://t3.woodel.com/my-linux-how-to/usermin_1.490_all.deb

This will download the installer to the /options folder for you.
And we will install it using the Software Packages module

Choose From local file, provide the path, and click the install button
You should see something like this

Click the install button
If successful, you should see something like this

Ignore the fact it’s telling you to login above, we are not ready for that yet.
Usermin is now installed, we have to lock it down now, because its default install gives the user way more control than we want them to have.
You should have a Usermin Configuration module within your Webmin screen now, towards the top, under Webmin
If you don’t see it, you may have to hit Refresh Modules at the bottom of the screen

Usermin has a lot of features we need to disable for our users.
Starting from the top and working to the right, let’s click on User Interface

You should see something like this, make the following changes, and click save.


Next click on Upgrade Usermin, but don’t click anything else

This is how you would check for updates for Usermin, but resist doing this now if you can, that way our screens continue to look the same.
Click Return to Usermin configuration
Next click on SSL Encryption

And change Enable SSL if available to No
And click save
This will disable https for Usermin, and force it to run un-encrypted, using http
This would normally be a horrible idea, https is awesome. It’s what keeps your passwords and transactions safe on the internet. We just disabled one of Usermin’s best features. But we are going to use Usermin as an FTP alternative for our users. We have already told our users to not put files on the internet they don’t want others to see, and have already told our users not to use important passwords (meaning don’t use the same password here as you do for your bank or for your email)
Since this is just an alternative to FTP we are offering, and since FTP isn’t safe, we can go ahead and disable https.
This only affects your users and Usermin, your Webmin is still https, so no worries there.
Again that was a terrible change we just made. Hopefully someday you will turn it back on. We disabled it for ease of use for our users, as that https certificate warning will get in the way of a lot of stuff they will try to do, and running non https will speed up their downloads.
With a little training you could teach them (your users) how to interact with the certificate warning, or better yet, buy your own ssl certificate from http://dyndns.org and not get any warnings at all.
If you ever buy one, you could return to this page and insert it here, and change it back to SSL mode

But this how-to is focused on the free and easy, so we will continue with non https for Usermin, and instruct our users to not re-use important passwords and not put confidential files onto the web.
And to make sure I didn’t confuse you, do not ever disable SSL for Webmin, I am strictly referring to Usermin and non confidential user files.
Next click on Usermin Module Configuration

Then click on Upload and Download
And make the following changes

Then click save
You should be returned to this screen, click on File Manager

Make the following changes


Then click save
You should be returned to this screen, click on File Manager again, there is another change we need to make to it.

Click on the Default users preferences tab, on the top right, and make the following changes.

Click save
You should be returned to this screen

Click Return to Usermin Configuration
Then click on Available Modules

Make the following changes

Make sure you un-check everything except
File Manager, Disk Quotas, Upload and Download, and Change Password.
Everything else needs to be unchecked
Then click save
Next click on Allowed Users and Groups
And make the following changes

Then click save
Next click on Access Control Options
And make the following changes

Then click save
That’s it for Usermin, you can log in and see the fruits of your labor
To login, open your browser and type http://your-linux-box-IP-address:20000
My IP address is 192.168.2.111
So I would type http://192.168.2.111:20000

Login as testuser with password abc123
You should see something like this

Here your users can use the Browse button to choose and upload files over the internet or network, directly to their home directories.

This is the FTP alternative we were talking about. Most users will find this a lot easier to use than FTP. Especially those using a lot of different computers \ operating systems. Since it’s web-based, it will always look the same, no matter if they are on a Mac, PC, Linux, or something else. FTP is still available, and they both still work, side by side.
It isn’t anywhere near as fast as FTP, but your internet users and non-computer savvy users will like it.
For extremely large files, you will want to use FTP or Samba
(we will cover Samba later in this how-to)
This Upload and Download module will load as the homepage for your users, but they can also click on the menu items on the left.

Here they can check their disk space usage and quota, use the File Manager module, and even change their own passwords.



Just remember to tell your users about the dangers of entering passwords over a non https connection.
That’s it for Usermin, your users will really like how easy and flexible it is.
Hopefully you will change it back to https \ SSL mode, and teach your users about the certificate prompts, disabling that is always a bad idea.
Or purchase your own ssl certificate, and have the best of both worlds.
If you’re going to be offering this server to internet users, you’re going to need to setup a dynamic hostname, so you can give your users a website name to go to, instead of an IP address that they will never remember.
So instead of telling user jdoe this is his website, which he will never remember
http://123.123.123.123/jdoe
You can do something like
http://example.com/jdoe Or http://jdoe.example.com
And instead of telling jdoe this to manage his account http://123.123.123.123:20000
You could do http://members.example.com or http://my.example.com
Your users are already accustomed to website names like this, most of their other online accounts will start with members, or cardholders, or my. And then the website name
In all of these examples, you would replace example.com with the unique name you chose as your dynamic hostname. It’s dynamic because, your IP address will change over time, but the name will not.
There are many sites that will do this for you. In this example we will use http://dyndns.org
I use them, and I think they do a great job.
You can go to their website, and choose either a paid dynamic hostname, like example.com.
Or you can choose a free dynamic hostname, but the free ones put a little advertisement in the name, like example.drink-beer.com
It’s a small price to pay, but every time you tell your users their link, you’re advertising for beer.
I would go with the paid version, the support is better, the names are shorter, and your users will take you more seriously.
http://dyndns.org calls their paid version custom dns
Start by going to their website http://dyndns.org

Choose a free one, or a paid one
I use the paid one, the names are easier to remember, it’s more robust and the support is better. With the paid one you can email them, and a real tech will answer you. If you go with the free one, I think email is disabled and you have to use the knowledge base.
Both work great, I have a couple free ones I have never had a problem with as well.
Choose your poison, type the name you want in the example box, and click the add button.
For example, we will say you selected kevin.gotdns.org
*Don’t use kevin.gotdns.org, that’s an example
If the name isn’t available, it will ask you to pick a different name. Once you find one you’re happy with, click add.
The website will walk you through everything you need to do, and you will leave with a dynamic hostname and a username \ password for making changes.
Then all you need to do is tell your router at home that information, so it can dynamically update the IP address at your house, to match the hostname you picked out.
Your router’s management interface should have a tab called DDNS. Log into your router and fill in the information.
You should see something like this, make the following changes.

*Don’t use kevin.gotdns.org, that’s an example, use the name you picked at the dyndns website.
Now your router will tell the dyndns.org website if ever your home IP address changes, so that your hostname will always point back to your router at home, even if your IP address changes (and it will)
Now your router will always respond to the hostname you picked.
Now all you have to do, is tell your router what computer, inside your house, to send the traffic to.
So far we have a need to port forward ports 20, 21, 22, 80, 10000, 20000 to be directed to the Linux box inside your house. Today mine is ip address 192.168.2.111.
That would look like this

Now your router will send web traffic (that’s port 80) to 192.168.2.111 (your Linux box)
Now your router will send ftp traffic (that’s ports 20 and 21) to 192.168.2.111
Now your router will send ssh \ putty traffic (that’s port 22) to 192.168.2.111
Now your router will send webmin traffic (that’s port 10000) to 192.168.2.111
Now your router will send usermin traffic (that’s port 20000) to 192.168.2.111
This way your Linux box (192.168.2.111) isn’t totally exposed to the internet, you control what traffic is allowed to get to it.
Now if a user types http://kevin.gotdns.org into a browser window, browsers talk on port 80, and your router will know where that is supposed to go.
Now if you type kevin.gotdns.org into a putty window, putty talks on port 22, and your router will know where that is supposed to go.
And so on and so on.
That’s pretty much it for the dynamic hostname and the firewall \ port forwarding configuration. If everything is working but ftp, you could be having a min_passv, max_passv problem with your firewall. Or a modprobe ip_conntrack_ftp problem. Those are advanced problems, and we will cover them much later in the how-to. But if everything is working besides ftp, you will want to keep reading into the advanced section.
You should now be able to get to your Linux box from the internet. Meaning you should be able to get to it from work, a friend’s house, etc… using your dynamic hostname.
Next we are going to setup Samba. This isn’t something that’s going to benefit your internet users, but you’re going to love Samba for your network users. Meaning people inside your same small business network or home network. It’s basically File Shares for Linux.
It has very few limitations, and is really an all in one solution for your LAN. Once you go Samba you will never go back. Everything you do from a Samba share is streamed and or ran live, directly off the server, not downloaded to the user’s PC. So when you play music or movies from the Samba share, you don’t have to wait for them to download first, they play right off the server. Same with documents, they live on the server, and you work on them live, never downloading to your PC.
We need to disable one of Samba’s coolest features, the home shares. By default Samba shares every user’s home directory, with the correct permissions, so only that user can see his or her files over the network.
Home shares are awesome, they work perfectly with very little configuration. But we need to disable them because we have ftp enabled on everyone’s home directories. We are going to consider the data in people’s Samba shares to be confidential. So we do not want them accessible via ftp.
We are even going to use Samba to put a user’s “My Documents” folder on the server, so when they save to their My Documents folder on the windows PC, it actually saves to the server. There will surely be confidential data in there, so we don’t want FTP and Samba listening in the same folders.
FTP is not secure, and is provided for our external users. So we need to move our shares to a different directory, only accessible by our internal users. Plus once your internal users experience Samba’s awesomeness, they will never want to FTP again anyway.
It’s our fault for running both FTP and Samba on the same server. Realistically you would want two servers, one private, and one public. But this how-to assumes you have limited resources, and wish to run both FTP and Samba on the box.
So unfortunately, we will need to delete all the shares listed below.

And then we are going to setup the defaults for all new shares. That way when we create new ones, they already have most the right settings, kind of like a template.
Click on Unix Networking
*Reminder, much earlier in this how-to, I changed my IP address from 192.168.2.111 to 192.168.2.1, so when you see me refer to 192.168.2.1 I’m just talking about the local IP address of your Linux box.

Make the following changes

For the listen on address, use your local IP address.
Mine is 192.168.2.1, use the IP address of your Linux box
This is important later on in the how-to, when we add another network card.
Next click on Windows Networking

You should see something like this, make the following changes

Click Save
Next click on File Share Defaults

There are a few sub menus under File Share Defaults, if you get lost, just click File Share Defaults again from this main screen

The “Other Share Options” are the sub menus I was talking about, if you get lost, just click the File Share Defaults icon on the main menu again.
Click the Security and Access Control icon, and make the following changes

Under Host to allow, allow only 127.0.0.1 and your subnet
If you’re on a 192.168.2.xxx network, then use the settings above
If you’re on a 192.168.1.xxx network, use 192.168.1.0/24
If you’re on a 192.168.0.xxx network, use 192.168.0.0/24
If you’re on a 10.10.10.xxx network, use 10.10.10.0/24
Don’t be worried that we just set the default value to writeable. We are going to fix that later. All that will mean by the time we are done is that they are all writeable by their owner, and not really everyone, the way it appears now.
Setting up these defaults will save you a lot of steps, and pre-fill in some information for you when making new shares. So they come up as kind of like a template, where you just have to make a few changes, and it will make more sense.
After you click save, you should be returned to the sub-menu, where you can click on
File Permissions

Click on File Permissions
You should see something like this, make the following changes

There is a ton of good information right there, and I will explain what it all means as soon as we finish these sub menus.
Click save, and you should be returned to the sub menu
We don’t need to change anything under the File Naming icon, so we will skip to the
Miscellaneous Options icon.

Click on the Miscellaneous Options icon
You should see something like this, make the following changes.

This should return you to the sub menu, make the following changes

And then click save
This should finally return you to the main share menu

Now that we are back at the main share menu, and are done with the confusing sub menus, I wanted to take a moment to explain these settings. Knowing what they mean is pretty important…
Here is what 700 permissions mean, we will be using 700 the most, and now is a good time to talk about it.

It’s unlimited rights for the user. (wood)
In our setup the user is the owner of the file. The owner of the file is the person that uploaded it to the server. So when your users upload a file, they own it, because it’s theirs.
There are no rights for anyone else, to others it would appear as if the file isn’t there.
In the group field you see root, it’s just filling a blank space for us. You have to put something there, we aren’t using groups just yet, we will be covering that later. So putting root there just fills in the spot for us. All the rights are unchecked anyway, it’s just filling the field for us.
There is one exception, root doesn’t need rights. Root is too cool for that. Using the File Manager module, or being logged in as root, you can see and do anything you want. So as long as you’re logged in as root, or using the Webmin File Manager module, then these rules don’t apply to you. But try to forget that, it’s an exception to the rule. You should consider that 700 example above as only being accessible by user wood. And you’re the only one that can Webmin anyway. This isn’t any less secure, it’s just so you don’t lock yourself out.
So if user wood uploads a file, he is the user, he owns it, he can do whatever he wants to it. This is pretty standard, it’s his file, he can do what he wishes to it.
Here is where we forced that all to happen by default when we create a share

Any files uploaded to the shares will get the 700 permissions we talked about. Meaning only that user can see and use those files.
We don’t allow the following of shortcuts (symlinks)
And we allow deleting of read only files, because that user put that file there, they own it, they should be able to delete it if they want.
Most of the shares we are going to make will use this 700 setting.
We will be making a couple that use 755, that looks like this

Above you can see this folder would be usable by everyone, in a read only like mode. This is not the kind of permissions you would want on confidential files. They can download files, run files, view documents, they just can’t add files or delete files, because they can’t write. Only user wood can write, modify, and delete.
So this kind of access would be ideal for providing your users the ability to download files you put in there. But you don’t want them to delete anything, add anything, or change anything. At home this may be your media share, with your playlist, music, pictures, movies, etc. In a small business this might be where users could download installers, pdf’s, forms, and non-confidential data, etc.
These permissions only pertain to files uploaded via Samba. If you interact with these folders using the File Manager (or some other module other than Samba) they won’t get the permission we specified, as Samba wouldn’t even know it was put there.
If you accidentally mess up a file\folder permission, you can use the File Manager to fix it.
You just have to highlight the file or folder in question and hit the info button

Just be careful, you’re un-stoppable this way. You won’t be warned if you’re doing something wrong. Good rule of thumb is never do this to a file or folder that you didn’t create. That way you’re not messing with system folders ever.
We had to go through all of this with Samba because we disabled the home directory shares. So we caused the problem :- ) but it was necessary for our particular setup, because we have internet exposed home directories. If this were a server only running Samba, and we didn’t have so many different ways to access it, we could have avoided a lot of these lock downs.
Ok, back to work.
We are almost ready to start making shares, we just have to configure the server to automatically make a samba account every time you make a new user account.
Linux treats samba accounts and user accounts as two different accounts, so we need to tell it to stop doing that.
Scroll down on the main share page until you see
Configure Automatic Unix and Samba user synchronization

You should see something like this, make the following changes

This will only work on newly added users, and only if you keep using the Webmin module “User and Groups” to add them.

I say that because at the end of the how-to, I’m going to encourage you to learn the command-line way of doing everything. This would be the exception. For adding users and groups, keep using this module.
So all of the users we add from here on out will automatically get a samba account.
Which means we missed user wood
As he was created way back before we even installed Samba
This is really easy to fix, just launch the ssh2 module, and run the following command
smbpasswd -a wood

Remember to replace wood with the name you picked during install
And use the same password
This will create him a Samba account, and you will be all set
You should see something like this, you can now exit the SSH2 module

That should be the only time you need to do that, as now they are being created automatically every time you make a new account. (using the Webmin module)
You might be wondering… what about user jdoe and user testuser…
Those are internet users, they don’t apply here, you don’t need to add them.
We don’t want them to Samba, because they are examples of people who are not on your local network.
Let’s make (5) example users, these will be examples of people on your network, in the same house, building, or network as you.
Using the Users and Groups module, create the following (5) users

Username: roommate1 Password: roommate1
Username: roommate2 Password: roommate2
Username: roommate3 Password: roommate3
Username: roommate4 Password: roommate4
Username: public Password: public
When creating them, leave their home directories at the default setting, don’t specify a custom home directory for them.

I used roommate as an example, meaning that they are in the same building as you, meaning same internal network.
Continue on, and make all (5) accounts
You should see something like this, notice their home directories are in the default location.

Once you have all (5) accounts created, we are finally ready to start making some shares.
Open the File Manager Module, and navigate to /mymounts/vraid/users/
(Or /mymounts/d2p1/users/ depending on your setup)

Create a folder called nshares
To me this means internal shares
You should now have something like this
/mymounts/vraid/users/nshares
Your users folder now contains an xusers folder and a nshares folder
This folder structure reminds you that
It was mounted by you (mymounts)
It’s on a virtual raid (vraid)
It contains user data (data)
xhomes = exposed homes (exposed to the internet, and the web-server)
nshares = internal shares (internal to your network)
*Always remember your xhomes folder is exposed to the internet, because apache and FTP are listening in there, so triple check you’re not making any shares inside that folder, you want to be at least one directory higher, in the nshares directory.
Like this
/mymounts/vraid/users/nshares/ …
Not this !
/mymounts/vraid/users/xusers/nshares/ …
We won’t be using the File Manager to make any folders deeper than
/mymounts/vraid/users/nshares/
Because the File Manager won’t make the file permissions the way we want.
Here is how you can tell, click on the nshares folder once to highlight it, then press the info button

As you can see, these are not the ideal file permissions for our shares.
It is the ideal set of permissions for the nshares folder. But not for the shares inside it, the deeper sub-folders we are going to make inside of them need to be created by Samba. And these sub-folders will be the actual shares.
So once you have created the nshares folder, you can exit out of the File Manager, and return to the Samba Windows File Sharing Module

And click on Create a new file share
You should see something like this every time you create a new share

You were probably expecting that box to say 700
This screen is talking about creating the share. All that 700 template stuff we setup earlier was for the files that will be uploaded by your users, and eventually populate the share.
This screen is talking about something else, it’s talking about creating the share.
Let’s make the following changes, this will be the share for user roommate1

We are considering this a confidential share, as it will house roommate1 personal data.
That’s why we need to change the permissions to 700
You probably noticed the directory /mymounts/vraid/users/nshares/roommate1 doesn’t exist yet.
That’s perfect, that’s what we want. This way Samba creates that folder, with the permissions we filled in here.

You probably feel like you have entered this information twice. That’s not true. All that default share stuff we did pertains to the files roommate1 will later be uploading and using. This screen is setting up the correct permissions for his share.
For the directory put
/mymounts/vraid/users/nshares/roommate1
Click the Create button
You should be returned to the main screen, and see something like this.

Click on Create a new file share
And make all of the following shares

Notice that the fields all say roommate2
Click Create
Create another one

Notice that the fields all say roommate3
Click Create
Create another one

Notice that the fields all say roommate4
Click Create
Create another one

Notice that the fields all say wood
Click Create
Create another one

Notice this one is a little different, this one is using 755.
As you can probably tell, this one is going to be readable by all, but only writable by you (wood)
Click Create
Create another one

Notice this one is a little different. Set the owner to username nobody
That isn’t an example, really use the name nobody
And the permissions to 755
We are going to do something different with this one, make sure to type the word nobody in there, just as you see it.
This is going to be a publicly writable share, so your users can share files with each other.
Right now they probably email everything as an attachment, this will help cut that down a lot.
I will explain the username nobody later
Click create
You should be returned to the main sharing screen, and you should see all the shares you just made listed.

Because of all the defaults you setup, roommates 1 through 4 are done.
We have to make a small change to media, and a few changes to public.
Click on media, and make the following changes

At the media sub-menu, click on File Permissions

Make sure you’re at the sub-menu for the media share, and not in the defaults for all shares.
It should say Edit File Share at the top, and not File Share Defaults.
Then click on File Permissions and make the following changes.

Click save
You will have to click save at the next screen too.
Do these exact same steps for the public share too, and click save.
There are a couple more changes we need to make to the public share.
Click on public and make the following few changes
You will see a sub menu

Click on Security and Access Control
Make the following two changes

And click save
User nobody isn’t an example, really use the name nobody
You will be returned to the sub-menu, where you need to click save again

You will be returned to the main screen, scroll down to the very bottom and click
Restart Samba Server (If you’re using Ubuntu you may need to reboot, as Ubuntu uses a different command to restart services)

Now all (7) shares are setup and ready to use, you now have a fully functional file server.
You can connect to them from your Windows PC now by typing
\\your-linux-box-IP-address\
Mine is 192.168.2.1
So I would type \\192.168.2.1\
Do this in an explorer window, like the my computer window.

You can click go or hit the enter key on your keyboard
You should be prompted to login
Let’s use
username: roommate1
password: roommate1

If successful, you should see something like this

You’re logged in as username roommate1
So you should be able to do anything you want inside of the roommate1 folder
Here you are in the roommate1 folder, making a new folder

And you should be able to do anything inside of the public folder

If you double-click on any of the other roommates’ folders, you should get an error, and not be allowed in. This is what we want. Those are their confidential folders, not yours.

You should also be able to see inside the media folder, there isn’t anything there yet, but you should be able to double-click it.
You shouldn’t be able to add or delete anything.
Only user wood can do that.

Once user wood uploads some files into there, your users should be able to access them, but not change or delete them.
That user nobody stuff we did is pretty cool.
It’s going to force all users as a “guest user” anytime you enter that folder.
That’s the magic behind everyone being able to edit that folder, even though it’s got 755 permissions. Because it thinks anyone inside that folder is user nobody, and user nobody is the owner.
The username public might never be used, but is needed because we require an account from anyone wanting to access a share. This would be one you could give to someone wanting temporary access to your shares.
It would be for someone on your network who doesn’t have an account.
You could tell them “just login as username public password public”
And they would be able to access the media and public shares, but none of the confidential roommate’s shares.
This is extremely helpful at home, when you have LAN parties. Someone always has a patch or a cd key they need to share, you can tell all of them to use username public, and they can put the needed files up in the public folder for everyone to access.
Or in a small business, you might have a vendor stop by to show off a product, and they need share access. Just tell them to use username public password public, and they are in, with no work for you to do, and they can’t get to anything confidential.
It’s just a complete solution, once you have it you won’t be able to live without it.
You can combine these shares with this awesome backup utility. Cobian backup
It’s free, and amazing. You will throw away your paid backup software and use this one, it’s the best.
http://cobiansoft.com/cobianbackup.htm
Just install this on your user’s windows computers, and tell the backup destination to be the share on the server, and you’re done. It’s beautiful.
File permissions vs. share permissions, and why to do it the hard way.
There are both File Permissions, and Share Permissions at work whenever you attach to a share. File Permissions are the grand daddy of them all, if the File Permissions don’t allow it, it’s not going to happen, no matter what you tell the Share Permissions to do.
On the flip side, you could loosen up the File Permissions, (something greater than 700) and control access over the Share Permissions. There is a great amount of flexibility here, it’s always tempting, you can pretty much achieve anything this way, but let’s talk about why you shouldn’t use them.
As seen in the screen below, there are some very tempting choices

You probably see a ton of flexibility there. But the reason I don’t use this is because these share permissions only apply to Samba access, and in this how-to our Linux box has several different access methods. If someone logs in a different way, via FTP or SSH, they can explore all files and folders that are set to 755, completely ignoring the Samba rules \ checkboxes above. We are of course going to tighten this up later, but you see the point. Limiting users this way is only respected by Samba, and not any of the other modules. Whereas limiting access by Linux Filesystem Permissions keeps everybody out, no matter what access method they try.
That’s why I always try to make the Share Permissions match the File Permissions, because I’m telling myself this is the maximum access anyone could have, no matter what method they use to access it. And always keep confidential directories 700 or below. This won’t always be possible for all of your Samba needs, you may need more flexibility than this, but it’s still another good rule of thumb.
It’s more work, and slightly less flexible, but it’s better to make a mistake and not let the right user in, than to make a mistake and let the wrong user in.
I always consider permissions on the bottom row to be public. That’s horribly inaccurate, especially on a private LAN… but it’s a good rule of thumb.

Other is basically everyone, not requiring an account on the server to access the file.
We used it on a couple of our public shares, just give that bottom row a lot of thought, make sure you really need it.
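To check that rule on a real box, here is an added example in Python (not part of the original how-to) that walks the share folders and reports symlinks and anything carrying more rights than the share is supposed to have, since those bits are exactly what an FTP or SSH login gets too. The expected-mode table and the file names in the demo tree are constructed for illustration; the share names are the ones used above.

```python
import os
import stat
import tempfile


def audit_share_tree(nshares_root, expected_modes):
    """Report symlinks and any entry whose mode grants bits beyond the share's expected mode."""
    findings = []

    def check(path, allowed):
        st = os.lstat(path)  # lstat: inspect the link itself, never its target
        rel = os.path.relpath(path, nshares_root)
        mode = stat.S_IMODE(st.st_mode) & 0o777
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, "symlink", os.readlink(path)))
        elif mode & ~allowed:
            findings.append((rel, "too-open", oct(mode)))

    for share, allowed in expected_modes.items():
        top = os.path.join(nshares_root, share)
        if not os.path.isdir(top):
            findings.append((share, "missing", ""))
            continue
        for dirpath, dirnames, filenames in os.walk(top):
            check(dirpath, allowed)
            for name in sorted(filenames):
                check(os.path.join(dirpath, name), allowed)
            for name in sorted(dirnames):
                full = os.path.join(dirpath, name)
                if os.path.islink(full):  # os.walk will not descend into it
                    check(full, allowed)
    return findings


def build_demo_tree(root):
    """Constructed sample tree: share names from the how-to, file names made up."""
    for name, mode in (("roommate1", 0o700), ("roommate2", 0o755), ("media", 0o755)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)  # roommate2 at 755 is the mistake
    files = (
        ("roommate1/notes.txt", 0o700),  # what the 700 share default produces
        ("roommate1/taxes.pdf", 0o644),  # placed outside Samba, so no 700 mask
        ("media/song.mp3", 0o755),
    )
    for rel, mode in files:
        path = os.path.join(root, rel)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(path, mode)
    # A shortcut out of a public share into a confidential one.
    os.symlink("../roommate1", os.path.join(root, "media", "peek"))


def demo():
    """Build the constructed tree in a temp directory and audit it."""
    expected = {"roommate1": 0o700, "roommate2": 0o700, "media": 0o755}
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return audit_share_tree(root, expected)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the server you would call audit_share_tree with your real nshares path and the modes you chose for each share.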
If you don’t want the Printers and Faxes folder to show up

Add these three entries to the Samba configuration file /etc/samba/smb.conf
# In the section that talks about printer
load printers = no
disable spoolss = yes
show add printer wizard = no
# These have to be in the printers section
You can do that with either the File Manager or the Edit Config button on the Samba screen below.

Click on Edit Config File
You should see something like this.

Scroll down to the printer’s area, and add these three lines
load printers = no
disable spoolss = yes
show add printer wizard = no
You should have something like this

And while you’re in there, scroll up and find the line that says include =
And comment it out with a #

Webmin doesn’t seem to like that include statement in there, so just comment it out if it’s there.
(it probably won’t be there, but look just in case)
Click Save.
Then just restart the Samba service, or restart the server and you should be good to go.
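Since the Samba config file is open anyway, here is an added example in Python (not from the original how-to or from Webmin) that reads smb.conf text and checks the rules set up through the Webmin screens: no home shares, no share path inside the exposed folder, hosts allow limited to 127.0.0.1 and your subnet, a 700 mask on confidential shares, and no following of symlinks. The sample config, the xhomes path used as the exposed folder and the list of confidential shares are assumptions; pass in your own.

```python
import ipaddress
from pathlib import PurePosixPath

# Constructed smb.conf text; entries marked BAD are deliberate mistakes.
SAMPLE_SMB_CONF = """\
[global]
   hosts allow = 127.0.0.1 192.168.2.0/24
   create mask = 0700
   follow symlinks = no

[roommate1]
   path = /mymounts/vraid/users/nshares/roommate1

[media]
   path = /mymounts/vraid/users/nshares/media
   create mode = 755

; BAD: share created inside the FTP/Apache-exposed tree
[roommate2]
   path = /mymounts/vraid/users/xhomes/nshares/roommate2

# BAD: mask opened up and access widened beyond the LAN
[roommate3]
   path = /mymounts/vraid/users/nshares/roommate3
   create mask = 0755
   hosts allow = 127.0.0.1 192.168.2.0/24 0.0.0.0/0
"""

# Samba accepts these alternate spellings for the same parameters.
SYNONYMS = {"create mode": "create mask", "allow hosts": "hosts allow"}
# Samba's built-in values when a parameter is set nowhere.
DEFAULTS = {"hosts allow": "", "create mask": "0744", "follow symlinks": "yes"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased, normalised names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections


def effective(conf, share, param):
    """Share value, else the [global] default, else Samba's built-in default."""
    return conf[share].get(param, conf.get("global", {}).get(param, DEFAULTS[param]))


def outside_lan(hosts_allow, lan):
    """Entries that are not provably loopback or inside the LAN subnet."""
    bad = []
    for entry in hosts_allow.replace(",", " ").split():
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)  # hostname or prefix form: review by hand
            continue
        inside = net.version == lan.version and net.subnet_of(lan)
        if not (net.is_loopback or inside):
            bad.append(entry)
    return bad


def audit(conf_text, lan_cidr, exposed_roots, confidential):
    """Return (share, finding, detail) tuples for settings that break the how-to's rules."""
    conf, lan, findings = parse_smb_conf(conf_text), ipaddress.ip_network(lan_cidr), []
    for share, params in conf.items():
        if share in ("global", "printers", "print$"):
            continue
        if share == "homes":  # the how-to removes the home-directory shares
            findings.append((share, "home-shares-enabled", ""))
            continue
        path = PurePosixPath(params.get("path", ""))
        for root in map(PurePosixPath, exposed_roots):
            if path == root or root in path.parents:  # lexical check only
                findings.append((share, "path-exposed", str(path)))
        allow = effective(conf, share, "hosts allow")
        if not allow:
            findings.append((share, "hosts-allow-unset", ""))
        findings += [(share, "hosts-allow-not-lan", e) for e in outside_lan(allow, lan)]
        mask = int(effective(conf, share, "create mask"), 8)
        if share in confidential and mask & 0o077:
            findings.append((share, "mask-too-open", oct(mask)))
        if effective(conf, share, "follow symlinks").lower() not in ("no", "false", "0"):
            findings.append((share, "symlinks-followed", ""))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_SMB_CONF, "192.168.2.0/24", ["/mymounts/vraid/users/xhomes"],
                {"roommate1", "roommate2", "roommate3"}))
```

To run it against the real file, pass open("/etc/samba/smb.conf").read() as the first argument, along with your own subnet and share names.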
Sometimes the computer will prepend a domain name to your login, if you’re having that problem, 127.0.0.1\username or ./username as your username should fix that. Also make sure all your Windows computers are in the same workgroup of “DIY.LAN” or whatever you used on page one during the samba install.
Username 127.0.0.1\roommate1
Example:

Samba is cross-platform: Mac, Unix, Windows. Windows boxes use \\ip-address and/or \\server-name
GUI Linux clients and Macintosh use smb://ip-address and/or smb://server-name

In Ubuntu, that’s under Go \ Location
Then just hit enter, and you should see a list of shares, Just as you did in Windows.

You want your Workgroup to match on all your computers if possible. On your Windows computers, you can change the workgroup in the same screen where you change the computer name. Just right-click on the “My Computer” icon, and select properties.
In the advanced tab, computer name, you can change the Workgroup to “DIY.LAN”

Say OK, and reboot.
At this point SAMBA should be totally working, looking and behaving how you want it to.
============================= Troubleshooting ===========================
If you can access your Samba shares via the IP address, but not via the computer name, check these.
I will move fast through this because these settings are not the defaults, if you have these settings in place then you already know what I’m talking about.
Make sure you’re getting your DNS info from your local DHCP server.


Or better yet

If you have given your Linux box a static IP address. Edit the file /etc/hosts and replace the line that reads 127.0.1.1 with your new static IP address.
Should look something like this.

Your /etc/resolv.conf should look something like this

Also, reboot a few times, and make sure /etc/resolv.conf isn’t being changed by your dhcp client.
And double-check your computer name is right in /etc/hostname

And reboot
I’m purposely going to keep moving fast through these next parts, using red font, because I don’t recommend you do it unless you have a real need for browsing by name, and aren’t planning on setting up a local DNS server. This is a manual band aid for not having a local DNS server, which is the real fix to all of this, and is covered later in the advanced section.
First, on your Windows computer, edit the file c:\windows\system32\drivers\etc\hosts
And add the IP address and name of your Linux box (there are examples in that file that make it easy to understand)
Second, on your Windows computers, if you’re using static IP addresses, you’re probably not getting the right DNS suffix for your local network. If you right-click on your network card, and choose properties. Then double-click on TCP\IP
(TCP\IP version 4 if you have two choices)
Then click on advanced, and click on the DNS tab at the top. Add the suffix diy.lan (or whatever you picked on page 1) to the field that says “DNS suffix for this connection”
Apply and reboot, and now your windows machines will add .diy.lan to the end of everything you’re searching for, which should fix any name resolution problems you may be having.
This is a manual band aid for not having a local DNS server and DHCP feeding the machines information about your local network. I don’t recommend doing it because it’s really easy to forget those settings are there, and they will cause major headaches if you change your network setup and forget that it’s still hard coded at each machine.
Third, sometimes the following two settings can interfere with name browsing.
If you open up Webmin and navigate to the Samba Windows File Sharing module, and click on Unix Networking.
Setting the top one back to “Automatic” and the listen on address back to “All” can sometimes help. Just a warning though, these settings are needed later if you know you’re going to continue onto the advanced section where we add another network card and turn it into a router \ DDNS server. So you really shouldn’t change it if you’re going onto the advanced section.
The fourth fix is pretty extreme. If you open up Webmin and navigate to the Samba Windows File Sharing module, and click on Windows Networking. You should see a field that says “Remote announce to” Just click the button that says “from list” and enter an IP address on the left. And your workgroup name on the right (DIY.LAN)
You can play around with what IP address works best for you. You can put the IP address of your router, so the Samba server announces its name to the router. Most routers will block directed broadcasts like this, so you will have to play around with it. You can put the IP address of certain computers you want the Samba server to announce its name to. You can announce it to all your machines by using 192.168.2.255 on the left and your workgroup name on the right. This is noisy and not recommended.
This ends the non-recommended troubleshooting part. It’s my opinion that these settings should not be used. Remote announce to: is very noisy on your network, and static DNS entries are way too easy to forget they are there. But if you have a browsing by computer name need, a combination of those should fix it.
============================= End Troubleshooting ===========================
Next we are going to setup Samba groups. On a small home network you probably won’t need this. But as your network grows, or if you’re setting up a small business network, this will become a must have.
Extremely similar to what we did earlier, when we told Samba and Webmin anytime a user account is made, also make a matching Samba account. We need to tell Samba anytime a group is made, also make a matching Samba group. This isn’t the law, but if you’re following my how-to exactly, we are requiring every user to have a system account, and a Samba account, and are matching filesystem permissions to share permissions. So for this to work right we have to have matching users and groups in both. But after a few clicks that will all be transparent anyway, and the system will automatically take care of all that for us.
Navigate to the Samba Windows File Sharing module, and scroll down towards the bottom and click on the
Configure automatic Unix and Samba group synchronization icon

You should see something like this, make the following changes and click apply

Just a reminder, you have to forever use the Webmin module for creating new users and groups, or this function won’t happen.
Next navigate to the Users and Groups module, and click on Local Groups.

And then click on Create a new group

You should see something like this, make the following changes.

Click Create
Now you have a group called mygroup1 that is both a Linux group and a Samba group
With the following members: roommates 1, 2, 3, and 4, and yourself (wood)
Next navigate to the Samba module, and click on Create a new file share

You should see something like this, make the following changes.

Notice the share is called pub4roomies
Which to me means a public share, but only the roommates can access it (and you), everyone in the group mygroup1
Notice the Create with permissions are 770
That’s unlimited for the owner, unlimited for the group, and zero for anyone else.
Make sure the owner is you, and the group is mygroup1, and click Create.
You should have been returned to the main Samba screen, but there are a few more changes we still need to make.
Click on the pub4roomies share

You should see something like this
Click on File Permissions

You should see something like this, make the following changes.

You will have to click save at this screen, and the next one.
You’re almost done, we just have to make one small change to the permissions of the pub4roomies folder.
Using the Webmin File Manager module, navigate to the pub4roomies folder, click on it, then click Info.

Click the Files inherit group checkbox, and then click save
You could also optionally click the only owners can delete files checkbox, if you didn’t want the roommates deleting each other’s stuff.
But this is a public share for them, so I wouldn’t recommend checking that box, unless you have one jerk roommate :- )

That’s it, just navigate back to the Samba module and restart Samba.
Now any member of the mygroup1 group can access the pub4roomies share with full rights.
Newly uploaded files will get the uploading roommate as the owner, and mygroup1 as the group, and be fully accessible by all of that group’s members.
That’s pretty much it for Samba, there is just a little preventive stuff we should do.
* This how-to is try at your own risk, with absolutely no warranty, no promises, and no guarantees. I cannot be held accountable for claims, statements, or damages of any kind. This how-to is for personal use only, and I reserve all rights.