


Page 4 of 5:



Let's set up quotas for these new users

Set up the restricted password change module

Show users how to map their My Documents folder to the server.



We should set up quotas for the following users










I left wood out, because wood is you



You will need some big quotas here, your users will get a lot of use out of these Samba shares.




Similar to what you did earlier

Set them up with a quota



We also need to be concerned about the OS drive.

Because we set some of these users up in the /home directory as well as the /mymounts directory.

We need to limit what they can put in /home

That's on the OS drive, known as mount point " / "

Let's just set them a ridiculously small quota, like 1MB, so they aren't storing data on the OS drive.


Quota isn't enabled yet on the OS drive, so we need to enable it.

We just need to make a simple change to the Disk and Network Filesystem Module.



Navigate to the Disk and Network Filesystem Module.


And click on   /     


*sometimes listed as     / (root filesystem)






You should see something like this






Change that from        No       to     User only



And click save



Now the next time you navigate to the Quotas Module, the OS disk   /   

Should now be there






Click on     Enable Quotas



Your computer will freak-out for a couple minutes while the Quota is checking the OS. Give it time, it will eventually finish.


Once it finishes, click on   /






And limit these users to 1MB










*If you don't see a name you're looking for, you can click the "Edit Quota For" and browse for it.




Now let's give them Usermin access, but restrict it to only password changes and Quota view.



Navigate to the Usermin Configuration Module.









And click on Module Restrictions


Then click    Add a new user or group restriction  



You should see something like this, make the following changes




Do these same steps for








You don't have to worry about users public or nobody


After you have added those other four users, we need to allow them Usermin access.


Click on the    Allowed Users and Groups    icon




You should see something like this, start adding the users




Add the following users









Click Save



Click Restart Usermin





Now your Samba users, from inside your network, should be able to change their own passwords and view their Quota, without seeing the File Manager like your internet users have.


To access Usermin, it's   http://your-ip-address:20000


My ip is



So I would type



Login as username    roommate1






And you should see something like this






As you can see, they only have two choices instead of four, because we don't want them to have the File Manager or the Upload and Download modules.



This is a really convenient way for your users to change their own password





That's it for the locked down Usermin config, now you can show your users how to map their My Documents folder to the server

(if you want)


That way when they save files to their My Documents folder on their PCs and laptops, they are actually saving them to their server share.


First have them login to their share, and make a folder per computer. Something like

my_dell_laptop  and my_gateway_pc






Assuming this is roommate1 you're working on, and assuming he has a Gateway Desktop PC and a Dell Laptop


And assuming you're sitting in front of the laptop right now.



Just right-click on his My Documents folder, and choose Properties




And change the Target path from whatever it says to


Now everything roommate1 saves to his My Documents folder, will actually be on the server.


And now from his Gateway desktop, if he goes to \\\    and logs in



He can get to his laptop files from his desktop


And vice versa, once both are setup this way


Just make sure to move the current data out of the My Documents first, and paste it back in after the target has been changed. If you change the target while their data is still in there, it will appear to the user like all the data is gone, because the My Documents folder isn't looking at their c:\Documents and Settings\user profile anymore.



For users doing the My Documents thing... you will probably want to set them up to pass through authenticate. Meaning you will want them logging into windows with the same username and password as their share. In this example, you would set the roommate1's computer to login to windows as username roommate1.



That will allow him to pass-through his windows login credentials to the shares.



If this isn't possible, then you will probably want to map a network drive, to a drive letter, and then move the My Documents target to that drive letter.


Either way works fine, the pass-through authentication is best.


That's about it for Samba, it would have been better to set it up on a separate computer. A computer without internet access even.


In the more advanced parts of this how-to, we are going to setup a VMware Server, which can run multiple virtual machines off this one machine, all managed over a webpage. This can also be a helpful way to separate Samba from FTP into two machines, just have them running on different virtual machines.


There are countless ways to do it, depending on your security philosophies.


Anyway, back to work


Next we are going to connect to a file share running on a Windows machine. Let's say the IP address of the Windows machine is and it's allowing Admin$ shares on C.

We will mount this on our Linux box as folder /mymounts/samba2dot6


This folder naming to me means


I mounted it  (hence the folder mymounts)

And that it's a samba connection to machine


In this example, the entire contents of hard drive will be accessible and useable from your Linux box.


Navigate to the Disk and Network File systems and click on Mount type    smbfs





I have had many users say that option isn't there. If it isn't there, the following three steps should make it show up.


First, make sure you didn't miss the page that talked about apt-get install smbfs


*This how-to isn't written to be able to skip pages



Second, upgrade Webmin to the latest version


Navigate to the Webmin Configuration module, and click on     Upgrade Webmin







You should see something like this




Choose     Latest Version from


And then click    Upgrade Webmin


If successful you should see something like this





Third, click on      Refresh Modules


*Note, remember you can also upgrade Usermin the same way



After the refresh is finished you should have smbfs as a mount type in the Disk and Network Filesystems Module






Add the mount type  smbfs, and you should see something like this






Give some thought to mounting it at boot or not. If is on all the time, this shouldn't be a problem. But for the most part, you wouldn't want to choose to mount it at boot time.


Also give some thought to the account you use. Because that password will be saved in the file /etc/fstab


This isn't a security risk at all, nobody should have that kind of access to your machine to be able to read that file. Linux is already set up to not allow that. But without local file encryption, and a couple security guards, there is always a chance it can happen.

(like if the computer was stolen, or booted off a live cd)


We talk about file system encryption later in the how-to. But giving a lot of thought to the passwords you put in that file is important too.


As you can see, I'm accessing computer admin share on c$


Which should mean you have to provide an admin level password of that machine to access that share. But a workaround is that Windows Backup Operators can also access admin shares. So if you make an account on the Windows PC you're wanting to connect to, and you made that account a Backup Operator, and not an admin, it would still work.


Or even better, create an actual share that a user level account can access, instead of using the admin share C$. I'm just lazy and use the admin shares, as a Backup Operator, so I can access the entire drive without giving up the admin password.


But putting a less important password in the box is smart any way you look at it.
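
An added example, not part of the original how-to: a small shell audit that flags smbfs/cifs entries whose password sits inline in an fstab-style file, and checks that a credentials file is readable only by its owner. The 192.0.2.x addresses, the backupop account, the samba2dot7 mount and the /root/.smbcred path are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original how-to): find SMB mounts whose password
# is stored inline in an fstab-style file, and check a credentials file's mode.

# Classify every smbfs/cifs entry in the fstab-style file given as $1.
# Output: "<mount point><TAB><finding>" per entry.
audit_fstab() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and malformed lines
        $3 == "smbfs" || $3 == "cifs" {
            inline = 0; cred = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^(password|pass)=/)    inline = 1
                if (opt[i] ~ /^(credentials|cred)=/) cred = 1
            }
            if (inline)    print $2 "\tINLINE_PASSWORD"
            else if (cred) print $2 "\tCREDENTIALS_FILE"
            else           print $2 "\tNO_STORED_PASSWORD"
        }
    ' "$1"
}

# Succeed only if the file named in $1 grants nothing to group or other
# (for example mode 600), judged from the permission string ls prints.
is_private() {
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Constructed sample data: documentation-range IPs and a dummy password.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# <device>       <mount point>         <type> <options>                                 <dump> <pass>
/dev/sda1        /                     ext3   defaults,usrquota                         0 1
//192.0.2.6/c$   /mymounts/samba2dot6  smbfs  username=backupop,password=EXAMPLE,noauto 0 0
//192.0.2.7/docs /mymounts/samba2dot7  cifs   credentials=/root/.smbcred,noauto         0 0
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_sample_fstab "$tmp/fstab"
    audit_fstab "$tmp/fstab"
    # A credentials file holds "username=" and "password=" lines; keep it 600.
    printf 'username=backupop\npassword=EXAMPLE\n' > "$tmp/smbcred"
    chmod 644 "$tmp/smbcred"
    is_private "$tmp/smbcred" || echo "$tmp/smbcred: readable by group/other"
    chmod 600 "$tmp/smbcred"
    is_private "$tmp/smbcred" && echo "$tmp/smbcred: private"
    rm -rf "$tmp"
}
demo
```

Run audit_fstab /etc/fstab on the server to see which of your own mounts carry an inline password.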


After you create the mount, you can view the Windows PC files on your Linux box by navigating to the folder





Next we are going to create some scheduled backup schemes.


Using the File Manager, create a folder called





We are going to create one schedule for Operating System related stuff, and another for our data. For the Operating System scheduled backup, we are going to use the Backup Configuration Modules module.


Navigate to the Backup Configuration Modules module, and click on scheduled backups.




And then click on  "Add a new scheduled backup"



Notice there is also a Restore Now tab at the top. In the event something goes horribly wrong, or you're setting up a new system, you can restore them using these backups and the restore now tab.


Click on Add a new scheduled backup, you should see something like this





Notice how you are able to click on multiple choices in the modules to backup box. You can do this by holding down the control key (Ctrl) on your keyboard, while clicking on the choices.

Click on all the modules you would like to be part of this scheduled backup. Select as many as you want.



Notice I selected backup destination         local file




That's   bcf.tar

That means to me, Backup Configuration Files


And it's important we put it on disk2 (/mymounts/vraid/)

That way if disk 1 goes bad, we have a backup on disk 2


Check all three boxes under       Include in backup

And list system files you want a backup of, that didn't have a module associated with it.


Operating System stuff only ( / ), don't include anything from the second hard-drive

(The data drive /mymounts/vraid/)


We will make a different kind of backup scheme for that data, using a different module.


Put your local email address, username-created-on- page 18   @localhost

So mine is wood@localhost


If you select         Simple schedule

You don't have to use the minutes\hours\days schedule below


Click the   Save   button, and it will schedule the backup job, every month, on the 1st.

Or better yet, click    Save and Backup now    so you can make sure it works.



It will overwrite that file every month, which is probably what you want. But if you'd rather keep every backup job it makes, you can change the filename from








This will add the current date to the filename, which will be different every month, and so it won't overwrite your backups.



That's pretty much it, you can import these backups as a restore, and be back up and running in minutes instead of days.



The backups will be compressed into a single file using the TAR format, you can extract them and see them using

the File Manager module.


Just navigate to where the backup jobs are, and you should see a .tar file.


Extracting can be messy if you don't contain it to a folder. So create a new folder called






And copy the .tar file in there.





Then highlight it, and click extract


Say yes if prompted


Once they extract, you will see all the configuration files you selected to be backed up were indeed backed up.



The folder structure will be a little confusing at first. If you told it to back up /etc/vsftpd.conf, it will copy the folder structure.


You won't just see the file vsftpd.conf


You will see the folder etc, and the file vsftpd.conf inside of it.



That's about it, if you ever need to restore the file or refer to it, you can find them here.


And you should have a local email, telling you all about it.



Now we will setup a scheduled backup for the data drive. That uses a different module called Filesystem Backup.


Navigate to the Filesystem Backup Module





Select     in TAR format


And browse to user jdoe's home directory

Then click the      Add a new backup of directory      button



You should see something like this





Expand the two green arrows so you can see everything, and make the following changes





The   Backup to field reads         /options/%m_%d_%Y_jdoe.tar




Keep the backup label name short and sweet, they don't allow it to be very long.



You only need to change the Minutes, Hours, and Days. That's because we want it to run every month, so we don't want to specify a month, or it will only run on that particular month.




This particular schedule says at 23:01  (11:01pm)

On the second day of every month, run the backup.


I did the second day, because we already have Operating System backups scheduled on the first. You don't want to schedule them at the same time, that is too much work for the server to handle, so I did the second of every month.


Careful to not select more than one number, like this



Because it will let you, if you're not careful. Holding down the Control key on your keyboard will help you deselect them if this happens.



That's about it, except the backup directory (/options) I selected would be a horrible place for your backups.




You would want to install a third or fourth disk for these backup jobs, or maybe even a large USB drive. Or even better, take advantage of that SSH button, and do offsite backups. Meaning the backups exist on a different computer. A separate Linux box somewhere.


Earlier we talked about having a second computer setup only with Samba and SSH. You could use that SSH option to send the backups to that computer. This is the best form of backups, as it gets the files off the computer, and in a second location. Just in case that computer catches fire or is stolen or something.


This second computer doesn't even have to be on your same network, it can be on the internet somewhere, and SSH will encrypt the transfer and the passwords for you.


Click the Create Button and it should return you to the main screen.



If you get an error like this one below




Then just click on the Module Config link at the top of the page



You should see something like this





And change the following two options to yes.


Then click save.



You should be returned to the main page



Notice the TAR option is gone, because we set it as the default. Also that red error message should be gone as well.






Let's make another backup, they get easier after the first one, because instead of choosing a specific time, you can tell it to start after the one before it finishes.




Select the home directory for user    testuser

Notice there is now an         Enable after          option




So instead of picking times, and guessing when you think they will be done by, just tell it to start the next job after the previous one finishes.


You can keep building on this, have the third job start after the second job finishes, and the fourth job after the third finishes, and so on and so on. Don't forget about your samba users (nshares folder)


As your list starts to grow, you can see the schedule on the right







Here we can see that second job starts after the first one finishes.





That's pretty much it for the backups, just set it and forget it. And you should get local emails with the statuses.


Just remember /options/ is a horrible place, I just used that as an example. Get some more hard drives, or an external drive, or better yet use SSH to another computer.



You can also export your users and their passwords to a file, this is really useful if you're planning on upgrading to a new server, but don't want to have to reset all your users' passwords.


Navigate to the Users and Groups module



Take note of the User ID numbers you're interested in


(They will usually be over 1,000)


And then click on       Export to batch file






You should see something like this


Make the following changes, tweak your UIDs range






Click Export now



If successful, you should see something like this






And be a nice admin, and consider that file extremely confidential.


Now you can build a new server, import those accounts using the run batch file button under the users and groups module, and your users will never know anything has changed.

See why you should change your password more often :- )

That's pretty much all there is to it



Next we will talk about disk maintenance and troubleshooting. Every so often you should run fsck (File System Check) on your hard drives, it's a lot like scandisk. There are a few things you need to know before running this. The hard drive can't be mounted, it first needs to be un-mounted. Some Google searches will tell you the options to force it to check mounted drives, don't ever do that. Never scan a drive that is mounted. It only takes a second to un-mount it, take the time to do that, it's well worth it.


You can't really scandisk your OS drive, because you're not able to un-mount it. Some Google searches will tell you how to use Single-User-Mode to do it, which is similar to a Windows Safe-Mode, don't ever do that either. It's do-able, but not worth the repercussions of typing something wrong. If you want to scan your OS drive, you should boot off a Linux Live CD, and run the commands below. Being booted off the Live CD will ensure the drive is not in use. It's worth the extra effort.


Your data drives are a lot easier to scan, because you can easily un-mount them


Let's say you want to run a quick scan on the hard drive /dev/sdb1


You would launch a Putty or SSH2 module session, and type


umount /dev/sdb1

That will un-mount the partition


Then type


fsck.ext3 -y /dev/sdb1


This command assumes you're checking a drive formatted as EXT3. If you have been following this how-to, your drives are ext3. Running this on a non EXT3 formatted drive will cause major problems, and you won't get the warning, because the -y will answer yes to any prompts.


This will run a quick scan on the hard drive, and the -y tells it to answer yes to any questions.
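
The two warnings above (never check a mounted drive, never run fsck.ext3 on a non-ext3 drive) can be enforced before fsck runs. This is an added example, not from the original how-to; the function names and the sample mount table are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original how-to): pre-flight checks before fsck.
# fsck.ext3 -y answers yes to every prompt, so the checks happen before it runs.

# is_mounted DEVICE [MOUNTS_FILE]: succeed if DEVICE is listed as mounted.
# MOUNTS_FILE defaults to /proc/mounts; it is a parameter so it can be tested.
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# fs_type DEVICE: print the filesystem type blkid detects (empty if unknown).
fs_type() {
    blkid -o value -s TYPE "$1" 2>/dev/null
}

# fsck_decision DEVICE MOUNTS_FILE DETECTED_TYPE
# Prints the command that is safe to run, or the reason for refusing.
fsck_decision() {
    if is_mounted "$1" "$2"; then
        echo "REFUSE: $1 is mounted, run: umount $1"
        return 1
    fi
    if [ "$3" != "ext3" ]; then
        echo "REFUSE: $1 is '${3:-unknown}', not ext3"
        return 1
    fi
    echo "OK: fsck.ext3 -y $1"
}

# safe_fsck DEVICE: the real thing; only reaches fsck when both checks pass.
safe_fsck() {
    fsck_decision "$1" /proc/mounts "$(fs_type "$1")" || return 1
    fsck.ext3 -y "$1"
}

# Constructed sample in /proc/mounts format (device, mount point, type, ...).
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext3 rw,usrquota 0 0
/dev/sdb1 /mymounts/vraid ext3 rw,usrquota 0 0
EOF
}

demo() {
    m=$(mktemp) || return 1
    write_sample_mounts "$m"
    fsck_decision /dev/sdb1 "$m" ext3 || true   # still mounted
    fsck_decision /dev/sdc1 "$m" vfat || true   # wrong filesystem type
    fsck_decision /dev/sdc1 "$m" ext3           # unmounted ext3: allowed
    rm -f "$m"
}
demo
```

The demo only prints decisions against the sample table; safe_fsck is the function that would actually call fsck.ext3, and it must be run as root.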


If you wanted to do a more in-depth scan, you could run

fsck.ext3 -c -p -v -f /dev/sdb1


The -c tells it to look for bad blocks on the hard drive, this scan will take a very very long time.


And if you wanted to take it even further, maybe you have a drive you're having problems with, you could run the following command


fsck.ext3 -c -c -p -v -f /dev/sdb1


Specifying -c -c  twice like that, will do a read and then write test to every spot on the partition.


It claims to be non-destructive. I'm not sure I would feel comfortable doing this command on a drive that I didn't have a backup of. I've personally never done it on a drive that had data on it that I cared about. I'm sure it's safe, Linux is amazing, it's just the "write" part of that scares me. Do yourself a favor and make a backup first.


Options -c and -c -c will note any bad blocks that are found, and mark them as not useable. At this point the disk is "fixed"; a couple of bad blocks are bound to happen. But if you have this problem more than once on the same disk, I would consider replacing it, and making sure your backups are up to date for that drive.


If you already have a backup, and you really want to try reviving the disk, you can do the following. Note these are destructive, and your data will for sure be gone.


Type the following commands (this series of commands will take many days to complete)

Do yourself a favor and just buy another hard-drive :- )



fdisk /dev/sdb








dd if=/dev/zero of=/dev/sdb



fdisk /dev/sdb













mkfs.ext3 /dev/sdb1



fsck.ext3 -c -c -y /dev/sdb1


You just used fdisk to delete the partition. Then you used dd to zero out the drive. Then you used fdisk to create a new partition. Then you used mkfs to format it with the EXT3 file system. Then you checked the file system both read and write using fsck.


That's extremely thorough, and will take many days to complete those steps. You may even want to hookup a keyboard and monitor, because it will take so long, you will probably be tempted to close your Putty or SSH2 connection. This would make it hard to watch the progress. This is pretty extreme, with today's prices and warranties, you may want to consider replacing the drive when fsck finds problems more than once.


You can then use the Disk and Network Filesystem Module to remount the drive. And that's about it for disk maintenance.



Next we are going to setup the Firewall, using IPTables. This is optional at this point because you're behind the firewall of your router. So this would, at this point, just be a firewall inside your LAN. But in some cases, especially small business networks, not everyone on your internal network is trusted. So if you don't completely trust all the traffic inside your network, then you would want to setup the firewall.



Navigate to the Linux Firewall Module






Choose block all except SSH and IDENT on external interface eth0





Do not click the Enable firewall at boot time option. We eventually will enable that, but not yet. Since we are doing this remotely, we need a way to un-do it if we mess something up, so for now, don't start it at boot time.


Then click the       Setup Firewall      button


You should see something like this, stay away from that Apply button for awhile, if you click it now you will lock yourself out of Webmin



If you lock yourself out, rebooting will let you back in


We can get away with this only because we are not setting the firewall to start at boot time (yet)

Also stay away from that Apply button for now.


Next delete the following conditions by putting a check box next to them, and clicking    Delete Selected







Make sure to delete all the ones I have checked. We will add ICMP (ping) later on, but for this test it needs to be gone.



You should see something like this

Change the default action for forwarded packets to Drop 

Then click the    Set Default Action To    button





Stay away from Apply button.



Click on the green word   Accept   next to port 22







You should see something like this, donít make any changes






We aren't making changes to this screen, we are going to press the Clone Rule button at the bottom, this will save us lots of typing.


Press   Clone Rule   the screen will refresh and you're now looking at a "copy" of the port 22 firewall rules





Make the following changes







Change the Rule Comment

From      Allow connections to our SSH Server

To          Allow connections to our Webmin Server


Change Destination TCP or UDP port

From      22

To          10000

Now scroll down and press the    Create   button

You should see something like this






Note the port 22 exception is still there, because we didn't change it, we only cloned it.

And now we have a port 10000 firewall exception as well



Keep doing that for ports




20       (ftp20)




21       (ftp21)




80       (web80)





445    (samba)




20000  (usermin)




Don't forget to click     Clone     every time you click on port 22, you don't want to make changes to port 22, you just want to keep cloning it.




You should eventually see something like this




Stay away from the apply button



Click on the green word accept next to port 445





We are going to lock Samba down a little further, it's a little overkill for this setup, but it's expected later on in the how-to



You should see something like this






Make the following changes





This will tell the firewall to only let in Samba clients that have a ip address. The /24 tells it to allow any 3 numbers, up to 254


If you're on a network, you would use

If you're on a network, you would use

If you're on a network, you would use


Again, a little overkill right now, but we need it later on.     Click on Save

You should see something like this






You're now ready to hit Apply at the bottom, but make sure Active at Boot still says     no







Test everything, except FTP (there is another change we have to make for FTP before it will work)

Make sure you can still get to Webmin, Usermin, Putty, Samba, your websites, etc...


If everything is working, return to the Linux Firewall module and tell it to be active at boot time. Click yes, and then click the       Activate at boot      button






Then hit the Apply Configuration button, and navigate to the Bootup and Shutdown module.



Using the Bootup and Shutdown module, reboot the Linux box.





Wait a couple minutes and make sure you can still get back into everything.



Now from your Windows PC, try to ping your Linux box

This should fail



If it fails, then that's good, it means your firewall is loading at startup and doing its job.




If it replies like this







Then something isn't right, go back and fix it.



Once you have it working, you will probably want to allow pings. Pinging is very useful for trouble-shooting.



So once you're sure your firewall is working, you can allow ping by going back to the Linux Firewall module and adding the following input rule







Click on Add Rule


Make the following changes





Then click the Create button


Then click the Apply button


You should now be able to ping the Linux box




Now let's make sure you are still able to access the internet



Using the Command Shell module, run the following command










I like to use tracert instead of ping from a Linux box, because I can never remember the ping limit commands off the top of my head. By default ping never gives up in Linux unless you give it extra instructions. So from this view don't use ping, because it will run forever in the background. If you want to use ping, make sure you're using Putty or the SSH2 module, where you can interact with ping, and stop it (using Control + C on your keyboard). Or include the extra command line options to tell ping to give up after like 5 attempts      ping -c 5



If successful, you should see something like this with a bunch of numbers. It's ok if you have more than or less than 13 hops, we are just looking to see that it is hopping outside your network.







If you get a bunch of fails, go back and figure it out. Your firewall is blocking everything incoming, unless you request it. Here you're requesting it, so it is Established \ Related, and your firewall should be letting that through, as it originated from you, inside the firewall first.



That's pretty much it, if you're still using FTP instead of SFTP, you might have to make this tweak if FTP stops working. If you're using SFTP or if FTP is working, you do not need to do this.




Navigate to the File Manager module, and edit the file /etc/rc.local





Add the following line


/sbin/modprobe ip_conntrack_ftp


You should see something like this





Save it, and reboot the computer.


That rc.local file executes every time the computer starts up, so it should load every time now.



Once the reboot is finished, try FTP







It should be working now, if not, go back and figure it out.



You now have an extremely powerful firewall running, doing per packet inspection and filtering. That's just the tip of the iceberg of what IPTables can do, but it should be all you need for now. As you get more comfortable with it, you can enable logging, and start reading the log files of blocks and attempts.
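
To confirm later that the firewall still matches what was built on this page, the saved rules can be checked from a shell. This is an added example, not from the original how-to: the rule dump is a constructed sample in iptables-save format, 192.0.2.0/24 stands in for your LAN range, and the function names are made up.

```sh
#!/bin/sh
# Added example (not from the original how-to): audit an iptables-save dump
# against the ports this page opens, and confirm Samba is limited by source.

# Ports cloned from the port 22 rule on this page, plus 22 itself.
PAGE_PORTS="20 21 22 80 445 10000 20000"

# chain_policy FILE CHAIN: print the default policy of CHAIN (ACCEPT or DROP).
chain_policy() {
    awk -v c=":$2" '$1 == c { print $2 }' "$1"
}

# accepted_tcp_ports FILE: print "<port> <source>" for each INPUT ACCEPT rule
# that names a destination port; source is "any" when the rule has no -s.
accepted_tcp_ports() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            port = ""; src = "any"; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") port   = $(i + 1)
                if ($i == "-s")      src    = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (target == "ACCEPT" && port != "") print port, src
        }
    ' "$1" | sort -n
}

# audit_ruleset FILE "ALLOWED PORTS": print findings, return 1 if there are any.
audit_ruleset() {
    status=0
    for chain in INPUT FORWARD; do
        if [ "$(chain_policy "$1" "$chain")" != "DROP" ]; then
            echo "FINDING: $chain default policy is not DROP"; status=1
        fi
    done
    while read -r port src; do
        [ -n "$port" ] || continue
        case " $2 " in
            *" $port "*) ;;
            *) echo "FINDING: port $port is open but not on the list"; status=1 ;;
        esac
        if [ "$port" = "445" ] && [ "$src" = "any" ]; then
            echo "FINDING: Samba (445) is open to any source address"; status=1
        fi
    done <<EOF
$(accepted_tcp_ports "$1")
EOF
    return $status
}

# Constructed sample in iptables-save format; 192.0.2.0/24 stands in for the LAN.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
COMMIT
EOF
}

demo() {
    r=$(mktemp) || return 1
    write_sample_rules "$r"
    audit_ruleset "$r" "$PAGE_PORTS" && echo "ruleset matches the page"
    # Same rules with the source restriction on 445 lost:
    sed 's|-s 192.0.2.0/24 ||' "$r" > "$r.drift"
    audit_ruleset "$r.drift" "$PAGE_PORTS" || true
    rm -f "$r" "$r.drift"
}
demo
```

On the server, iptables-save > rules.txt produces a dump in this format that audit_ruleset can read.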


Next we will setup etherwake

A Wake-On-Lan tool that will allow you to Wake On Lan computers on your network, from within Webmin.




Navigate to the Custom Commands and click on       Create a new custom command






You should see something like this, make the following changes






Give it a description as to what computer it is  (A computer on your LAN \ Subnet that you are trying to wake up)


And the actual command is                     etherwake  -b mac  address


Just make sure the MAC address is separated by colons    :

For help finding the mac address of a computer, refer back to earlier pages (often referred to as hwaddress or physical address)


Click Save


Make one for every computer you think you would ever want to wake up 



*Advanced* Later on in the how-to, you will have two NICs. One will be so strongly firewalled that it will stop etherwake from working, there is a simple fix, just use the interface option   -i    to tell etherwake which NIC to use


example:   etherwake -b -i eth1 00:1a:a0:a9:3b:b0

You should eventually see something like this






You can use these custom commands for just about anything you want. I like to use them for hard to remember commands, or commands I run a lot.



Eventually you will have an entire page of custom command buttons,  just point, click, and voilà



I like to make tracert and ping buttons as well, because a Linux ping won't stop unless you interact with it, so you can make a custom command button, with the / option to tell it when to stop and what to do.


*Advanced* If you have a smart phone with a browser, you can access these custom command buttons from your phone, and do tasks like wake-on-lan right from your cell phone, without the need for any kind of shell access. Just make sure your phone is not set to remember any passwords or web history. Make a lot of these custom command buttons, they are very cool.




That's it for the basic setup, if you start to have stability problems with your server, you can use a program called monit, that will monitor services, and restart them if they fail. It also has a web interface with some cool functionality. Also if you start to see a lot of hack attempts in your log files you can use a program called fail2ban (apt-get install fail2ban). This program will block a user by their IP address for a configurable amount of time after a configurable amount of attempts. They are super easy to configure and you can find many excellent examples on Google and on  


Next is the optional \ advanced setup. Not that it's any harder than anything you have done so far, it's just we are going to move on to more dedicated uses, where the computer needs to be up 24 hours a day 7 days a week. We are going to turn the Linux box into your Router \ NAT \Firewall, a VMWare server, a Local DNS box with dynamically updating clients, a DHCP server, etc...


If you're not interested in any of that, you can stop at the end of this page. You're encouraged to continue, it's all really cool stuff, but setting the Linux box up as your router is kind of a big commitment on your part, when it's down, your internet connection is down. Setting up VMWare requires a powerful computer with lots of RAM.  

*Note, if you're planning a VMWare server (Page 5 \ advanced) or any kind of Hypervisor, see this disclaimer before you begin


DNS is a lot of work for small networks. You don't need a DHCP server if you're not replacing your router and you don't need a DDNS update client if you're not using Local DNS. So this may be a good time to stop if you're not interested in virtualization and networking. Thanks for using my how-to, let me know how it goes.



If you're stopping here, you may want to checkout my "Do More" section.


Remember to periodically check for updates with      apt-get update       followed by           apt-get dist-upgrade


That will ensure you have the latest patches and upgrades


You can find my email address and blog link on my homepage   Thanks!    KevinTheComputerGuy


