Page 4 of 5:
Let’s set up quotas for these new users
Set up the restricted password-change module
Show users how to map their My Documents folder to the server.
We should set up quotas for the following users
roommate1
roommate2
roommate3
roommate4
public
nobody
I left wood out, because wood is you
You will need some big quotas here; your users will get a lot of use out of these Samba shares.
Similar to what you did earlier, set each of them up with a quota.
We also need to be concerned about the OS drive,
because we set some of these users up in the /home directory as well as the /mymounts directory.
We need to limit what they can put in /home.
That’s on the OS drive, known as mount point " / ".
Let’s just set them a ridiculously small quota, like 1MB, so they aren't storing data on the OS drive.
Quota isn’t enabled yet on the OS drive, so we need to enable it.
We just need to make a simple change to the Disk and Network Filesystem Module.
Navigate to the Disk and Network Filesystem Module.
And click on /
*sometimes listed as / (root filesystem)
You should see something like this
Change that from No to User only
And click save
Now the next time you navigate to the Quotas Module, the OS disk / should be there.
Click on Enable Quotas
Your computer will freak out for a couple of minutes while the quota check scans the OS drive. Give it time; it will eventually finish.
Once it finishes, click on /
And limit these users to 1MB
roommate1
roommate2
roommate3
roommate4
public
nobody
*If you don’t see a name you’re looking for, you can click the “Edit Quota For” and browse for it.
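Here is the same thing from the command line, as an added example that is not part of the original how-to: one function prints the setquota commands matching the 1MB OS-drive quota above, and another reads a repquota-style report and lists the users who are over their soft block limit. The report text is constructed for the example, and the setquota and repquota commands from the quota package are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original how-to: the command-line equivalent of
# the Quotas module clicks above, plus a check that reads a quota report.
# Assumes the quota tools (setquota, repquota) from the "quota" package.

# Print one setquota command per user: soft and hard block limits equal to
# LIMIT_KB (1K blocks), no inode limit (0 0 = unlimited), on filesystem FS.
# Pipe the output to sh as root to apply it.
# Usage: setquota_commands 1024 / roommate1 roommate2 ...
setquota_commands() {
    limit_kb="$1"; fs="$2"; shift 2
    for u in "$@"; do
        # setquota -u USER block-soft block-hard inode-soft inode-hard FILESYSTEM
        printf 'setquota -u %s %s %s 0 0 %s\n' "$u" "$limit_kb" "$limit_kb" "$fs"
    done
}

# Read a repquota-style report on stdin and print the users whose block usage
# is over the soft limit. repquota marks that with a '+' as the first
# character of the flags column (second field), e.g. "roommate1 +-  1500 1024 ...".
users_over_block_soft_limit() {
    awk 'NF >= 5 && $2 ~ /^[+]/ { print $1 }'
}

# Constructed sample report (not real output from the author's server).
SAMPLE_REPORT='*** Report for user quotas on device /dev/sda1
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  123456       0       0             1234     0     0
wood      --    8192       0       0              120     0     0
roommate1 +-    1500    1024    1024  6days        12     0     0
roommate2 --     300    1024    1024                4     0     0
public    --       0    1024    1024                0     0     0'

# Demo: show the commands for the 1MB OS-drive quota, then find who is over.
setquota_commands 1024 / roommate1 roommate2 roommate3 roommate4 public nobody
printf '%s\n' "$SAMPLE_REPORT" | users_over_block_soft_limit
```

On a live system you would replace the sample with `repquota -u / | users_over_block_soft_limit`, which is a quick way to spot someone parking data on the OS drive despite the quota.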
Now let’s give them Usermin access, but restrict it to only password changes and quota view.
Navigate to the Usermin Configuration Module.
And click on Module Restrictions
Then click Add a new user or group restriction
You should see something like this; make the following changes
Do these same steps for
roommate2
roommate3
roommate4
wood
You don’t have to worry about users public or nobody
After you have added those other four users, we need to allow them Usermin access.
Click on the Allowed Users and Groups icon
You should see something like this; start adding the users
Add the following users
roommate1
roommate2
roommate3
roommate4
wood
Click Save
Click Restart Usermin
Now your Samba users, from inside your network, should be able to change their own passwords and view their quota, without seeing the File Manager that your internet users have.
To access Usermin, it’s http://your-ip-address:20000
My ip is 192.168.2.1
So I would type http://192.168.2.1:20000
Login as username roommate1
And you should see something like this
As you can see, they only have two choices instead of four, because we don’t want them to have the File Manager or the Upload and Download modules.
This is a really convenient way for your users to change their own passwords.
That’s it for the locked-down Usermin config; now you can show your users how to map their My Documents folder to the server
(if you want).
That way, when they save files to their My Documents folder on their PCs and laptops, they are actually saving them to their server share.
First have them log in to their share and make a folder per computer, something like
my_dell_laptop and my_gateway_pc
Assuming this is roommate1 you’re working on, and assuming he has a Gateway desktop PC and a Dell laptop,
and assuming you’re sitting in front of the laptop right now:
Just right-click on his My Documents folder, and choose Properties
And change the Target path from whatever it says to
\\192.168.2.1\roommate1\my_dell_laptop
Now everything roommate1 saves to his My Documents folder, will actually be on the server.
And now from his Gateway desktop, if he goes to \\192.168.2.1\ and logs in
He can get to his laptop files from his desktop
And vice versa, once both are setup this way
Just make sure to move the current data out of My Documents first, and paste it back in after the target has been changed. If you change the target while their data is still in there, it will appear to the user like all the data is gone, because the My Documents folder isn’t looking at their c:\Documents and Settings\user profile anymore.
For users doing the My Documents thing… you will probably want to set them up with pass-through authentication. Meaning you will want them logging into Windows with the same username and password as their share. In this example, you would set roommate1’s computer to log in to Windows as username roommate1.
That will allow him to pass his Windows login credentials through to the shares.
If this isn’t possible, then you will probably want to map a network drive to a drive letter, and then move the My Documents target to that drive letter.
Either way works fine, but pass-through authentication is best.
That’s about it for Samba. It would have been better to set it up on a separate computer, a computer without internet access even.
In the more advanced parts of this how-to, we are going to set up a VMware Server, which can run multiple virtual machines off this one machine, all managed over a web page. This can also be a helpful way to separate Samba from FTP into two machines: just have them running on different virtual machines.
There are countless ways to do it, depending on your security philosophies.
Anyway, back to work
Next we are going to connect to a file share running on a Windows machine. Let’s say the IP address of the Windows machine is 192.168.2.6 and it’s allowing access to the admin share C$.
We will mount this on our Linux box as folder /mymounts/samba2dot6
This folder naming to me means
I mounted it (hence the folder mymounts)
And that it’s a Samba connection to machine 192.168.2.6
In this example, the entire contents of the 192.168.2.6 hard drive will be accessible and usable from your Linux box.
Navigate to the Disk and Network Filesystems module and click on Mount type smbfs
I have had many users say that option isn’t there. If it isn’t there, the following three steps should make it show up.
First, make sure you didn’t miss the page that talked about apt-get install smbfs
*This how-to isn’t written so that pages can be skipped
Second, upgrade Webmin to the latest version
Navigate to the Webmin Configuration module, and click on Upgrade Webmin
You should see something like this
Choose Latest Version from www.webmin.com
And then click Upgrade Webmin
If successful you should see something like this
Third, click on Refresh Modules
*Note, remember you can also upgrade Usermin the same way
After the refresh is finished you should have smbfs as a mount type in the Disk and Network Filesystems Module
Add the mount type smbfs, and you should see something like this
Give some thought to whether to mount it at boot or not. If 192.168.2.6 is on all the time, this shouldn’t be a problem. But for the most part, you wouldn’t want to mount it at boot time.
Also give some thought to the account you use, because that password will be saved in the file /etc/fstab.
This isn’t a security risk at all; nobody should have that kind of access to your machine to be able to read that file. Linux is already set up to not allow that. But without local file encryption, and a couple of security guards, there is always a chance it can happen
(like if the computer was stolen, or booted off a live CD).
We talk about file system encryption later in the how-to. But giving a lot of thought to the passwords you put in that file is important too.
As you can see, I’m accessing computer 192.168.2.6’s admin share on C$.
Which should mean you have to provide an admin-level password of that machine to access that share. But a workaround is that Windows Backup Operators can also access admin shares. So if you make an account on the Windows PC you’re wanting to connect to, and you made that account a Backup Operator and not an admin, it would still work.
Or even better, create an actual share that a user-level account can access, instead of using the admin share C$. I’m just lazy and use the admin shares, as a Backup Operator, so I can access the entire drive without giving up the admin password.
But putting a less important password in the box is smart any way you look at it.
After you create the mount, you can view the Windows PC files on your Linux box by navigating to the folder
/mymounts/samba2dot6/
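As an added example, not from the how-to itself: a short script that finds smbfs/cifs entries in an fstab with the password written inline, and shows the credentials= form, where the username and password live in a separate file readable only by root. /etc/fstab is normally world-readable, so the separate file is what keeps the Windows password away from your ordinary Samba and FTP users. The fstab contents and the path /root/.smbcredentials are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original how-to: audit /etc/fstab for smbfs/cifs
# mounts that carry the Windows password inline, and build the credentials-file
# form instead. The mount point and account names are the how-to's; the
# credentials path /root/.smbcredentials is an assumption.

# Print every fstab entry of type smbfs or cifs whose options include password=.
# Usage: find_inline_passwords /etc/fstab
find_inline_passwords() {
    awk '$0 !~ /^[ \t]*#/ && NF >= 4 &&
         ($3 == "smbfs" || $3 == "cifs") && $4 ~ /(^|,)password=/ { print }' "$1"
}

# Rewrite a mount option string: drop username=/password= and put
# credentials=FILE first, keeping every other option in order.
# Usage: harden_options "username=x,password=y,uid=wood" /root/.smbcredentials
harden_options() {
    creds="$2"; kept=""
    oldifs="$IFS"; IFS=,
    for opt in $1; do
        case "$opt" in
            username=*|password=*|user=*|pass=*) ;;   # the secret moves to the file
            *) kept="${kept:+$kept,}$opt" ;;
        esac
    done
    IFS="$oldifs"
    echo "credentials=$creds${kept:+,$kept}"
}

# Write the credentials file readable by root only (umask 077 -> mode 600).
# Usage: write_credentials_file /root/.smbcredentials backupop 'the-password'
write_credentials_file() {
    ( umask 077; printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1" )
}

# Demo on a constructed fstab (not the author's real file).
tmp_fstab=$(mktemp)
cat > "$tmp_fstab" <<'EOF'
/dev/sda1  /               ext3   defaults                              0 1
/dev/sdb1  /mymounts/vraid ext3   defaults,usrquota                     0 2
//192.168.2.6/c$ /mymounts/samba2dot6 smbfs username=backupop,password=s3cret,uid=wood 0 0
EOF
find_inline_passwords "$tmp_fstab" | while read -r dev mnt type opts rest; do
    echo "inline password found for $dev on $mnt"
    echo "suggested: $dev $mnt $type $(harden_options "$opts" /root/.smbcredentials) $rest"
done
rm -f "$tmp_fstab"
```

The Backup Operator account the text recommends still goes in the credentials file; what changes is that the file is mode 600 and owned by root, which the fstab line itself cannot be.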
Next we are going to create some scheduled backup schemes.
Using the File Manager, create a folder called
/mymounts/vraid/osbackups
We are going to create one schedule for Operating System related stuff, and another for our data. For the Operating System scheduled backup, we are going to use the Backup Configuration Modules module.
Navigate to the Backup Configuration Modules module, and click on scheduled backups.
And then click on “Add a new scheduled backup”
Notice there is also a Restore Now tab at the top. In the event something goes horribly wrong, or you’re setting up a new system, you can restore them using these backups and the Restore Now tab.
Click on Add a new scheduled backup, you should see something like this
Notice how you are able to click on multiple choices in the modules to backup box. You can do this by holding down the control key (Ctrl) on your keyboard, while clicking on the choices.
Click on all the modules you would like to be part of this scheduled backup. Select as many as you want.
Notice I selected backup destination local file
/mymounts/vraid/osbackups/bcf.tar
That’s bcf.tar
That means to me, Backup Configuration Files
And it’s important we put it on disk2 (/mymounts/vraid/)
That way if disk 1 goes bad, we have a backup on disk 2
Check all three boxes under Include in backup
And list any system files you want a backup of that don’t have a module associated with them.
Operating System stuff only ( / ), don’t include anything from the second hard-drive
(The data drive /mymounts/vraid/)
We will make a different kind of backup scheme for that data, using a different module.
Put your local email address: the username you created on page 18, followed by @localhost
So mine is wood@localhost
If you select Simple schedule, you don’t have to use the minutes/hours/days schedule below.
Click the Save button, and it will schedule the backup job, every month, on the 1st.
Or better yet, click Save and Backup now so you can make sure it works.
It will overwrite that file every month, which is probably what you want. But if you’d rather keep every backup job it makes, you can change the filename from
/mymounts/vraid/osbackups/bcf.tar
To
/mymounts/vraid/osbackups/%m_%d_%Y_bcf.tar
This will add the current date to the filename, which will be different every month, and so it won’t overwrite your backups.
That’s pretty much it: you can import these backups as a restore, and be back up and running in minutes instead of days.
The backups will be compressed into a single file using the TAR format; you can extract them and see them using the File Manager module.
Just navigate to where the backup jobs are, and you should see a .tar file.
Extracting can be messy if you don’t contain it to a folder. So create a new folder called
2bdeleted
And copy the .tar file in there.
Then highlight it, and click extract
Say yes if prompted
Once they extract, you will see all the configuration files you selected to be backed up were indeed backed up.
The folder structure will be a little confusing at first. If you told it to back up /etc/vsftpd.conf, it will copy the folder structure.
You won’t just see the file vsftpd.conf
You will see the folder etc, and the file vsftpd.conf inside of it.
That’s about it, if you ever need to restore the file or refer to it, you can find them here.
And you should have a local email, telling you all about it.
Now we will setup a scheduled backup for the data drive. That uses a different module called Filesystem Backup.
Navigate to the Filesystem Backup Module
Select in TAR format
And browse to user jdoe’s home directory
Then click the Add a new backup of directory button
You should see something like this
Expand the two green arrows so you can see everything, and make the following changes
The Backup to field reads /options/%m_%d_%Y_jdoe.tar
Keep the backup label name short and sweet, they don’t allow it to be very long.
You only need to change the Minutes, Hours, and Days. That’s because we want it to run every month, so we don’t want to specify a month, or it will only run in that particular month.
This particular schedule says: at 23:01 (11:01pm) on the second day of every month, run the backup.
I did the second day, because we already have Operating System backups scheduled on the first. You don’t want to schedule them at the same time; that is too much work for the server to handle, so I did the second of every month.
Be careful not to select more than one number, like this
Because it will let you, if you’re not careful. Holding down the Control key on your keyboard will help you deselect them if this happens.
That’s about it, except the backup directory (/options) I selected would be a horrible place for your backups.
You would want to install a third or fourth disk for these backup jobs, or maybe even a large USB drive. Or even better, take advantage of that SSH button and do offsite backups, meaning the backups exist on a different computer, a separate Linux box somewhere.
Earlier we talked about having a second computer setup only with Samba and SSH. You could use that SSH option to send the backups to that computer. This is the best form of backups, as it gets the files off the computer, and in a second location. Just in case that computer catches fire or is stolen or something.
This second computer doesn’t even have to be on your same network, it can be on the internet somewhere, and SSH will encrypt the transfer and the passwords for you.
Click the Create Button and it should return you to the main screen.
If you get an error like this one below
Then just click on the Module Config link at the top of the page
You should see something like this
And change the following two options to yes.
Then click save.
You should be returned to the main page
Notice the TAR option is gone, because we set it as the default. Also that red error message should be gone as well.
Let’s make another backup, they get easier after the first one, because instead of choosing a specific time, you can tell it to start after the one before it finishes.
Select the home directory for user testuser
Notice now there is an Enable after option now
So instead of picking times and guessing when you think they will be done, just tell it to start the next job after the previous one finishes.
You can keep building on this, have the third job start after the second job finishes, and the fourth job after the third finishes, and so on and so on. Don’t forget about your samba users (nshares folder)
As your list starts to grow, you can see the schedule on the right
Here we can see that second job starts after the first one finishes.
That’s pretty much it for the backups, just set it and forget it. And you should get local emails with the statuses.
Just remember /options/ is a horrible place, I just used that as an example. Get some more hard drives, or an external drive, or better yet use SSH to another computer.
You can also export your users and their passwords to a file. This is really useful if you’re planning on upgrading to a new server, but don’t want to have to reset all your users’ passwords.
Navigate to the Users and Groups module
Take note of the User ID numbers you’re interested in
(They will usually be over 1,000)
And then click on Export to batch file
You should see something like this
Make the following changes, and tweak the UID range to match yours
Click Export now
If successful, you should see something like this
And be a nice admin, and consider that file extremely confidential.
Now you can build a new server, import those accounts using the run batch file button under the users and groups module, and your users will never know anything has changed.
See why you should change your password more often :- )
That’s pretty much all there is to it
Next we will talk about disk maintenance and troubleshooting. Every so often you should run fsck (File System Check) on your hard drives; it’s a lot like scandisk. There are a few things you need to know before running this. The hard drive can’t be mounted; it first needs to be unmounted. Some Google searches will tell you the options to force it to check mounted drives. Don’t ever do that. Never scan a drive that is mounted. It only takes a second to unmount it; take the time to do that, it’s well worth it.
You can’t really scandisk your OS drive, because you’re not able to unmount it. Some Google searches will tell you to use single-user mode to do it, which is similar to Windows Safe Mode. Don’t ever do that either. It’s doable, but not worth the repercussions of typing something wrong. If you want to scan your OS drive, you should boot off a Linux live CD and run the commands below. Being booted off the live CD will ensure the drive is not in use. It’s worth the extra effort.
Your data drives are a lot easier to scan, because you can easily un-mount them
Let’s say you want to run a quick scan on the hard drive /dev/sdb1
You would launch a Putty or SSH2 module session, and type
umount /dev/sdb1
That will un-mount the partition
Then type
fsck.ext3 -y /dev/sdb1
This command assumes you’re checking a drive formatted as ext3. If you have been following this how-to, your drives are ext3. Running this on a non-ext3 formatted drive will cause major problems, and you won’t get the warning, because the -y will answer yes to any prompts.
This will run a quick scan on the hard drive, and the -y tells it to answer yes to any questions.
If you wanted to do a more in-depth scan, you could run
fsck.ext3 -c -p -v -f /dev/sdb1
The -c tells it to look for bad blocks on the hard drive; this scan will take a very, very long time.
And if you wanted to take it ever further, maybe you have a drive you’re having problems with, you could run the following command
fsck.ext3 -c -c -p -v -f /dev/sdb1
Specifying -c -c twice like that will do a read and then a write test to every spot on the partition.
It claims to be non-destructive. I’m not sure I would feel comfortable doing this command on a drive that I didn’t have a backup of. I’ve personally never done it on a drive that had data on it that I cared about. I’m sure it’s safe, Linux is amazing; it’s just the “write” part of that that scares me. Do yourself a favor and make a backup first.
Options -c and -c -c will note any bad blocks that are found, and mark them as not usable. At this point the disk is “fixed”; a couple of bad blocks is bound to happen. But if you have this problem more than once on the same disk, I would consider replacing it, and making sure your backups are up to date for that drive.
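An added example (not from the how-to): a wrapper around the three fsck commands above that checks the mount table first and refuses to run if the partition is still mounted, which is exactly the mistake the paragraphs above warn against. It reads /proc/mounts by default; the demo feeds it a constructed mount table, and DRY_RUN=1 makes it print the command instead of running it.

```shell
#!/bin/sh
# Added example, not from the original how-to: a small wrapper around the fsck
# commands above that refuses to touch a filesystem that is still mounted.
# It reads the mount table from /proc/mounts, or from a file you pass in so the
# check can be exercised against a constructed table.

# Succeed (exit 0) if DEVICE is listed as mounted in MOUNTS_FILE.
# Usage: is_mounted /dev/sdb1 [/proc/mounts]
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit (found ? 0 : 1) }' "${2:-/proc/mounts}"
}

# The three scan levels described above, as one command line each.
# Usage: fsck_command /dev/sdb1 quick|deep|surface
fsck_command() {
    case "$2" in
        quick)   echo "fsck.ext3 -y $1" ;;              # answer yes to every fix
        deep)    echo "fsck.ext3 -c -p -v -f $1" ;;     # plus read-only bad-block scan
        surface) echo "fsck.ext3 -c -c -p -v -f $1" ;;  # read/write bad-block scan
        *) echo "unknown scan level: $2" >&2; return 2 ;;
    esac
}

# Refuse if the device is mounted; otherwise run the command, or only print it
# when DRY_RUN=1. Checking / itself still needs the live-CD route above.
# Usage: safe_fsck /dev/sdb1 quick [/proc/mounts]
safe_fsck() {
    dev="$1"; level="${2:-quick}"; mounts="${3:-/proc/mounts}"
    if is_mounted "$dev" "$mounts"; then
        echo "refusing: $dev is mounted; umount it first" >&2
        return 1
    fi
    cmd=$(fsck_command "$dev" "$level") || return 2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Demo against a constructed mount table (not this machine's /proc/mounts).
demo_mounts=$(mktemp)
cat > "$demo_mounts" <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sdb1 /mymounts/vraid ext3 rw,usrquota 0 0
EOF
DRY_RUN=1
safe_fsck /dev/sdb1 quick "$demo_mounts" || echo "(as expected: sdb1 is still mounted)"
safe_fsck /dev/sdc1 deep "$demo_mounts"
rm -f "$demo_mounts"
```

Run it without DRY_RUN as root once the umount has been done; the mounted check is cheap and saves you from the forced-check options the text tells you to avoid.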
If you already have a backup, and you really want to try reviving the disk, you can do the following. Note these are destructive, and your data will for sure be gone.
Type the following commands (this series of commands will take many days to complete)
Do yourself a favor and just buy another hard-drive :- )
fdisk /dev/sdb
m      (print the fdisk command menu)
d      (delete the existing partition)
w      (write the table to disk and exit)
dd if=/dev/zero of=/dev/sdb
fdisk /dev/sdb
m      (print the menu again)
d      (delete, in case anything is left)
n      (new partition)
p      (primary)
1      (partition number 1)
Enter  (accept the default start)
Enter  (accept the default end, i.e. use the whole disk)
w      (write and exit)
mkfs.ext3 /dev/sdb1
fsck.ext3 -c -c -y /dev/sdb1
You just used fdisk to delete the partition. Then you used dd to zero out the drive. Then you used fdisk to create a new partition. Then you used mkfs to format it with the ext3 file system. Then you checked the file system, both read and write, using fsck.
That’s extremely thorough, and it will take many days to complete those steps. You may even want to hook up a keyboard and monitor, because it will take so long that you will probably be tempted to close your Putty or SSH2 connection, which would make it hard to watch the progress. This is pretty extreme; with today’s prices and warranties, you may want to consider replacing the drive when fsck finds problems more than once.
You can then use the Disk and Network Filesystem Module to remount the drive. And that’s about it for disk maintenance.
Next we are going to setup the Firewall, using IPTables. This is optional at this point because you’re behind the firewall of your router. So this would, at this point, just be a firewall inside your LAN. But in some cases, especially small business networks, not everyone on your internal network is trusted. So if you don’t completely trust all the traffic inside your network, then you would want to setup the firewall.
Navigate to the Linux Firewall Module
Choose block all except SSH and IDENT on external interface eth0
Do not click the Enable firewall at boot time option. We eventually will enable that, but not yet. Since we are doing this remotely, we need a way to un-do it if we mess something up, so for now, don’t start it at boot time.
Then click the Setup Firewall button
You should see something like this. Stay away from that Apply button for a while; if you click it now you will lock yourself out of Webmin.
If you lock yourself out, rebooting will let you back in
We can get away with this only because we are not setting the firewall to start at boot time (yet)
Also stay away from that Apply button for now.
Next, delete the following conditions by putting a check in the box next to them and clicking Delete Selected
Make sure to delete all the ones I have checked. We will add ICMP (ping) later on, but for this test it needs to be gone.
You should see something like this
Change the default action for forwarded packets to Drop
Then click the Set Default Action To button
Stay away from Apply button.
Click on the green word Accept next to port 22
You should see something like this, don’t make any changes
We aren’t making changes to this screen, we are going to press the Clone Rule button at the bottom, this will save us lots of typing.
Press Clone Rule; the screen will refresh and you’re now looking at a “copy” of the port 22 firewall rule
Make the following changes
Change the Rule Comment
From Allow connections to our SSH Server
To Allow connections to our Webmin Server
Change Destination TCP or UDP port
From 22
To 10000
Now scroll down and press the Create button
You should see something like this
Note the port 22 exception is still there, because we didn’t change it, we only cloned it.
And now we have a port 10000 firewall exception as well
Keep doing that for ports
20 (ftp20)
21 (ftp21)
80 (web80)
445 (samba)
20000 (usermin)
Don’t forget to click Clone every time you click on port 22, you don’t want to make changes to port 22, you just want to keep cloning it.
You should eventually see something like this
Stay away from the apply button
Click on the green word accept next to port 445
We are going to lock Samba down a little further. It’s a little overkill for this setup, but it’s expected later on in the how-to.
You should see something like this
Make the following changes
This will tell the firewall to only let in Samba clients that have a 192.168.2.xxx IP address. The /24 means the first three numbers must match and the last number can be anything, up to 254.
If you’re on a 192.168.0.1 network, you would use 192.168.0.0/24
If you’re on a 192.168.1.1 network, you would use 192.168.1.0/24
If you’re on a 10.10.10.1 network, you would use 10.10.10.0/24
Again, a little overkill right now, but we need it later on. Click on Save
You should see something like this
You’re now ready to hit Apply at the bottom, but make sure Active at Boot still says no
Test everything, except FTP (there is another change we have to make for FTP before it will work)
Make sure you can still get to Webmin, Usermin, Putty, Samba, your websites, etc…
If everything is working, return to the Linux Firewall module and tell it to be active at boot time. Click Yes, and then click the Activate at boot button.
Then hit the Apply Configuration button, and navigate to the Bootup and Shutdown module.
Using the Bootup and Shutdown module, reboot the Linux box.
Wait a couple minutes and make sure you can still get back into everything.
Now from your Windows PC, try to ping your Linux box
This should fail
If it fails, then that’s good, it means your firewall is loading at startup and doing its job.
If it replies like this
Then something isn’t right, go back and fix it.
Once you have it working, you will probably want to allow pings. Pinging is very useful for trouble-shooting.
So once you’re sure your firewall is working, you can allow ping by going back to the Linux Firewall module and adding the following input rule
Click on Add Rule
Make the following changes
Then click the Create button
Then click the Apply button
You should now be able to ping the Linux box
Now let’s make sure you are still able to access the internet
Using the Command Shell module, run the following command
tracert google.com
I like to use tracert instead of ping from a Linux box, because I can never remember the ping limit commands off the top of my head.
By default ping never gives up in Linux unless you give it extra instructions. So from this view don’t use ping, because it will run forever in the background. If you want to use ping, make sure you’re using Putty or the SSH2 module, where you can interact with ping and stop it (using Control + C on your keyboard), or include the extra command line option to tell ping to give up after, say, 5 attempts: ping -c 5 google.com
If successful, you should see something like this, with a bunch of numbers. It’s OK if you have more or fewer than 13 hops; we are just looking to see that it is hopping outside your network.
If you get a bunch of fails, go back and figure it out. Your firewall is blocking everything incoming unless you request it. Here you’re requesting it, so it’s Established/Related, and your firewall should be letting that through, as it originated from you, inside the firewall, first.
That’s pretty much it. If you’re still using FTP instead of SFTP, you might have to make this tweak if FTP stops working. If you’re using SFTP, or if FTP is working, you do not need to do this.
Navigate to the File Manager module, and edit the file /etc/rc.local
Add the following line
/sbin/modprobe ip_conntrack_ftp
You should see something like this
Save it, and reboot the computer.
That rc.local file executes every time the computer starts up, so it should load every time now.
Once the reboot is finished, try FTP
It should be working now, if not, go back and figure it out.
You now have an extremely powerful firewall running, doing per packet inspection and filtering. That’s just the tip of the iceberg of what IPTables can do, but it should be all you need for now. As you get more comfortable with it, you can enable logging, and start reading the log files of blocks and attempts.
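As an added example, not the how-to’s own configuration: the rule set you just built by clicking, written out as the iptables commands Webmin runs for you. It derives the LAN range from your own IP the same way the /24 examples above do, lets Established/Related traffic back in, opens the listed ports, restricts Samba to the LAN, allows ping, and loads ip_conntrack_ftp. emit_rules only prints; apply_rules runs the commands and needs root. The OUTPUT policy of ACCEPT and the flush of existing rules are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original how-to: the Linux Firewall module rules
# above expressed as plain iptables commands. emit_rules prints them for review;
# apply_rules runs them (root only). The LAN range is derived from your own
# address exactly as the /24 examples explain: keep three numbers, end in .0/24.

# Usage: lan_cidr_for_ip 192.168.2.1  ->  192.168.2.0/24
lan_cidr_for_ip() {
    echo "$1" | awk -F. 'NF == 4 { printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# Print the iptables commands for: default DROP on INPUT and FORWARD, loopback
# and Established/Related allowed, the per-port exceptions from the how-to,
# Samba only from the LAN, ping, and the FTP connection-tracking module.
# Usage: emit_rules 192.168.2.0/24
emit_rules() {
    lan="$1"
    cat <<EOF
iptables -F INPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Allow connections to our SSH, Webmin, FTP, web and Usermin servers
    for port in 22 10000 20 21 80 20000; do
        echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
    done
    # Samba only from clients on our own /24
    echo "iptables -A INPUT -s $lan -p tcp --dport 445 -j ACCEPT"
    # Allow ping (the rule you add once everything else is known to work)
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    # Lets FTP data connections through as RELATED
    echo "/sbin/modprobe ip_conntrack_ftp"
}

# Count the ACCEPT rules, handy for eyeballing the output against the module's list.
# Usage: emit_rules 192.168.2.0/24 | count_accept_rules
count_accept_rules() {
    grep -c -- '-j ACCEPT'
}

# Run the printed rules for real (root only). The how-to's advice stands:
# do not enable at boot until you have tested that you can still get back in.
apply_rules() {
    emit_rules "$1" | sh
}

# Demo: print, don't apply.
emit_rules "$(lan_cidr_for_ip 192.168.2.1)"
```

Review the printed list against the module’s rule table before you ever pipe it to sh; the order matters, since the Established/Related rule has to come before the default DROP takes effect on replies.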
Next we will set up etherwake, a Wake-On-LAN tool that will allow you to wake computers on your network from within Webmin.
Navigate to the Custom Commands and click on Create a new custom command
You should see something like this; make the following changes
Give it a description of what computer it is (a computer on your LAN / subnet that you are trying to wake up)
And the actual command is etherwake -b <MAC address>
Just make sure the MAC address is separated by colons (:)
For help finding the mac address of a computer, refer back to earlier pages (often referred to as hwaddress or physical address)
Click Save
Make one for every computer you think you would ever want to wake up
*Advanced* Later on in the how-to, you will have two NICs. One will be so strongly firewalled that it will stop etherwake from working. There is a simple fix: just use the interface option -i to tell etherwake which NIC to use
example: etherwake -b -i eth1 00:1a:a0:a9:3b:b0
You should eventually see something like this
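An added example, not from the how-to: turn the MAC address as Windows shows it (Physical Address, dashes, upper case) into the colon form etherwake needs, check that it really is six hex pairs, and build the command for the custom command button, including the -i option from the *Advanced* note. The interface eth1 comes from the how-to; the MAC addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original how-to: normalise a MAC address as
# Windows prints it (Physical Address 00-1A-A0-A9-3B-B0) into the colon form
# etherwake wants, validate it, and build the custom command line. The
# interface name eth1 is the how-to's example; the MAC values are made up.

# Lower-case and turn dashes into colons. Usage: normalize_mac 00-1A-A0-A9-3B-B0
normalize_mac() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -- '-' ':'
}

# Succeed only for six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the etherwake command for one custom command button, optionally pinned
# to an interface with -i. Fails (exit 1) on a bad MAC, so a typo such as a
# letter o instead of a zero never ends up behind a button.
# Usage: wake_command 00-1A-A0-A9-3B-B0 [eth1]
wake_command() {
    mac=$(normalize_mac "$1")
    valid_mac "$mac" || { echo "invalid MAC address: $1" >&2; return 1; }
    if [ -n "$2" ]; then
        echo "etherwake -b -i $2 $mac"
    else
        echo "etherwake -b $mac"
    fi
}

# Demo
wake_command 00-1A-A0-A9-3B-B0 eth1
wake_command 00:1a:a0:a9:3b:bo || echo "(rejected, as it should be)"
```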
You can use these custom commands for just about anything you want. I like to use them for hard to remember commands, or commands I run a lot.
Eventually you will have an entire page of custom command buttons; just point, click, and voilà.
I like to make tracert and ping buttons as well, because a Linux ping won’t stop unless you interact with it, so you can make a custom command button with the -c option to tell it when to stop.
*Advanced* If you have a smart phone with a browser, you can access these custom command buttons from your phone, and do tasks like wake-on-lan right from your cell phone, without the need for any kind of shell access. Just make sure your phone is not set to remember any passwords or web history. Make a lot of these custom command buttons, they are very cool.
That’s it for the basic setup, if you start to have stability problems with your server, you can use a program called monit, that will monitor services, and restart them if they fail. It also has a web interface with some cool functionality. Also if you start to see a lot of hack attempts in your log files you can use a program called fail2ban (apt-get install fail2ban). This program will block a user by their IP address for a configurable amount of time after a configurable amount of attempts. They are super easy to configure and you can find many excellent examples on Google and on http://ubuntuforums.org
Next is the optional / advanced setup. Not that it’s any harder than anything you have done so far; it’s just that we are going to move on to more dedicated uses, where the computer needs to be up 24 hours a day, 7 days a week. We are going to turn the Linux box into your router / NAT / firewall, a VMware server, a local DNS box with dynamically updating clients, a DHCP server, etc…
If you’re not interested in any of that, you can stop at the end of this page. You’re encouraged to continue, it’s all really cool stuff, but setting the Linux box up as your router is kind of a big commitment on your part: when it’s down, your internet connection is down. Setting up VMware requires a powerful computer with lots of RAM.
DNS is a lot of work for small networks. You don’t need a DHCP server if you’re not replacing your router, and you don’t need a DDNS update client if you’re not using local DNS. So this may be a good time to stop if you’re not interested in virtualization and networking. Thanks for using my how-to, let me know how it goes.
If you’re stopping here, you may want to checkout my "Do More" section.
Remember to periodically check for updates with apt-get update followed by apt-get dist-upgrade
That will ensure you have the latest patches and upgrades
You can find my email address and blog link on my homepage http://woodel.com Thanks! KevinTheComputerGuy