Skip to content

Category: Security

Setting up Samba Shares on RedHat Enterprise 5

Published by Will Chatham on 8/27/2008

My goal was to set up a network share on a RHEL5 server using Samba, so that our Windows users could access the shared folder from their desktops.  It was difficult to find any information on doing this and nothing else, such as setting up Samba as a domain controller, which I was not interested in.  Sometimes Google gives you more than you want.

If you are running RedHat Enterprise 5, and are interested in setting up Samba shares for Windows users to access, read on.  This may work for other flavors of Linux, and older versions of RHEL, but I can’t vouch for that.

First, make sure the correct Samba packages are installed:

#> rpm -qa |grep samba
samba-client-3.0.28-1.el5_2.1
samba-3.0.28-1.el5_2.1
samba-common-3.0.28-1.el5_2.1
system-config-samba-1.2.39-1.el5

If these are not installed, use yum to grab them and install them.

You may need to open ports in the system firewall so that all of this will work.  The ports that need to be open for Samba to work are:

139 and 445

It’s easiest to do this from your RedHat gui (System > Administration > Security Level and Firewall).

Next, set up the smb service to run at boot time:

#> chkconfig smb on

In RedHat, this will also cause the nmb service to run, which is fine.

Now, start Samba:

#> service smb start

Now, create the directory you want to share.  For this example, I will make it simple:

#> mkdir /dv1

Set permissions accordingly.  In my scenario, I wanted our developers to all be able to access this directory from Windows, and they were all part of the ‘developers’ group on my RedHat server, so I set the permissions like so:

#> chown developers.developers /dv1
#> chmod 755 /dv1

In order to get Samba to share this directory, I had to add the appropriate policies for SELinux, which are mentioned in the smb.conf file.  Assuming you are running SELinux (it’s default with RedHat Enterprise 5), these can be added at the command line.

Since you created a new directory that will be shared with Samba (the ‘dv1’ directory you created earlier), a label must be set for that as well.  Using ‘dv1’ as the directory name, run this:

To set a label use the following:

#>  chcon -t samba_share_t /dv1

Now to configure the Samba configuration file.  Always make a backup of the original before editing any config file!

#> cp /etc/samba/smb.conf /etc/samba/smb.conf.orig

To edit the config file, do this:

#> nano /etc/samba/smb.conf

Under [global] settings, uncomment the necessary lines and make changes so that it looks something like this:

workgroup = YourWindowsWorkgroupName
server string = YourRedhatServerName
netbios name = YourRedhatServerName
hosts allow = 127.0.0.1 192.168.1.

Leave everything else in that section the way it is.

Note:  the 192.168.1.  address needs to be that of your local network.

Then under Standalone Server Options:

    security = user
    passdb backend = tdbsam

I commented out all Printer sharing crap since I didn’t use any of that.

Lastly, under Share Definitions:

[homes]
        comment = Home Directories
        browseable = no
        writeable = yes
;       valid users = %S
;       valid users = MYDOMAIN%S

;[printers]
;       comment = All Printers
;       path = /var/spool/samba
;       browseable = no
;       guest ok = no
;       writeable = no
;       printable = yes

[dv1]
        comment = My dog has fleas
        path = /dv1/
        valid users = user1,user2,user3
        public = no
        writeable = yes
        create mask = 0765

Obviously, swap out user1,user2,user3 with the users who will be accessing this share.  You put the username for the RedHat box you are on, not the Windows username (unless it’s the same).

Save the file and go back to the command line. Test it out by running this:

#> testparm

You shouln’t see any error reported.  If all is good, run this:

#> service smb restart

You will see smb and nmb stop and restart.  There should be no errors or “FAILED” notices.

Assuming your users already have accounts on your RedHat box, you need to add them to Samba like so:

#> smbpasswd -a username
New SMB password:
Retype new SMB password:

I set a temporary password here, then ask them to change it next time they log into the server at the command line by running this:

#> smbpasswd

It will prompt them for their old password (the temporary one you just gave them), and for the new one.

Once all that is done and you have set your own Samba password, you should be able to do this from Windows:

Go to Start and select Run.  Type in the hostname of your RedHat server (which you specified in the smb.conf file) like so:

\YourRedhatServerName

You will be prompted for a username and password, and you should enter the RedHat server login name and the Smaba password that you just created.

If all goes well, a window will appear which shows the dv1 directory.  You can now drag, drop, copy, and paste to and from this folder as if it were on your Windows machine!

Apple Doesn’t Understand This “Secure” Thing

Published by Will Chatham on 8/21/2008

For years, people have loved Apples and Macs because of their relative security when compared to the likes of Microsoft, who are the target of tens of thousands of viruses, worms, trojans, and other types of malicious programming.

A large part of this has been because of the prevalence of Microsoft Windows, and the fact that Macs make up a tiny little percentage of the home or office computer realm.  However, ever since Apple released the iPhone, it would seem as if they have taken a step out into the world of the unknown, venturing into new territories where no one has gone before.

The problem is, many people have already been in these territories for many years, and Apple obviously has not been paying attention.  It’s like they never considered the thought that once they started venturing outside of the obscure marketshare into the eye of the general public, they too would become targeted by script kiddies, spammers, and all-around evildoers.

The fact of the matter is, Apple, Macs, iThings, and everything else they are doing IS being targeted more now than ever before, and unfortunately, Apple is sitting around wondering why instead of doing anything about it.

Take, for example, this new TechCrunch article explaining a simple way for spammers to harvest all the email addresses of MobileMe users.

From the article:

Apple knows about the problem but insists it isn’t an issue because no one has complained publicly. An Apple representative said to one of our readers: “We’ve never had a complaint from a customer about people spamming them because of their iDisk public folder name. There is no way to remove your account name from the iDisk folders. I’m very sorry.”

Um…ok.  So if I use MobileMe, I can expect a lot of spam.  Maybe they think I’ll get used to it.

TechCrunch goes as far as suggesting that Apple is falling apart at the seams.  They suggest failures with customer service and security exploits as warning signs.  The sad part is, Apple seems to either not care about fixing things, or just not get it, both of which are starting to come off as being arrogant.

Look at the recent ‘patching’ Apple did with the widely-publicized DNS spoofing vulnerability last month.  While every other vendor quickly tackled the problem, Apple released a patch that fixed only their server products, leaving their entire desktop user base still vulnerable.  It took them two more weeks, but on August 15 they finally patched it for everyone.

The nature of being secure, in my opinion, relies upon being open, recognizing vulnerabilities, and taking them head-on.  That’s why there is such a large, active community of security-aware researchers, vendors, and system administrators out there.  Apple seems to be shying away from all of this, perhaps out of naivity, perhaps out of conceit.

Whatever the case, I sincerely hope they come to their senses before it is too late.

Practical Security: Secure Email on Public Wifi Spots

Published by Will Chatham on 8/8/2008

In my revised capacity at my current job, I’ve been handling a lot of
security issues: hardening of systems, software, and processes. I’ve
also been studying for the Security+ certification, so needless to say,
security has been at the top of my mind the last 5 months, and I wish it
would be at least a little closer to the tops of the general public’s
mind.

I’m going to start a new series of blog posts here called Practical
Security in which I will pass on some of the more relevant best
practices relating to the typical internet user, in hopes of helping to
raise awareness amongst anyone who happens to read this blog. (Yes, all
4 of you).

Using Email on Public Wifi
(and the high level of risks therein)

Question:
How often do you stop at a coffee shop to check your email with your
laptop, or leech that open ‘linksys’ network while sitting at a traffic
light with your PDA to shoot off a quick note to your boss? OK, maybe
I’m the only one who does that at traffic lights, but you get my point.

If you have a portable device that can access the Internet, my guess is
that your answer is “quite often”.

Question:
How many of you have configured your email to use some sort of
encryption? (Cue the crickets chirping).

As this excellent StopDesign article explains:

What you may not realize is how easy these low security settings
allow someone else on the same network to spy on the data passing around
on that network. Just because you’re the only person who can see your
laptop screen, doesn’t necessarily mean you’re the only one who can see
the email message you just got from a friend. Just as easily as someone
could sit near you in a quiet cafe or library and overhear your entire
verbal conversation with another person, so could they “listen in” on
all the usernames, passwords, and messages passing to and from your
computer. (And everyone else’s computer for that matter.)

Kinda scary, huh? If you think about it, once they have your email
account password, it’s not too hard to go to your bank and generate a
“lost password” request, which will get sent to your email address,
which they now have control of. Or they might simply decide to send a
breakup letter to your boyfriend on your behalf if they are not feeling
so malicious. Or maybe they thought it would be funny to email your
boss and tell him how good he looks when he gets out of the shower.

By default, email is not secure!

Yes, this includes you, Mac user. Yes, this includes you, Gmail/Yahoo/Hotmail/AOL user.

Make sure your email is on a secure connection!

The Lowdown
If you use a webmail service such as Hotmail, Yahoo Mail, Gmail, or the
like, make sure your web browser (Internet Explorer, Safari, Firefox,
etc) is in “secure” mode by looking for the lock icon. Alternately (or
additionally), look at the address bar of your web browser to make sure
the address showing starts with https and not just http.

If you use Outlook, Outlook Express, Thunderbird, Mac Mail, or any other
‘program’ on your computer to manage your email, there are ways to set
up these applications to run only on secure connections using SSL, TLS,
SSH, and other methods. You may need to consult your local IT guru or
read the rest of the StopDesign article, or this well-written article entitled “5 Steps to Make Your Email Secure“.

Whatever you do, stop checking your email at Starbucks unless you know
it is secure!

Practical Security : Using Email on Public Wifi

Published by Will Chatham on 8/8/2008

In my revised capacity at my current job, I’ve been handling a lot of
security issues: hardening of systems, software, and processes. I’ve
also been studying for the Security+ certification, so needless to say,
security has been at the top of my mind the last 5 months, and I wish it
would be at least a little closer to the tops of the general public’s
mind.

I’m going to start a new series of blog posts here called Practical
Security in which I will pass on some of the more relevant best
practices relating to the typical internet user, in hopes of helping to
raise awareness amongst anyone who happens to read this blog. (Yes, all
4 of you).

Using Email on Public Wifi (and the high level of risks
therein)

Question:
How often do you stop at a coffee shop to check your email with your
laptop, or leech that open ‘linksys’ network while sitting at a traffic
light with your PDA to shoot off a quick note to your boss? OK, maybe
I’m the only one who does that at traffic lights, but you get my point.

If you have a portable device that can access the Internet, my guess is
that your answer is “quite often”.

Question:
How many of you have configured your email to use some sort of
encryption? (Cue the crickets chirping).

As this excellent StopDesign
 article explains:

What you may not realize is how easy these low security settings
allow someone else on the same network to spy on the data passing around
on that network. Just because you’re the only person who can see your
laptop screen, doesn’t necessarily mean you’re the only one who can see
the email message you just got from a friend. Just as easily as someone
could sit near you in a quiet cafe or library and overhear your entire
verbal conversation with another person, so could they “listen in” on
all the usernames, passwords, and messages passing to and from your
computer. (And everyone else’s computer for that matter.)

Kinda scary, huh? If you think about it, once they have your email
account password, it’s not too hard to go to your bank and generate a
“lost password” request, which will get sent to your email address,
which they now have control of. Or they might simply decide to send a
breakup letter to your boyfriend on your behalf if they are not feeling
so malicious. Or maybe they thought it would be funny to email your
boss and tell him how good he looks when he gets out of the shower.

By default, email is not secure!

Yes, this includes you, Mac user. Yes, this includes you,
Gmail/Yahoo/Hotmail/AOL user.

Make sure your email is on a secure connection!

The Lowdown
If you use a webmail service such as Hotmail, Yahoo Mail, Gmail, or the
like, make sure your web browser (Internet Explorer, Safari, Firefox,
etc) is in “secure” mode by looking for the lock icon. Alternately (or
additionally), look at the address bar of your web browser to make sure
the address showing starts with https and not just http.

If you use Outlook, Outlook Express, Thunderbird, Mac Mail, or any other
‘program’ on your computer to manage your email, there are ways to set
up these applications to run only on secure connections using SSL, TLS,
SSH, and other methods. You may need to consult your local IT guru or
read the rest of the StopDesign
 article, or this well-written article entitled “5 Steps to Make Your Email Secure“.

Whatever you do, stop checking your email at Starbucks unless you know
it is secure!

Internet Explorer

Published by Will Chatham on 3/28/2006

Still using Microsoft’s Internet Explorer browser on your Windows machine? Stop already!

With the most recent critical, unpatched security exploits running wild, reports are coming in regarding otherwise innocent web sites silently installing malicious programs that steal your passwords and other sensitive information.

Do yourself a favor and install Firefox or Opera, both free browsers that provide a much better, safer Internet experience. There is no reason not to do this now, unless you like other people having access to your computer and everything you do on it.

If you are still using Microsoft’s Internet Explorer on your Macintosh computer, well, you are missing out on the Internet as it is today. This browser is not subject to the same exploits that the Windows version is, but it is no longer updated or supported by Microsoft, and doesn’t take advantage of many of the newer features of the World Wide Web as we know it. You too can upgrade to Firefox for free.