I have recently connected my network to a friend's network so that we can share services between our infrastructures. However, when you are the only one using the services within your network, security sometimes is a bit lax (although that is not recommended).
The presence of someone else in your network creates a sense of insecurity, and I am suddenly feeling paranoid about safeguarding my systems as much as I can.
Although my friend himself is not a threat, we need to consider the possibility of him falling victim to a hack, and we do not want to see the bad guys jumping from his network to ours.
With that in mind, I am going to redesign a system that has a couple of folders shared on the network to accommodate access for my friend while being as secure as possible.
First, we need to create a new user on the Linux system.
Let's break down the command to add the new user.
-c : Comment to describe the user.
-M : do not create the user's home directory.
-N : do not create a group with the same name as the user.
-s : login shell of the new account. It is set to /bin/false because the user does not need a shell on the system.
We will now set a password for the new user.
Let's confirm that the user has been created.
getent passwd | grep geraldo
geraldo:x:1001:132:Geraldo IPSECVPN Access:/home/geraldo:/bin/false
We can now add the user to the
sudo adduser geraldo sambashare
We need to make sure that the new user is part of the
getent group sambashare
Finally, we will lock the user so that this Samba user cannot log in to the host itself, reducing the security risk for the host system.
Since this tutorial is not an in-depth explanation of how to install and configure Samba, I will paste my smb.conf file and briefly explain it.
valid users = @sambashare : only users that are members of the sambashare group will be allowed to log in to this share.
force group = sambashare : we are forcing the group sambashare onto all new files and folders created in the shared folders.
create mask & directory mask : force all files and folders created to have read, write and execute for the owner and group, and no permissions for others.
The permissions for the folder games are:
I had to create the folder /media/games because it seems that the folder /media/tiago was created by the system and has special permissions that prevented the new user from browsing it.
Also, here are the fstab entries for the mounts:
We need to restart the Samba server after the changes.
sudo systemctl restart smbd
And finally, add the new user to the local Samba users list. Samba keeps its own password database, separate from the system password we set earlier, so this step is needed even though the system account already has a password.
sudo smbpasswd -a geraldo
New SMB password:
Retype new SMB password:
Added user geraldo.
Let's test the connection:
tiago@desktop ~ (main)> smbclient \\\\192.168.25.10\\games -U geraldo
Enter WORKGROUP\geraldo's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Oct 14 13:06:32 2021
  ..                                  D        0  Thu Oct 14 12:49:20 2021
  games_01                            D        0  Thu Oct 14 13:21:22 2021
  games_02                            D        0  Thu Oct 14 13:21:57 2021

                134672104 blocks of size 1024. 41861420 blocks available
smb: \> exit
We have now completed the creation of a new Samba user and adjusted the shares with some extra security.
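As an added example (not part of the original post), here is a small POSIX shell audit that checks the hardening applied above against constructed stand-ins for the getent output and the smb.conf share section: the account has no usable shell, it is a member of sambashare, and each share restricts access to valid users, forces the group, refuses guests, and grants no permissions to others in its masks. The sample data, share names and the second "public" share are constructed for illustration.

```shell
# Constructed sample data standing in for getent output and smb.conf (not from a real host).
SAMPLE_PASSWD='geraldo:x:1001:132:Geraldo IPSECVPN Access:/home/geraldo:/bin/false'
SAMPLE_GROUP='sambashare:x:132:tiago,geraldo'
SAMPLE_SMBCONF='[games]
   path = /media/games
   valid users = @sambashare
   force group = sambashare
   create mask = 0770
   directory mask = 0770
   guest ok = no
[public]
   guest ok = yes
   create mask = 0777
'
# Pass when the passwd(5) entry (field 7) has no usable login shell.
check_shell() {
  case "$(printf '%s\n' "$1" | cut -d: -f7)" in
    /bin/false|/usr/sbin/nologin|/sbin/nologin) return 0 ;; *) return 1 ;;
  esac
}
# Pass when USER appears in the member list (field 4) of a group(5) line.
check_group_member() {
  printf '%s\n' "$2" | cut -d: -f4 | tr ',' '\n' | grep -qx "$1"
}
# Print the value of KEY inside [SHARE] of an smb.conf text; prints nothing if unset.
share_setting() {
  printf '%s\n' "$1" | awk -v share="[$2]" -v key="$3" '
    $0 ~ /^[ \t]*\[/ { sub(/^[ \t]+/, ""); in_share = ($0 == share); next }
    in_share && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    }'
}
# Audit one share: members-only access, a forced group, no guests, and masks whose
# "other" digit is 0. Prints each miss and returns 1 if anything is wrong.
audit_share() {
  rc=0
  [ -n "$(share_setting "$1" "$2" 'valid users')" ] || { echo "[$2] has no 'valid users' restriction"; rc=1; }
  [ -n "$(share_setting "$1" "$2" 'force group')" ] || { echo "[$2] has no 'force group'"; rc=1; }
  [ "$(share_setting "$1" "$2" 'guest ok')" != yes ] || { echo "[$2] allows guest access"; rc=1; }
  for key in 'create mask' 'directory mask'; do
    case "$(share_setting "$1" "$2" "$key")" in
      0[0-7][0-7]0) ;;
      *) echo "[$2] $key is unset or grants permissions to others"; rc=1 ;;
    esac
  done
  return $rc
}
```

On a live host the same functions can be fed `getent passwd geraldo`, `getent group sambashare` and the contents of /etc/samba/smb.conf instead of the constructed samples.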
A future project will be to create a central credentials system, such as a database or a RADIUS server, so that instead of creating local users on the system we can add users to a centralised system that will make management much easier.