This is an article dealing with:
1. Installation of Samba File Server on Ubuntu Server
2. Hardening Samba File Server
3. Setting up FTP using vsftpd
4. Hardening FTP server
Prerequisites
- Installation of Ubuntu OS
- A client machine (Windows or Linux) with FileZilla installed. FileZilla is a free, open-source file transfer client that supports FTP, FTPS and SFTP
- Run the OS and elevate privileges to root user before starting. This can be done with the command:
sudo su
Installation of Samba File Server
- Install Samba using the following command
apt install samba
- Create the directory that will be shared. In this example it lives at the root of the filesystem, and the tutorial opens it up with mode 777 so that any Samba user can read, write and traverse it. Keep in mind that 777 also makes the directory writable by every local account on the server; on anything beyond a lab machine, give the directory to a dedicated group with a mode such as 2770, add the Samba users to that group, and let the read list and write list settings below decide who may write through Samba. Run the following commands to create it:
mkdir /samba-share
chmod 777 /samba-share
- Next, edit the configuration file to add the share. Begin by making a backup copy of the file:
cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
- Edit /etc/samba/smb.conf with your preferred editor and add the following lines at the bottom of the file (no quotes around the comment; Samba would store them literally):
[sample-samba-share]
path = /samba-share
public = no
valid users = tom, harry
read list = tom
write list = harry
browseable = yes
comment = My Samba File Server
The first line, in square brackets, is the share name that clients will see when they connect.
The path line is the directory that is shared.
public = no (a synonym for guest ok = no) means the share cannot be accessed without a valid account.
The next lines define which users may use the share and what each may do. Samba shares are read-only unless told otherwise: read list keeps tom at read-only access, and write list overrides the default so that harry can both read and write. A user named in both lists is given write access.
browseable = yes makes the share appear when a client lists the server's shares; it grants no access by itself, since credentials are still required.
If you wish to change the workgroup, edit the workgroup value in the [global] section near the top of the same file to the name of your preferred workgroup.
- Next, run testparm to check the configuration for errors; it prints the parsed configuration and warns about unknown parameters:
testparm
- Create the Unix accounts named in the configuration file, giving them /usr/sbin/nologin as their shell so that they cannot log in over SSH or on the console (on Ubuntu the binary lives in /usr/sbin; /sbin/nologin only works on releases where /sbin is merged into /usr/sbin):
useradd tom -s /usr/sbin/nologin
useradd harry -s /usr/sbin/nologin
- Give each user a Samba password, stored separately from the Unix password, which will be needed on the client side to log in. Choose strong passwords:
smbpasswd -a tom
smbpasswd -a harry
- Start the smbd service and nmbd service:
systemctl start smbd
systemctl start nmbd
- Finally, enable both services so that they start at boot:
systemctl enable smbd nmbd
Now we can test from the client side whether the directory is accessible. We will do this from both Linux and Windows.
From Linux OS:
- Open the file manager and click Browse Network under Network
- Enter smb://<ip address> in the address bar, for example:
smb://192.168.100.221
- A window similar to the one below should appear, listing the share under the name we set in the configuration file
- Click sample-samba-share and enter the credentials of one of the users we created. Here we log in as tom.
- Connecting anonymously fails, because the configuration only admits the users named in valid users
- The share is empty because nothing has been created in it yet
- Trying to create anything is refused with Permission denied: tom is on the read list only, so beyond viewing the directory nothing else is possible
- Next we will log in as harry from Windows, add a folder, and then come back to Linux to confirm that it arrived.
On Windows OS:
- Open the run utility by pressing Windows + R.
- In the Open box, enter \\<ip address> as shown below and click OK:
\\192.168.100.221
- A window similar to the one below, listing the server's shares, should appear; double-click sample-samba-share to open the shared directory.
- This time we log in as harry so that we can create a folder, and then check whether that folder is visible from the Linux machine.
- If Windows first tries the connection without credentials, it reports access denied at the bottom of the dialog, because guest access is not enabled on this share; enter harry's username and password when prompted.
- Once logged in, create a folder named Created_in_Windows. The window should now look similar to the one below
- Back on the Linux machine, refresh the view: the folder created from Windows is now visible, which confirms that the Samba share is working
Hardening Samba File Server
Some common ways to harden Samba include:
1. Setting strong passwords for the Samba accounts, not dictionary words, so that they are hard to brute-force; the smbpasswd database is a separate target from /etc/shadow
2. Limiting read and write access to specific authorized users with valid users, read list and write list, and avoiding world-writable share directories such as the chmod 777 used above
3. Refusing empty passwords by keeping null passwords = no in the [global] section (this is Samba's default; make sure nothing sets it to yes)
4. Setting browseable = no on a share so that it is not listed when clients browse the server
5. Disabling the obsolete SMB1 protocol with server min protocol = SMB2 in [global] (the default since Samba 4.11, but worth pinning explicitly on older releases), since SMB1 has no support for SMB3 encryption
6. Restricting the Samba ports to trusted networks with the firewall, and optionally with hosts allow in [global]. A Samba file server uses UDP/137 and UDP/138 for NetBIOS name and datagram services, TCP/139 for NetBIOS sessions and TCP/445 for SMB directly over TCP; TCP/135 belongs to Windows RPC and is not used by a standalone Samba file server. Do not simply block these ports on the server itself, because that also cuts off legitimate clients
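As an added example (not code from the article or from Samba), the script below turns the share definition explained above and the hardening points just listed into something that can be checked offline: smb_access works out which access a given user gets on a share by applying the precedence rules from smb.conf(5) (invalid users, then valid users, then write list, then read list, then read only), and smb_audit reports the share and [global] settings from the hardening list. It runs against a constructed smb.conf containing the sample-samba-share stanza from this article plus two variants: one where tom is in both the read and write lists, and one that uses writable = no and invalid users. Group entries (@group) are not expanded, and the smb.conf it reads is a temporary file the script writes itself.

```sh
#!/bin/sh
# Added example, not code from the article or from Samba: a reviewer for Samba
# share stanzas. smb_access applies the precedence rules of smb.conf(5) to say
# which access a user gets on a share; smb_audit flags the settings the hardening
# list above warns about. Assumptions: plain user names only (@group entries are
# not expanded) and, as in Samba, the last definition of a key wins.

# smb_get CONF SECTION KEY -> prints the value of KEY inside [SECTION], if set
smb_get() {
    awk -v want="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { s = index($0, "["); e = index($0, "]")
                              sec = substr($0, s + 1, e - s - 1); next }
        sec == want && index($0, "=") {
            k = $0; sub(/=.*/, "", k);     gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# in_list NAME "a, b c" -> 0 if NAME is in a comma/space separated Samba list
in_list() {
    for n in $(printf '%s' "$2" | tr ',' ' '); do [ "$n" = "$1" ] && return 0; done
    return 1
}

# is_yes VALUE -> 0 for the spellings Samba accepts as true
is_yes() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in yes|true|1) return 0 ;; *) return 1 ;; esac
}

# smb_access CONF SHARE USER -> prints none, read or write.  Order of precedence:
# invalid users refuses outright; valid users (if set) admits only those listed;
# write list grants write even on a read-only share; read list limits to read
# even on a writable share; otherwise "read only" (default yes) decides.
smb_access() {
    if in_list "$3" "$(smb_get "$1" "$2" 'invalid users')"; then echo none; return 0; fi
    valid=$(smb_get "$1" "$2" 'valid users')
    if [ -n "$valid" ] && ! in_list "$3" "$valid"; then echo none; return 0; fi
    if in_list "$3" "$(smb_get "$1" "$2" 'write list')"; then echo write; return 0; fi
    if in_list "$3" "$(smb_get "$1" "$2" 'read list')"; then echo read; return 0; fi
    ro=$(smb_get "$1" "$2" 'read only')
    wr=$(smb_get "$1" "$2" writable); [ -z "$wr" ] && wr=$(smb_get "$1" "$2" writeable)
    if [ -n "$wr" ]; then is_yes "$wr" && ro=no || ro=yes; fi   # writable inverts read only
    if is_yes "${ro:-yes}"; then echo read; else echo write; fi
}

# smb_audit CONF SHARE -> one line per setting the hardening list warns about
smb_audit() {
    g=$(smb_get "$1" "$2" 'guest ok'); [ -z "$g" ] && g=$(smb_get "$1" "$2" public)
    b=$(smb_get "$1" "$2" browseable)
    is_yes "${g:-no}"  && echo "$2: guest ok/public = yes allows anonymous access"
    is_yes "${b:-yes}" && echo "$2: browseable (Samba's default); set browseable = no to hide it"
    is_yes "$(smb_get "$1" global 'null passwords')" && echo "global: null passwords = yes"
    [ -z "$(smb_get "$1" global 'server min protocol')" ] &&
        echo "global: server min protocol unset (Samba before 4.11 still offers SMB1)"
    return 0
}

# Constructed sample smb.conf: the article's share plus two variants
smb_write_sample() {
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP

[sample-samba-share]
   path = /samba-share
   public = no
   valid users = tom, harry
   read list = tom
   write list = harry
   browseable = yes
   comment = My Samba File Server

[scratch]
   path = /srv/scratch
   read only = no
   read list = tom
   write list = tom harry
   browseable = no

[archive]
   path = /srv/archive
   writable = no
   invalid users = harry
   browseable = no
EOF
}

conf=$(mktemp)
smb_write_sample "$conf"
for share in sample-samba-share scratch archive; do
    for user in tom harry alice; do
        printf '%-20s %-6s %s\n' "$share" "$user" "$(smb_access "$conf" "$share" "$user")"
    done
    smb_audit "$conf" "$share"
done
rm -f "$conf"
```

Running it prints one line per share and user (tom gets read and harry write on sample-samba-share, alice is refused; on scratch tom gets write because write list wins when a name is in both lists; on archive harry is refused by invalid users), followed by the audit lines: sample-samba-share is browseable, and the sample [global] section does not pin server min protocol. Point smb_access and smb_audit at the real /etc/samba/smb.conf to review a live share, keeping in mind that testparm remains the authority on how Samba parses the file.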
Setting up FTP using VSFTPD
- Install vsftpd and check that the service is running:
apt install vsftpd
systemctl status vsftpd
- If the firewall is active, allow the ports you will be using: TCP/20 and TCP/21 (active-mode data and the control connection), TCP/990 (only needed for implicit FTPS) and the passive data range 4000 to 5000, which must be the same range as pasv_min_port/pasv_max_port in the configuration. Port 22 is SSH and is only relevant if you also use SFTP, which is a separate service. With ufw, run:
ufw allow 20/tcp && ufw allow 21/tcp && ufw allow 990/tcp && ufw allow 4000:5000/tcp
- Create a user called ftpuser that we will use to log in. Fill in the details requested, with a strong password that we will use on the client side; the fields from Full Name downwards can be left blank:
adduser ftpuser
- Create a directory called ftp in the user's home folder, give it to nobody:nogroup and allow only read and execute on it. This directory becomes the user's chroot root below, and vsftpd refuses to start a session in a chroot root that the user can write to (unless allow_writeable_chroot=YES is set, which weakens the chroot), so it must stay non-writable:
mkdir /home/ftpuser/ftp
chown nobody:nogroup /home/ftpuser/ftp
chmod 555 /home/ftpuser/ftp
- Inside that directory, create a subdirectory named files and give it to ftpuser:ftpuser. This is the only place where the client can upload, modify or share files:
mkdir /home/ftpuser/ftp/files
chown ftpuser:ftpuser /home/ftpuser/ftp/files
- Next, edit the configuration file /etc/vsftpd.conf. Back it up first, then replace its contents with the following. Copy the option names exactly: vsftpd refuses to start on a misspelled option
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
force_dot_files=YES
pasv_min_port=4000
pasv_max_port=5000
user_sub_token=$USER
local_root=/home/$USER/ftp
- Finally, restart the vsftpd service so that the new configuration takes effect (the passive range above is the one opened in the firewall earlier). Now we can check whether the server is accessible from the client side.
- Launch the FileZilla Application from your client-side Operating System. In this case, we will be using Windows but any system supporting FileZilla can be used.
- Enter the server's IP address, the username and password configured above, and click Quickconnect. If the connection fails, check that vsftpd is running and that the firewall rules above are in place. Do not fall back to port 22: that is SSH/SFTP, a separate service that would bypass vsftpd and its chroot entirely.
- Upload a sample folder with any name into the files directory on the server side (the right-hand pane). An upload directly into the top-level ftp directory is refused, because that directory is deliberately read-only.
- Finally, go back to the server and list /home/ftpuser/ftp/files to confirm that the folder uploaded from FileZilla is there. If it is, the FTP server is working properly.
Hardening FTP Server
Various methods can be used to harden an FTP server and make it less exposed to attack. These include:
1. Using SFTP (file transfer over SSH) instead of plain FTP; note that this is a separate service provided by OpenSSH, not a vsftpd setting
2. Enabling TLS (FTPS) on vsftpd with ssl_enable=YES, and forcing it with force_local_logins_ssl=YES and force_local_data_ssl=YES, so that credentials and data cannot be read or altered by a man-in-the-middle
3. Confining each user to the shared directory with chroot_local_user=YES, as done above, and removing files that are no longer needed after a set period
4. Allow and deny lists: restricting which client IP addresses may connect (with firewall rules) and which accounts may log in (vsftpd's userlist_enable, userlist_deny and userlist_file options)
5. Disabling anonymous login (anonymous_enable=NO)
6. Configuring firewall rules to allow only the specific ports in use, including the full passive port range
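As an added example that is not code from the article or from vsftpd, the script below checks a vsftpd.conf the way vsftpd will at start-up and against the hardening list above, and also checks that the passive port range is actually covered by the ufw rule from the setup steps. It runs against two constructed files: a deliberately broken one containing a misspelled local_umask and a passive range above 65535 (two easy mistakes; vsftpd refuses to start on the first and the second silently breaks directory listings), and a corrected version with the hardening applied (TLS forced on, a login allow-list, anonymous access off). The set of known option names is an assumption of the example, limited to the options used on this page plus the TLS and user-list options; the certificate and user-list paths in the hardened sample are assumptions as well.

```sh
#!/bin/sh
# Added example, not code from the article or from vsftpd: a pre-flight check
# for /etc/vsftpd.conf. vsftpd dies at start-up on an option name it does not
# know ("500 OOPS: unrecognised variable in config file") and on a boolean that
# is not YES/NO ("bad bool value in config file"), and a passive range the
# firewall does not cover makes every directory listing hang. The option lists
# below are an assumption of this example, not the full vsftpd.conf(5).

VSFTPD_BOOL="listen listen_ipv6 anonymous_enable local_enable write_enable
dirmessage_enable use_localtime xferlog_enable connect_from_port_20
chroot_local_user force_dot_files allow_writeable_chroot pasv_enable ssl_enable
force_local_logins_ssl force_local_data_ssl ssl_sslv2 ssl_sslv3 ssl_tlsv1
userlist_enable userlist_deny"
VSFTPD_OTHER="local_umask secure_chroot_dir pam_service_name pasv_min_port
pasv_max_port user_sub_token local_root rsa_cert_file rsa_private_key_file
userlist_file listen_port max_clients max_per_ip idle_session_timeout ftpd_banner"

# has WORD LIST -> 0 if WORD is one of the whitespace separated words in LIST
has() { for w in $2; do [ "$w" = "$1" ] && return 0; done; return 1; }

# cfg CONF KEY -> value of KEY in CONF (last definition wins, empty if unset)
cfg() { awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) } END { print v }' "$1"; }

# vsftpd_lint CONF -> prints one finding per line, nothing when the file is clean
vsftpd_lint() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | while IFS='=' read -r k v; do
        if has "$k" "$VSFTPD_BOOL"; then
            case "$v" in YES|NO) ;; *) echo "$k=$v: bad bool value, vsftpd takes only YES or NO" ;; esac
        elif ! has "$k" "$VSFTPD_OTHER"; then
            echo "$k: unknown option, vsftpd will die with 'unrecognised variable in config file'"
        fi
    done
    lo=$(cfg "$1" pasv_min_port); hi=$(cfg "$1" pasv_max_port)
    case "${lo:-1024}${hi:-65535}" in
        *[!0-9]*) echo "pasv range $lo-$hi: ports must be numeric" ;;
        *) if [ "${lo:-1024}" -lt 1024 ] || [ "${hi:-65535}" -gt 65535 ] ||
              [ "${lo:-1024}" -gt "${hi:-65535}" ]; then
               echo "pasv range $lo-$hi: need 1024 <= min <= max <= 65535, and the same range opened in ufw"
           fi ;;
    esac
    [ "$(cfg "$1" anonymous_enable)" = NO ] || echo "anonymous_enable is not NO (vsftpd's built-in default is YES)"
    if [ "$(cfg "$1" ssl_enable)" = YES ]; then
        for opt in force_local_logins_ssl force_local_data_ssl; do
            [ "$(cfg "$1" $opt)" = YES ] || echo "$opt should be YES so clients cannot fall back to plain FTP"
        done
    else
        echo "ssl_enable is not YES: logins and data cross the network in clear text"
    fi
    return 0
}

# pasv_covered CONF RULE -> 0 if a ufw port spec such as 4000:5000/tcp covers
# the passive range in CONF
pasv_covered() {
    lo=$(cfg "$1" pasv_min_port); hi=$(cfg "$1" pasv_max_port)
    r=${2%/*}; rlo=${r%%:*}; rhi=${r##*:}
    [ "$rlo" -le "$lo" ] && [ "$hi" -le "$rhi" ]
}

# Constructed sample 1: a misspelled local_umask and a six-digit passive range
vsftpd_write_broken() {
    cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_mask=022
chroot_local_user=YES
pasv_min_port=400000
pasv_max_port=500000
user_sub_token=$USER
local_root=/home/$USER/ftp
EOF
}

# Constructed sample 2: corrected, with the hardening list applied
# (certificate and user-list paths are assumptions of this example)
vsftpd_write_hardened() {
    cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
pam_service_name=vsftpd
pasv_min_port=4000
pasv_max_port=5000
user_sub_token=$USER
local_root=/home/$USER/ftp
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.userlist
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
EOF
}

b=$(mktemp); h=$(mktemp)
vsftpd_write_broken "$b"; vsftpd_write_hardened "$h"
echo "== broken =="; vsftpd_lint "$b"
pasv_covered "$b" 4000:5000/tcp || echo "passive range not covered by 'ufw allow 4000:5000/tcp'"
echo "== hardened =="; vsftpd_lint "$h"
pasv_covered "$h" 4000:5000/tcp && echo "passive range covered by 'ufw allow 4000:5000/tcp'"
rm -f "$b" "$h"
```

The checker is only as good as its option lists, so extend VSFTPD_BOOL and VSFTPD_OTHER from vsftpd.conf(5) before relying on it on a real server; when a live vsftpd does fail to start after an edit, the journal shown by systemctl status vsftpd names the offending option in the same wording. Forcing TLS only has value if the clients are configured to verify the certificate; a self-signed one at the assumed path still leaves a man-in-the-middle possible against clients that accept any certificate.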
Resources
The following can be used in case of errors during the installation, or to supplement the material presented here.