Share files with Linux, Windows, and Macintosh machines.
There are many different file-sharing protocols, each with strengths and weaknesses and each coming from different development backgrounds. The traditional file-sharing protocol for Unix is NFS (Network File System); for Mac OS, it's AppleShare; and for Windows, it's SMB (Server Message Block). Running a mixed-environment file server used to require supporting a multitude of protocols simultaneously, but in recent years, there has been a convergence on the use of CIFS (Common Internet File System) across all platforms. CIFS is derived from SMB and is the standard file-sharing method in recent versions of Windows. It is also extremely well supported under both Linux and Mac OS as a client and as a server, thanks to the Samba project.
The server component of Samba can even run as a domain controller for a Windows network and supports several authentication backends, including LDAP and TDB. Large installations may benefit from using LDAP, but it is far more complex to set up, so this hack will cover the use of TDB, which is quite suitable for networks up to several hundred users.
Enable Quota Support
To work with quotas, first install the quota package:
$ sudo apt-get install quota
Open /etc/fstab (the File System TABle) in your favorite editor and find the line that refers to the partition that will hold your shares. Add the usrquota and grpquota options. If you have /home on a separate partition, you will need to add the same options to that as well. The end result should look something like:
/dev/hda2 / ext3 defaults,usrquota,grpquota 0 1
/dev/hda3 /home ext3 defaults,usrquota,grpquota 0 2
Then set up the user and group quota files and remount the filesystem:
$ sudo touch /quota.user /quota.group
$ sudo chmod 600 /quota.*
$ sudo mount -o remount /
If you have a separate /home partition, do the same for that file:
$ sudo touch /home/quota.user /home/quota.group
$ sudo chmod 600 /home/quota.*
$ sudo mount -o remount /home
Since there is already data on the partitions, you will need to run the Quota Check tool to scan the filesystems and record current usage per user and group, then activate quota enforcement:
$ sudo quotacheck -avugm
$ sudo quotaon -avug
The mechanism is now in place to enforce quotas, but no users or groups have limits set, so there is no limit yet on how much of the disk they can use.
Install Samba
On your server, install Samba itself plus some additional packages for documentation, share browsing, and printer sharing:
$ sudo apt-get install samba samba-doc libcupsys2-gnutls10 \
libkrb53 winbind smbclient
There are quite a few things to change in the default Samba config file, so open /etc/samba/smb.conf in an editor and go through it to adjust the settings to match the following example. Most of the example can be copied verbatim, but set WORKGROUP to the name of the Windows domain (you can even leave it at WORKGROUP) and set FILESERVER to the hostname of your Linux server:
[global]
workgroup = WORKGROUP
netbios name = FILESERVER
server string = %h server (Samba, Ubuntu)
passdb backend = tdbsam
security = user
username map = /etc/samba/smbusers
name resolve order = wins bcast hosts
domain logons = yes
preferred master = yes
wins support = yes
## Use CUPS for printing
printcap name = CUPS
printing = CUPS
## Set default logon
logon drive = H:
#logon script = scripts/logon.bat
logon path = \\fileserver\profile\%U
## User management scripts
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
idmap uid = 15000-20000
idmap gid = 15000-20000
## Settings to sync Samba passwords with system passwords
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
passwd chat debug = yes
unix password sync = yes
## Set the log verbosity level
log level = 3
[homes]
comment = Home
valid users = %S
read only = no
browsable = no
[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
guest ok = yes
browsable = no
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
admin users = Administrator
valid users = %U
read only = no
[profile]
comment = User profiles
path = /home/samba/profiles
valid users = %U
create mode = 0600
directory mode = 0700
writable = yes
browsable = no
The commented-out line that says:
#logon script = scripts/logon.bat
defines a Windows batch script that will be executed by Windows workstations as soon as a user logs in. This can be really handy if you want to apply standard settings to all computers on your network; you may want to define server drive mappings, set up printers, or configure a proxy server. If you have a logon.bat script, uncomment that line.
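To see how the share settings above interact, here is an added Python example (not from the original post or the Samba project) that parses an smb.conf excerpt into sections and flags settings that widen access; the [public] share in its sample input is constructed and not part of the configuration above.

```python
import re

# Constructed sample: an excerpt of the smb.conf shown above, plus a
# weakened [public] share (not in the original) for the audit to flag.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
security = user
passwd chat debug = yes
## Set the log verbosity level
log level = 3

[homes]
valid users = %S
read only = no
browsable = no

[printers]
path = /var/spool/samba
printable = yes
guest ok = yes

[public]
; constructed share, not in the configuration above
path = /srv/public
guest ok = yes
writable = yes
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; comments start with '#' or ';'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = re.fullmatch(r"\[(.+)\]", line)
        if match:
            current = match.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section; testparm would reject it
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def share_is_writable(opts):
    """'writable'/'writeable' override the default 'read only = yes'."""
    for key in ("writable", "writeable"):
        if key in opts:
            return _yes(opts[key])
    return opts.get("read only", "yes").strip().lower() == "no"

def audit(sections):
    """Return (section, code, message) findings for settings that widen access."""
    findings = []
    glob = sections.get("global", {})
    if _yes(glob.get("passwd chat debug", "no")):
        findings.append(("global", "passwd-chat-debug",
                         "the password chat is logged at debug level 100; "
                         "turn this off once the chat script works"))
    for name, opts in sections.items():
        if name == "global":
            continue
        guest = _yes(opts.get("guest ok", "no")) or _yes(opts.get("public", "no"))
        if guest and share_is_writable(opts):
            findings.append((name, "guest-writable", "writable without a password"))
        elif guest:
            findings.append((name, "guest-ok", "reachable without a password"))
        elif "valid users" not in opts:
            findings.append((name, "no-valid-users", "any authenticated user may connect"))
    return findings

if __name__ == "__main__":
    for section, code, message in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("[%s] %s: %s" % (section, code, message))
```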
Create directories to store domain logons and profiles:
$ sudo mkdir -p /home/samba/netlogon
$ sudo mkdir /home/samba/profiles
$ sudo mkdir /var/spool/samba
$ sudo chmod 777 /var/spool/samba/
$ sudo chown -R root:users /home/samba/
$ sudo chmod -R 771 /home/samba/
Make sure Samba has seen your new configuration:
$ sudo /etc/init.d/samba restart
To enable WINS (Windows Internet Name Service) host resolution, edit /etc/nsswitch.conf and look for a line similar to:
hosts: files dns mdns
Change it to:
hosts: files wins dns mdns
Since your file server is going to be the domain controller (DC) for your Windows domain, you need to specify the computers that will be part of the domain. Open /etc/hosts and add all the servers and workstations:
192.168.0.10 server1
192.168.0.101 workstation1
192.168.0.102 workstation2
...
192.168.0.107 workstation7
Windows typically has a special user named Administrator, which is akin to the root user on Linux, so add the root user to the Samba password database and set up an alias for it. This will allow you to use the Administrator username to add new computers to the Windows domain:
$ sudo smbpasswd -a root
$ sudo sh -c "echo 'root = Administrator' > /etc/samba/smbusers"
To make sure everything has worked up to this point, use smbclient to query Samba:
$ smbclient -L localhost -U%
Monday, 9 November 2009
Build a File Server
Labels: Linux, Tutorial, Ubuntu
Posted by hemlet at 22:25 0 comments
Download Power Defragmenter
Power Defragmenter description
Power Defragmenter is an advanced GUI (Graphical User Interface) for the Sysinternals application Contig, and it takes the defragmentation process to a whole new level.
Contig is a very powerful defragmentation application designed for Windows NT/2000/XP operating systems.
Contig was created by Mark Russinovich and Bryce Cogswell.
Reference: soft-download-info.blogspot.com
Labels: Download
Posted by hemlet at 22:21 0 comments
Tuesday, 20 October 2009
Install and Configure an Ubuntu Server
The Ubuntu installer makes it easy to do a clean and minimal server setup.
The Debian distribution has a well-deserved reputation as being extremely well suited for use in the datacenter, and Ubuntu builds on that by providing simplified installation and official commercial support, making it ideal for mission-critical server deployments.
Minimal Installation
A good principle when building servers is to install as few packages as possible, minimizing the number of things that can go wrong as well as the potential for security flaws. The Ubuntu installer offers a special "server" mode that makes it simple to create a basic server platform onto which you can install the software you require.
Before you perform the actual installation, boot up the server and enter the BIOS setup screen. Because servers typically run without a monitor attached, you will need to find the BIOS setting that tells the computer which errors it should consider fatal and make sure it won't fail on a "no keyboard" or "no monitor" error. The actual setting varies depending on the specific BIOS, so consult the manual for your computer or motherboard if necessary.
Save the BIOS changes and then boot the computer from the Dapper install CD, but don't proceed with the usual installation procedure. If you get a graphical menu, select Install a Server; otherwise, type server at the first prompt. Then, go through the installation procedure. This will give you a minimal selection of packages installed on the system. The server-mode installation doesn't include X or any services at all, giving you a clean platform to configure as you see fit.
One of the first services you will want to install is probably SSH, allowing you to use a secure shell to "Administer Your Server Remotely".
Static Network Configuration
You may have a DHCP server on your network already, in which case your server has been assigned an IP address, but most servers need to have static addresses assigned so they can be found on the network.
Open /etc/network/interfaces (as root) in your favorite editor and find a section that looks like this:
# The primary network interface
auto eth0
iface eth0 inet dhcp
The dhcp argument tells Ubuntu to use a DHCP server to assign the configuration to this interface, so change it to a static configuration and specify the address, netmask, and gateway (router) addresses. Here's an example:
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.3
netmask 255.255.255.0
gateway 192.168.0.1
You can now manually force networking to restart with the following command, but be warned that if the static address you have assigned the server is different from the current address, any SSH sessions will be dropped. You will then be able to log back in at the new address:
$ sudo /etc/init.d/networking restart
UPS-Triggered Shutdown
An uninterruptible power supply (UPS) will keep your server running during a short power failure, but batteries don't last forever, and you risk corrupted filesystems if the batteries go flat and the server stops abruptly. Connect your server to your UPS with a null-modem serial cable and install a program to monitor UPS status and begin a clean shutdown in the event of a blackout. Different brands of UPS have different communication methods, and there are a variety of UPS-management packages, including genpower, apcd, apcupsd, powstatd, and nut, each of which supports different types of UPS. If you run multiple servers on a single UPS, then nut (Network UPS Tools) is a good choice because it can initiate a shutdown of all your servers at once via the network:
$ sudo apt-get install nut
The exact setup process will depend on your UPS type, so start by looking through /usr/share/doc/nut/README.Debian.gz for general background information, and then look at the example configurations in /usr/share/doc/nut/examples/.
Network UPS Tools also has a number of supporting packages available:
nut-cgi: Web interface subsystem
nut-dev: Development files
nut-snmp: Meta SNMP Driver subsystem
nut-usb: USB Drivers subsystem
Remember that if your server is shut down by the UPS-management software, it won't restart automatically when power returns.
Labels: Linux, Tutorial, Ubuntu
Posted by hemlet at 21:14 1 comments
Build a DHCP Server
Use a DHCP server to automatically configure the network settings for all computers on your network.
DHCP (Dynamic Host Configuration Protocol) dramatically simplifies the connection of new computers to your network. With a properly configured DHCP server, any new computers you connect will automatically be assigned an IP address, the address of your router, and nameserver addresses. And, to really make things easy on yourself, you can link your DHCP server to the BIND9 DNS server and have new computers automatically assigned a hostname that maps correctly to their dynamically assigned IP address.
Install the DHCP Daemon
First, make sure you don't already have a DHCP server running on your network; two servers providing conflicting information is a recipe for obscure network problems! Install the Internet Software Consortium (ISC) DHCP server:
$ sudo apt-get install dhcp3-server
Basic Configuration
Open the configuration file /etc/dhcp3/dhcpd.conf, where you will see various configuration options that apply both globally and to specific subnets. The majority of the sample options included in the file are quite self-explanatory, so put appropriate entries in the global settings, and then add a basic stanza for your network:
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.20 192.168.0.50;
option routers 192.168.0.1;
}
The range setting specifies the pool of IP addresses to use when new computers connect to your network, and the routers option is passed on so they can add a default route to use to connect to the Internet.
Assign Addresses to Specific Hosts
Sometimes it can be helpful to force specific IP addresses to be associated with certain hosts, such as printers. When a host connects to the DHCP server, it provides the MAC (Media Access Control) address of the network interface, and the DHCP server can then use that to associate the host with a specific configuration.
If you don't know the MAC address of your computer, you can find it printed on a label on most Ethernet cards; network printers often have it labeled somewhere near the Ethernet connector. On Linux, you can obtain it using ifconfig:
$ /sbin/ifconfig eth0 | grep HWaddr
Back on the DHCP server, open /etc/dhcp3/dhcpd.conf and add a stanza near the end for each host:
host workstation51 {
hardware ethernet 08:00:07:26:c0:a5;
fixed-address 192.168.0.51;
}
Make sure the fixed addresses you set don't fall within a range that has been nominated for general assignment.
Finally, restart the DHCP server so your configuration will take effect:
$ sudo /etc/init.d/dhcp3-server restart
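As an added Python check (not part of the original post or of the ISC DHCP package), the script below parses the subnet range and host stanzas shown above and reports a fixed-address that collides with the dynamic pool, as well as malformed or duplicate MAC addresses and duplicate fixed addresses; the printer1 host in its sample input is constructed to trigger the collision.

```python
import ipaddress
import re

# Constructed sample built from the stanzas shown above, plus a printer1 host
# (not in the original) whose fixed-address lands inside the dynamic pool.
SAMPLE_DHCPD_CONF = """\
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.20 192.168.0.50;
  option routers 192.168.0.1;
}

host workstation51 {
  hardware ethernet 08:00:07:26:c0:a5;
  fixed-address 192.168.0.51;
}

host printer1 {   # constructed: collides with the range above
  hardware ethernet 08:00:07:26:c0:b6;
  fixed-address 192.168.0.30;
}
"""

RANGE_RE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?([\d.]+)(?:\s+([\d.]+))?\s*;")
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"\bhardware\s+ethernet\s+([^\s;]+)\s*;")
FIXED_RE = re.compile(r"\bfixed-address\s+([^\s;]+)\s*;")
MAC_FORMAT = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")

def strip_comments(text):
    """dhcpd.conf comments run from '#' to the end of the line."""
    return re.sub(r"#.*", "", text)

def parse_ranges(text):
    """Return [(low, high)] for every range statement; a lone address is a pool of one."""
    pools = []
    for low, high in RANGE_RE.findall(strip_comments(text)):
        pools.append((ipaddress.IPv4Address(low), ipaddress.IPv4Address(high or low)))
    return pools

def parse_hosts(text):
    """Return {hostname: (mac, fixed_address)}; either is None when absent."""
    hosts = {}
    for name, body in HOST_RE.findall(strip_comments(text)):
        mac = MAC_RE.search(body)
        fixed = FIXED_RE.search(body)
        hosts[name] = (mac.group(1).lower() if mac else None,
                       fixed.group(1) if fixed else None)
    return hosts

def check(text):
    """Return (hostname, problem) pairs for the host stanzas in a dhcpd.conf."""
    problems = []
    pools = parse_ranges(text)
    seen_mac, seen_ip = {}, {}
    for name, (mac, fixed) in parse_hosts(text).items():
        if mac is None or not MAC_FORMAT.fullmatch(mac):
            problems.append((name, "missing-or-malformed-mac"))
        elif mac in seen_mac:
            problems.append((name, "duplicate-mac-with-" + seen_mac[mac]))
        else:
            seen_mac[mac] = name
        if fixed is None:
            continue
        try:
            ip = ipaddress.IPv4Address(fixed)
        except ValueError:
            # ISC also accepts a DNS name here; this check only covers literals
            problems.append((name, "fixed-address-not-ipv4-literal"))
            continue
        if ip in seen_ip:
            problems.append((name, "duplicate-ip-with-" + seen_ip[ip]))
        seen_ip.setdefault(ip, name)
        if any(low <= ip <= high for low, high in pools):
            problems.append((name, "fixed-address-inside-dynamic-range"))
    return problems

if __name__ == "__main__":
    for host, problem in check(SAMPLE_DHCPD_CONF):
        print("%s: %s" % (host, problem))
```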
Hacking the Hack
DNS provides a hostname-to-IP-address resolution service so you don't need to care what actual IP address has been assigned to a computer, but DHCP allows IP addresses to be dished out semi-randomly to machines on your network, which makes it very hard to maintain sensible DNS entries. However, if you use BIND9 to build a domain name server, you can link it to your DHCP server and have DNS records updated automatically each time a computer joins or leaves your network.
First, get your DNS and DHCP servers functioning correctly independently. Once you are happy that they are doing what they are meant to, open the BIND9 configuration file (/etc/bind/named.conf.options) and add a new stanza at the end:
controls {
inet 127.0.0.1 allow {localhost; } keys { "rndc-key"; };
};
The localhost setting specifies that only local processes are allowed to connect, and rndc-key is the name of a secret key that will be used to authenticate connections. The actual key is stored in /etc/bind/rndc.key, which is pre-populated with a randomized key value when the bind9 package is installed. If your DNS and DHCP servers are on the same physical machine, these settings will work nicely, but if they are on different machines, you will need to tell BIND to allow connections from your DHCP host and copy the key file across. Open /etc/bind/named.conf.local, add forward and reverse zones for your local network, and specify that these zones can be updated by clients that know the secret key:
zone "example.com" {
type master;
file "/etc/bind/zones/example.com.hosts";
allow-update { key "rndc-key"; };
notify yes;
};
zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/192.168.0.hosts";
allow-update { key "rndc-key"; };
notify yes;
};
Set up the zone files for example.com.hosts and 192.168.0.hosts as usual, including any statically assigned hostname values.
You also need to tell BIND to load the key file, so after the zone stanzas, add an include line:
include "/etc/bind/rndc.key";
Once you restart BIND, it will be ready to accept dynamic zone updates:
$ sudo /etc/init.d/bind9 restart
Your DHCP server now needs to be told to send update notifications to your DNS server. Open /etc/dhcp3/dhcpd.conf and add these entries to the top of the file:
server-identifier server;
ddns-updates on;
ddns-update-style interim;
ddns-domainname "example.com.";
ddns-rev-domainname "in-addr.arpa.";
ignore client-updates;
include "/etc/bind/rndc.key";
zone example.com. {
primary 127.0.0.1;
key rndc-key;
}
You may need to comment out existing settings that conflict, such as the ddns-update-style none; option included in Ubuntu's default DHCP configuration.
Restart DHCP to apply your changes:
$ sudo /etc/init.d/dhcp3-server restart
From now on, any hosts that register themselves with DHCP will also be automatically added in-memory to your DNS zone.
Labels: Linux, Tutorial, Ubuntu
Posted by hemlet at 21:12 0 comments
Friday, 2 October 2009
Use an Encrypted Filesystem to Protect Your Data
An encrypted filesystem keeps your data safe even if someone steals your computer and tries to mount the disk.
There are a number of techniques for creating encrypted filesystems, typically based on using some kind of loopback device with an encryption layer spliced in the middle. Popular systems include cryptloop and loop-aes, but a more recent development called dm-crypt has some interesting advantages, so that's what we use for this hack. It's faster than cryptloop, easier to implement than loop-aes, and able to operate on a wide range of block devices even when using RAID or LVM because it's built on a new feature in the 2.6 kernel called device-mapper. device-mapper is designed to provide a generic and flexible way to add extra virtual layers on top of real block devices, allowing developers to implement special handlers for mirroring, snapshotting, concatenation, and encryption. As far as filesystem tools are concerned, they are dealing with a real block device, and any special functionality is hidden away by device-mapper.
dm-crypt is a device-mapper target that uses the kernel crypto API to provide transparent encryption, and it's even backward-compatible with the on-disk format used by cryptloop.
Kernel Setup
dm-crypt uses the kernel's crypto API to perform the actual encryption. The standard Dapper kernel loads crypto ciphers as modules, and this hack uses 256-bit AES encryption, so make sure that your kernel has AES support loaded:
$ cat /proc/crypto
256-bit AES is an extremely high-grade encryption algorithm that has been approved by the NSA for use in protecting classified information up to the TOP SECRET level, which is the highest security level, encompassing information that would cause exceptionally grave damage to U.S. national security if disclosed.
If AES support is loaded, you will see output like:
name : aes
module : aes
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
If it's not loaded, you can force it to load manually using modprobe:
$ sudo modprobe aes
Cryptsetup should load this module automatically when required, but it's useful to know how to check for it and load the module manually if necessary.
Install the dmsetup package, which will provide the tools you need to configure the device-mapper target:
$ sudo apt-get install dmsetup cryptsetup
Check that the dmsetup package has created the device mapper:
$ ls -l /dev/mapper/control
Load the dm-crypt kernel module:
$ sudo modprobe dm-crypt
The dm-crypt module registers itself automatically with device-mapper when it's loaded, so next check that device-mapper has recognized it and added crypt as an available target:
$ sudo dmsetup targets
If everything has gone according to plan, you'll see crypt in the output:
crypt v1.1.0
striped v1.0.2
linear v1.0.1
error v1.0.1
Your system is now ready to mount encrypted devices. First, though, you need to create one!
Create an Encrypted Device
There are two options for creating a filesystem to mount as an encrypted device: create a disk image as a file and mount it as a loopback device, or use an actual block device (for example, /dev/hda3). In both cases, the procedure is almost identical, with the exception of some extra preparation required to create and bind the loopback device.
Create a loopback disk image
If you don't have a real device, such as a memory stick or extra disk partition, that you can encrypt, you can instead use dd to create an empty disk image and mount it as a loopback device. In this example, you'll call it secret.img and make it 100 MB in size. Just alter the count value if you want to make it a different size:
$ dd if=/dev/zero of=~/secret.img bs=1M count=100
Use losetup to associate the image with a loopback device:
$ sudo losetup /dev/loop/0 ~/secret.img
You will now have a virtual block device at /dev/loop/0 that you can reference just like any other block device.
Set up the block device
Now you can set up either a real block device (for example, /dev/sda1) or a virtual block device, such as the loopback image created in the previous step, and mount it as an encrypted logical volume using device-mapper. Start by using cryptsetup to create a logical volume (called mysecrets) and bind the block device to it:
$ sudo cryptsetup -y create mysecrets /dev/DEVICENAME
The last argument must be the block device that will be used as an encrypted volume, so if you're using the loopback image created in the previous step as a virtual block device, you would instead run something like:
$ sudo cryptsetup -y create mysecrets /dev/loop/0
In either case, you will be asked for a passphrase for the logical volume, and the -y flag indicates that cryptsetup should confirm the passphrase by asking you for it twice. It's critical that you get it right, because otherwise you'll find yourself locked out of your own data!
You can then confirm that the logical volume has been created:
$ sudo dmsetup ls
You should see the logical volume listed, although the major and minor device numbers may vary:
mysecrets (254, 0)
device-mapper mounts its virtual devices under /dev/mapper, so you should now have a virtual block device at /dev/mapper/mysecrets that behaves just like any other block device but is transparently encrypted.
Just like a real block device, you can create a filesystem on it:
$ sudo mkfs.ext3 /dev/mapper/mysecrets
Create a mount point for the new virtual block device and mount it:
$ sudo mkdir /mnt/mysecrets
$ sudo mount /dev/mapper/mysecrets /mnt/mysecrets
You should now be able to see it mounted just like any other device:
$ df -h /mnt/mysecrets
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/mysecrets 97M 4.1M 88M 5% /mnt/mysecrets
Voilà! You now have a mounted filesystem that behaves just like any other filesystem, but any data you write to /mnt/mysecrets/ will be transparently encrypted before being written to disk, and anything you read from it will be decrypted on the fly.
Unmounting
Unmount the encrypted filesystem as usual:
$ sudo umount /mnt/mysecrets
Even after you have unmounted the block device, it's still configured in dm-crypt as a virtual device. You can confirm this by running sudo dmsetup ls again and seeing that the device is still listed. Because dm-crypt caches the passphrase, any other user on the computer can now remount the device without needing to know the passphrase. To prevent this, you need to explicitly remove the device from dm-crypt after unmounting it:
$ sudo cryptsetup remove mysecrets
After that, it will be truly gone, and remounting it will require the passphrase again.
You can simplify the process by creating a tiny script to unmount and remove the device:
#!/bin/sh
umount /mnt/mysecrets
cryptsetup remove mysecrets
Remounting
Since you'll probably want to mount the encrypted device as your normal user, it will make things easier if you add something like this to your /etc/fstab:
/dev/mapper/mysecrets /mnt/mysecrets ext3 noauto,noatime 0 0
You can also create a script that will take care of creating the dm-crypt device and mounting the volume for you (replace /dev/DEVICENAME with the actual device name or path to the file):
#!/bin/sh
cryptsetup create mysecrets /dev/DEVICENAME
mount /dev/mapper/mysecrets /mnt/mysecrets
If you're using a loopback device, you can also have the script bind the device for you:
#!/bin/sh
losetup /dev/loop/0 ~/secret.img
cryptsetup create mysecrets /dev/loop/0
mount /dev/mapper/mysecrets /mnt/mysecrets
If you get the message "ioctl: LOOP_SET_FD: Device or resource busy," it probably means that the loop device is still mounted. You can remove it with sudo losetup -d /dev/loop/0.
Hacking the Hack
You can even have your entire home directory encrypted if you configure the PAM (Pluggable Authentication Modules) subsystem to mount it for you when you log in. The libpam-mount module allows PAM to mount arbitrary devices automatically when a user logs in, so install it along with openssl:
$ sudo apt-get install libpam-mount openssl
Edit /etc/pam.d/common-auth and add this line to the end:
auth optional pam_mount.so use_first_pass
Then edit /etc/pam.d/common-session and add this line to the end:
session optional pam_mount.so
You need to configure PAM to know what volume to mount and where. In this example, the username is jon and you're using the device /dev/sda1, so substitute your username and device and add a line like this to /etc/security/pam_mount.conf:
volume jon crypt - /dev/sda1 /home/jon cipher=aes aes-256-ecb /home/jon.key
If you want to use a disk image, you need to specify the loop device (such as /dev/loop/0) here and ensure that the system has run losetup before jon has a chance to log in (for example, you could put losetup /dev/loop/0 /home/secret.img into /etc/rc.local).
Because the volume is encrypted, PAM needs access to the key to mount it. The last argument tells PAM to look in /home/jon.key for the key, so create the key file by encrypting your passphrase using OpenSSL:
$ sudo sh -c "echo 'YOUR PASSPHRASE' | openssl aes-256-ecb > /home/jon.key"
You will then be asked for a password, and you must enter the same password you use to log in as that user. The reason is that when you log in, PAM will take the password you provide, use it to decrypt the key file, and then use the passphrase contained in the key file to mount your home directory using dm-crypt.
Note, however, that the step above will leave your passphrase in plain text in your .history file, so clear your history (with history -c) or at least edit it to remove the command before proceeding.
Another approach that avoids storing your passphrase in an encrypted key file is to create your encrypted filesystem with the exact same password you use to log in. Then PAM can simply pass your password through to dm-crypt when you authenticate rather than extract it from the key file. In that situation, you can use a line like this in /etc/security/pam_mount.conf instead:
volume jon crypt - /dev/sda1 /home/jon cipher=aes - -
Finally, to make sure your encrypted home directory is unmounted automatically when you log out, edit /etc/login.defs and make sure the CLOSE_SESSIONS option is set:
CLOSE_SESSIONS yes
Labels: Linux, Tutorial, Ubuntu
Posted by hemlet at 22:25 0 comments