Ichimusai

Photos and other rants

Meny Stäng

Etikett: debian

More effective CIDR-blocking

Previously we have talked about how to block certain addresses using the firewall in Linux (iptables) but if you have a large number of CIDR blocks, say whole countries like China (about 7000 blocks) this will not be keen on the CPU in the server.

Especially the script that inserts it by repeatedly calling iptables. The first few hundred calls will be quit but then is slows down as the kernel won’t process so many insertions in the iptables lists.

There is another way that is just as effective called blackholing the ip ranges you wish to block from your server. This is done by adding routes for those packest that leads nowhere.

# ip route add blackhole <ip address>

This works quite beautifully with tens of thousands of addresses of course. As before we should read the CIDR files we want in order to create the null routes that is needed.

Here is a script that will read a directory of CIDR files and null route all of them.

for f in /etc/iptables/hosts-banned/*
do
    LINES=$(wc -l $f | awk '{print $1}')
    echo -n "Processing k-line file $f with $LINES blocks... "
    date +"%H:%M:%S"
    while read p
    do
        ip route add blackhole $p
    done < $f
done

The CIDR files in this case resides in /etc/iptables/hosts-banned/ an they can be gotten from online or you may add any address ranges you want, perhaps based on automatic firewalling.

To remove a certain blacholed range or ip you can do the same thing again changin the ip route add to an ip route del command instead.

ip route del <ip address>

You can produce a script that removes them by doing the following:

ip route | grep blackhoe | awk '{ print "ip route del " $2 }' >unblock
chmod 700 unblock
./unblock

That’s it, they are all now cleared.

 

Running Samba in Linux in less than 5 minutes

So you want to share files over the network with perhaps windows machines or you want to be able to have networked file systems that are not requiring Kerberos to become secure but there are something fishy going on with your Samba installation?

Read on, here is the recipe to get it going. First of all make sure you have samba installed. An easy way to check this is to type the following two comnmands:

# service smbd status
 smbd start/running, process 27562
# service nmbd status
 nmbd start/running, process 27540

If either of those are not running, please install the samba package on your machine according to your OS recommendations, it may differ slightly depending on Linux distribution.

When you are done with this it’s time to modify the configuration file for Samba. Use your favorite editor (as root) and start by backing up your original configuration file.

# cp -a /etc/samba/smb.cfg /etc/samba/smb.bak

Then start your favorite editor and start off with this configuration:

[global]
 workgroup = WORKGROUP # change this to be unique on your network
 domain master = yes # there can only be one master
 local master = yes
 preferred master = yes
 os level = 65

 server string = %h server (Samba, Ubuntu)
 name resolve order = bcast host

 interfaces = 127.0.0.1 lo eth0
 bind interfaces only = yes

 log file = /var/log/samba/log.%m
 max log size = 10000
 syslog only = no
 syslog = 0

 map to guest = bad user

[guest]
 comment = networked file system
 path = /mnt/guest # set this to your preferred place
 read only = yes
 guest ok = yes

[anders]
 comment = private file system for anders
 path = /home/anders # be careful with your home folders
 read only = no
 guest ok = no
 valid users = anders

[google-drive]
 comment = private file system anders
 path = /mnt/raid/google-drive # another folder requiring password
 read only = no
 guest ok = no
 valid users = anders

[upload]
 comment = put your upload here
 path = /mnt/raid/upload # something where anyone can upload
 read only = no
 valid users = %S

Make sure the folders you have pointed out are actually valid folders. Then create the users needed to access the system:

# smbpasswd -a username

Type the password and create the users needed as per the shares that you have defined above. The valid users = %S means any user in the system can use that if they give the right password. To delete users from your samba system when no longer needed

# smbpasswd -x username

Next thing is to restard the name server for Samba and the actual server daemon:

# service nmbd restart
nmbd stop/waiting
nmbd start/running, process 28297
# service smbd restart
smbd stop/waiting
smbd start/running, process 28309

When this is done you should be able to connect giving the right username/password or as a guest if you have created the shares for the guest accounts.

Mounting the smb file system on a command line is done like this:

# mount -t cifs //server.name.or.ip/share /mnt/share -o username=yourname

If needed it will ask for your password also.

To list shares on an SMB server, use the following:

# smbclient -L //server.name.or.ip/ -U user%pass

You can skip -U user%pass if you prefer working as guest.

This should get you up and running easily. It’s not sophisticated and you have to manually work the passwords and they are not synced with with the rest of the users on the local machine, that is more complex to set up, this was meant to be a quick starter to get you going.

If you need to list the users in the database (to remove any you do not want any more) you can use the command:

# pdbedit -L

Read the man page for more information.