Lab 09 - SAMBA and FTP

In this lab, you will install and configure the basic settings of Samba and FTP services.

Software Installation

Install the samba, smbclient, and vsftpd packages:

sudo apt update
sudo apt install samba smbclient vsftpd

Check the status of the services:

sudo service smbd status
sudo service nmbd status
sudo service vsftpd status

Firewall Rules

Add UFW rules to allow the smb, nmb, and ftp services through your firewall:

sudo ufw allow 21/tcp
sudo ufw allow 137,138/udp
sudo ufw allow 139,445/tcp

Sharing with Samba

Configure Samba to share user home directories in read-write mode by editing /etc/samba/smb.conf. The default configuration provides sufficient information in the comments to help you get started. Note that # and ; indicate commented-out items. Look for "Share Definitions" in the comments to get to the section you need to modify.

sudo nano /etc/samba/smb.conf

# Test and review your configurations:
testparm

# Restart the service if everything seems OK. 
sudo service smbd restart

Verify you can see your shares:

smbclient -L localhost
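
An added example, not part of the original lab: a check of whether the [homes] share ends up writable after your edit, taking a [global] default into account. The function names and the sample fragment are constructed for illustration; testparm remains the authoritative check.

```shell
#!/bin/sh
# Prints the effective "read only" value for [homes]: yes, no, or missing.
# Reads smb.conf text on stdin, or from a file given as an argument.
homes_read_only() {
    awk '
        function truthy(v) { return (v == "yes" || v == "true" || v == "1") }
        BEGIN { ro["global"] = 1 }             # Samba built-in default: read only = yes
        /^[ \t]*[#;]/ { next }                 # "#" and ";" both start a comment
        /^[ \t]*\[/ {                          # section header such as [homes]
            sec = tolower($0)
            gsub(/^[ \t]*\[[ \t]*|[ \t]*\].*$/, "", sec)
            if (sec == "homes") seen = 1
            next
        }
        (eq = index($0, "=")) && (sec == "global" || sec == "homes") {
            # Parameter names are case-insensitive and ignore inner spaces.
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1));    gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            # writable, writeable and "write ok" are inverted synonyms of read only.
            if (key == "readonly") ro[sec] = truthy(val)
            else if (key ~ /^(writable|writeable|writeok)$/) ro[sec] = !truthy(val)
        }
        END {
            if (!seen) { print "missing"; exit }
            eff = ("homes" in ro) ? ro["homes"] : ro["global"]   # share overrides global
            print (eff ? "yes" : "no")
        }
    ' "$@"
}

# Constructed sample fragment (not taken from a real server).
sample_conf() {
    cat <<'EOF'
[global]
   workgroup = WORKGROUP
;[printers]
[homes]
   comment = Home Directories
   browseable = no
;   read only = yes
   Read Only = no
   valid users = %S
[print$]
   read only = yes
EOF
}

sample_conf | homes_read_only
```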

You can attempt to browse to the IP address of your server using your file manager from your host OS. Depending on what configurations you have enabled, you may need to provide your Linux username and password.

Make your Linux account available for Samba use. Essentially, we are creating a Windows user account.

# Add your user account
sudo pdbedit -a -u yourfirstname

# Review the user account information by listing the accounts with -L and -v
sudo pdbedit -L -v

Notice that you can create Windows user accounts in your Linux machine. These users are in a separate database and do not need to be linked to Linux users. Samba supports different kinds of user databases, from local authentication to directory services such as LDAP. Refer to pdbedit man pages in your system or on samba.org.

Use smbclient to make sure your SMB share is working:

smbclient -U yourfirstname //localhost/yourfirstname

# Use `ls` to list files, `cd` to navigate, and `exit` to close
smb: \> ls
smb: \> exit

Add a Share and a Windows User for Client Access

Create a Linux user named student with a shell of /bin/nologin and a home directory to be used to hold files for a Windows-only user:

# Use `useradd` to skip configuring some items for this user account. 
# We want to leave the account locked without a Linux password
sudo useradd -m -s /bin/nologin student

Do not set a password on the account; leave it locked. Use pdbedit to add that user to Samba:

# Set password to be "Password01"
sudo pdbedit -a -u student

Note: the student user's Samba password must be set to Password01 so that the server-check.sh script can test it. Check that the student user has valid SMB access to their home directory hosted on your Linux server:

smbclient -U student //localhost/student Password01 --command "ls;"

FTP service

  1. Edit your /etc/vsftpd.conf.
    1. Verify that anonymous access is enabled (anonymous_enable) but anonymous uploads are not (anon_upload_enable set to no).
    2. Verify that local users are allowed to log in (local_enable) and write files (write_enable).
    3. When you make changes to the settings, restart the vsftpd service.
  2. Verify you can access your ftp server with your personal account using the ftp command.
ftp localhost
<login to the ftp server using your personal account>
ftp> ls
ftp> exit
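
An added example, not part of the original lab: a script that compares a vsftpd.conf with the four settings listed in step 1 and reports each one that differs, is missing, or is written with whitespace around "=". The function names and the sample file are constructed for illustration; on your server you would feed it /etc/vsftpd.conf.

```shell
#!/bin/sh
# vsftpd_value KEY: reads a config on stdin and prints the last active value of
# KEY as YES/NO, "unset" if no active line sets it, or "malformed".
vsftpd_value() {
    awk -v k="$1" '
        /^#/ { next }                          # comment lines start with "#"
        (eq = index($0, "=")) {
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            bare = key; gsub(/[ \t]/, "", bare)
            if (bare != k) next
            # vsftpd does not accept spaces between option, "=" and value.
            if (key != bare || val ~ /^[ \t]|[ \t\r]$/) { out = "malformed"; next }
            val = toupper(val)                 # booleans are case-insensitive
            if (val == "TRUE"  || val == "1") val = "YES"
            if (val == "FALSE" || val == "0") val = "NO"
            out = val                          # file is read top to bottom: last one wins
        }
        END { print (out == "" ? "unset" : out) }
    '
}

# audit_vsftpd: reads a config on stdin, prints one line per setting that does
# not match what the lab asks for; prints nothing when all four match.
audit_vsftpd() {
    conf=$(cat)
    for want in anonymous_enable=YES anon_upload_enable=NO local_enable=YES write_enable=YES; do
        key=${want%%=*}; exp=${want#*=}
        got=$(printf '%s\n' "$conf" | vsftpd_value "$key")
        [ "$got" = "$exp" ] || printf '%s: want %s, got %s\n' "$key" "$exp" "$got"
    done
}

# Constructed sample file (not taken from a real server).
sample_vsftpd() {
    cat <<'EOF'
listen=NO
anonymous_enable=NO
#anonymous_enable=YES
local_enable=YES
write_enable = YES
#anon_upload_enable=YES
EOF
}

sample_vsftpd | audit_vsftpd
```

An "unset" result means the daemon's built-in default applies, so set the option explicitly rather than relying on it.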

Create a file named index.html in the anonymous ftp directory (~ftp). Make the content something that clearly identifies the file (e.g. This is the index file from the ftp server).

# For convenience
sudo su
echo "this is the index file from the ftp server" > ~ftp/index.html

# Make sure the file is owned by the user `ftp`.
chown ftp ~ftp/index.html

# Exit the root shell
exit

Verify you can see the document using wget or curl or with a web browser using the URL ftp://your-ip-address/index.html.

curl ftp://your-server-ip/index.html

FTP Security Notice

This configuration is very insecure and is not fit for most internet deployments. If you are planning to configure FTP properly, consider hardening this service by (not limited to) controls such as:

Evaluate Your Server