304Settings - amagerard/FreeRadius GitHub Wiki
https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_active_directory_higher_security_tips.html
Add in smb.conf.
vi /etc/samba/smb.conf
[global]
# Restrict null session
restrict anonymous = 2
Add in smb.conf.
vi /etc/samba/smb.conf
[global]
# Disable Netbios
disable netbios = yes
smb ports = 445
Add in smb.conf.
vi /etc/samba/smb.conf
[global]
# Disable printer support
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
Add in smb.conf.
vi /etc/samba/smb.conf
[global]
# Disable NTLMv1
ntlm auth = mschapv2-and-ntlmv2-only
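The four [global] blocks above are easy to lose when a configuration management tool or a later edit rewrites smb.conf. The following shell script is an added example, not part of this wiki or of Samba: it normalises the [global] section of a smb.conf (or, better, of the output of testparm -s saved to a file, since testparm resolves case, whitespace and defaults exactly as smbd does) and lists every hardening directive from this chapter that is absent or set to another value. The function names and the EXPECTED list are this example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki: check that a smb.conf carries the
# [global] hardening directives from this chapter. Pass the file itself or,
# better, the output of `testparm -s` redirected to a file.

# "key=value" pairs we expect, in normalised form (lowercase, no spaces
# around '=', internal whitespace collapsed).
EXPECTED='restrict anonymous=2
disable netbios=yes
smb ports=445
printcap name=/dev/null
load printers=no
disable spoolss=yes
ntlm auth=mschapv2-and-ntlmv2-only'

# normalise_global FILE: print the [global] section as normalised key=value
# lines, ignoring comments and every other section ([sysvol], shares, ...).
normalise_global() {
    awk '
        { low = tolower($0) }
        low ~ /^[ \t]*[#;]/ { next }                       # comment line
        low ~ /^[ \t]*\[/ {                                # section header
            in_global = (low ~ /^[ \t]*\[global\][ \t]*$/)
            next
        }
        in_global && index(low, "=") > 0 {
            eq  = index(low, "=")
            key = substr(low, 1, eq - 1)
            val = substr(low, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print key "=" val
        }' "$1"
}

# missing_hardening FILE: print every expected directive that is absent from
# [global] or set to another value (the expected line is printed in that
# case). Empty output means the file passes.
missing_hardening() {
    actual=$(normalise_global "$1")
    printf '%s\n' "$EXPECTED" | while IFS= read -r want; do
        printf '%s\n' "$actual" | grep -qxF "$want" || printf '%s\n' "$want"
    done
}

# Usage on the DC:
#   testparm -s > /tmp/smb.effective 2>/dev/null && missing_hardening /tmp/smb.effective
```

A directive placed in a share section instead of [global] (a common mistake with load printers) is reported as missing, because the check only reads [global], which is also the only place smbd honours these options.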
I need:
/etc/ssl/certs/thot.crt (to be created).
/etc/ssl/certs/CA.crt (to be created).
/etc/ssl/private/thot.key (to be created).
This domain is: dw.learn.lan
To be created under Windows, with the DNS RSAT console:
Alias (CNAME): dns.dw.learn.lan
with the host target thot.dw.learn.lan
Common Name for CA.csr: dns.dw.learn.lan
Common Name for thot.csr: thot.dw.learn.lan
Repeat the TemplateVM/certificate chapter 6.2.1 procedure to create CA.key and CA.crt.
Repeat the TemplateVM/certificate chapter 6.3.1 procedure to create thot.key and thot.crt.
Generate the certification authority.
Generate the private key (RSA type key).
openssl genrsa -out /etc/ssl/private/CA.key 4096
Generate the Certificate Signing Request (RSA type key). The -days option is ignored by req -new; the lifetime is set when the certificate is signed below.
openssl req -new -days 1460 -key /etc/ssl/private/CA.key -out /etc/ssl/certs/CA.csr
CountryName (2 letter code) [XX]:FR
State or Province Name (full name) []:France
Locality Name (eg, city) [Default City]:Versailles
Organization Name (eg, company) [Default Company Ltd]:dw.learn
Organizational Unit Name (eg, section) []:office
Common Name (eg, your name or your server's hostname) []:dns.dw.learn.lan
Email Address []:[email protected]
Self-sign the CA certificate (RSA type key). With no extension file this produces an X.509 v1 certificate without basicConstraints; OpenSSL tolerates such a self-signed root, but stricter validators may not.
openssl x509 -req -days 1460 -in /etc/ssl/certs/CA.csr -out /etc/ssl/certs/CA.crt -signkey /etc/ssl/private/CA.key
You get 3 files.
/etc/ssl/private/CA.key
/etc/ssl/certs/CA.csr
/etc/ssl/certs/CA.crt
Server certificate, signed by the CA.
Generate private key.
openssl genrsa -out /etc/ssl/private/thot.key 4096
Generate Certificate Signing Request.
openssl req -new -days 365 -key /etc/ssl/private/thot.key -out /etc/ssl/certs/thot.csr
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:France
Locality Name (eg, city) [Default City]:Versailles
Organization Name (eg, company) [Default Company Ltd]:dw.learn
Organizational Unit Name (eg, section) []:office
Common Name (eg, your name or your server's hostname) []:thot.dw.learn.lan
Email Address []:[email protected]
Sign the server certificate with the CA. openssl ca reads the CA section of /etc/ssl/openssl.cnf (CA directory, index.txt, serial file, certificate and key paths), which must point at the CA.crt and CA.key created above, otherwise the command fails before signing.
openssl ca -config /etc/ssl/openssl.cnf -out /etc/ssl/certs/thot.crt -in /etc/ssl/certs/thot.csr
You get 3 files.
/etc/ssl/private/thot.key
/etc/ssl/certs/thot.csr
/etc/ssl/certs/thot.crt
chmod 400 /etc/ssl/certs/CA.crt
chmod 400 /etc/ssl/certs/thot.crt
chmod 600 /etc/ssl/private/thot.key
Apply the same root-only permissions to /etc/ssl/private/CA.key; the CA key is the most sensitive file of the set, since whoever holds it can issue certificates that every domain member trusts.
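The chapter's openssl calls work, but the CA certificate they produce is a v1 certificate with no basicConstraints, and the server certificate carries no subjectAltName, which modern LDAPS clients require (they ignore the CN). The script below is an added example, not the wiki's procedure and not Samba code: it produces the same four files with the X.509 v3 extensions validators look for, then checks the chain, the SAN and the CA flag. It assumes OpenSSL 1.1.1 or later and writes to a directory of your choice (the wiki uses /etc/ssl) so it can be tried as an unprivileged user; the function names, the extension files and the default key size are this example's own.

```shell
#!/bin/sh
# Added example, not the wiki's own procedure: build CA.key/CA.crt and
# thot.key/thot.crt with proper v3 extensions and verify them.
# Assumes OpenSSL >= 1.1.1. OUTDIR replaces /etc/ssl so this runs unprivileged.

# make_dc_certs OUTDIR HOST ALIAS [BITS]
make_dc_certs() {
    outdir=$1
    host=$2          # DC FQDN, e.g. thot.dw.learn.lan
    alias=$3         # CNAME clients also use, e.g. dns.dw.learn.lan (CA CN as in the wiki)
    bits=${4:-4096}
    subj="/C=FR/ST=France/L=Versailles/O=dw.learn/OU=office"

    mkdir -p "$outdir" && chmod 700 "$outdir"

    # 1. CA key + CSR, then self-sign with CA:TRUE and keyCertSign so that
    #    validators accept it as an issuer (the bare -signkey call does not add these).
    openssl genrsa -out "$outdir/CA.key" "$bits" 2>/dev/null
    openssl req -new -key "$outdir/CA.key" -out "$outdir/CA.csr" -subj "$subj/CN=$alias"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$outdir/CA.ext"
    openssl x509 -req -days 1460 -in "$outdir/CA.csr" -signkey "$outdir/CA.key" \
        -extfile "$outdir/CA.ext" -out "$outdir/CA.crt" 2>/dev/null

    # 2. Server key + CSR.
    openssl genrsa -out "$outdir/thot.key" "$bits" 2>/dev/null
    openssl req -new -key "$outdir/thot.key" -out "$outdir/thot.csr" -subj "$subj/CN=$host"

    # 3. Sign with the CA. The SAN carries both names the clients connect to;
    #    the EKU restricts the certificate to server authentication.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,DNS:%s\n' \
        "$host" "$alias" > "$outdir/thot.ext"
    openssl x509 -req -days 365 -in "$outdir/thot.csr" \
        -CA "$outdir/CA.crt" -CAkey "$outdir/CA.key" -CAcreateserial \
        -extfile "$outdir/thot.ext" -out "$outdir/thot.crt" 2>/dev/null

    # 4. Private keys root-only; certificates are public material.
    chmod 600 "$outdir/CA.key" "$outdir/thot.key"
    chmod 644 "$outdir/CA.crt" "$outdir/thot.crt"
}

# verify_dc_certs OUTDIR HOST: chain, SAN and CA-flag checks.
# Prints OK, or the name of the failing check and returns 1.
verify_dc_certs() {
    outdir=$1; host=$2
    openssl verify -CAfile "$outdir/CA.crt" "$outdir/thot.crt" >/dev/null 2>&1 \
        || { echo "chain"; return 1; }
    openssl x509 -in "$outdir/thot.crt" -noout -text | grep -q "DNS:$host" \
        || { echo "san"; return 1; }
    openssl x509 -in "$outdir/CA.crt" -noout -text | grep -q "CA:TRUE" \
        || { echo "ca-flag"; return 1; }
    echo OK
}

# Usage: make_dc_certs ./pki thot.dw.learn.lan dns.dw.learn.lan && verify_dc_certs ./pki thot.dw.learn.lan
```

Once the files are in place, the same verify call against the paths in smb.conf (openssl verify -CAfile CA.crt thot.crt) is the quickest way to confirm the chain Samba will present over LDAPS before restarting the service.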
Add in smb.conf. The key and certificates were created under /etc/ssl; on RHEL /etc/ssl/certs is a symlink to /etc/pki/tls/certs, so check that the three paths below resolve to the files you created.
vi /etc/samba/smb.conf
[global]
# Certificates
tls enabled = yes
tls keyfile = /etc/pki/tls/private/thot.key
tls certfile = /etc/pki/tls/certs/thot.crt
tls cafile = /etc/pki/tls/certs/CA.crt
Add in smb.conf.
vi /etc/samba/smb.conf
[global]
# Generate additional password hashes
password hash userPassword schemes = CryptSHA256 CryptSHA512
Sinkhole the wpad and isatap names to 127.0.0.1. If these names do not exist, any domain member can register them through dynamic DNS updates, and an attacker who does so can pull proxy auto-discovery (WPAD) and ISATAP traffic through a host they control. The -P option authenticates the update with the DC's own machine account.
samba-tool dns add `hostname -s` `hostname -d` wpad A 127.0.0.1 -P
samba-tool dns add `hostname -s` `hostname -d` isatap A 127.0.0.1 -P
Add in smb.conf.
vi /etc/samba/smb.conf
[global]
# limit the RPC dynamic port range (must match the firewall rule below)
rpc server dynamic port range = 50000-50500
Reconfigure the firewall
vi /etc/ufw/applications.d/ufw-custom
[SRVADS]
title=SRVADS
description=Firewall access Educpedia
ports=88,135,389,445,464,636,3268,3269,50000:50500/tcp|88,389,464/udp
Remove the existing SRVADS rules and add them again so the new port list is applied (ufw app update SRVADS also re-reads a changed profile).
ufw reload
ufw allow IN SRVADS
ufw allow OUT SRVADS
ufw status verbose
Edit krb5.conf.
vi /etc/krb5.conf
Add these lines, which leave only AES and Camellia for Kerberos and exclude RC4 and DES:
[libdefaults]
allow_weak_crypto = false
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
systemctl restart samba
Check that the administrator account can still obtain a Kerberos ticket.
kinit administrator
By default the maximum password age in a Samba AD domain is 43 days, after which the Administrator password expires.
From a computer joined to the domain dw.learn.lan, as a domain administrator:
Start button
Windows Administrative Tools
Active Directory Users And Computers
Users
Administrator
Properties
Account
Password never expires
Apply
This removes the expiry safeguard from the most privileged account; if you keep it, rotate the password by hand on the same schedule you use for krbtgt.
From a computer joined to the domain dw.learn.lan.
Declare the domain controller as the time server for all computers in the domain (Kerberos rejects requests from clocks more than 5 minutes off by default).
Create a new GPO.
Start button.
Windows administrative tools
Group Policy Management
Group Policy Objects.
New.
Name : force ntp server to domain controller
Edit
Computer configuration
Policies
Administrative templates
System
Windows Time Service
Time Providers
Configure Windows NTP Client: Enabled
NtpServer: thot.dw.learn.lan,0x9
Type: NTP
Enable Windows NTP Client: Enabled
Enable Windows NTP Server: Enabled
Link the GPO at the domain level, next to the Default Domain Policy.
Mark it "Enforced".
Alternatively, change the time provider manually on a client:
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"thot.dw.learn.lan"
net start w32time
w32tm /query /peers /verbose
Check windows time service.
w32tm /stripchart /computer:thot.dw.learn.lan
w32tm /query /configuration
w32tm /query /status
w32tm /resync /force
https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_reset_krbtgt.html
It is recommended to change the krbtgt account password regularly (e.g. every month or every two months).
The ANSSI recommendation is currently every 40 days.
It is preferable to do the password change on the machine that has the PDC emulator role.
In my case, I don't have any secondary controllers.
If you have other secondary controllers .
Before changing the password, check that the replication works with all DCs:
samba-tool drs replicate thot-secondary thot dc=dw,dc=learn,dc=lan
Getting the KRBTGT password change script:
cd /root
# Samba 4.20
wget https://gitlab.com/samba-team/samba/raw/v4-20-stable/source4/scripting/devel/chgkrbtgtpass
Then run the script that was previously retrieved:
python3 chgkrbtgtpass
Ensure that the password has been updated by checking the "Password last set" date:
pdbedit -Lv krbtgt
A single change does not invalidate tickets already issued: in AD the KDC keeps the previous krbtgt key so that existing TGTs remain valid. To invalidate a forged (golden) ticket as well, run the change twice, waiting at least the maximum ticket lifetime (10 hours by default) between the two runs so that legitimate tickets have been renewed in the meantime.
In case of a power outage or any other system crash, these mount options are highly recommended on a DC (acl and user_xattr are also what Samba needs to store NT ACLs on sysvol).
vi /etc/fstab
Replace defaults by "defaults,acl,user_xattr,barrier=1":
/dev/mapper/vgl0-root / ext4 defaults,acl,user_xattr,barrier=1 1 1
/dev/mapper/vgl0-var /var ext4 defaults,acl,user_xattr,barrier=1 1 2
/dev/mapper/vgl0-varlog /var/log ext4 defaults,acl,user_xattr,barrier=1 1 2
https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_configure_rsyslog.html
There is already a samba file for log rotation:
/etc/logrotate.d/samba
I changed the name audit_samba.log to log.audit_samba so that it matches the /var/log/samba/log.* pattern handled by /etc/logrotate.d/samba.
Add to the file /etc/samba/smb.conf
:
vi /etc/samba/smb.conf
[global]
# rsyslog samba ad
log level = 1 auth_json_audit:3@/var/log/samba/log.audit_samba\
kerberos:3@/var/log/samba/log.audit_kerberos
systemctl restart samba
systemctl restart rsyslog
Test the log rotation for log.audit_samba.
From a computer joined to the domain dw.learn.lan, first sign out and sign in again to generate some log entries.
Then, on the SambaAD server:
logrotate /etc/logrotate.d/samba --verbose --force
ls -l /var/log/samba/old/log.audit_*
https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_ad_fail2ban.html
By default an AD domain lets you define password policies that protect the domain by locking out accounts after repeated failed logons. fail2ban adds a second layer at the network level: it bans the source address rather than the account, which also catches password spraying against many accounts from one host.
If not done yet, check that log redirection is enabled in smb.conf:
vi /etc/samba/smb.conf
[global]
# rsyslog samba ad
log level = 1 auth_json_audit:3@/var/log/samba/log.audit_samba\
kerberos:3@/var/log/samba/log.audit_kerberos
Install the utility fail2ban:
# RedHat9 and derived distributions
dnf install fail2ban
I use ufw rather than firewalld, so disable firewalld and switch the default ban action to iptables, which ufw is built on.
systemctl stop firewalld
systemctl mask firewalld
Edit the file 00-firewalld.conf.
cp /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.conf_ori
vi /etc/fail2ban/jail.d/00-firewalld.conf
[DEFAULT]
banaction = iptables-multiport
banaction_allports = iptables-allports
Create the configuration file /etc/fail2ban/filter.d/samba.conf
:
vi /etc/fail2ban/filter.d/samba.conf
[Definition]
failregex = NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:
Create the configuration file /etc/fail2ban/jail.d/samba.conf
:
vi /etc/fail2ban/jail.d/samba.conf
[samba]
filter = samba
enabled = true
action = iptables-multiport[name=samba, port="88,135,389,445,464,636,3268,3269", protocol=tcp]
# mail[name=samba, [email protected]]
logpath = /var/log/samba/log.audit_samba
maxretry = 5
findtime = 600
bantime = 600
To exclude some IP addresses from fail2ban,
create the file /etc/fail2ban/jail.d/customisation.local
:
vi /etc/fail2ban/jail.d/customisation.local
[DEFAULT]
#administrator computer
ignoreip = 192.168.80.50
Enable fail2ban:
systemctl enable --now fail2ban
To unlock an IP address:
fail2ban-client set samba unbanip <COMPUTER_IP>
Display blocked IP addresses:
fail2ban-client status samba
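Before trusting the jail, it is worth seeing exactly what the failregex keys on. The script below is an added example, not part of the wiki or of fail2ban: it replays the filter's regex over a few auth_json_audit lines and applies the jail's maxretry and the ignoreip list to show which source addresses would be banned. The log lines are constructed here in the shape of Samba's JSON authentication audit records, trimmed to the fields that matter; the function names are this example's own. It does not model findtime. On the DC itself, run fail2ban-regex /var/log/samba/log.audit_samba /etc/fail2ban/filter.d/samba.conf against the real log instead.

```shell
#!/bin/sh
# Added example, not part of the wiki: replay the samba filter's failregex
# over constructed auth_json_audit lines and apply maxretry / ignoreip.

# fail2ban substitutes <HOST> with a host pattern; the filter hard-codes the
# "ipv4:" prefix, so only IPv4 addresses are matched here as well.
FAILREGEX='NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:([0-9]{1,3}\.){3}[0-9]{1,3}:'

# write_sample_log FILE: constructed sample, not a real capture.
# 5 wrong passwords from .30, 2 from .31, one unknown user from .40, one success from .50.
write_sample_log() {
    cat > "$1" <<'EOF'
{"timestamp": "2024-05-01T10:00:01+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.80.5:445", "remoteAddress": "ipv4:192.168.80.30:49738", "serviceDescription": "SMB2", "clientAccount": "alice"}}
{"timestamp": "2024-05-01T10:00:03+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.80.5:445", "remoteAddress": "ipv4:192.168.80.30:49739", "serviceDescription": "SMB2", "clientAccount": "alice"}}
{"timestamp": "2024-05-01T10:00:05+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.80.5:445", "remoteAddress": "ipv4:192.168.80.50:50012", "serviceDescription": "SMB2", "clientAccount": "administrator"}}
{"timestamp": "2024-05-01T10:00:06+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.80.5:445", "remoteAddress": "ipv4:192.168.80.31:51001", "serviceDescription": "SMB2", "clientAccount": "bob"}}
{"timestamp": "2024-05-01T10:00:08+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.80.5:445", "remoteAddress": "ipv4:192.168.80.30:49740", "serviceDescription": "SMB2", "clientAccount": "alice"}}
{"timestamp": "2024-05-01T10:00:09+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.80.5:445", "remoteAddress": "ipv4:192.168.80.40:40123", "serviceDescription": "SMB2", "clientAccount": "jdoe"}}
{"timestamp": "2024-05-01T10:00:11+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.80.5:445", "remoteAddress": "ipv4:192.168.80.30:49741", "serviceDescription": "SMB2", "clientAccount": "alice"}}
{"timestamp": "2024-05-01T10:00:12+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.80.5:445", "remoteAddress": "ipv4:192.168.80.31:51002", "serviceDescription": "SMB2", "clientAccount": "bob"}}
{"timestamp": "2024-05-01T10:00:15+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:192.168.80.5:445", "remoteAddress": "ipv4:192.168.80.30:49742", "serviceDescription": "SMB2", "clientAccount": "alice"}}
EOF
}

# failed_hosts FILE: source IP of each line the filter would count, in log order.
failed_hosts() {
    grep -E "$FAILREGEX" "$1" \
      | sed -E 's/.*remoteAddress": "ipv4:([0-9.]+):.*/\1/'
}

# would_ban FILE MAXRETRY [IGNOREIP ...]: addresses with at least MAXRETRY
# matches that are not in the ignore list, one per line, sorted.
would_ban() {
    log=$1; maxretry=$2; shift 2
    failed_hosts "$log" | sort | uniq -c \
      | awk -v max="$maxretry" -v ignore="$*" '
          BEGIN { n = split(ignore, ig, " "); for (i = 1; i <= n; i++) skip[ig[i]] = 1 }
          $1 >= max && !($2 in skip) { print $2 }'
}

# Usage:
#   write_sample_log /tmp/audit.json
#   would_ban /tmp/audit.json 5                 # -> 192.168.80.30
#   would_ban /tmp/audit.json 2 192.168.80.30   # .30 ignored -> 192.168.80.31
```

Note what the replay shows about the filter: the NT_STATUS_NO_SUCH_USER attempt from .40 is never counted, so a host enumerating usernames is not banned by this jail. If you want that too, change the start of failregex to NT_STATUS_(WRONG_PASSWORD|NO_SUCH_USER) and re-test with fail2ban-regex.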
Add in /etc/samba/smb.conf
:
vi /etc/samba/smb.conf
[global]
# Auditing to Sysvol and NetLogon
full_audit:failure = none
full_audit:success = pwrite write renameat
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility = local7
full_audit:priority = NOTICE
Then add full_audit to the vfs objects of the [sysvol] and [netlogon] sections. Writes are logged through syslog facility local7; a write to sysvol by anything other than the accounts that are supposed to edit GPOs is a tampering signal worth alerting on.
[sysvol]
path = /var/lib/samba/sysvol
vfs objects = dfs_samba4, acl_xattr, full_audit
read only = No
[netlogon]
path = /var/lib/samba/sysvol/dw.learn.lan/scripts
vfs objects = dfs_samba4, acl_xattr, full_audit
read only = No
systemctl restart samba