704Settings - amagerard/Freeradius GitHub Wiki


4. Settings.

4.2 Security.

https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_active_directory_higher_security_tips.html

4.2.1 Disable null session connections.

Add to smb.conf (restrict anonymous = 2 refuses anonymous IPC$ connections as well; on a DC that only serves domain members this is the intended effect):
vi /etc/samba/smb.conf

[global]  
# Restrict null session  
  restrict anonymous = 2  

4.2.2 Disable netbios.

Add in smb.conf.
vi /etc/samba/smb.conf

[global]  
       # Disable Netbios  
        disable netbios = yes  
        smb ports = 445  

4.2.3 Disable printer support.

Add in smb.conf.
vi /etc/samba/smb.conf

[global]  
# Disable printer support  
printcap name = /dev/null  
load printers = no  
disable spoolss = yes  
printing = bsd  

4.2.4 Disable NTLMv1.

Add to smb.conf (NTLMv1 and LM responses are refused; MSCHAPv2 stays allowed because ntlm_auth needs it for FreeRadius PEAP/EAP-MSCHAPv2 authentication):
vi /etc/samba/smb.conf

[global]  
# Disable NTLMv1  
ntlm auth = mschapv2-and-ntlmv2-only  

4.2.5 Replace the self-signed certificate that Samba generated at provisioning with one issued by a CA your organisation trusts.

Files used below (all under /etc/pki/tls, the directory smb.conf points to at the end of this section):

/etc/pki/tls/private/CA-ecc.key (to be created: CA private key).
/etc/pki/tls/certs/CA-ecc.crt (to be created: CA certificate).
/etc/pki/tls/private/thot-ecc.key (to be created: server private key).
/etc/pki/tls/certs/thot-ecc.crt (to be created: server certificate).

The domain is dw.learn.lan and the domain controller is thot.dw.learn.lan.

Create in DNS (RSAT DNS console on a Windows admin workstation):
Alias (CNAME) dns.dw.learn.lan with host target thot.dw.learn.lan

Example of the subject fields (the same values are written into the configuration file below, so openssl does not have to prompt for them):

Country Name (2 letter code) [XX]:FR  
State or Province Name (full name) []:France  
Locality Name (eg, city) [Default City]:Versailles  
Organization Name (eg, company) [Default Company Ltd]:dw.learn  
Organizational Unit Name (eg, section) []:office  
Common Name (eg, your name or your server's hostname) []:dns.dw.learn.lan  
Email Address []:[email protected]  

Create the CA request configuration file.

vi /etc/pki/tls/authority.conf

[ req ]  
distinguished_name = req_distinguished_name  
x509_extensions = v3_ca  
prompt = no  
[ req_distinguished_name ]  
C = FR  
ST = France  
L = Versailles  
O = dw.learn  
OU = office  
CN = dns.dw.learn.lan  
emailAddress = [email protected]  
[ v3_ca ]  
basicConstraints = critical,CA:TRUE  
# a CA certificate must be allowed to sign certificates and CRLs  
keyUsage = critical,keyCertSign,cRLSign  
subjectKeyIdentifier = hash  
authorityKeyIdentifier = keyid:always,issuer:always  
[ v3_req ]  
# the server key is ECDSA: TLS needs digitalSignature; keyEncipherment only applies to RSA keys  
keyUsage = critical,digitalSignature  
extendedKeyUsage = serverAuth  
subjectAltName = @alt_names  
[ alt_names ]  
IP.1 = 192.168.40.47  
DNS.1 = dns.dw.learn.lan  
# the DC's own name: the CN of the server certificate and the name LDAP clients connect to  
DNS.2 = thot.dw.learn.lan  

IP.1 is the IP address that dns.dw.learn.lan resolves to (the CNAME points at thot.dw.learn.lan). Modern clients match the name they connect to against the subjectAltName only, not the CN, so every name and address used to reach the DC must be listed here.

Generate CA-ecc.key and CA-ecc.crt (the key written by the first command is the one read by the second, so keep both under /etc/pki/tls).
openssl ecparam -name prime256v1 -genkey -noout -out /etc/pki/tls/private/CA-ecc.key
openssl req -x509 -new -key /etc/pki/tls/private/CA-ecc.key -sha256 -days 1430 -out /etc/pki/tls/certs/CA-ecc.crt -extensions 'v3_ca' -config /etc/pki/tls/authority.conf

Check the CA certificate (CA:TRUE and the key identifiers must be present).
openssl x509 -in /etc/pki/tls/certs/CA-ecc.crt -text -noout

X509v3 Basic Constraints: critical  
                CA:TRUE  
X509v3 Authority Key Identifier:   
                keyid:7E:C5:68:8C:D8:B2:94:A0:CA:B4:F5:9B:DA:36:FB:5B:29:D8:7F:7D  
                DirName:/C=FR/ST=France/L=Versailles/O=dw.learn/OU=office/CN=dns.dw.learn.lan/[email protected]  
                serial:4C:12:01:58:60:A9:05:A7:E0:91:C8:0A:A5:DB:06:E1:37:B3:1A:9A  

Restrict the private key. The certificate is public, but Samba reads it as root, so 400 does no harm.
chmod 400 /etc/pki/tls/private/CA-ecc.key  
chmod 400 /etc/pki/tls/certs/CA-ecc.crt  

Server certificate signed by the local CA.
Generate the private key.
openssl ecparam -genkey -name prime256v1 -noout -out /etc/pki/tls/private/thot-ecc.key
Generate the Certificate Signing Request (-days has no effect on a CSR: the validity period is set when the CA signs it).
openssl req -new -key /etc/pki/tls/private/thot-ecc.key -out /etc/pki/tls/certs/thot-ecc.csr

Country Name (2 letter code) [XX]:FR  
State or Province Name (full name) []:France  
Locality Name (eg, city) [Default City]:Versailles   
Organization Name (eg, company) [Default Company Ltd]:dw.learn  
Organizational Unit Name (eg, section) []:office  
Common Name (eg, your name or your server's hostname) []:thot.dw.learn.lan  
Email Address []:[email protected]  

Sign the CSR with the local CA.
See chapter 6.2.2.2: Server configuration for future CSR requests for the settings of the openssl.cnf file (the CA database, serial file and directories that openssl ca requires).
openssl ca ignores extensions carried in the CSR unless copy_extensions is set, so pass the v3_req section of authority.conf explicitly; otherwise the issued certificate has no subjectAltName and clients reject it.

openssl ca -config /etc/ssl/openssl.cnf -extfile /etc/pki/tls/authority.conf -extensions v3_req -out /etc/pki/tls/certs/thot-ecc.crt -in /etc/pki/tls/certs/thot-ecc.csr

chmod 600 /etc/ssl/private/thot-ecc.key  
chmod 400 /etc/ssl/certs/thot-ecc.crt  

Add in smb.conf.
vi /etc/samba/smb.conf

[global]  
# Certificats  
tls enabled = yes  
tls keyfile = /etc/pki/tls/private/thot-ecc.key  
tls certfile = /etc/pki/tls/certs/thot-ecc.crt  
tls cafile = /etc/pki/tls/certs/CA-ecc.crt  
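The whole procedure of this section as an added example, not the wiki's own commands and not Samba's: it builds the ECC CA and the server certificate in a scratch directory passed as a parameter instead of /etc/pki/tls, signs the CSR with openssl x509 -req and an extension file (a substitution for the openssl ca step above that needs no CA database), then checks what an LDAPS client checks: the chain, the DC name and IP against the subjectAltName, and the extensions. The host names and IP are the page's; the CA subject "dw.learn internal CA" is an assumed name. It needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the wiki): local ECC CA + server certificate, built in
# a scratch directory and verified the way an LDAPS client verifies it.
# Assumptions: OpenSSL 1.1.1 or later; the CA subject below is an invented name.
set -e

build_chain() {
    dir="$1"
    mkdir -p "$dir"

    # CA: CA:TRUE plus keyCertSign, without which a strict verifier rejects the chain.
    cat > "$dir/ca.conf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
C = FR
O = dw.learn
CN = dw.learn internal CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
EOF

    # Leaf extensions, supplied at signing time: the signer decides the SAN
    # and key usage, never the CSR. An ECDSA key needs digitalSignature.
    cat > "$dir/server.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:thot.dw.learn.lan, DNS:dns.dw.learn.lan, IP:192.168.40.47
EOF

    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/CA-ecc.key"
    openssl req -x509 -new -key "$dir/CA-ecc.key" -sha256 -days 1430 \
        -config "$dir/ca.conf" -extensions v3_ca -out "$dir/CA-ecc.crt"

    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/thot-ecc.key"
    openssl req -new -key "$dir/thot-ecc.key" -sha256 \
        -subj "/C=FR/O=dw.learn/CN=thot.dw.learn.lan" -out "$dir/thot-ecc.csr"
    openssl x509 -req -in "$dir/thot-ecc.csr" -CA "$dir/CA-ecc.crt" \
        -CAkey "$dir/CA-ecc.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/server.ext" -out "$dir/thot-ecc.crt"

    chmod 400 "$dir/CA-ecc.key" "$dir/thot-ecc.key"
}

# Prints "ok" when thot-ecc.crt chains to CA-ecc.crt, matches the DC's name
# and IP through the SAN and carries the expected extensions; otherwise
# prints the first failing check and returns 1.
verify_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/CA-ecc.crt" \
        -verify_hostname thot.dw.learn.lan "$dir/thot-ecc.crt" >/dev/null 2>&1 \
        || { echo "chain-or-hostname"; return 1; }
    openssl verify -CAfile "$dir/CA-ecc.crt" \
        -verify_ip 192.168.40.47 "$dir/thot-ecc.crt" >/dev/null 2>&1 \
        || { echo "ip"; return 1; }
    text=$(openssl x509 -in "$dir/thot-ecc.crt" -noout -text)
    echo "$text" | grep -q "Digital Signature" || { echo "keyusage"; return 1; }
    echo "$text" | grep -q "CA:FALSE" || { echo "basicconstraints"; return 1; }
    echo "$text" | grep -q "TLS Web Server Authentication" || { echo "eku"; return 1; }
    echo ok
}

# Stand-alone run: build in a temporary directory and report.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    build_chain "$d" >/dev/null 2>&1
    verify_chain "$d"
    rm -rf "$d"
fi
```

Run it with --demo and expect ok. Once the real files are in /etc/pki/tls and Samba has been restarted, the same checks can be made against the live service with openssl s_client -connect thot.dw.learn.lan:636 -CAfile /etc/pki/tls/certs/CA-ecc.crt, which must end with Verify return code: 0 (ok).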

4.2.6 Generate additional password hashes.

Add to smb.conf. The extra hashes are written into userPassword only when a password is set or changed, so existing accounts get them at their next password change.
vi /etc/samba/smb.conf

[global]  
# Generate additional password hashes  
password hash userPassword schemes = CryptSHA256 CryptSHA512  

4.2.7 Protect the wpad and isatap DNS names.

Register wpad and isatap as A records pointing to 127.0.0.1, so that no domain member can register these names through dynamic DNS updates and take over proxy auto-discovery (WPAD) or ISATAP tunnelling for the whole domain. -P authenticates with the DC's machine account.

samba-tool dns add `hostname -s` `hostname -d` wpad A 127.0.0.1 -P  
samba-tool dns add `hostname -s` `hostname -d` isatap A 127.0.0.1 -P  

4.2.8 Limit dynamic port range.

Add in smb.conf.
vi /etc/samba/smb.conf

[global]  
# limit the RPC dynamic port range  
rpc server dynamic port range = 50000-50500  

Reconfigure the firewall: port 135 (endpoint mapper) plus the range 50000-50500 that it now hands out, instead of the whole ephemeral range.
vi /etc/ufw/applications.d/ufw-custom

[SRVADS]  
title=SRVADS  
description=Firewall access Educpedia  
ports=88,135,389,445,464,636,3268,3269,50000:50500/tcp|88,389,464/udp  

Delete the existing SRVADS rule so the new port list is loaded (the rule number comes from ufw status numbered; 12 is only an example).
ufw status numbered
Example:

[12] SRVADS                     ALLOW IN    Anywhere   

ufw delete 12

Add it again.
ufw allow IN SRVADS
ufw allow OUT SRVADS

ufw reload
ufw status numbered
ufw status verbose

4.2.10 Limit Kerberos encryption types.

Edit krb5.conf.
vi /etc/krb5.conf
Add these lines. RC4 and DES are no longer permitted; Windows clients negotiate only the AES types from this list (Windows does not implement Camellia), so listing Camellia is harmless.

[libdefaults]  
allow_weak_crypto = false  
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac  

systemctl restart samba
Check that authentication still works.
kinit administrator

4.2.11 Change the Administrator password expiry.

From a computer joined to the domain dw.learn.lan.
By default the domain's maximum password age applies (42 days on a freshly provisioned Samba domain), after which the Administrator password expires.
Exempting the built-in Administrator from expiry is a convenience trade-off: keep that account for emergencies and do day-to-day administration with personal accounts that stay under the policy.
Go to a Windows administrator session.
Start button.
All.
Windows Tools.
Active Directory Users And Computers.

Users  
       Administrator  
               Properties  
                   Account  
                   Password never expires  
                   Apply  

4.2.12 Declare the domain controller as the time server.

From a computer joined to the domain dw.learn.lan.
Declare the domain controller as the time server for all computers in the domain. Kerberos tolerates 5 minutes of clock skew by default, so every member must follow the DC's clock.

Create a new GPO.

Start button.
All.
Windows tools.
Group Policy Management.

    Group Policy Objects.  
       New.  
           Name : force ntp server to domain controller  

Edit

Computer configuration  
      Policies  
          Administrative templates  
               System  
                      Windows Time Service  
                          Time Providers  
                              Configure Windows NTP Client  enabled  
                                     NtpServer: thot.dw.learn.lan,0x9  (0x9 = 0x1 SpecialInterval + 0x8 Client)  
                                     Type: NTP  
                              Enable Windows NTP Client   enabled  
                              Enable Windows NTP Server   enabled  

Link the GPO at the domain level, alongside the Default Domain Policy.
Mark it "Enforced".

For information: set the time source manually on a single machine (instead of through the GPO).

Change provider.  
  net stop w32time  
      w32tm /config /syncfromflags:manual /manualpeerlist:"thot.dw.learn.lan"  
  net start w32time  
      w32tm /query /peers /verbose  

Check the Windows time service.

w32tm /stripchart /computer:thot.dw.learn.lan  
w32tm /query /configuration  
w32tm /query /status  
w32tm /resync /force  

4.2.13 Change the krbtgt password.

https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_reset_krbtgt.html
It is recommended to change it regularly (e.g. every month or every two months).
The ANSSI recommendation is currently every 40 days.
Do the change on the DC that holds the PDC emulator role.
In my case, I don't have any secondary controllers.
If you have secondary controllers, check before changing the password that replication works with all of them:
samba-tool drs replicate thot-secondary thot dc=dw,dc=learn,dc=lan

Fetch the krbtgt password change script matching your Samba version.
Example: Samba 4.23.
cd /root

# Samba 4.23  
wget https://gitlab.com/samba-team/samba/raw/v4-23-stable/source4/scripting/devel/chgkrbtgtpass  

Then run the script:
python3 chgkrbtgtpass

Ensure that the password has been updated by checking the last modification date:
pdbedit -Lv krbtgt

Tickets issued before the change stay valid until they expire (10 hours by default), because the KDC, like Windows, still accepts the previous krbtgt key. To invalidate tickets forged with a stolen krbtgt hash, run the change a second time after that delay.

4.2.14 Enable ACLs and extended attributes (user_xattr) on the affected partitions.

Samba keeps the NT ACLs of SYSVOL in extended attributes, so acl and user_xattr are required; barrier=1 keeps write ordering so the filesystem stays consistent after a power outage or any other crash, which matters on a DC. On current ext4 all three are on by default; listing them makes the requirement explicit.
vi /etc/fstab
Replace defaults by "defaults,acl,user_xattr,barrier=1"

UUID=bfcd6acc-5ee0-42a9-bd40-3f0a000ecbd5 /         ext4    defaults,acl,user_xattr,barrier=1    1 1  
UUID=811ea220-05f8-480a-b3df-72425dce8627 /var      ext4    defaults,acl,user_xattr,barrier=1    1 2  
UUID=dbf254e9-3fde-4490-a4fb-395efb7e2cd1 /var/log  ext4    defaults,acl,user_xattr,barrier=1    1 2  

For information, Red Hat 10 changed how partition mounting is set up.
To find the UUID of a partition:

blkid | grep root  
blkid | grep var  

4.3 Rsyslog Samba AD.

https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_configure_rsyslog.html

The log rotation file for these logs is /etc/logrotate.d/samba.

Add to /etc/samba/smb.conf (the class:level@file syntax writes the authentication and Kerberos audit classes to their own files):
vi /etc/samba/smb.conf

[global]  
# rsyslog samba ad  
log level = 1 auth_json_audit:3@/var/log/samba/log.audit_samba\  
             kerberos:3@/var/log/samba/log.audit_kerberos  

systemctl restart samba
systemctl restart rsyslog

Test the log rotation of log.audit_samba.

Before testing, sign out and sign in again from a computer joined to the domain dw.learn.lan so that authentication events get written.

On the Samba AD server:
logrotate /etc/logrotate.d/samba --verbose --force
ls -l /var/log/samba/old/log.audit_*

4.4 Configuring Fail2ban for Samba-AD.

4.4.1 Install fail2ban.

https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_ad_fail2ban.html
The AD password policy already locks out an account after repeated failed logons; fail2ban adds a network-level block of the source IP, which also stops a client that tries wrong passwords against many different accounts.
If not done yet, check that the audit log redirection is active in smb.conf.
vi /etc/samba/smb.conf

[global]  
# rsyslog samba ad  
log level = 1 auth_json_audit:3@/var/log/samba/log.audit_samba\  
            kerberos:3@/var/log/samba/log.audit_kerberos  

Install the utility fail2ban:

# RedHat10 and derived distributions.  
dnf install fail2ban  

Disable firewalld, since this setup uses ufw (fail2ban's default RHEL jail configuration targets firewalld, hence the banaction override below).
systemctl stop firewalld
systemctl mask firewalld

Edit the file 00-firewalld.conf.
cp /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.conf_ori
vi /etc/fail2ban/jail.d/00-firewalld.conf

[DEFAULT]  
banaction = iptables-multiport  
banaction_allports = iptables-allports  

Create the configuration file /etc/fail2ban/filter.d/samba.conf:
vi /etc/fail2ban/filter.d/samba.conf

[Definition]  
failregex = NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:  

Create the configuration file /etc/fail2ban/jail.d/samba.conf:
vi /etc/fail2ban/jail.d/samba.conf

[samba]  
filter = samba  
enabled = true  
action = iptables-multiport[name=samba, port="88,135,389,445,464,636,3268,3269", protocol=tcp]  
#   mail[name=samba, [email protected]]  
logpath = /var/log/samba/log.audit_samba  
maxretry = 5  
findtime = 600  
bantime = 600  

To exclude some IP addresses from fail2ban,
create the file /etc/fail2ban/jail.d/customisation.local:
vi /etc/fail2ban/jail.d/customisation.local

[DEFAULT]  
#administrator computer  
ignoreip = 192.168.80.50  

Enable fail2ban:
systemctl enable --now fail2ban
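What the jail above actually matches, as an added example that is neither the wiki's nor fail2ban's code: the filter's failregex applied with grep, sed and awk to audit lines, to show which clients it would ban and which failures it never sees. The sample lines are constructed in the layout of Samba's auth_json_audit class ("status" precedes "remoteAddress", as in Samba), trimmed to the fields the regex needs; the IPs, accounts and timestamps are invented, and the findtime window is left out.

```shell
#!/bin/sh
# Added example (not from the wiki or fail2ban): run the jail's failregex over
# audit lines with grep/sed/awk to see which clients it would ban and which
# failures it never sees. Sample lines are constructed in the layout of Samba's
# auth_json_audit class, trimmed to the fields the regex needs; IPs are invented.

audit_line() {
    printf '{"timestamp": "%s", "type": "Authentication", "Authentication": {"status": "%s", "localAddress": "ipv4:192.168.40.47:445", "remoteAddress": "ipv4:%s:%s", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "DW", "clientAccount": "%s", "passwordType": "NTLMv2"}}\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# .110 guesses alice's password five times then gets in, .111 fails twice,
# .112 sprays six accounts that do not exist.
sample_audit_log() {
    i=0
    while [ "$i" -lt 5 ]; do
        audit_line "2025-01-10T08:00:0$i.000000+0000" NT_STATUS_WRONG_PASSWORD 192.168.40.110 "5021$i" alice
        i=$((i + 1))
    done
    audit_line "2025-01-10T08:00:05.000000+0000" NT_STATUS_OK 192.168.40.110 50215 alice
    audit_line "2025-01-10T08:00:06.000000+0000" NT_STATUS_WRONG_PASSWORD 192.168.40.111 43001 bob
    audit_line "2025-01-10T08:00:07.000000+0000" NT_STATUS_WRONG_PASSWORD 192.168.40.111 43002 bob
    i=0
    while [ "$i" -lt 6 ]; do
        audit_line "2025-01-10T08:00:1$i.000000+0000" NT_STATUS_NO_SUCH_USER 192.168.40.112 "6100$i" "ghost$i"
        i=$((i + 1))
    done
}

# The jail's failregex, with fail2ban's <HOST> placeholder written out as an
# IPv4 pattern (fail2ban's own <HOST> also matches IPv6 and host names).
FAILREGEX='NT_STATUS_WRONG_PASSWORD.*"remoteAddress": "ipv4:[0-9.]+:'

# Reads audit lines on stdin; prints "IP count" for every source IP with at
# least $1 matching lines (fail2ban additionally requires them within findtime).
offenders() {
    grep -E "$FAILREGEX" |
        sed -E 's/.*"remoteAddress": "ipv4:([0-9.]+):.*/\1/' |
        sort | uniq -c |
        awk -v max="$1" '$1 >= max { print $2, $1 }'
}

# Failed logons the filter is blind to: every non-OK line the regex skips.
unseen_failures() {
    grep -v '"status": "NT_STATUS_OK"' | grep -vcE "$FAILREGEX"
}

# Stand-alone run: with the jail's maxretry = 5 only .110 is banned.
if [ "${1:-}" = "--demo" ]; then
    sample_audit_log | offenders 5
    printf 'failures never counted: %s\n' "$(sample_audit_log | unseen_failures)"
fi
```

Two blind spots are worth knowing. Failures other than NT_STATUS_WRONG_PASSWORD never count: spraying unknown account names yields NT_STATUS_NO_SUCH_USER, and once the AD policy has locked an account the DC answers NT_STATUS_ACCOUNT_LOCKED_OUT, so the counter for that client stops. A client connecting over IPv6 is logged as "ipv6:" and is never banned by this regex either. Extend the failregex if either matters in your network.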

4.4.2 Unban a machine after it has been cleaned.

To unban an IP address:
fail2ban-client set samba unbanip <COMPUTER_IP>

Display banned IP addresses:
fail2ban-client status samba

4.6 Auditing write access to the SYSVOL and NetLogon shares.

Add in /etc/samba/smb.conf:
vi /etc/samba/smb.conf

[global]  
# Auditing to Sysvol and NetLogon  
full_audit:failure = none  
full_audit:success = pwrite write renameat  
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S  
full_audit:facility = local7  
full_audit:priority = NOTICE  

Then add the full_audit module to the vfs objects of the [sysvol] and [netlogon] shares:

[sysvol]  
path = /var/lib/samba/sysvol  
vfs objects = dfs_samba4, acl_xattr, full_audit  
read only = No  
  
[netlogon]  
path = /var/lib/samba/sysvol/dw.learn.lan/scripts  
vfs objects = dfs_samba4, acl_xattr, full_audit  
read only = No  

systemctl restart samba

The audited writes and renames go to syslog facility local7 with the IP=|USER=|MACHINE=|VOLUME= prefix. Route local7 to its own file in rsyslog and review it: a write to SYSVOL is a change to a GPO or logon script that every domain member will apply.
