Setting up the Master server

Useful tools:

sudo apt-get install nautilus-gksu nautilus-open-terminal bridge-utils wpasupplicant  
sudo apt-get install wpagui aircrack-ng

Configure ntpdate to synchronise the clock daily:

sudo bash
echo ntpdate ntp.ubuntu.com pool.ntp.org > /etc/cron.daily/ntpdate
sudo chmod 755 /etc/cron.daily/ntpdate

Configure ntp to keep the system clock updated:

sudo apt-get install ntp

sudo cp /etc/ntp.conf /etc/ntp.conf.back

Configure two ntp servers in /etc/ntp.conf:

server ntp.ubuntu.com
server pool.ntp.org
restrict 192.168.0.0 mask 255.255.255.0 notrust
broadcast 192.168.0.255

Madwifi driver

Check that the chipset is Atheros:

sudo lspci | grep Atheros

Install the packages:

sudo apt-get install linux-restricted-modules madwifi-tools 

Edit /etc/modprobe.d/madwifi.conf to:

sudo cp /etc/modprobe.d/madwifi.conf /etc/modprobe.d/madwifi.conf.back
## ath5k (mac80211)
## Keep this line so the in-kernel ath5k driver does not claim the card;
## comment it out and uncomment the madwifi modules below to use ath5k instead
blacklist ath5k

## madwifi (non-free) - left loadable, since ath_pci provides the ath0
## interface used in the rest of this guide
#blacklist ath_hal
#blacklist ath_pci
#blacklist ath_rate_amrr
#blacklist ath_rate_onoe
#blacklist ath_rate_sample
#blacklist wlan
#blacklist wlan_acl
#blacklist wlan_ccmp
#blacklist wlan_scan_ap
#blacklist wlan_scan_sta
#blacklist wlan_tkip
#blacklist wlan_wep
#blacklist wlan_xauth
## Create the ath0 interface in access-point mode when ath_pci loads
options ath_pci autocreate=ap

Then load the module:

sudo modprobe ath_pci

To load this module at startup, add it to /etc/modules:

sudo cp /etc/modules /etc/modules.back  
ath_pci 

To list the available wireless interfaces:

sudo airmon-ng 

Generating a WEP key:

dd if=/dev/random bs=1 count=13 2>/dev/null | xxd -p 

Configuring the interfaces in /etc/network/interfaces:

sudo cp /etc/network/interfaces /etc/network/interfaces.back
# WAN - DHCP
auto eth0
iface eth0 inet dhcp

# WAN - static
#auto eth0
#iface eth0 inet static
#  address xxx.xxx.xxx.xxx
#  netmask xxx.xxx.xxx.xxx
#  gateway xxx.xxx.xxx.xxx

# LAN - wired ports (enslaved to the br0 bridge below)
auto eth1
#iface eth1 inet manual
#  up /sbin/ifconfig ath0 up
#  down /sbin/ifconfig ath0 down
#  up /sbin/ifconfig eth2 up
#  down /sbin/ifconfig eth2 down

auto eth2
#iface eth2 inet manual
#  up /sbin/ifconfig ath0 up
#  down /sbin/ifconfig ath0 down
#  up /sbin/ifconfig eth1 up
#  down /sbin/ifconfig eth1 down

auto eth3
#iface eth3 inet manual
#  up /sbin/ifconfig ath0 up
#  down /sbin/ifconfig ath0 down
#  up /sbin/ifconfig eth1 up
#  down /sbin/ifconfig eth1 down

# Wireless LAN (access point)
auto ath0
iface ath0 inet manual
  wireless-mode master
#  wireless-essid "master.casa.lan"
#  wireless-channel 1
#  wireless-key 6117ee068a849d17e718f655be
#  up /sbin/ifconfig eth1 up
#  down /sbin/ifconfig eth1 down
#  up /sbin/ifconfig eth2 up
#  down /sbin/ifconfig eth2 down

# LAN - internal interface (bridge of the wired ports and the AP)
auto br0
iface br0 inet static
  address 192.168.0.1
  network 192.168.0.0
  netmask 255.255.255.0
  broadcast 192.168.0.255
  # bridge_ports is what makes bridge-utils create br0; without it
  # this stanza fails with "br0: No such device"
  bridge_ports eth1 eth2 eth3 ath0

Tell the DHCP server to serve only the bridge, in /etc/default/dhcp3-server:

sudo cp /etc/default/dhcp3-server /etc/default/dhcp3-server.back
INTERFACES="br0"

Restart the DHCP server and check the routing table:

sudo /etc/init.d/dhcp3-server restart
route -n

To see which machines have received IP addresses:

cat /var/lib/dhcp3/dhcpd.leases 

Configuring the firewall

sudo apt-get install ufw gufw 

Use the script from this link: https://help.ubuntu.com/community/Router/Firewall

Another way is the following:

sudo cp /etc/sysctl.conf /etc/sysctl.conf.bak

In /etc/sysctl.conf, uncomment the line containing net.ipv4.ip_forward.

Then run the command:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This rule makes requests from the machines on the subnet go out as if they came from the gateway, which in turn returns the replies to the appropriate clients. Done this way, the rules are lost at the first reboot of the server, so we use iptables-save to keep them in a file in a suitable location.

sudo sh -c "iptables-save > /etc/network/iptables.rules"

Then we create a script to load the rules during boot. Save it with the name iptables in /etc/network/if-up.d (and make it executable), which is where the scripts related to bringing network interfaces up live, as opposed to if-down.d, which holds the ones for taking them down.

#!/bin/sh
# script: iptables
/sbin/iptables-restore /etc/network/iptables.rules

Alternatively, the following script can be created in the if-up.d directory:

#!/bin/sh
# https://help.ubuntu.com/community/Router/Firewall
# zenity --warning --text="Configurando FireWall"
IPTABLES=/sbin/iptables
AWK=/usr/bin/awk
IFCONFIG=/sbin/ifconfig
# External (Internet-facing) interface
EXTIF="eth0"
# External IP address (automatically detected)
EXTIP="`$IFCONFIG $EXTIF | $AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
# Internal interface
INTIF="br0"
# Internal IP address (in CIDR notation)
INTIP="192.168.0.1/32"
# Internal network address (in CIDR notation)
INTNET="192.168.0.0/24"
# The address of anything/everything (in CIDR notation)
UNIVERSE="0.0.0.0/0"
echo "External: [Interface=$EXTIF] [IP=$EXTIP]"
echo "Internal: [Interface=$INTIF] [IP=$INTIP] [Network:$INTNET]"
echo
echo -n "Loading rules..."
# Enabling IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Clear any existing rules and set the default policy to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
# Delete all User-specified chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
###################################################
# INPUT: Incoming traffic from various interfaces #
###################################################
# Loopback interface is valid
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# Local interface, local machines, going anywhere is valid
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# Remote interface, claiming to be local machines, IP spoofing, get lost
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j REJECT
# External interface, from any source, for ICMP traffic is valid
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in.
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internal interface, DHCP traffic accepted
$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
# External interface, HTTP/HTTPS traffic allowed
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT
# External interface, SSH traffic allowed
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT
# Catch-all rule, reject anything else
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j REJECT
####################################################
# OUTPUT: Outgoing traffic from various interfaces #
####################################################
# Workaround bug in netfilter
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP
# Loopback interface is valid.
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# Local interfaces, any source going to local net is valid
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
# local interface, MASQ server source going to the local net is valid
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j REJECT
# anything else outgoing on remote interface is valid
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# Internal interface, DHCP traffic accepted
$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
# Catch all rule, all other outgoing is denied and logged.
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j REJECT
###########################
# Packet Forwarding / NAT #
###########################
# ----- Begin OPTIONAL FORWARD Section -----
#Optionally forward incoming tcp connections on port 1234 to 192.168.0.100
#$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1234 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 1234 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.100:1234
# ----- End OPTIONAL FORWARD Section -----
# Accept solicited tcp packets
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED  -j ACCEPT
# Allow packets across the internal interface
$IPTABLES -A FORWARD -i $INTIF -o $INTIF -j ACCEPT
# Forward packets from the internal network to the Internet
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch-all REJECT rule
$IPTABLES -A FORWARD -j REJECT
# IP-Masquerade
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
# Save the rules
/sbin/iptables-save > /etc/network/iptables.rules
# Restore the rules
/sbin/iptables-restore /etc/network/iptables.rules
echo " done."
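As an added check (not part of the original notes) for the iptables-save / iptables-restore approach above: a POSIX sh function that inspects the saved rules file before it is restored at boot and reports anything that would defeat the script's intent. The interface and network names are the ones used above; the iptables-save line format is assumed.

```shell
#!/bin/sh
# Added example (not part of the original guide): sanity-check the saved
# /etc/network/iptables.rules before iptables-restore loads it at boot.
# It asserts the properties the firewall script above depends on.
# Assumptions: iptables-save output format; interface and network names
# as in the guide (eth0 outside, 192.168.0.0/24 inside).

EXTIF=${EXTIF:-eth0}
INTNET=${INTNET:-192.168.0.0/24}

# Usage: check_rules FILE
# Prints one line per failed check; the return value is the number of
# failures (0 means the file looks safe to restore).
check_rules() {
    f=$1
    fails=0
    # 1. Default policies of the filter table must be DROP.
    for chain in INPUT OUTPUT FORWARD; do
        grep -q "^:$chain DROP" "$f" \
            || { echo "policy of $chain is not DROP"; fails=$((fails + 1)); }
    done
    # 2. Packets arriving on the outside interface with an inside source
    #    address (spoofing) must be rejected or dropped.
    grep -Eq "^-A INPUT -s $INTNET -i $EXTIF( .*)? -j (REJECT|DROP)" "$f" \
        || { echo "no anti-spoofing rule for $INTNET on $EXTIF"; fails=$((fails + 1)); }
    # 3. Outbound NAT on the external interface must be present,
    #    otherwise the LAN loses Internet access after the restore.
    grep -Eq "^-A POSTROUTING -o $EXTIF -j (MASQUERADE|SNAT)" "$f" \
        || { echo "no MASQUERADE/SNAT rule on $EXTIF"; fails=$((fails + 1)); }
    # 4. No rule may forward traffic from the outside inward without a
    #    state or port match (a typo here exposes the whole LAN).
    if grep -Eq "^-A FORWARD -i $EXTIF -o [a-z0-9]+ -j ACCEPT$" "$f"; then
        echo "unconditional inbound forwarding from $EXTIF"
        fails=$((fails + 1))
    fi
    return $fails
}
```

Source the file and run `check_rules /etc/network/iptables.rules`; a non-zero return value lists the reasons on stdout.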

Configuring the DNS server

sudo apt-get install bind9

Create forwarders to other DNS servers in /etc/bind/named.conf.options:

sudo cp /etc/bind/named.conf.options /etc/bind/named.conf.options.back
forwarders {
    201.6.0.113;
    201.6.0.43;
};

Change /etc/resolv.conf to:

nameserver 127.0.0.1
search casa.lan  

Change /etc/dhcp3/dhclient.conf, adding the following lines:

sudo cp /etc/dhcp3/dhclient.conf /etc/dhcp3/dhclient.conf.bak

supersede domain-name "casa.lan";
prepend domain-name-servers 127.0.0.1;

Create a key so that the DHCP server can update BIND's zones automatically:

sudo dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
sudo cat Kdhcp_updater.*.private|grep Key

Add the local zones to /etc/bind/named.conf.local and include the key that authorises the updates:

sudo cp /etc/bind/named.conf.local /etc/bind/named.conf.local.back
# The secret key used for DHCP updates.
key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    # Important: Replace this key with your generated key.
    # Also note that the key should be surrounded by quotes.
    secret "asdasddsaasd/dsa==";
};
zone "casa.lan" IN {
    type master;
    file "/var/lib/bind/casa.lan.db";
    # Tell this zone that we will allow it to be updated from anyone
    # that knows the secret specified in the DHCP_UPDATER key.
    allow-update { key DHCP_UPDATER; };
};
zone "0.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/rev.0.168.192.in-addr.arpa";
    # Tell this zone that we will allow it to be updated from anyone
    # that knows the secret specified in the DHCP_UPDATER key.
    allow-update { key DHCP_UPDATER; };
};

Configure DHCP to update DNS by editing /etc/dhcp3/dhcpd.conf:

# Make sure to change the ddns update style to interim:
ddns-update-style interim;
ignore client-updates;             # Overwrite client-configured FQDNs
ddns-domainname "casa.lan.";
ddns-rev-domainname "in-addr.arpa.";
# option definitions common to all supported networks...
option domain-name "casa.lan";
option domain-name-servers master.casa.lan;
key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    # Important: Replace this key with your generated key.
    # Also note that the key should be surrounded by quotes.
    secret "asdasddsaasd/dsa==";
};

zone casa.lan. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}
zone 0.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}
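The same DHCP_UPDATER key has to appear, byte for byte, in both named.conf.local and dhcpd.conf. As an added example (not from the original notes), a POSIX sh helper that reads the secret from the dnssec-keygen output, renders the key stanza for both files and verifies that the two copies agree; it assumes only sed, base64 and /dev/urandom.

```shell
#!/bin/sh
# Added example (not part of the original guide): handle the DHCP_UPDATER
# key once, instead of pasting the secret by hand into both
# /etc/bind/named.conf.local and /etc/dhcp3/dhcpd.conf.  The key name and
# algorithm are the ones used in the guide; the helpers only assume
# POSIX sh, sed, base64 and /dev/urandom.

KEY_NAME="DHCP_UPDATER"
KEY_ALG="HMAC-MD5.SIG-ALG.REG.INT"

# Read the secret out of the Kdhcp_updater.*.private file written by
# dnssec-keygen (the line starting with "Key:").
# Usage: tsig_secret_from_file FILE
tsig_secret_from_file() {
    sed -n 's/^Key: *//p' "$1"
}

# Generate a fresh 128-bit secret without dnssec-keygen.
tsig_secret_new() {
    head -c 16 /dev/urandom | base64
}

# Print the key stanza that must appear, identically, in the BIND and
# DHCP configurations.  Usage: tsig_key_stanza SECRET
tsig_key_stanza() {
    printf 'key %s {\n  algorithm %s;\n  secret "%s";\n};\n' \
        "$KEY_NAME" "$KEY_ALG" "$1"
}

# Verify that two configuration files carry the same secret for the
# update key; a mismatch makes BIND refuse every dynamic update (the
# named log shows a TSIG verify failure).
# Usage: tsig_secrets_match /etc/bind/named.conf.local /etc/dhcp3/dhcpd.conf
tsig_secrets_match() {
    a=$(sed -n 's/^[[:space:]]*secret "\(.*\)";/\1/p' "$1" | head -n 1)
    b=$(sed -n 's/^[[:space:]]*secret "\(.*\)";/\1/p' "$2" | head -n 1)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```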

Create the zone files:

File /var/lib/bind/casa.lan.db:

; Use semicolons to add comments.
; Do NOT add empty lines.
; Host-to-IP Address DNS Pointers for casa.lan
; Note: the extra "." at the end of names is important.
; The following parameters set when DNS records will expire, etc.
; Importantly, the serial number must always be incremented to prevent
; undesirable consequences. A good format to use is YYYYMMDDII where
; the II index is in case you make more than one change in the same day.
casa.lan. IN SOA master.casa.lan. hostmaster.casa.lan. (
    2009061001 ; serial
    8H         ; refresh
    4H         ; retry
    4W         ; expire
    1D         ; minimum
)
; NS indicates that master is the name server on casa.lan
; MX indicates that master is (also) the mail server on casa.lan
casa.lan.   IN NS    master.casa.lan.
casa.lan.   IN MX 10 master.casa.lan.
; Set aliases (canonical names) for master
www         IN CNAME master.casa.lan.
router      IN CNAME master.casa.lan.
dns         IN CNAME master.casa.lan.
mail        IN CNAME master.casa.lan.
; Set the address for localhost.casa.lan
localhost   IN A     127.0.0.1
; Set the hostnames in alphabetical order
master      IN A     192.168.0.1

File /var/lib/bind/rev.0.168.192.in-addr.arpa:

; IP Address-to-Host DNS Pointers for the 192.168.0.0 subnet
@ IN SOA master.casa.lan. hostmaster.casa.lan. (
    2009061001 ; serial
    8H         ; refresh
    4H         ; retry
    4W         ; expire
    1D         ; minimum
)
; define the authoritative name server (leading blanks: same owner as the SOA)
    IN NS  master.casa.lan.
; our hosts, in numeric order
1   IN PTR master.casa.lan.
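Both zone files carry a serial in the YYYYMMDDII form described in the comments, and secondaries and caches only pick up an edit when the serial grows. As an added example (not part of the original notes), a POSIX sh helper that computes the next serial and bumps it in place in a zone file; it assumes only sed.

```shell
#!/bin/sh
# Added example (not part of the original guide): keep the SOA serial of
# casa.lan.db and rev.0.168.192.in-addr.arpa in the YYYYMMDDII form the
# zone-file comments describe.  A serial that does not grow means slaves
# and caches keep serving the old records.  Assumes only POSIX sh and sed.

# Print the serial that should follow CURRENT for an edit made on DAY
# (DAY as YYYYMMDD).  Usage: next_serial CURRENT DAY
next_serial() {
    old=$1
    day_base=$(( $2 * 100 ))          # first serial of DAY, index 00
    if [ "$old" -lt "$day_base" ]; then
        echo "$day_base"               # first change of the day
    else
        echo $(( old + 1 ))            # later change the same day (or a
    fi                                 # serial already ahead of the date)
}

# Replace the "<number> ; serial" line of ZONEFILE with the next serial
# and print the new value.  Usage: bump_zone_serial ZONEFILE DAY
bump_zone_serial() {
    file=$1
    cur=$(sed -n 's/^[[:space:]]*\([0-9]\{1,10\}\)[[:space:]]*;[[:space:]]*serial.*/\1/p' "$file" | head -n 1)
    if [ -z "$cur" ]; then
        echo "no '; serial' line found in $file" >&2
        return 1
    fi
    new=$(next_serial "$cur" "$2")
    sed "s/^\([[:space:]]*\)$cur\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    echo "$new"
}
```

After bumping, `sudo /etc/init.d/bind9 restart` (or rndc reload) makes BIND read the new serial.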

And allow BIND to write to the files:

sudo chown bind:bind /var/lib/bind/*

Restart the services:

sudo /etc/init.d/bind9 restart
sudo /etc/init.d/dhcp3-server restart

Remove the generated key files:

sudo rm Kdhcp_updater.*

Testing:

host ping.sunet.se

Result:
ping.sunet.se has address 192.36.125.18
ping.sunet.se has IPv6 address 2001:6b0:7::18

host -l casa.lan

Result:
casa.lan name server master.casa.lan.
localhost.casa.lan has address 127.0.0.1
master.casa.lan has address 192.168.0.1

host 192.168.0.1

Result:
1.0.168.192.in-addr.arpa domain name pointer master.casa.lan.

Then use the command host xxx.casa.lan to test the automatic update by DHCP (xxx is the hostname of a connected client).

Configuring Dynamic DNS (DDNS):

sudo apt-get remove --purge ddclient
sudo apt-get install ssh libio-socket-ssl-perl
sudo apt-get install ddclient

First, create an account with one of the following services:

http://www.dyndns.com
http://www.easydns.com
http://www.zoneedit.com
http://www.no-ip.com
http://www.afraid.org
http://www.namecheap.com
http://www.dnspark.com

Change /etc/default/ddclient:

sudo cp /etc/default/ddclient /etc/default/ddclient.back 
run_daemon="true" 

Change /etc/ddclient.conf:

sudo cp /etc/ddclient.conf /etc/ddclient.conf.back

Some suggested configurations:

pid=/var/run/ddclient.pid
use=if, if=eth0
protocol=dyndns2, server=no-ip.org, login=login@email.com, password='senha' mydns.no-ip.org
protocol=dyndns2, server=members.dyndns.org, login=login, password='senha' mydns.dyndns.org
##
## dyndns.org dynamic addresses
##
## (supports variables: wildcard,mx,backupmx)
##
# server=members.dyndns.org,        \
# protocol=dyndns2            \
# your-dynamic-host.dyndns.org
##
## dyndns.org static addresses
##
## (supports variables: wildcard,mx,backupmx)
##
# static=yes,                \
# server=members.dyndns.org,        \
# protocol=dyndns2            \
# your-static-host.dyndns.org
##
##
## dyndns.org custom addresses
##
## (supports variables: wildcard,mx,backupmx)
##
# custom=yes,                \
# server=members.dyndns.org,        \
# protocol=dyndns2            \
# your-domain.top-level,your-other-domain.top-level
##
## ZoneEdit (zoneedit.com)
##
# server=dynamic.zoneedit.com,         \
# protocol=zoneedit1,            \
# login=your-zoneedit-login,          \
# password=your-zoneedit-password    \
# your.any.domain,your-2nd.any.dom
##
## EasyDNS (easydns.com)
##
# server=members.easydns.com,         \
# protocol=easydns,            \
# login=your-easydns-login,          \
# password=your-easydns-password    \
# your.any.domain,your-2nd.any.domain
##
## dnspark.com
## (supports variables: mx, mxpri)
##
# use=web, web=ipdetect.dnspark.com, web-skip='Current Address:'
# protocol=dnspark,            \
# server=www.dnspark.com,        \
# your-host.dnspark.com
##
## NameCheap (namecheap.com)
##
# protocol=namecheap,                \
# server=dynamicdns.park-your-domain.com,    \
# login=my-namecheap.com-login,            \
# password=my-namecheap.com-password        \
# myhost.namecheap.com

Check the status of ddclient:

sudo /etc/init.d/ddclient status

To restart the service:

sudo /etc/init.d/ddclient restart

Installing Samba:

sudo apt-get install samba smbfs swat libpam-smbpass cups-pdf

Configure /etc/samba/smb.conf:

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.back
[global]
   workgroup = casa.lan
   netbios name = master
   server string = Samba %h
   wins support = yes
   dns proxy = yes
   name resolve order = host lmhosts wins bcast

   interfaces = br0 lo
   bind interfaces only = yes
   hosts allow = 127.0.0.1 192.168.0.0/24
   hosts deny = 0.0.0.0/0

   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog only = no
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

   security = user
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Digite\snova\s*\ssenha:* %n\n *Redigite\snova\s*\ssenha:* %n\n *Senha\salterada\scom\ssucesso* .
   pam password change = yes
   map to guest = bad user

   domain logons = yes
   logon path = \\%N\%U\profile
   logon drive = H:
   logon home = \\%N\%U
   logon script = logon.cmd
   add user script = sudo /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
   add machine script = sudo /usr/sbin/useradd -n -g machines -c Machine -d /var/lib/samba -s /bin/false %u
   add group script = sudo /usr/sbin/addgroup --force-badname %g

   load printers = yes
   printing = cups
   printcap name = cups

   socket options = TCP_NODELAY
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 65
   usershare max shares = 0
   usershare allow guests = no

   client code page = 850

Also add an entry for master to /etc/samba/lmhosts:

192.168.0.1 master

The file /etc/samba/dhcp.conf can be configured as:

sudo cp /etc/samba/dhcp.conf /etc/samba/dhcp.conf.bak
wins server = br0:192.168.0.1

If a firewall is in use, the following ports must be open:

Port 135/TCP - used by smbd
Port 137/UDP - used by nmbd
Port 138/UDP - used by nmbd
Port 139/TCP - used by smbd
Port 445/TCP - used by smbd

Creating a Certification Authority (CA):

Create the directories:

sudo mkdir /etc/ssl/CA
sudo mkdir /etc/ssl/newcerts

Create the files:

sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt

Update /etc/ssl/openssl.cnf:

sudo cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bak
[ CA_default ]
dir             = /etc/ssl/                 # Where everything is kept
database        = $dir/CA/index.txt         # database index file.
certificate     = $dir/certs/cacert.pem     # The CA certificate
serial          = $dir/CA/serial            # The current serial number
private_key     = $dir/private/cakey.pem    # The private key

Create the CA's cakey.pem and cacert.pem files with the command below (answer the questions as prompted and remember the passphrase):

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

Create server.csr with the commands below:

openssl genrsa -des3 -out server.key 1024
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
openssl req -new -key server.key -out server.csr

Create a certificate signed by the CA:

sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf 

Copy the text between BEGIN and END into a file named master.casa.lan.crt.

Copy the files below to their proper directories:

sudo cp master.casa.lan.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private/master.casa.lan.key
sudo cp server.key.secure /etc/ssl/private/master.casa.lan.key.secure
sudo cp server.csr /etc/ssl/private/master.casa.lan.csr
sudo cp /etc/ssl/newcerts/01.pem /etc/ssl/certs/master.casa.lan.pem

If you prefer, issue a self-signed certificate instead:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

Installing the FTP server:

sudo apt-get install vsftpd

Change the FTP directory:

sudo mkdir /srv/ftp
sudo usermod -d /srv/ftp ftp

Configure the FTP server by editing /etc/vsftpd.conf:

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.back
listen=YES
listen_address=192.168.0.1
listen_port=21
ftp_data_port=20
connect_from_port_20=YES
max_login_fails=1
delay_failed_login=3
anonymous_enable=YES
anon_max_rate=10
local_enable=YES
write_enable=YES
ftpd_banner=Bem vindo ao FTP de master.casa.lan.
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/master.casa.lan.pem
rsa_private_key_file=/etc/ssl/private/master.casa.lan.key
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
force_anon_logins_ssl=YES
force_anon_data_ssl=YES
ssl_tlsv1=YES
allow_anon_ssl=YES

Note that we are configuring FTPES (explicit FTP over TLS).

Restarting FTP:

sudo /etc/init.d/vsftpd restart

Installing the NFS server:

sudo apt-get install nfs-kernel-server portmap

Configuring shares in /etc/exports:

sudo cp /etc/exports /etc/exports.back
/home 192.168.0.0/255.255.255.0(rw,sync,root_squash,no_subtree_check) 

Then run the command (every time /etc/exports is changed):

sudo exportfs -ra 

NFS security:

sudo cp /etc/hosts.deny /etc/hosts.deny.back
sudo cp /etc/hosts.allow /etc/hosts.allow.back

Add the following entries to /etc/hosts.deny:

portmap:ALL
lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL
gdm:ALL

Add the following entries to /etc/hosts.allow:

portmap: 192.168.0.0/255.255.255.0
lockd: 192.168.0.0/255.255.255.0
mountd: 192.168.0.0/255.255.255.0
rquotad: 192.168.0.0/255.255.255.0
statd: 192.168.0.0/255.255.255.0
gdm: 192.168.0.0/255.255.255.0

To start the services, use the commands:

sudo /etc/init.d/portmap restart
sudo /etc/init.d/nfs-kernel-server restart

On the client, NFS needs the following package installed:

sudo apt-get install nfs-common

On the client, the NFS share can be mounted at boot by adding the following to /etc/fstab:

master.casa.lan:/home /mnt/home nfs rw,hard,intr 0 0 

To mount manually:

sudo mkdir /mnt/home
sudo mount master.casa.lan:/home /mnt/home

A link about NFS: http://nfs.sourceforge.net/nfs-howto/index.html

To mount directories automatically, install the autofs package:

sudo apt-get install autofs 

Edit /etc/auto.master:

sudo cp /etc/auto.master /etc/auto.master.bak
/home /etc/auto.home

Then create /etc/auto.home:

sudo bash
echo '* master.casa.lan:/home/&' > /etc/auto.home

Start the service with the command:

sudo /etc/init.d/autofs start

Installing the cups printing service:

sudo apt-get install cupsys 

Configure cups by editing /etc/cups/cupsd.conf:

sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.back

Next to Listen localhost:631 add the following line:

Listen localhost:631
Listen 192.168.0.1:631

Restart Cups with the command:

sudo /etc/init.d/cupsys restart

Installing a mail server with POP3, POP3S, IMAP and IMAPS using Dovecot and Postfix
Link: https://help.ubuntu.com/9.04/serverguide/C/email-services.html


Finally, it is worth cleaning the apt cache:

sudo apt-get autoremove
sudo apt-get clean

TODO LIST:

Check how to install an NIS server securely.
Some links:
https://help.ubuntu.com/community/SettingUpNISHowTo
http://tldp.org/HOWTO/NIS-HOWTO/index.html
