
Sunday, December 4, 2011

Encrypting SWAT (SAMBA Configuration) - PART4


By default SWAT is accessed over an unencrypted HTTP connection using the Linux root account. When running SWAT in this unsecured mode you should take the added precaution of using it from the Linux console whenever possible.
You can configure SWAT to work only with securely encrypted HTTP (HTTPS) instead of the regular HTTP method shown above. Here is how it's done. (Please refer to the VPN section of Appendix I, "Miscellaneous Linux Topics," for more details on encryption methods.)

Create An stunnel User

You can create a stunnel user via the useradd command:
[root@bigboy tmp]# useradd stunnel

Create The Certificates

Change to the /etc/stunnel directory and create the encryption key and certificate using the make command. Accept the defaults when prompted, but make sure you use the server's IP address when prompted for your server's Common Name or hostname.
[root@bigboy tmp]# cd /etc/stunnel
[root@bigboy stunnel]# make stunnel.pem
...
Common Name (eg, your name or your server's hostname) []:  172.16.1.200
...
[root@bigboy stunnel]#
Note: The resulting certificate is valid for only 365 days. Remember to repeat this process next year.

Modify Certificate File Permissions

The certificate needs to be readable only by root and the stunnel user. Use the chmod and chgrp commands to do this.
[root@bigboy stunnel]# chmod 640 stunnel.pem
[root@bigboy stunnel]# chgrp stunnel stunnel.pem

[root@bigboy stunnel]# ll
-rw-r-----  1 root stunnel   1991 Jul 31 21:50 stunnel.pem
[root@bigboy stunnel]#

Create An /etc/stunnel/stunnel.conf Configuration File

You can configure the stunnel application to:
  • Intercept encrypted SSL traffic received on any TCP port
  • Decrypt this traffic
  • Funnel the unencrypted data to any application listening on another port.
For example, you can configure the /etc/stunnel/stunnel.conf file to intercept SSL traffic on the SWAT port 901 and funnel it decrypted to a SWAT daemon running on port 902. Here's how:
# Configure stunnel to run as user "stunnel" placing temporary 
# files in the /home/stunnel/ directory
chroot  = /home/stunnel/
pid     = /stunnel.pid
setuid  = stunnel
setgid  = stunnel
 
# Log all stunnel messages to /var/log/messages 
debug   = 7
output  = /var/log/messages
 
# Define where the SSL certificates can be found.
client  = no
cert    = /etc/stunnel/stunnel.pem
key     = /etc/stunnel/stunnel.pem

# Accept SSL connections on port 901 and funnel it to
# port 902 for swat. 
[swat]
accept   = 901
connect  = 902

Create A New /etc/xinetd.d File For Secure SWAT

To start, copy the swat file and name it swat-stunnel. We then configure the new file to be enabled, listening on port 902 and accepting connections only from localhost. We also make sure that the service is set to swat-stunnel.
[root@bigboy certs]# cd /etc/xinetd.d
[root@bigboy xinetd.d]# cp swat swat-stunnel
Your new swat-stunnel file should look like this:
service swat-stunnel
{
       port            = 902
       socket_type     = stream
       wait            = no
       only_from       = 127.0.0.1
       user            = root
       server          = /usr/sbin/swat
       log_on_failure  += USERID
       disable         = no
       bind            = 127.0.0.1
}

Disable SWAT in the /etc/xinetd.d/swat File

The stunnel daemon now intercepts port 901 traffic on behalf of swat-stunnel. The regular swat service also listens on port 901, so you'll need to disable it to prevent a conflict.

Edit The /etc/services File To Create A Secure SWAT Entry

The xinetd daemon searches the /etc/services file for ports and services that match those listed in each configuration file in the /etc/xinetd.d directory. If the daemon doesn't find a match, it ignores the configuration file.
We now have to edit /etc/services to include an entry for our new swat-stunnel service, like this:
swat-stunnel    902/tcp     # Samba Web Administration Tool (Stunnel)

Activate swat-stunnel

You can then enable the new swat-stunnel service with the chkconfig command. You'll also need to shut down regular SWAT beforehand.
[root@bigboy xinetd.d]# chkconfig swat off
[root@bigboy xinetd.d]# chkconfig swat-stunnel on

Start stunnel

Now start stunnel for the encryption to take place.
[root@bigboy xinetd.d]# stunnel
Note: In Fedora Core 2 you may get a cryptonet error when starting stunnel as in:
Unable to open "/dev/cryptonet"

This is caused by an incompatibility with the hwcrypto RPM used for hardware-, not software-based encryption. You need to uninstall hwcrypto to get stunnel to work correctly.
[root@bigboy xinetd.d]# rpm -e hwcrypto

You will then have to stop stunnel, restart xinetd and start stunnel again. After this, stunnel should begin to function correctly. Unfortunately stunnel doesn't have a startup script in the /etc/init.d directory and needs to be terminated manually using the pkill command.
[root@bigboy xinetd.d]# pkill stunnel
[root@bigboy xinetd.d]# stunnel

Making stunnel Start at Boot Time

As stunnel doesn't have a startup script, you'll need to add a reference to the stunnel program in your /etc/rc.local file for encrypted SWAT to work on your system. The easiest way to do this is using the which command and appending its output to the /etc/rc.local file.
[root@bigboy tmp]# which stunnel >> /etc/rc.local
Verify the contents of the /etc/rc.local file by using the cat command. The entry for stunnel should be at the very bottom.
[root@bigboy tmp]# cat /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

/usr/sbin/stunnel
[root@bigboy tmp]#

Test Secure SWAT

Your Samba server should now be listening on both port 901 and 902 as shown by the netstat -an command that follows. The server will accept remote connections on port 901 only.
[root@bigboy xinetd.d]# netstat -an
...
...
tcp        0      0 0.0.0.0:901      0.0.0.0:*        LISTEN
tcp        0      0 127.0.0.1:902    0.0.0.0:*        LISTEN
...
...
[root@bigboy xinetd.d]#

Test The Secure SWAT Login

Point your browser to the Samba server to make an HTTPS connection on port 901.
https://server-ip-address:901/
You will be prompted for the Linux root user username and password. There will be a delay of about 60 to 75 seconds with each login.

Troubleshooting Secure SWAT

Sometimes you'll make mistakes in the stunnel.conf file, but changes to this file take effect only after stunnel has been restarted. Unfortunately, there is no stunnel script in the /etc/init.d directory to easily stop and restart it. You have to use the pkill command to stop it and the stunnel command to start it again:
[root@bigboy tmp]# pkill stunnel ; stunnel
Make sure the file permissions and ownership on the stunnel.pem file are correct, and that SWAT is permanently off while swat-stunnel is permanently on.
You can also refer to "Simple Network Troubleshooting" to isolate connectivity issues between the SWAT client and Samba server on TCP port 901, amongst other things.
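As an added example that is not part of the original article, the following Python cross-checks the three files this procedure creates (stunnel.conf, the /etc/xinetd.d/swat-stunnel file and the /etc/services entry) for the mistakes the troubleshooting section warns about: stunnel still running as root, a connect port that doesn't match xinetd, swat-stunnel left disabled or reachable from outside localhost, or a missing /etc/services line. The parsers and the embedded sample inputs are constructed here from the configuration shown above.

```python
# Added example, not from the original article: consistency audit of the
# secure-SWAT setup. Sample inputs at the bottom are constructed from the page.
import re

def parse_stunnel_conf(text):
    """Return (global options, {service: options}); a '[name]' line starts a service."""
    glob, services, cur = {}, {}, None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line.startswith("["):
            cur = services.setdefault(line.strip("[]"), {})
        elif line:
            key, _, val = line.partition("=")
            (glob if cur is None else cur)[key.strip()] = val.strip()
    return glob, services

def parse_xinetd_service(text):
    """Return (service name, options) from one /etc/xinetd.d file; '+=' appends."""
    name = re.search(r"service\s+(\S+)", text).group(1)
    opts = {}
    for key, op, val in re.findall(r"^\s*(\w+)\s*(\+?=)\s*(.*?)\s*$", text, re.M):
        opts[key] = (opts.get(key, "") + " " + val).strip() if op == "+=" else val
    return name, opts

def audit_secure_swat(stunnel_conf, xinetd_file, services_file):
    """Return the list of failed checks; an empty list means the three files agree."""
    g, svc = parse_stunnel_conf(stunnel_conf)
    name, x = parse_xinetd_service(xinetd_file)
    swat = svc.get("swat", {})
    entry = re.search(r"^%s\s+(\d+)/tcp" % re.escape(name), services_file, re.M)
    checks = [
        (g.get("setuid", "root") != "root" and g.get("chroot"),
         "stunnel should drop root (setuid/setgid) and chroot"),
        (swat.get("accept") == "901", "stunnel [swat] must accept on 901"),
        (swat.get("connect") == x.get("port"), "stunnel connect port != xinetd port"),
        (x.get("disable") == "no", "%s is disabled in xinetd" % name),
        (x.get("bind") == "127.0.0.1" and x.get("only_from") in ("127.0.0.1", "localhost"),
         "%s must bind to and accept only from 127.0.0.1" % name),
        (entry and entry.group(1) == x.get("port"),
         "/etc/services lacks '%s %s/tcp'; xinetd ignores the file" % (name, x.get("port"))),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample inputs, taken from the configuration shown in the article.
STUNNEL_CONF = "chroot = /home/stunnel/\nsetuid = stunnel\nsetgid = stunnel\n" \
               "client = no\ncert = /etc/stunnel/stunnel.pem\n[swat]\naccept = 901\nconnect = 902\n"
XINETD_FILE = "service swat-stunnel\n{\n port = 902\n only_from = 127.0.0.1\n" \
              " log_on_failure += USERID\n disable = no\n bind = 127.0.0.1\n}\n"
SERVICES = "swat  901/tcp\nswat-stunnel  902/tcp  # Samba Web Administration Tool (Stunnel)\n"
```

Run it against the real files by reading /etc/stunnel/stunnel.conf, /etc/xinetd.d/swat-stunnel and /etc/services into the three arguments; an empty result means the tunnel, the xinetd service and the port name all line up.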

Saturday, December 3, 2011

How SWAT Makes Samba Simpler - PART3


SWAT, Samba's web-based configuration tool, enables you to configure your smb.conf file without needing to remember all the formatting. Each SWAT screen is actually a form that covers a separate section of the smb.conf file, into which you fill in the desired parameters. For ease of use, each parameter box has its own online help. Figure 10-1 shows the main SWAT login screen.

Figure 10-1 Samba SWAT Main Menu


Basic SWAT Setup

You must always remember that SWAT edits the smb.conf file but also strips out any comments you may have manually entered into it beforehand. The original Samba smb.conf file has many worthwhile comments in it, so you should save a copy as a reference before proceeding with SWAT. For example, you could save the original file with the name /etc/samba/smb.conf.original as in:
[root@bigboy tmp]# cp /etc/samba/smb.conf /etc/samba/smb.conf.original
As you can see, using SWAT requires some understanding of the smb.conf file parameters because it eliminates these comments. Become familiar with the most important options in this file before proceeding with SWAT.
SWAT doesn't encrypt your login password. Because this could be a security concern in a corporate environment, you might want to create a Samba administrator user that has no root privileges, or only enable SWAT access from the GUI console or localhost.
The enabling and disabling, starting and stopping of SWAT is controlled by xinetd, which is covered in Chapter 16, "Telnet, TFTP, and xinetd", via a configuration file named /etc/xinetd.d/swat. Here is a sample:
service swat
{
   port            = 901
   socket_type     = stream
   protocol        = tcp
   wait            = no
   user            = root
   server          = /usr/sbin/swat
   log_on_failure  += USERID
   disable         = no
   only_from       = localhost
}
The file's formatting is fairly easy to understand, especially as there are only two entries of interest.
  • The disable parameter must be set to no to accept connections. This can automatically be switched between yes and no as we will see later.
  • The default configuration allows SWAT web access only from the VGA console, as user root, on port 901 with the Linux root password. This means you'll have to enter "http://127.0.0.1:901" in your browser to get the login screen.
You can make SWAT accessible from other servers by adding IP address entries to the only_from parameter of the SWAT configuration file. Here's an example of an entry to allow connections only from 192.168.1.3 and localhost. Notice that there are no commas between the entries.
only_from = localhost 192.168.1.3
Therefore, in this case you can also configure Samba on your Linux server bigboy (IP address 192.168.1.100) from PC 192.168.1.3 using the URL http://192.168.1.100:901.
Remember that most firewalls don't allow TCP port 901 through their filters. You may have to adjust your rules for this traffic to pass.

Controlling SWAT

As with all xinetd-controlled applications, the chkconfig command automatically modifies the disable field accordingly in the configuration file and activates the change.
Before SWAT can be used, the xinetd program which controls it must be activated in advance. You can start/stop/restart xinetd after boot time using the xinetd initialization script as in the examples below:
[root@bigboy tmp]# service xinetd start
[root@bigboy tmp]# service xinetd stop
[root@bigboy tmp]# service xinetd restart
Just like most Linux systems applications, you can configure xinetd to start at boot time using the chkconfig command:
[root@bigboy tmp]# chkconfig xinetd on
To activate SWAT use:
[root@bigboy tmp]# chkconfig swat on
To deactivate SWAT use:
[root@bigboy tmp]# chkconfig swat off

Friday, December 2, 2011

How to Disable Windows Startup Programs

You can speed up your PC's boot time by cutting out startup items in Windows.

When you start your computer, Windows isn't the only program that loads. For instance, you may have noticed icons in the notification area (also known as the system tray) in the far-right portion of the taskbar. These icons often represent programs that start when the system starts. You also may have seen certain programs, such as software for syncing your phone or MP3 player, launching themselves along with Windows. Additionally, some applications begin running silently in the background every time you boot the PC.
All of these automatically opening programs consume system memory, and can drag down performance. Fortunately, managing startup programs isn't difficult; by taking a few steps, you can find out what is running on your computer and disable the items you don't need.

Method 1: Configure a Program Directly

If you've noticed a program starting automatically, and you want the behavior to stop, sometimes the easiest solution is to explore the program's settings directly.
1. Open the program.
2. Find the settings panel. Typically it will be available under a menu labeled Settings, Preferences, Options, or Tools.
3. Find the option to disable the program from running at startup. The language for this type of option varies, but it should be easy to find if it exists.
When you restart the computer, the program will no longer launch. You'll still be able to start it manually, so don't be deterred if the application asks you if you are sure you want to disable its automatic startup.

Method 2: Use the System Configuration Utility (MSConfig)

You can use msconfig.exe to change Windows' startup items. The System Configuration Utility--also called MSConfig--is a useful tool for understanding and controlling startup programs. Microsoft intends MSConfig to act primarily as a troubleshooting tool, but its simple and powerful interface makes it a good option for startup management as well.
1. Open the Start menu and type msconfig into the Search box.
2. Click the msconfig search result. The utility will open in a new window.
3. Click the Startup tab. You'll see a list of programs that start when your computer starts.
4. To stop a program from automatically launching when you boot the PC, uncheck the box next to its entry.
5. When you are finished deselecting startup items, click OK. If you made any changes, you'll be prompted to restart the computer. You don't have to restart it immediately, but the changes won't take effect until you do.
When you restart the computer, MSConfig will alert you to the changes. In the window that pops up, check the box next to Don't show this message or launch the System Configuration Utility when Windows starts, and click OK to prevent future alerts. You can always return to MSConfig to reverse the changes or make additional tweaks.

Warning

Use caution when disabling items in MSConfig. Many entries have names that aren't self-explanatory. Research each entry before unchecking its box; use the Web to search for the name of the entry, and to get an idea of its function. Without doing your homework, you could end up disabling an important application such as your antivirus program.

Speed Up Windows on What Should be a Fast PC

A number of factors could be slowing down a PC. Let's look at some of the common ones, starting with the issues that are the easiest to detect and to fix.
Defrag the Hard Drive
I'll be honest; it's been at least a decade since I've seen empirical evidence proving that a fragmented hard drive slows a PC. But a lot of people insist that it does, and defragging certainly won't hurt. To defrag your hard drive:
  1. Click Start and select Computer or My Computer.
  2. Right-click your C: drive and select Properties.
  3. Click the Tools tab, then the Defragment now button.
Check For Malware
A malicious program working in the background could slow down your PC while also doing more serious damage. If your PC is infected, chances are that your existing antivirus program is compromised. Try something else. I recommend using the free version of either SUPERAntiSpyware or Malwarebytes' Anti-Malware. Or the AVG Rescue CD, which scans in a non-Windows--and therefore non-infected--environment.

Remove Hard-to-Kill Malware

Are you sure the problem is malware? People often jump to that conclusion when there's something wrong with their PC, and in my experience that conclusion is more often wrong than right. There's a lot of malicious code in this world, but there's even more code that's merely incompetent. There's also a fair amount of worn-out hardware.
On the other hand, if you're experiencing any of the following symptoms, you quite likely have malware:
  • Your security software doesn't work properly, or refuses to update.
  • Common programs for configuring and repairing Windows, such as MSCONFIG and System Restore, don't work.
  • Messages from a program you never installed pop up and tell you that your computer is infected, your hard drive is dying, or you have some other serious problem. (See Watch Out for Rogues for more on this issue.)
  • Your browser's home page keeps changing to something you don't want, and/or your search results aren't what they should be.
  • Your computer slows down sometimes for no apparent reason. (This may not be malware. See Very Slow PC for more on this.)
But what if you've got one or more of these symptoms, yet nothing in your battery of malware-fighting programs finds something evil?
The solution is to use a Linux-based malware-fighting program that boots off a flash drive or CD-ROM. By working outside of Windows, and outside the hard drive's boot sector, these programs can better get around the malware's defenses.
I'm going to recommend two of them, both of which can boot off flash drives or CDs. They're AVG Rescue CD and Dr.Web LiveCD or LiveUSB. If one doesn't do the trick, try the other.