A Server for my work (I'm in a little deep here)

Discussion in 'Linux, BSD and Other OS's' started by Impotence, Mar 4, 2007.

  1. Impotence

    Impotence May the source be with u!

    Help me, please..... I'm getting really worried over this :unsure:

    I work as a care assistant for disabled children / young adults at a small(ish) nonprofit business/charity that is part of ENABLE Scotland (http://www.enable.org.uk) but I have also ended up dealing with / being responsible for anything technical (Computers etc).

    My work has become reliant upon the computers they have because EVERYTHING is stored on them.

    We have 8 computers in the building, all of which are holding data sensitive in some way (Information about service users, staff, financial data etc) and it really has become quite a shambles (the organization of where everything is) but we have been offered a computer to use as a server by ENABLE which is arriving next week (with a blank HDD).

    This server will run Linux (Most likely Debian, but open to suggestions!) and its clients will be Windows XP machines (Although I think I might introduce a Kubuntu install to see how they cope!).

    The idea is that I set this machine up to hold everyone's documents and ensure that no one can access them without the appropriate username+password (each user to have their own username+password). The only way to do this that I can think of is with FTP (I'm hoping you can have FTP access through Explorer in Windows, i.e. a folder).

    Backups are a major concern that I have... I want to do this properly. Tape is obviously the best medium for a backup (Although the initial cost is quite high, it's reliable, high capacity and re-writable), but I don't know what to buy :doh: (or what Linux support is like).

    I'm mainly worried because this server will be relied upon, this isn't just me playing with Linux anymore.... this is a production system, if something goes wrong I doubt I will be blamed but I will most definitely be called to come and fix it immediately!

    Any help, comments or suggestions are more than welcome!

    Impy.
     
  2. megamaced

    megamaced Geek Geek Geek!

    Are you looking to implement a file server or backup server? Actually, in either case, you should deploy SME server. That should have everything you need and more.

    For backups only, you could deploy an Ubuntu / Debian server and install BackupPC on it. It's a fully featured enterprise grade backup solution that is managed via a web interface and SSH. Here's a tutorial.
     
  3. Impotence

    Impotence May the source be with u!

    It's going to be a file server, as a replacement for the My Documents folder.
     
  4. megamaced

    megamaced Geek Geek Geek!

    Well, you could set up a file server using Debian and Samba. Just create SAMBA shares on the Debian server and map the user's My Documents folder to point to that location. Just right click My Documents and you can enter a path.
     
  5. Impotence

    Impotence May the source be with u!

    Can SAMBA shares be password protected?
     
  6. megamaced

    megamaced Geek Geek Geek!

    Yes, but you'd be better off using proper NTFS / share permissions. Hmm, I think for your needs, SME server would probably make things easier. You will, however, have to invest a lot of your time reading the documentation and getting to grips with it. I'd suggest running it in a test environment first, such as VMware, and get to know the basics. Only deploy it once you are comfortable with it.

    Actually, I just remembered about FreeNAS. That would be perfect for extra network storage, but I am not sure how effective the security would be. You'll have to read up on it.

    HTH
     
  7. Impotence

    Impotence May the source be with u!

    OK, well thanks a lot Mega (At least I won't have to set up everything myself and hopefully I can assume that SME server would install configured :D)

    Anyone got any suggestions about backups?
     
  8. Anti-Trend

    Anti-Trend Nonconformist Geek

    Like Megamaced first suggested, use SME. You can use it as a stand-alone file server, or as a domain controller. And yes, of course file sharing is password protected. It will be easier for you to get installed since you're not yet a Linux expert, and will probably work exactly as you need it to.
     
  9. Impotence

    Impotence May the source be with u!

    After a long delay, I've installed SME server (The machine is a 1.7GHz Celeron with 256MB RAM).

    I did a full nmap scan of a default install of SME server and there are A LOT of services running that are not needed and I think I would be much more comfortable starting from scratch with Debian than disabling everything I don't need in SME. Hopefully it will also be more educational too (setting it up from scratch as opposed to just mutilating SME to my needs).

    I am assuming there is plenty of info on configuring samba etc available, so I'll do my own research and log everything I install / configure and perhaps write it up :)
     
  10. Anti-Trend

    Anti-Trend Nonconformist Geek

    SME is an all-in-one type server, meaning it runs domain, proxy and various flavors of mail. But each service it runs has a good track record for security, so as long as you keep the system up to date, you shouldn't ever have any security issues.
     
  11. Impotence

    Impotence May the source be with u!

    I've been having fun :D

    The server is mostly set up... installed, patched, new kernel (686 is the best for a 1.7GHz Celeron yeah???)

    Samba has been installed and configured (just need to add the users). All I have left to do is install an FTP server (proftpd), a DHCP server (currently it's being done by a router) and possibly SWAT (samba web interface) and SNORT (Intrusion detection, seems like a good idea).

    What's strange was that nmap (4.20) couldn't identify the OS running with 3 open ports (but I submitted the fingerprint).
     
  12. Impotence

    Impotence May the source be with u!

    I've been thinking about this quite a lot recently and I've drawn up a mind map of my ideas... Anyone got any comments or suggestions?

    PS it was created with kdissert [apt-get install kdissert]
     

  13. Anti-Trend

    Anti-Trend Nonconformist Geek

    It looks like your attachment is broken; try deleting and reattaching it. EDIT: It looks OK now.
     
  14. Impotence

    Impotence May the source be with u!

    Sorry, I was correcting a mistake I made and uploading a new one (and deleting the old one)... you must have caught it during that!
     
  15. Anti-Trend

    Anti-Trend Nonconformist Geek

    That looks like a very good rundown, though you'll also need winbindd for domain services. Additionally, it might be a good idea to map out shares -- both public and private -- and list which facilities will provide each (SFTP, SMB, FTP, etc). And keep in mind that if you allow FTP without TLS, you will be transmitting domain passwords in clear text. Finally, you should think strongly about quotas to keep HDD usage under control, and additionally resource limitations if you plan on giving shell.

    You may have already read this judging by your diagram, but here's a link to my recent Linux security articles:

    anti-trend.homelinux.org - Published Security Articles
     
  16. Impotence

    Impotence May the source be with u!

    Yeah, a quick question about part one of your guide:-

    Is there any reason why you shouldn't use the -yes or --assume-yes parameter with apt for updates?
     
  17. Anti-Trend

    Anti-Trend Nonconformist Geek

    I don't know about you, but I don't like the idea of allowing major system decisions to be made about one of my servers without me. :) Last time I upgraded, aptitude wanted to remove sudo... with --assume-yes, it would have. In contrast, Red Hat systems are much more difficult to upgrade to a newer version without trouble, at least partially because it doesn't give you much choice about the upgrades when you do it. But that's also what makes security updates so transparent in Red Hat, and one of the things which makes it a great server. Precisely why I run Debian on my desktops and Red Hat on my servers... the right tools for the job. :ph34r:
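
An added example, not part of the original posts: one way to keep a human in the loop is to run the upgrade in simulation mode first (`apt-get -s dist-upgrade`) and check the plan for removals before anything is confirmed. The sample output below is constructed, and the function names and the `protected` package list are assumptions made for this illustration.

```python
import re

# Constructed sample of `apt-get -s dist-upgrade` output (package versions are
# made up for illustration; the removal of sudo mirrors the post above).
SAMPLE_SIMULATION = """\
Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  sudo
The following packages will be upgraded:
  libc6 openssl samba
3 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Remv sudo [1.0-1]
Inst libc6 [2.0-1] (2.0-2 Debian:stable)
Inst openssl [0.9-1] (0.9-2 Debian:stable)
Inst samba [3.0-1] (3.0-2 Debian:stable)
Conf libc6 (2.0-2 Debian:stable)
Conf openssl (0.9-2 Debian:stable)
Conf samba (3.0-2 Debian:stable)
"""

# Simulation mode prints one "Inst", "Remv" or "Conf" line per planned action.
ACTION_LINE = re.compile(r"^(Inst|Remv|Conf)\s+(\S+)")

def planned_actions(simulation_output):
    """Group package names by the action apt-get -s reports for them."""
    actions = {"Inst": [], "Remv": [], "Conf": []}
    for line in simulation_output.splitlines():
        m = ACTION_LINE.match(line)
        if m:
            actions[m.group(1)].append(m.group(2))
    return actions

def review_needed(simulation_output, protected=("sudo", "openssh-server", "samba")):
    """Return reasons a human should look before the upgrade is confirmed.

    `protected` is a hypothetical site-specific list of packages whose
    change should never go through unattended.
    """
    actions = planned_actions(simulation_output)
    reasons = [f"removes {pkg}" for pkg in actions["Remv"]]
    reasons += [f"upgrades protected package {pkg}"
                for pkg in actions["Inst"] if pkg in protected]
    return reasons

if __name__ == "__main__":
    for reason in review_needed(SAMPLE_SIMULATION):
        print("needs review:", reason)
```

An empty list from `review_needed` means the plan contains no removals and touches none of the protected packages.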
     
  18. Impotence

    Impotence May the source be with u!

    OK, I now have a Hewlett Packard C1554-20102 SCSI Tape Drive but no media, and nowhere to plug it into the motherboard! (But we weren't charged for it, so I can't complain!).

    All I have been able to find out about it from Google is that it is apparently a 12/24GB drive (and I think the 24GB is compressed) so I am slightly worried that we won't be able to fit a full backup onto a single tape... but anyway.

    I am guessing that I will have to buy a PCI SCSI card... any recommendations?
     
  19. Impotence

    Impotence May the source be with u!

    OK, as recommended earlier I am planning on disallowing FTP login without TLS, however, this means that I'm going to need an SSL certificate and I have no idea where to start... all I know is that self signed certificates are next to pointless (other than for testing).

    So who should I get my certificate from?
     
  20. Anti-Trend

    Anti-Trend Nonconformist Geek

    Self-signed certificates are only useless for a) preventing MITM attacks, and b) verifying the validity of a site. If you ask me, these are primarily the same thing. :) Also, I can argue that even a signed cert won't protect most users from a MITM attack, since they will usually blindly click "OK" anyway. But I digress... even a self-signed certificate is useful for the important thing: securing the connection with encryption. You can always buy a cert if you want, but don't discount encryption because your certs aren't signed. For tips on SSL/TLS and self-signing, see here:
    NSLU2-Linux - Optware / Proftpd browse (about half-way down the page).
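
An added example, not part of the original posts: a small check that a ProFTPD configuration really refuses logins without TLS, which is the goal discussed above, using the mod_tls directives `TLSEngine`, `TLSRequired`, `TLSRSACertificateFile` and `TLSRSACertificateKeyFile`. The configuration fragments and file paths are constructed, the function names are made up for this illustration, and the parser ignores per-`<VirtualHost>` contexts (the last value seen wins).

```python
# Constructed proftpd.conf fragment (sample input, not from the thread):
# TLS is offered but not required, so plain-text logins are still accepted.
WEAK_CONF = """\
<IfModule mod_tls.c>
  TLSEngine on
  TLSRSACertificateFile /etc/proftpd/ssl/server.crt
  TLSRSACertificateKeyFile /etc/proftpd/ssl/server.key
  TLSRequired off
</IfModule>
"""
# Same fragment with TLS made mandatory on control and data channels.
HARDENED_CONF = WEAK_CONF.replace("TLSRequired off", "TLSRequired on")

# TLSRequired values this check accepts as forcing TLS before USER/PASS.
LOGIN_SAFE = {"on", "ctrl", "auth", "auth+data"}
# Values that also force TLS on the data channel (file contents, listings).
DATA_SAFE = {"on", "data", "auth+data"}

def directives(conf):
    """Map lower-cased directive name -> last value seen (contexts ignored)."""
    found = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue  # skip blanks, comments and <IfModule>/<VirtualHost> tags
        parts = line.split(None, 1)
        found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found

def audit_ftp_tls(conf):
    """Return a list of findings; an empty list means TLS is enforced."""
    d = directives(conf)
    findings = []
    if d.get("tlsengine", "off").lower() != "on":
        findings.append("TLSEngine is not on: every login is sent in clear text")
    required = d.get("tlsrequired", "off").lower()
    if required not in LOGIN_SAFE:
        findings.append(f"TLSRequired {required}: passwords may cross the LAN in clear text")
    if required not in DATA_SAFE:
        findings.append(f"TLSRequired {required}: file contents may be sent unencrypted")
    for key in ("tlsrsacertificatefile", "tlsrsacertificatekeyfile"):
        if key not in d:
            findings.append(f"{key} missing: mod_tls has no certificate/key to present")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ftp_tls(conf) or "TLS enforced for login and data")
```

The check passes with a self-signed certificate as well, since it only looks at whether encryption is mandatory, not at who signed the certificate.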
     
