Lots of updates, especially security things for Samba.
85 users on the list and counting!

==

01/13/99        Added the "logit" script to aid in real-time troubleshooting.
 *Sent          [Section 9]
  Update*

                Added a note to move the loading of SSHd higher up in the
                rc.local file to speed up reboots.
                [Section 30]

                Added the (no_root_squash) and (ro,nosuid,noexec) NFS examples for 
                more NFS ideas and security
                [Section 40]

01/12/99        Corrected the Contents page to reflect that Samba does both
                File and Print sharing

                Added [Section 47] for UNIX (and thus Samba) Printing
                Added [Section 48] for SWAN / IP-SEC VPNs [not completed]
                [Section 2]

                Corrected the Samba entry to reflect File&Printing
                Added the UNIX (samba) print feature
                Added the SWAN / IPSEC VPN feature [not completed]
                [Section 3]
                                
                Added a DNS hostname (roadrunner) (doh!), the SMB Workgroup 
                (ACME123) name, added an internal MASQ'ed machine name (coyote), 
                and cleaned up all remaining issues for the search/replace 
                section
                [Section 7]

                Fixed a TERRIBLE mistake where all the /etc/rc.d/init.d script
                files were 755! Also fixed the perms for /etc/cron.daily.tmpwatch
                [Section 7]

                Added a little reminder to periodically use the RPM update tools
                documented in [Section 43]
                [Section 7]

                Made the recommendation to change the default UMASK from 
                755 to 750.
                [Section 7]

                Made a note where I've noticed that some of the daemon start/stop
                GUI tools disable/enable some daemons that you DON'T want upon 
                first use 
                [Section 8]

                Fixed permission problems (changed to 700) of /var/log/log.to.ttys 
                and /var/log/sendlogs.
                [Section 9]

                Clarified that the user needs to download IPFWADM before they can
                use IP MASQ.
                [Section 10]

                Enabled and clarified why it is important to load the Real Audio
                MASQ module for performance reasons.
                [Section 10]

                Fixed perms on the commented lines for /etc/ppp/ip-up to be 700.
                [Section 10]

                Fixed perms for /etc/rc.d/rc.firewall to 700
                [Section 10]

                Fixed perms on /etc/rc.d/rc.serial to 700
                [Section 16]

                Fixed perms on /etc/cron.15minutes/getdate to 700
                [Section 26]

                Fixed perms on /etc/rc.d/rc.raid to 700
                [Section 31]

                Lots of important changes to the Samba section:

                        - Deleted all "s so as not to confuse the reader
                        - Added the "server string" line
                        - Changed the "WORKGROUP" to "acme123"
                        - Added the "bind interfaces only = true" setting for more 
                                security
                        - Added the "create mask" and "directory mask" to fix Samba to
                          UNIX permission problems (all files were getting set to 755)
                          thus all "other" users could see the files.
                        - Added the "force group" setting to improve SMB/UNIX file
                          sharing.
                        - Added the "fake oplocks" setting to improve performance
                        - Added the "IPTOS_LOWDELAY" setting for LAN segments
                        - Added the "veto oplocks" setting for the CDROM changer
                        - Added the "browsable = no" to [Homes] so users don't
                                see duplicated things in the browse list
                        - Added the "user = %S" to increase security
                        - Added the "[HpLj2p]" section for SMB printing
                        - Added the directions to use "testparm" to check the 
                                /etc/smb.conf file.
                        - Added a forgotten (and mandatory) section on creating
                                  the /etc/smbpasswd file
                        - Added instructions on how to configure Win95/NT to
                                  get all the machines into the same SMB workgroup

                        - Added how to mount your Win95/NT shares onto your Linux
                                  box with smbclient and smbmount!      
                        [Section 33]

                - Clarified the use of mkisofs
                [Section 39]

                Fixed perms on /etc/cron.10minutes/re-sync to 700
                [Section 41]

                Added the UNIX (Samba) Printing section.  This section is primarily
                for SMB printing but talks about local UNIX printing too.  This
                section also talks about "lpd" security issues and how to fix them.
                [Section 47]

                By popular demand, I've begun to implement a VPN with SWAN / IPSEC.
                This will take a little while but the URLs are there at least.
                [Section 48]

01/09/99        Made some clarifications on using command-line vs. GUI
                /etc/rc.d daemon control programs
                [Section 8]

                Added "df" and "ps ax" vitals to the sendlogs daily
                email system
                Added "/usr/sbin/killall tail" to the /etc/rc.d/rc.local file
                [Section 9]

                Added some clarifications to the DHCP section and how to get 
                MAC addresses from WinNT and Linux.
                Corrected a mistake where I was pointing the DHCP broadcast
                to the wrong NIC card.

                Added the fact that you need to put all your DHCP leases into
                DNS and restart named.
                [Section 27]

.----------------------------------------------------------------------------.
|  David A. Ranch - Linux/Networking/PC hardware         [EMAIL PROTECTED]  |
!----                                                                    ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
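
A way to re-check the "fixed perms ... to 700" entries in this changelog, as an added example that is not part of the original post or of the document it describes. The paths are the ones named above; the function names, the ROOT argument and the use of GNU `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added example: re-check the files this changelog says were set to mode 700.
# Paths come from the changelog; the ROOT argument and function names are
# assumptions of this example. Uses GNU coreutils `stat -c`.

EXPECTED_700='
/var/log/log.to.ttys
/var/log/sendlogs
/etc/rc.d/rc.firewall
/etc/rc.d/rc.serial
/etc/cron.15minutes/getdate
/etc/rc.d/rc.raid
/etc/cron.10minutes/re-sync
'

# excess_bits MODE LIMIT: print (octal) the bits set in MODE that LIMIT forbids.
excess_bits() {
    printf '%o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# audit_tree ROOT: report missing or too-permissive files under ROOT.
# Returns 1 if any file grants more than 700, else 0.
audit_tree() {
    root=$1
    rc=0
    for path in $EXPECTED_700; do
        file="$root$path"
        if [ ! -e "$file" ]; then
            echo "MISSING $path"
            continue
        fi
        mode=$(stat -c '%a' "$file")
        extra=$(excess_bits "$mode" 700)
        if [ "$extra" != 0 ]; then
            echo "LOOSE $path mode=$mode extra=$extra"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh audit.sh /        (or a mounted image / test tree as ROOT)
if [ "$#" -gt 0 ]; then
    audit_tree "${1%/}"
fi
```

A `LOOSE` line with `extra=55` means group and other still have read and execute, which is the 755 state the changelog describes correcting.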