A Server for my work (I'm in a little deep here)

Impotence

May the source be with u!
Help me, please..... I'm getting really worried over this :unsure:

I work as a care assistant for disabled children / young adults at a small(ish) nonprofit business/charity that is part of ENABLE Scotland (http://www.enable.org.uk) but I have also ended up dealing with / being responsible for anything technical (computers etc).

My work has become reliant upon the computers they have because EVERYTHING is stored on them.

We have 8 computers in the building, all of which are holding data sensitive in some way (information about service users, staff, financial data etc) and it really has become quite a shambles (the organization of where everything is) but we have been offered a computer to use as a server by ENABLE which is arriving next week (with a blank HDD).

This server will run Linux (most likely Debian, but open to suggestions!) and its clients will be Windows XP machines (although I think I might introduce a Kubuntu install to see how they cope!).

The idea is that I set this machine up to hold everyone's documents and ensure that no one can access them without the appropriate username+password (each user to have their own username+password). The only way to do this that I can think of is with FTP (I'm hoping you can have FTP access through Explorer in Windows, i.e. a folder).

Backups are a major concern that I have... I want to do this properly. Tape is obviously the best medium for a backup (although the initial cost is quite high, it's reliable, high capacity and re-writable), but I don't know what to buy :doh: (or what Linux support is like).

I'm mainly worried because this server will be relied upon, this isn't just me playing with Linux anymore.... this is a production system, if something goes wrong I doubt I will be blamed but I will most definitely be called to come and fix it immediately!

Any help, comments or suggestions are more than welcome!

Impy.
 
Are you looking to implement a file server or backup server? Actually, in either case, you should deploy SME server. That should have everything you need and more.

A high performance email server that handles email to and from your users.
Enhanced security features that reduce the risk of intrusion.
A central file server enabling seamless information exchange among Windows, Macintosh and Unix machines.
A web server to host your company web and/or intranet site.
Browser based server-manager software that makes it easy to add new user accounts, control remote access, configure network printers, set up workgroups and connect additional networks.
Special services that speed web and Internet access, improving the performance of your network.
A shared email address book that is maintained automatically.
i-bays, a unique communications and collaborative facility that makes it easy for users to work together on projects.
Quota Management - you have the ability to set a limit on the amount of a disk space a user can use for files and e-mail.
Windows 2000 and XP domain logon support - Previous versions have allowed the server to act as a domain controller for client computers running Windows 95, 98, ME or NT. This version now extends that domain logon support to Windows 2000 and Windows XP.
USB printer support - It is now possible to connect the SME Server to a printer via the USB port.
Improved Macintosh file sharing support - The server now includes better support for Macintosh file sharing and eliminates some previous cases where Macintosh users were unable to access i-bays.
Experimental ISDN card support - While our software has always supported external ISDN adapters, this version now includes experimental support for using an internal passive ISDN card.
Use of unmodified packages from upstream providers - Packages from Centos 4 (2.6.9 kernel), Mitel, and other packages from atrpms and rpmforge are used unmodified whenever possible. The result is that any other Redhat EL4 or Centos 4 RPMS should work without modification.
Installation on a system with 1 hard drive is automatically set up half of a RAID1 mirror, ready to accept a second drive. Systems with 2 drives are set up as RAID 1; 3-5 drives as RAID5; and 6+ Drives as RAID6.
Secure email enhancements. POP3/SSL, IMAP/SSL, SMTP/SSL, SMTP AUTH over SMTP/SSL.
Webmail has been upgraded to the latest versions of Horde, Imp, Turba and Ingo from horde.org
SMTP Email reception is now handled by qpsmtpd. Advanced but simple to use plugin system to easily install extra functionality and write local rules. Almost all features are implemented in plugins.
Antivirus email and hard drive scanning is now provided by ClamAV. Virus definitions are kept up to date automatically, and program updates will be available automatically via the software installer (yum). Plugins are available for 3rd-party (commercial) scanners as well.
Email attachment handling: Including the ability to block EXE, ZIP, PIF and automatic conversion of TNEF or UUENCODE encoded attachments to MIME.
Spam Filtering with Spamassassin. Automatic tagging with X-spam-status headers, and optional filtering and subject tagging. Configurable rejection levels.
Enhancement to the pseudonyms panel. You now have the ability to send (e.g.) support@domain1 and support@domain2 to different places, and you can now enter pseudonyms of pseudonyms.
Yum based Software installer panel. Approved contribs and official updates can now be installed in the server-manager. Selectable "Automatically install updates" option.

For backups only, you could deploy an Ubuntu / Debian server and install BackupPC on it. It's a fully featured enterprise grade backup solution that is managed via a web interface and SSH. Here's a tutorial.
 
Well, you could set up a file server using Debian and Samba. Just create Samba shares on the Debian server and map the user's My Documents folder to point to that location. Just right click My Documents and you can enter a path.
 
Can SAMBA shares be password protected?

Yes, but you'd be better off using proper NTFS / share permissions. Hmm, I think for your needs, SME server would probably make things easier. You will, however, have to invest a lot of your time reading the documentation and getting to grips with it. I'd suggest running it in a test environment first, such as VMware, and get to know the basics. Only deploy it once you are comfortable with it.

Actually, I just remembered about FreeNAS. That would be perfect for extra network storage, but I am not sure how effective the security would be. You'll have to read up on it.

HTH
 
OK, well thanks a lot Mega (at least I won't have to set up everything myself and hopefully I can assume that SME server would install configured :D)

Anyone got any suggestions about backups?
 
Like Megamaced first suggested, use SME. You can use it as a stand-alone file server, or as a domain controller. And yes, of course file sharing is password protected. It will be easier for you to get installed since you're not yet a Linux expert, and will probably work exactly as you need it to.
 
After a long delay, I've installed SME server (the machine is a 1.7GHz Celeron with 256MB RAM).

I did a full nmap scan of a default install of SME server and there are A LOT of services running that are not needed, and I think I would be much more comfortable starting from scratch with Debian than disabling everything I don't need in SME. Hopefully it will also be more educational too (setting it up from scratch as opposed to just mutilating SME to my needs).

I am assuming there is plenty of info on configuring Samba etc. available, so I'll do my own research and log everything I install / configure and perhaps write it up :)
 
SME is an all-in-one type server, meaning it runs domain, proxy and various flavors of mail. But each service it runs has a good track record for security, so as long as you keep the system up to date, you shouldn't ever have any security issues.
 
I've been having fun :D

The server is mostly set up... installed, patched, new kernel (686 is the best for a 1.7GHz Celeron, yeah???)

Samba has been installed and configured (just need to add the users). All I have left to do is install an FTP server (proftpd), a DHCP server (currently it's being done by a router) and possibly SWAT (Samba web interface) and Snort (intrusion detection, seems like a good idea).

What's strange was nmap (4.20) couldn't identify the OS running with 3 open ports (but I submitted the fingerprint).
 
I've been thinking about this quite a lot recently and I've drawn up a mind map of my ideas... anyone got any comments or suggestions?

PS it was created with kdissert [apt-get install kdissert]
 

Attachments

  • mind_map.png
Sorry, I was correcting a mistake I made and uploading a new one (and deleting the old one)... you must have caught it during that!
 
That looks like a very good rundown, though you'll also need winbindd for domain services. Additionally, it might be a good idea to map out shares -- both public and private -- and list which facilities will provide each (SFTP, SMB, FTP, etc). And keep in mind that if you allow FTP without TLS, you will be transmitting domain passwords in clear text. Finally, you should think strongly about quotas to keep HDD usage under control, and additionally resource limitations if you plan on giving shell.

You may have already read this judging by your diagram, but here's a link to my recent Linux security articles:

anti-trend.homelinux.org - Published Security Articles
 
yeah, a quick question about part one of your guide:-

If you're using a Debian system or a derivative thereof which makes use of apt, automated updates are not really an option due to the interactive nature of apt-get or aptitude. However, you can still use the apt-cron....

Is there any reason why you shouldn't use the -yes or --assume-yes parameter with apt for updates?
 
yeah, a quick question about part one of your guide:-
Is there any reason why you shouldn't use the -yes or --assume-yes parameter with apt for updates?
I don't know about you, but I don't like the idea of allowing major system decisions to be made about one of my servers without me. :) Last time I upgraded, aptitude wanted to remove sudo... with --assume-yes, it would have. In contrast, Red Hat systems are much more difficult to upgrade to a newer version without trouble, at least partially because it doesn't give you much choice about the upgrades when you do it. But that's also what makes security updates so transparent in Red Hat, and one of the things which makes it a great server. Precisely why I run Debian on my desktops and Red Hat on my servers... the right tools for the job. :ph34r:
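
The trade-off discussed above (a package removal that `--assume-yes` would accept without asking) can be checked before an unattended run. This is an added example, not code from the thread or the linked guide: it reads the output of a simulated `apt-get -s dist-upgrade` and holds the upgrade if any package would be removed. The function names and the sample simulation output are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether an upgrade may run unattended by reading
# the output of a simulated run (apt-get -s) before anything is changed.

# Constructed sample of simulation output; package versions are made up.
SAMPLE_SIM='Remv sudo [1.0-1]
Inst libc6 [1.0-1] (1.0-2 Example:stable)
Inst openssl [1.0-1] (1.0-2 Example:stable)
Conf libc6 (1.0-2 Example:stable)
Conf openssl (1.0-2 Example:stable)'

# Read simulation output on stdin, print the packages it would remove.
planned_removals() {
    awk '$1 == "Remv" { print $2 }'
}

# $1 = simulation output. Returns 0 if nothing would be removed, 1 otherwise.
upgrade_decision() {
    removals=$(printf '%s\n' "$1" | planned_removals | tr '\n' ' ')
    removals=${removals% }
    if [ -n "$removals" ]; then
        echo "HOLD: would remove $removals"
        return 1
    fi
    echo "OK: no removals planned"
}

# Simulate first; only pass --assume-yes to the real run when the plan is clean.
guarded_upgrade() {
    sim=$(apt-get -s dist-upgrade) || return 2
    upgrade_decision "$sim" || return 1
    apt-get --assume-yes dist-upgrade
}

# Demo on the constructed sample; the real upgrade runs only with --apply.
upgrade_decision "$SAMPLE_SIM" || true
if [ "${1:-}" = "--apply" ]; then
    guarded_upgrade
fi
```

Run from cron with `--apply`, a non-zero exit status leaves the system untouched and signals that an administrator should review the plan by hand.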
 
OK, I now have a Hewlett Packard C1554-20102 SCSI Tape Drive but no media, and nowhere to plug it into the motherboard! (But we weren't charged for it, so I can't complain!).

All I have been able to find out about it from Google is that it is apparently a 12/24GB drive (and I think the 24GB is compressed) so I am slightly worried that we won't be able to fit a full backup onto a single tape... but anyway.

I am guessing that I will have to buy a PCI SCSI card... any recommendations?
 
OK, as recommended earlier I am planning on disallowing FTP login without TLS, however, this means that I'm going to need an SSL certificate and I have no idea where to start... all I know is that self-signed certificates are next to pointless (other than for testing).

So who should I get my certificate from?
 
... all I know is that self-signed certificates are next to pointless (other than for testing). So who should I get my certificate from?
Self-signed certificates are only useless for a) preventing MITM attacks, and b) verifying the validity of a site. If you ask me, these are primarily the same thing. :) Also, I can argue that even a signed cert won't protect most users from a MITM attack, since they will usually blindly click "OK" anyway. But I digress... even a self-signed certificate is useful for the important thing: securing the connection with encryption. You can always buy a cert if you want, but don't discount encryption because your certs aren't signed. For tips on SSL/TLS and self-signing, see here:
NSLU2-Linux - Optware / Proftpd browse (about half-way down the page).
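
An added example, not part of the thread or the linked page: creating the kind of self-signed certificate discussed above with the `openssl` command line, and recording its SHA-256 fingerprint so a client can compare it when it first connects (the comparison step goes beyond what the posts describe). The host name `fileserver.example.lan`, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example: self-signed certificate for a TLS-enabled FTP server,
# plus a fingerprint comparison that detects a substituted certificate.

# $1 = output directory, $2 = server host name used as the certificate CN.
# Writes server.key (private, mode 600) and server.crt (valid 365 days).
make_selfsigned() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.crt" \
          2>/dev/null &&
      chmod 644 "$1/server.crt" )
}

# Print the SHA-256 fingerprint of a PEM certificate as colon-separated hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# $1 = certificate file, $2 = fingerprint recorded when the server was set up.
# Returns 0 only if the certificate is the one that was recorded.
matches_pin() {
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Demo: two certificates with the same name but different keys. Only the
# first matches the recorded fingerprint.
demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/real" "$dir/other"
    make_selfsigned "$dir/real" fileserver.example.lan
    make_selfsigned "$dir/other" fileserver.example.lan
    pin=$(cert_fingerprint "$dir/real/server.crt")
    matches_pin "$dir/real/server.crt" "$pin" && echo "real: fingerprint matches"
    matches_pin "$dir/other/server.crt" "$pin" || echo "other: fingerprint MISMATCH"
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; skipping demo"
fi
```

In ProFTPD's mod_tls the two files are referenced with `TLSRSACertificateFile` and `TLSRSACertificateKeyFile`; the fingerprint is what gets handed to users to check against the certificate dialog their FTP client shows.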
 