Author Topic: XI. SECURING ZENTYAL. (Part 11/12)  (Read 2285 times)


  • Zen Apprentice
  • *
  • Posts: 24
  • Karma: +0/-0
    • View Profile
« on: May 31, 2022, 05:41:17 pm »


Linux distributions usually come with insecure repositories in
http, so we will switch them to https as much as possible, because some
Zentyal repositories are not available in https.

To do this open a terminal window and enter the following command for the socket
support for https repositories:

Code: [Select]
sudo apt install apt-transport-https -y

From now on we can change http repositories to https.

In a terminal window:

Code: [Select]
sudo nano /etc/apt/sources.list

To change the sources, just add an "s" at the end of http, in my
example below I unchecked the deb-src, see type of archives.

Save your changes with "ctrl+x" then "y" and finally hit enter.

n addition we can also change the security http repositories by a mirror
supporting https, to be chosen according to your geographical location
to limit latencies, see archive mirrors.

In my example I chose the plusserver mirror:

Once the repositories have been changed, simply reload the sources with the command

Code: [Select]
sudo apt update


Since 20 June Zentyal HTTPS repository are available.


We will add a self-signed x509 certificate to access the console
administration in https, which by default is in http.

Go to Certification Authority in the administration console:

Then create a new certificate:

Once created we can see it in the list of current certificates:

Now you have to apply the certificate to the web server, go to "Services
certificates” and tick the services you wish to certify:

To take effect, save your changes and then close the console
administration. Upon reopening and after accepting the risk, you will see
appear https in the navigation bar.


By default the port used by the directory is 389 which is not safe, we will force
using secure port 636.

For support it is necessary to enrich the samba configuration file
found in "/usr/share/zentyal/stubs/samba/smb.conf.mas" by adding
the location of the certificate created previously.

In a terminal window:

Code: [Select]
sudo nano /usr/share/zentyal/stubs/samba/smb.conf.mas

Dans la section [global] rajoutez ces lignes:

Code: [Select]
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1

We will restrict the access rights to the certificate key, go to the
certificates folder:

Code: [Select]
cd /var/lib/samba/private/tls
Code: [Select]
sudo chmod 600 key.pem

Finally we will restart the samba services:

Code: [Select]
sudo zs samba restart


Short presentation of fail2ban, it is an intrusion prevention system that
allows you to ban source ip addresses that attempt to connect without your knowledge to
some services, such as ssh.

We are going to install fail2ban, in a terminal window:

Code: [Select]
sudo apt install fail2ban -y

Enable the service on every boot:

Code: [Select]
sudo systemctl enable fail2ban

Check the service status:

Code: [Select]
sudo systemctl status fail2ban

Let's move on to configuring the plugins:

Code: [Select]
sudo nano /etc/fail2ban/jail.d/defaults-debian.conf

Rajoutez les plugins à surveiller ainsi que le temps de bannissement:

Code: [Select]
enabled = true
port = 22
bantime = 86400
maxretry = 2
ignoreip = server-ip admin-client-ip
enabled = true
port = http,https

In the example the ssh and nginx plugins have been chosen, with a time of
ban of 24 hours estimated in seconds, as well as 2 attempts maximum.

Do not forget to add to the "ignoreip" list the ip address of your
server and the administrator workstation, at the risk of being blocked by fail2ban.

Restart the service for the changes to take effect:

Code: [Select]
sudo systemctl restart fail2ban

Check the logs:

Code: [Select]
tail -f /var/log/fail2ban.log


portsentry is a "portscan" detection and blocking program, ideal
to hide services using specific ports.

Installing portsentry:

Code: [Select]
sudo apt install portsentry -y

Enable the service on every boot:

Code: [Select]
sudo systemctl enable portsentry

Check the service status:

Code: [Select]
sudo systemctl status portsentry

Configure the file with the ip addresses to ignore, those of the server and administrator station:

Code: [Select]
sudo nano /etc/portsentry/portsentry.ignore.static

By default portsentry does not block any ip, we will go to the file of
configuration of it and modify so that the blocking is effective:

Code: [Select]
sudo nano /etc/portsentry/portsentry.conf

Set Ignore Options BLOCK_UDP/TCP to "1" for blocking support:

“Dropping Routes” section, check that the following line is uncommented:

Same for the “TCP Wrappers” section:

“External Command” section, add this long line and uncomment
KILL_RUN_CMD_FIRST with a value of “1”:

Code: [Select]
KILL_RUN_CMD="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables
-I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG
--log-level debug --log-prefix 'Portsentry: dropping: '"

Section “Scan trigger” value “0” to “1”:

For automatic detection of the ports used, simply go to the file

Code: [Select]
sudo nano /etc/default/portsentry

Passez en mode «atcp» et «audp» puis redémarrez le service:

Code: [Select]
sudo systemctl restart portsentry


To connect remotely to our server and maintain it, we
we need the ssh service and of course secure it to limit access.

First of all we will open port 22 on Zentyal which by default is closed, to
to be able to access the ssh via administrator post, open a terminal and enter the
following command:

Code: [Select]
sudo nano /etc/ssh/sshd_config

Once in the configuration file uncheck port 22 and restart the service:

Code: [Select]
sudo systemctl restart sshd

Let's go to the administrator workstation on which we will generate a
new pair of ssh keys, for this open a command window and enter the
next line:

Code: [Select]
ssh-keygen -t rsa -b 4096

This command allows us to create an rsa key pair with a length of
4096 bit.

The following message asks where to store the key pair, let the location per

Fill in a robust passphrase respecting the security policy with the help of the
KeePassXC password manager:

Once the key pair is generated, we can connect via ssh to the server
Zentyal, using the main admin console user as

Code: [Select]
ssh user_console_adm@adresse_ip_zentyal

For this first connection, the administration console user password
will be needed to connect remotely:

And here we are on the server via remote access:

We will create a hidden folder, where we will store the public key of the administrator computer
in a key authorization file, in order to limit the ssh access:

Code: [Select]
mkdir .ssh
Code: [Select]
cd .ssh
Code: [Select]
sudo nano authorized_keys

Enter the public key retrieved via notepad in the path "C:\Users\

Once the key is registered we will configure the ssh service to secure the keys access, then go to the ssh configuration file:

Code: [Select]
sudo nano /etc/ssh/sshd_config

Uncheck the Hostkeys:

Then uncheck “PermitRootLogin” and put “no”, “PubKeyAuthentication yes”,
and finally “AuthorizedKeysFile”:

Uncheck “UseDNS” and change the value to “no”:

Arrived at the "Subsystem" section, check it then add this line below to
force the use of sFTP:

Code: [Select]
Subsystem      sftp      internal-sftp

And finally, let's limit access only to the user of the administration console, by
adding at the bottom:

Code: [Select]
Allowusers user_console_adm

For the changes to be taken, simply restart the service
ssh with the following command:

Code: [Select]
sudo systemctl restart sshd

Once the service has restarted, we can connect to the server via ssh by
filling in the console the user and the associated passphrase:

And here we are on the Zentyal server:

From now on only the administrator workstation can connect to the server,
so we have limited remote access to the server.

HTTPS Repository Source

LDAPS Source

Certification Authority Source

Fail2ban Source

portsentry Source

SSH Source
« Last Edit: June 22, 2022, 11:40:24 am by vandykmarsu »