====Samba and NFS Server on Rocky Linux 8====

This will install a Samba4 and NFS server on Rocky Linux 8 with sharing the same data from Samba and NFS, extended ACLs will also be used.

Install Rocky Linux 8 minimal with 2 CPU, 512MB+ RAM, 20GB+ storage (use separate /home mount point if going over 100GB), set FQDN, set static IP, enable NTP.

3.) After install if finished reboot -> login -> perform a "dnf update".

==Create limited user account and add to wheel group for sudo==
<code>
useradd example_user && passwd example_user
usermod -aG wheel example_user
</code>

==Install dependencies and vim==
<code>
dnf install vim tar
</code>

Logout of root and login using sudo user

==Disallow root login over SSH==
<code>
sudo vim /etc/ssh/sshd_config
</code>
then set
<code>
PermitRootLogin no
</code>

Restart sshd
<code>
sudo systemctl restart sshd
</code>

==Configure hosts==
<code>
sudo vim /etc/hosts
</code>
Add a line for your FQDN
<code>
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.30  websrv01.domainname.com websrv01
</code>

====Automatic Updates for CentOS====

https://www.tecmint.com/dnf-automatic-install-security-updates-automatically-in-centos-8/
<code>
sudo dnf install dnf-automatic
sudo vim /etc/dnf/automatic.conf
</code>

Set:
<code>
upgrade_type = security
download_updates = yes
apply_updates = yes
system_name = (your system name)
emit_via = motd
</code>

Enable the auto-update timer
<code>
sudo systemctl enable --now dnf-automatic.timer
</code>

====fail2ban====

https://idroot.us/install-fail2ban-centos-8/
https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
<code>
sudo dnf install epel-release
sudo dnf install fail2ban
</code>

==Create a Jail for SSHd==
<code>sudo vim /etc/fail2ban/jail.d/sshd.local</code>
Add the following:
<code>
[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[selinux-ssh]
enabled  = true
port     = ssh
logpath  = %(auditd_log)s
</code>

==Start fail2ban==
<code>
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo fail2ban-client status sshd
</code>

====Samba====
https://www.tecmint.com/install-samba-on-rhel-8-for-file-sharing-on-windows/ \\
https://www.techrepublic.com/article/how-to-create-a-linux-user-that-cannot-log-in/

==Install Base Packages==
<code>
sudo dnf install samba samba-client samba-common
</code>

==Enable Services==
<code>
sudo systemctl start smb
sudo systemctl enable smb
</code>

==Configure Firewall==
<code>
sudo firewall-cmd --permanent --add-service=samba
sudo firewall-cmd --reload
</code>

==Create Group & User==
<code>
sudo groupadd smb_users
sudo useradd smbadmin --shell=/bin/false && sudo passwd smbadmin
sudo usermod -aG smb_users smbadmin
sudo smbpasswd -a smbadmin
</code>

==Create Dir for Share and Set Permissions==
<code>
sudo mkdir -p /home/samba/public
sudo chmod -R 0770 /home/samba/public
sudo chown -R root:smb_users /home/samba/public
sudo chcon -t samba_share_t /home/samba/public
</code>

==Configure Share==
<code>
sudo vim /etc/samba/smb.conf
</code>

Add the following:
<code>
[public]
        comment = Public Share
        path =  /home/samba/public
        valid users = @smb_users
        guest ok = no
        writable = yes
        browsable = yes
        acl_xattr:ignore system acls = yes
</code>

Restart services:
<code>
sudo systemctl restart smb.service
sudo systemctl restart nmb.service
</code>

Add other users if needed and add them to the smb_users group, then fire up a Windows computer to create your initial folder structure with permissions from there...