As per
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html
"By default, Samba accepts connections on any network interface that it
finds on your system. That means if you have an ISDN line or a PPP
connection to the Internet then Samba will accept connections on those
links. This may not be what you want.
You can change this behavior using options like this:
interfaces = eth* lo
bind interfaces only = yes
This tells Samba to listen for connections only on interfaces with a
name starting with eth such as eth0 or eth1, plus on the loopback
interface called lo. The name you will need to use depends on what OS
you are using. In the above, I used the common name for Ethernet
adapters on Linux.
If you use the above and someone tries to make an SMB connection to your
host over a PPP interface called ppp0, then [s]he will get a TCP
connection refused reply. In that case, no Samba code is run at all,
because the operating system has been told not to pass connections from
that interface to any Samba process. However, the refusal helps a
would-be cracker by confirming that the IP address provides valid active
services.
A better response would be to ignore the connection (from, for example,
ppp0) altogether. The advantage of ignoring the connection attempt, as
compared with refusing it, is that it foils those who probe an interface
with the sole intention of finding valid IP addresses for later use in
exploitation or denial of service attacks. This method of dealing with
potential malicious activity demands the use of appropriate firewall
mechanisms.
Using a Firewall
Many people use a firewall to deny access to services they do not want
exposed outside their network. This can be a good idea, although I
recommend using it in conjunction with the above methods so you are
protected even if your firewall is not active for some reason.
If you are setting up a firewall, you need to know what TCP and UDP
ports to allow and block. Samba uses the following:
Port 135/TCP - used by smbd
Port 137/UDP - used by nmbd
Port 138/UDP - used by nmbd
Port 139/TCP - used by smbd
Port 445/TCP - used by smbd
The last one is important because many older firewall setups may not be
aware of it, given that this port was only added to the protocol in
recent years.
When configuring a firewall, the high order ports (1024-65535) are often
used for outgoing connections and therefore should be permitted through
the firewall. It is prudent to block incoming packets on the high order
ports except for established connections."
On 10/2/2013 10:29 AM, James, Trevor wrote:
Interfaces I think are best when one has bound multiple IPs to one NIC, or multiple NICs. The Allow/Deny does the same thing for a single NIC machine (my 2 cents only).
The Firewall is based on exposure of course. A SOHO is more than likely behind a bridge/router to the internet, so exposure is limited to usually 192.168.X.X, or local devices. In this specific case I have several subnets, so blocking everything but what is needed (first rule of security I found) means someone from another subnet cannot port scan and try to compromise this machine (which should basically become a set it and forget it type machine).
T. James
-----Original Message-----
From: Linux [mailto:linux-bounces [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca] On Behalf Of Timothy Brier
Sent: Wednesday, October 02, 2013 10:04 AM
To: linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
Subject: Re: [OCLUG-Tech] Set up a SAMBA server
Hi,
I know I'm late on this, but here's my two cents.
I like that you block the firewall. Another option is to bind samba to the desired interface. An example in the smb.conf file would be:
interfaces = 192.168.0.0/24
On 10/2/13 9:11 AM, James, Trevor wrote:
Here is my best guess document, if anyone has any input, I am always open for suggestions.
http://macnash.telfer.uottawa.ca/~nashjc/visible/Ubuntu%20SAMBA.pdf
_______________________________________________
Linux mailing list
Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
http://oclug.on.ca/mailman/listinfo/linux
Hi,
I know I'm late on this, but here's my two cents.
I like that you block the firewall; too many people leave this open.
Another option is to bind samba to the desired interface.
An example in the smb.conf file would be:
interfaces = 192.168.0.0/24
bind interfaces only = true
A few other lines I usually add to the smb.conf to allow samba to use symlinks:
follow symlinks = yes
wide links = yes
unix extensions = no
To optimize throughput with windows I add this:
max xmit = 65535
aio read size = 1
aio write size = 1
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=65535 SO_RCVBUF=65535
read raw = yes
write raw = yes
max connections = 65535
max open files = 65535
- Timothy Brier
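Putting the two settings this thread keeps coming back to into checkable form, as an added example that is not from the list thread or the Samba project: a POSIX shell script that audits a smb.conf for "interfaces" plus "bind interfaces only" (the HOWTO quoted at the top and the smb.conf lines in Timothy's message above) and prints iptables rules that admit only the Samba ports the HOWTO lists from one LAN subnet, dropping rather than refusing everything else. The sample smb.conf, the 192.168.0.0/24 subnet and the per-port DROP rules are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): check that a
# smb.conf binds Samba to chosen interfaces as the HOWTO advises, and print
# iptables rules admitting the Samba ports the HOWTO lists from one LAN only.
# Constructed sample smb.conf; the subnet is the one used in the thread.
SAMPLE_SMB_CONF='[global]
   workgroup = WORKGROUP
   interfaces = 192.168.0.0/24 lo
   bind interfaces only = yes
'

# smb_value FILE KEY: print the lowercased value of lowercase KEY from
# [global], ignoring comment lines and spacing around "=".
smb_value() {
  awk -v key="$2" '
    /^[[:space:]]*[;#]/ { next }
    /^[[:space:]]*\[/   { insec = (tolower($0) ~ /\[global\]/); next }
    insec && index($0, "=") {
      k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      if (tolower(k) == key) {
        v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
        print tolower(v); exit
      }
    }' "$1"
}

# smb_binds_interfaces FILE: succeed only if "interfaces" is set and
# "bind interfaces only" is yes/true, so Samba does not listen everywhere.
smb_binds_interfaces() {
  ifs=$(smb_value "$1" "interfaces")
  bio=$(smb_value "$1" "bind interfaces only")
  [ -n "$ifs" ] && { [ "$bio" = "yes" ] || [ "$bio" = "true" ]; }
}

# samba_fw_rules LAN_CIDR: for each port the HOWTO lists, accept it from the
# LAN and silently DROP it from anywhere else (ignore rather than refuse).
samba_fw_rules() {
  for p in 135/tcp 137/udp 138/udp 139/tcp 445/tcp; do
    proto=${p#*/}; port=${p%/*}
    echo "iptables -A INPUT -s $1 -p $proto --dport $port -j ACCEPT"
    echo "iptables -A INPUT -p $proto --dport $port -j DROP"
  done
}

# Stand-alone run: audit the sample config, then emit rules for the LAN.
tmp=$(mktemp); printf '%s' "$SAMPLE_SMB_CONF" > "$tmp"
if smb_binds_interfaces "$tmp"; then echo "smb.conf: bound to chosen interfaces"
else echo "smb.conf: WARNING, Samba listens on every interface"; fi
samba_fw_rules 192.168.0.0/24
rm -f "$tmp"
```

The DROP rules matter only if the chain's policy is not already DROP; with a default-deny INPUT chain, the ACCEPT lines alone are enough.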