mirror of
https://github.com/samba-team/samba.git
synced 2025-02-25 17:57:42 +03:00
Added a slightly modified version of Tridge's note about securing
a Samba server.
This commit is contained in:
parent
a43fe8e5f0
commit
03a227b7ee
docs/docbook/projdoc
@ -23,6 +23,7 @@
<!ENTITY Passdb SYSTEM "passdb.sgml">
<!ENTITY VFS SYSTEM "VFS.sgml">
<!ENTITY GroupProfiles SYSTEM "GroupProfiles.sgml">
<!ENTITY SecuringSamba SYSTEM "securing-samba.sgml">
]>

<book id="Samba-HOWTO-Collection">
@ -115,6 +116,7 @@ part each cover one specific feature.</para>
&GROUP-MAPPING-HOWTO;
&SPEED;
&GroupProfiles;
&SecuringSamba;
</part>

<part id="Appendixes">
181
docs/docbook/projdoc/securing-samba.sgml
Normal file
@ -0,0 +1,181 @@
<chapter id="securing-samba">

<chapterinfo>
<author>
<firstname>Andrew</firstname><surname>Tridgell</surname>
<affiliation><orgname>Samba Team</orgname></affiliation>
</author>
<pubdate>17 March 2003</pubdate>
</chapterinfo>

<title>Securing Samba</title>

<sect1>
<title>Introduction</title>
<para>
This note was attached to the Samba 2.2.8 release notes as it contained an
important security fix. The information contained here applies to Samba
installations in general.
</para>

</sect1>

<sect1>
<title>Using host based protection</title>

<para>
In many installations of Samba the greatest threat comes for outside
your immediate network. By default Samba will accept connections from
any host, which means that if you run an insecure version of Samba on
a host that is directly connected to the Internet you can be
especially vulnerable.
</para>

<para>
One of the simplest fixes in this case is to use the 'hosts allow' and
'hosts deny' options in the Samba smb.conf configuration file to only
allow access to your server from a specific range of hosts. An example
might be:
</para>

<para><programlisting>
hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0
</programlisting></para>

<para>
The above will only allow SMB connections from 'localhost' (your own
computer) and from the two private networks 192.168.2 and
192.168.3. All other connections will be refused connections as soon
as the client sends its first packet. The refusal will be marked as a
'not listening on called name' error.
</para>

</sect1>

<sect1>

<title>Using interface protection</title>

<para>
By default Samba will accept connections on any network interface that
it finds on your system. That means if you have a ISDN line or a PPP
connection to the Internet then Samba will accept connections on those
links. This may not be what you want.
</para>

<para>
You can change this behaviour using options like the following:
</para>

<para><programlisting>
interfaces = eth* lo
bind interfaces only = yes
</programlisting><para>

<para>
This tells Samba to only listen for connections on interfaces with a
name starting with 'eth' such as eth0, eth1, plus on the loopback
interface called 'lo'. The name you will need to use depends on what
OS you are using, in the above I used the common name for Ethernet
adapters on Linux.
</para>

<para>
If you use the above and someone tries to make a SMB connection to
your host over a PPP interface called 'ppp0' then they will get a TCP
connection refused reply. In that case no Samba code is run at all as
the operating system has been told not to pass connections from that
interface to any process.
</para>

</sect1>

<sect1>
<title>Using a firewall</title>

<para>
Many people use a firewall to deny access to services that they don't
want exposed outside their network. This can be a very good idea,
although I would recommend using it in conjunction with the above
methods so that you are protected even if your firewall is not active
for some reason.
</para>

<para>
If you are setting up a firewall then you need to know what TCP and
UDP ports to allow and block. Samba uses the following:
</para>

<para><programlisting>
UDP/137 - used by nmbd
UDP/138 - used by nmbd
TCP/139 - used by smbd
TCP/445 - used by smbd
</programlisting></para>

<para>
The last one is important as many older firewall setups may not be
aware of it, given that this port was only added to the protocol in
recent years.
</para>

</sect1>

<sect1>
<title>Using a IPC$ share deny</title>

<para>
If the above methods are not suitable, then you could also place a
more specific deny on the IPC$ share that is used in the recently
discovered security hole. This allows you to offer access to other
shares while denying access to IPC$ from potentially untrustworthy
hosts.
</para>

<para>
To do that you could use:
</para>

<para><programlisting>
[ipc$]
hosts allow = 192.168.115.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
</programlisting></para>

<para>
this would tell Samba that IPC$ connections are not allowed from
anywhere but the two listed places (localhost and a local
subnet). Connections to other shares would still be allowed. As the
IPC$ share is the only share that is always accessible anonymously
this provides some level of protection against attackers that do not
know a username/password for your host.
</para>

<para>
If you use this method then clients will be given a 'access denied'
reply when they try to access the IPC$ share. That means that those
clients will not be able to browse shares, and may also be unable to
access some other resources.
</para>

<para>
This is not recommended unless you cannot use one of the other
methods listed above for some reason.
</para>

</sect1>

<sect1>
<title>Upgrading Samba</title>

<para>
Please check regularly on http://www.samba.org/ for updates and
important announcements. Occasionally security releases are made and
it is highly recommended to upgrade Samba when a security vulnerability
is discovered.
</para>

</sect1>

</chapter>
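Review bot: the paragraph opened by "</programlisting><para>" right after "bind interfaces only = yes" in the "Using interface protection" section is never closed; it should be "</programlisting></para>", as the other three listings in this file do (for example "</programlisting></para>" after "hosts deny = 0.0.0.0/0"). As written, every later <para> in the chapter is nested inside that unterminated paragraph, which the DocBook build is likely to reject. While the file is being touched, a few wording fixes in the new prose: "comes for outside" should be "comes from outside"; "a ISDN line", "a SMB connection" and "a 'access denied' reply" should use "an"; the section title "Using a IPC$ share deny" likewise; and the paragraph starting "this would tell Samba" should begin with a capital letter. It would also help readers if the [ipc$] example used the same 192.168.2.0/24 and 192.168.3.0/24 ranges as the global "hosts allow" example above it, rather than introducing a third, unexplained 192.168.115.0/24 subnet.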