As per http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html

"By default, Samba accepts connections on any network interface that it finds on your system. That means if you have an ISDN line or a PPP connection to the Internet then Samba will accept connections on those links. This may not be what you want.

You can change this behavior using options like this:
interfaces = eth* lo
bind interfaces only = yes

This tells Samba to listen for connections only on interfaces with a name starting with eth such as eth0 or eth1, plus on the loopback interface called lo. The name you will need to use depends on what OS you are using. In the above, I used the common name for Ethernet adapters on Linux.

If you use the above and someone tries to make an SMB connection to your host over a PPP interface called ppp0, then [s]he will get a TCP connection refused reply. In that case, no Samba code is run at all, because the operating system has been told not to pass connections from that interface to any Samba process. However, the refusal helps a would-be cracker by confirming that the IP address provides valid active services.

A better response would be to ignore the connection (from, for example, ppp0) altogether. The advantage of ignoring the connection attempt, as compared with refusing it, is that it foils those who probe an interface with the sole intention of finding valid IP addresses for later use in exploitation or denial of service attacks. This method of dealing with potential malicious activity demands the use of appropriate firewall mechanisms.
Using a Firewall

Many people use a firewall to deny access to services they do not want exposed outside their network. This can be a good idea, although I recommend using it in conjunction with the above methods so you are protected even if your firewall is not active for some reason.

If you are setting up a firewall, you need to know what TCP and UDP ports to allow and block. Samba uses the following:
Port 135/TCP - used by smbd
Port 137/UDP - used by nmbd
Port 138/UDP - used by nmbd
Port 139/TCP - used by smbd
Port 445/TCP - used by smbd

The last one is important because many older firewall setups may not be aware of it, given that this port was only added to the protocol in recent years.

When configuring a firewall, the high order ports (1024-65535) are often used for outgoing connections and therefore should be permitted through the firewall. It is prudent to block incoming packets on the high order ports except for established connections. "



On 10/2/2013 10:29 AM, James, Trevor wrote:
Interfaces I think are best when one has bound multiple IPs to one NIC, or 
multiple NICS.  The Allow/Deny does the same thing for a single NIC machine (my 
2 cents only).

The Firewall is based on exposure of course.  A SOHO, is more than likely 
behind a bridge/router to the internet, so exposure is limited to usually 
192.168.X.X, or local devices.  In this specific case I am have several 
subnets, so blocking everything but what is needed (first rule of security I 
found) means someone from another subnet cannot port scan and try to compromise 
this machine (which should basically become a set it and forget it type 
machine).

T. James


-----Original Message-----
From: Linux [mailto:linux-boun...@lists.oclug.on.ca] On Behalf Of Timothy Brier
Sent: Wednesday, October 02, 2013 10:04 AM
To: linux@lists.oclug.on.ca
Subject: Re: [OCLUG-Tech] Set up a SAMBA server

Hi,

I know I'm late on this, but here's my two cents.

I like that you block the firewall.  Another option is to bind samba to the 
desired interface.  An example in the smb.conf file would be:
interfaces = 192.168.0.0/24
On 10/2/13 9:11 AM, James, Trevor wrote:
Here is my best guess document, if anyone has any input, I am always open for 
suggestions.

http://macnash.telfer.uottawa.ca/~nashjc/visible/Ubuntu%20SAMBA.pdf


_______________________________________________
Linux mailing list
Linux@lists.oclug.on.ca
http://oclug.on.ca/mailman/listinfo/linux
Hi,

I know I'm late on this, but here's my two cents.

I like that you block the firewall, too many people leave this open.
Another option is to bind samba to the desired interface.

An example in the smb.conf file would be:
interfaces = 192.168.0.0/24
bind interfaces only = true

A few other lines I usually add to the smb.conf to allows samba to use
symlinks:
follow symlinks = yes
wide links = yes
unix extensions = no

To optimize throughput with windows I add this:

max xmit = 65535
aio read size = 1
aio write size =1
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=65535 SO_RCVBUF=65535

read raw = yes

write raw = yes

max connections = 65535

max open files = 65535


- Timothy Brier


_______________________________________________
Linux mailing list
Linux@lists.oclug.on.ca
http://oclug.on.ca/mailman/listinfo/linux
_______________________________________________
Linux mailing list
Linux@lists.oclug.on.ca
http://oclug.on.ca/mailman/listinfo/linux

_______________________________________________
Linux mailing list
Linux@lists.oclug.on.ca
http://oclug.on.ca/mailman/listinfo/linux

Reply via email to