diff options
author | Tim Potter <tpot@samba.org> | 2003-03-17 11:03:29 +0000 |
---|---|---|
committer | Tim Potter <tpot@samba.org> | 2003-03-17 11:03:29 +0000 |
commit | 4adde4c8505851cba42b3d5315a5206eb7825c90 (patch) | |
tree | 482fb571d8fe306a3a345c51da29c0ef7ad5df33 /docs/docbook | |
parent | 9349b44ea741d32a74ba34f68675bd80b61123a6 (diff) | |
download | samba-4adde4c8505851cba42b3d5315a5206eb7825c90.tar.gz samba-4adde4c8505851cba42b3d5315a5206eb7825c90.tar.bz2 samba-4adde4c8505851cba42b3d5315a5206eb7825c90.zip |
Added a slightly modified version of Tridge's note about securing
a Samba server.
(This used to be commit 03a227b7ee7ed6927541966ec226344cd8c88aff)
Diffstat (limited to 'docs/docbook')
-rw-r--r-- | docs/docbook/projdoc/samba-doc.sgml | 2 | ||||
-rw-r--r-- | docs/docbook/projdoc/securing-samba.sgml | 181 |
2 files changed, 183 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 54650f1ed9..246fba1228 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -23,6 +23,7 @@ <!ENTITY Passdb SYSTEM "passdb.sgml"> <!ENTITY VFS SYSTEM "VFS.sgml"> <!ENTITY GroupProfiles SYSTEM "GroupProfiles.sgml"> +<!ENTITY SecuringSamba SYSTEM "securing-samba.sgml"> ]> <book id="Samba-HOWTO-Collection"> @@ -115,6 +116,7 @@ part each cover one specific feature.</para> &GROUP-MAPPING-HOWTO; &SPEED; &GroupProfiles; +&SecuringSamba; </part> <part id="Appendixes"> diff --git a/docs/docbook/projdoc/securing-samba.sgml b/docs/docbook/projdoc/securing-samba.sgml new file mode 100644 index 0000000000..bfedc5456f --- /dev/null +++ b/docs/docbook/projdoc/securing-samba.sgml @@ -0,0 +1,181 @@ +<chapter id="securing-samba"> + +<chapterinfo> + <author> + <firstname>Andrew</firstname><surname>Tridgell</surname> + <affiliation><orgname>Samba Team</orgname></affiliation> + </author> + <pubdate>17 March 2003</pubdate> +</chapterinfo> + +<title>Securing Samba</title> + +<sect1> +<title>Introduction</title> +<para> +This note was attached to the Samba 2.2.8 release notes as it contained an +important security fix. The information contained here applies to Samba +installations in general. +</para> + +</sect1> + +<sect1> +<title>Using host based protection</title> + +<para> +In many installations of Samba the greatest threat comes for outside +your immediate network. By default Samba will accept connections from +any host, which means that if you run an insecure version of Samba on +a host that is directly connected to the Internet you can be +especially vulnerable. +</para> + +<para> +One of the simplest fixes in this case is to use the 'hosts allow' and +'hosts deny' options in the Samba smb.conf configuration file to only +allow access to your server from a specific range of hosts. An example +might be: +</para> + +<para><programlisting> + hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 + hosts deny = 0.0.0.0/0 +</programlisting></para> + +<para> +The above will only allow SMB connections from 'localhost' (your own +computer) and from the two private networks 192.168.2 and +192.168.3. All other connections will be refused connections as soon +as the client sends its first packet. The refusal will be marked as a +'not listening on called name' error. +</para> + +</sect1> + +<sect1> + +<title>Using interface protection</title> + +<para> +By default Samba will accept connections on any network interface that +it finds on your system. That means if you have a ISDN line or a PPP +connection to the Internet then Samba will accept connections on those +links. This may not be what you want. +</para> + +<para> +You can change this behaviour using options like the following: +</para> + +<para><programlisting> + interfaces = eth* lo + bind interfaces only = yes +</programlisting><para> + +<para> +This tells Samba to only listen for connections on interfaces with a +name starting with 'eth' such as eth0, eth1, plus on the loopback +interface called 'lo'. The name you will need to use depends on what +OS you are using, in the above I used the common name for Ethernet +adapters on Linux. +</para> + +<para> +If you use the above and someone tries to make a SMB connection to +your host over a PPP interface called 'ppp0' then they will get a TCP +connection refused reply. In that case no Samba code is run at all as +the operating system has been told not to pass connections from that +interface to any process. +</para> + +</sect1> + +<sect1> +<title>Using a firewall</title> + +<para> +Many people use a firewall to deny access to services that they don't +want exposed outside their network. This can be a very good idea, +although I would recommend using it in conjunction with the above +methods so that you are protected even if your firewall is not active +for some reason. +</para> + +<para> +If you are setting up a firewall then you need to know what TCP and +UDP ports to allow and block. Samba uses the following: +</para> + +<para><programlisting> +UDP/137 - used by nmbd +UDP/138 - used by nmbd +TCP/139 - used by smbd +TCP/445 - used by smbd +</programlisting></para> + +<para> +The last one is important as many older firewall setups may not be +aware of it, given that this port was only added to the protocol in +recent years. +</para> + +</sect1> + +<sect1> +<title>Using a IPC$ share deny</title> + +<para> +If the above methods are not suitable, then you could also place a +more specific deny on the IPC$ share that is used in the recently +discovered security hole. This allows you to offer access to other +shares while denying access to IPC$ from potentially untrustworthy +hosts. +</para> + +<para> +To do that you could use: +</para> + +<para><programlisting> + [ipc$] + hosts allow = 192.168.115.0/24 127.0.0.1 + hosts deny = 0.0.0.0/0 +</programlisting></para> + +<para> +this would tell Samba that IPC$ connections are not allowed from +anywhere but the two listed places (localhost and a local +subnet). Connections to other shares would still be allowed. As the +IPC$ share is the only share that is always accessible anonymously +this provides some level of protection against attackers that do not +know a username/password for your host. +</para> + +<para> +If you use this method then clients will be given a 'access denied' +reply when they try to access the IPC$ share. That means that those +clients will not be able to browse shares, and may also be unable to +access some other resources. +</para> + +<para> +This is not recommended unless you cannot use one of the other +methods listed above for some reason. +</para> + +</sect1> + +<sect1> +<title>Upgrading Samba</title> + +<para> +Please check regularly on http://www.samba.org/ for updates and +important announcements. Occasionally security releases are made and +it is highly recommended to upgrade Samba when a security vulnerability +is discovered. +</para> + +</sect1> + +</chapter> |