path: root/docs/docbook/projdoc/securing-samba.sgml
Diffstat (limited to 'docs/docbook/projdoc/securing-samba.sgml')
-rw-r--r--  docs/docbook/projdoc/securing-samba.sgml  205
1 files changed, 205 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/securing-samba.sgml b/docs/docbook/projdoc/securing-samba.sgml
new file mode 100644
index 0000000000..d320767a77
--- /dev/null
+++ b/docs/docbook/projdoc/securing-samba.sgml
@@ -0,0 +1,205 @@
+<chapter id="securing-samba">
+
+<chapterinfo>
+ &author.tridge;
+ &author.jht;
+ <pubdate>17 March 2003</pubdate>
+</chapterinfo>
+
+<title>Securing Samba</title>
+
+<sect1>
+<title>Introduction</title>
+<para>
+This note was attached to the Samba 2.2.8 release notes as it contained an
+important security fix. The information contained here applies to Samba
+installations in general.
+</para>
+
+</sect1>
+
+<sect1>
+<title>Using host based protection</title>
+
+<para>
+In many installations of Samba the greatest threat comes for outside
+your immediate network. By default Samba will accept connections from
+any host, which means that if you run an insecure version of Samba on
+a host that is directly connected to the Internet you can be
+especially vulnerable.
+</para>
+
+<para>
+One of the simplest fixes in this case is to use the <command>hosts allow</command> and
+<command>hosts deny</command> options in the Samba &smb.conf; configuration file to only
+allow access to your server from a specific range of hosts. An example
+might be:
+</para>
+
+<para><programlisting>
+ hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
+ hosts deny = 0.0.0.0/0
+</programlisting></para>
+
+<para>
+The above will only allow SMB connections from 'localhost' (your own
+computer) and from the two private networks 192.168.2 and
+192.168.3. All other connections will be refused as soon
+as the client sends its first packet. The refusal will be marked as a
+'not listening on called name' error.
+</para>
+
+</sect1>
+
+<sect1>
+
+<title>Using interface protection</title>
+
+<para>
+By default Samba will accept connections on any network interface that
+it finds on your system. That means if you have a ISDN line or a PPP
+connection to the Internet then Samba will accept connections on those
+links. This may not be what you want.
+</para>
+
+<para>
+You can change this behaviour using options like the following:
+</para>
+
+<para><programlisting>
+ interfaces = eth* lo
+ bind interfaces only = yes
+</programlisting></para>
+
+<para>
+This tells Samba to only listen for connections on interfaces with a
+name starting with 'eth' such as eth0, eth1, plus on the loopback
+interface called 'lo'. The name you will need to use depends on what
+OS you are using, in the above I used the common name for Ethernet
+adapters on Linux.
+</para>
+
+<para>
+If you use the above and someone tries to make a SMB connection to
+your host over a PPP interface called 'ppp0' then they will get a TCP
+connection refused reply. In that case no Samba code is run at all as
+the operating system has been told not to pass connections from that
+interface to any samba process.
+</para>
+
+</sect1>
+
+<sect1>
+<title>Using a firewall</title>
+
+<para>
+Many people use a firewall to deny access to services that they don't
+want exposed outside their network. This can be a very good idea,
+although I would recommend using it in conjunction with the above
+methods so that you are protected even if your firewall is not active
+for some reason.
+</para>
+
+<para>
+If you are setting up a firewall then you need to know what TCP and
+UDP ports to allow and block. Samba uses the following:
+</para>
+
+<para><programlisting>
+ UDP/137 - used by nmbd
+ UDP/138 - used by nmbd
+ TCP/139 - used by smbd
+ TCP/445 - used by smbd
+</programlisting></para>
+
+<para>
+The last one is important as many older firewall setups may not be
+aware of it, given that this port was only added to the protocol in
+recent years.
+</para>
+
+</sect1>
+
+<sect1>
+<title>Using a IPC$ share deny</title>
+
+<para>
+If the above methods are not suitable, then you could also place a
+more specific deny on the IPC$ share that is used in the recently
+discovered security hole. This allows you to offer access to other
+shares while denying access to IPC$ from potentially untrustworthy
+hosts.
+</para>
+
+<para>
+To do that you could use:
+</para>
+
+<para><programlisting>
+ [ipc$]
+ hosts allow = 192.168.115.0/24 127.0.0.1
+ hosts deny = 0.0.0.0/0
+</programlisting></para>
+
+<para>
+this would tell Samba that IPC$ connections are not allowed from
+anywhere but the two listed places (localhost and a local
+subnet). Connections to other shares would still be allowed. As the
+IPC$ share is the only share that is always accessible anonymously
+this provides some level of protection against attackers that do not
+know a username/password for your host.
+</para>
+
+<para>
+If you use this method then clients will be given a 'access denied'
+reply when they try to access the IPC$ share. That means that those
+clients will not be able to browse shares, and may also be unable to
+access some other resources.
+</para>
+
+<para>
+This is not recommended unless you cannot use one of the other
+methods listed above for some reason.
+</para>
+
+</sect1>
+
+<sect1>
+<title>NTLMv2 Security</title>
+
+<para>
+To configure NTLMv2 authentication the following registry keys are worth knowing about:
+</para>
+
+<para>
+<programlisting>
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
+ "lmcompatibilitylevel"=dword:00000003
+
+ 0x3 - Send NTLMv2 response only. Clients will use NTLMv2 authentication,
+ use NTLMv2 session security if the server supports it. Domain
+ controllers accept LM, NTLM and NTLMv2 authentication.
+
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
+ "NtlmMinClientSec"=dword:00080000
+
+ 0x80000 - NTLMv2 session security. If either NtlmMinClientSec or
+ NtlmMinServerSec is set to 0x80000, the connection will fail if NTLMv2
+ session security is not negotiated.
+</programlisting>
+</para>
+</sect1>
+
+<sect1>
+<title>Upgrading Samba</title>
+
+<para>
+Please check regularly on <ulink url="http://www.samba.org/">http://www.samba.org/</ulink> for updates and
+important announcements. Occasionally security releases are made and
+it is highly recommended to upgrade Samba when a security vulnerability
+is discovered.
+</para>
+
+</sect1>
+
+</chapter>
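Review bot: the "Using host based protection" section states that a refused client "will be marked as a 'not listening on called name' error", but that error belongs to the NetBIOS session service on TCP/139; the chapter's own firewall section lists TCP/445 as a second smbd port, and clients connecting there send no NetBIOS session request, so qualify the sentence (for example: "on TCP/139 the refusal is reported as 'not listening on called name'; on TCP/445 the connection is simply closed") rather than describing one error for both ports. In "Using a IPC$ share deny" the text relies on "the recently discovered security hole" without naming it, although the Introduction ties the chapter to the Samba 2.2.8 release notes; say which release fixed it, or point at those release notes, so the reference still means something once "recently" no longer holds. The "NTLMv2 Security" section drops two registry keys into a Samba chapter without saying that they are Windows client/domain-controller settings rather than anything in &smb.conf;; one sentence stating where they are applied, and whether Samba needs any corresponding option, would stop readers looking for them in Samba's configuration. Wording fixes in the same hunk: "the greatest threat comes for outside" should read "comes from outside", "a ISDN line" should be "an ISDN line", the title "Using a IPC$ share deny" should be "Using an IPC$ share deny", and "a 'access denied' reply" should be "an 'access denied' reply". Finally, the chapter depends on the entities &author.tridge;, &author.jht; and &smb.conf;, so check they are declared in the project's entity file before this is wired into the book build.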