Diffstat (limited to 'docs/docbook/projdoc/securing-samba.xml')
-rw-r--r-- | docs/docbook/projdoc/securing-samba.xml | 47
1 files changed, 24 insertions, 23 deletions
diff --git a/docs/docbook/projdoc/securing-samba.xml b/docs/docbook/projdoc/securing-samba.xml index 58634fba35..1004260394 100644 --- a/docs/docbook/projdoc/securing-samba.xml +++ b/docs/docbook/projdoc/securing-samba.xml @@ -48,7 +48,7 @@ the latest protocols to permit more secure MS Windows file and print operations. Samba may be secured from connections that originate from outside the local network. This may be done using <emphasis>host based protection</emphasis> (using samba's implementation of a technology known as "tcpwrappers", or it may be done be using <emphasis>interface based exclusion</emphasis> -so that <command>smbd</command> will bind only to specifically permitted interfaces. It is also +so that &smbd; will bind only to specifically permitted interfaces. It is also possible to set specific share or resource based exclusions, eg: on the <parameter>IPC$</parameter> auto-share. The <parameter>IPC$</parameter> share is used for browsing purposes as well as to establish TCP/IP connections. 
@@ -85,23 +85,23 @@ before someone will find yet another vulnerability. </para> <para> - One of the simplest fixes in this case is to use the <command>hosts allow</command> and - <command>hosts deny</command> options in the Samba &smb.conf; configuration file to only + One of the simplest fixes in this case is to use the <parameter>hosts allow</parameter> and + <parameter>hosts deny</parameter> options in the Samba &smb.conf; configuration file to only allow access to your server from a specific range of hosts. An example might be: </para> - <para><screen> + <para><programlisting> hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 hosts deny = 0.0.0.0/0 - </screen></para> + </programlisting></para> <para> The above will only allow SMB connections from 'localhost' (your own computer) and from the two private networks 192.168.2 and 192.168.3. All other connections will be refused as soon as the client sends its first packet. The refusal will be marked as a - 'not listening on called name' error. + <errorname>not listening on called name</errorname> error. </para> </sect2> @@ -111,12 +111,12 @@ before someone will find yet another vulnerability. <para> If you want to restrict access to your server to valid users only then the following - method may be of use. In the smb.conf [globals] section put: + method may be of use. In the &smb.conf; <parameter>[globals]</parameter> section put: </para> - <para><screen> + <para><programlisting> valid users = @smbusers, jacko - </screen></para> + </programlisting></para> <para> What this does is, it restricts all server access to either the user <emphasis>jacko</emphasis> @@ -140,10 +140,10 @@ before someone will find yet another vulnerability. You can change this behaviour using options like the following: </para> - <para><screen> + <para><programlisting> interfaces = eth* lo bind interfaces only = yes - </screen></para> + </programlisting></para> <para> This tells Samba to only listen for connections on interfaces with a 
@@ -179,12 +179,12 @@ before someone will find yet another vulnerability. UDP ports to allow and block. Samba uses the following: </para> - <para><screen> - UDP/137 - used by nmbd - UDP/138 - used by nmbd - TCP/139 - used by smbd - TCP/445 - used by smbd - </screen></para> + <simplelist> + <member>UDP/137 - used by nmbd</member> + <member>UDP/138 - used by nmbd</member> + <member>TCP/139 - used by smbd</member> + <member>TCP/445 - used by smbd</member> + </simplelist> <para> The last one is important as many older firewall setups may not be @@ -209,11 +209,11 @@ before someone will find yet another vulnerability. To do that you could use: </para> - <para><screen> - [ipc$] - hosts allow = 192.168.115.0/24 127.0.0.1 - hosts deny = 0.0.0.0/0 - </screen></para> + <para><programlisting> +[ipc$] + hosts allow = 192.168.115.0/24 127.0.0.1 + hosts deny = 0.0.0.0/0 + </programlisting></para> <para> this would tell Samba that IPC$ connections are not allowed from @@ -225,7 +225,7 @@ before someone will find yet another vulnerability. </para> <para> - If you use this method then clients will be given a 'access denied' + If you use this method then clients will be given a <errorname>access denied</errorname> reply when they try to access the IPC$ share. That means that those clients will not be able to browse shares, and may also be unable to access some other resources. @@ -245,6 +245,7 @@ before someone will find yet another vulnerability. To configure NTLMv2 authentication the following registry keys are worth knowing about: </para> + <!-- FIXME --> <para> <screen> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] |
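Review bot: The `&smbd;` entity introduced in the @@ -48,7 hunk needs to be declared in the entity file this document pulls in, otherwise the build breaks; the `&smb.conf;` entity already used in the @@ -85 hunk suggests there is such a file, so please confirm `&smbd;` is in it. While this paragraph is being touched, the context line `(using samba's implementation of a technology known as "tcpwrappers", or it may be done be using` never closes its parenthesis and has "done be using"; it should read `"tcpwrappers"), or it may be done by using`.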
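Review bot: In the @@ -85,23 hunk the `hosts allow` / `hosts deny` lines inside the new `<programlisting>` keep their source indentation, and `programlisting` is verbatim, so that leading whitespace will be rendered in the output. Left-align the block the way the @@ -209,11 hunk of this same patch does (`[ipc$]` at column 0, parameters indented beneath it); the same applies to the `valid users` listing in the @@ -111 hunk and the `interfaces` / `bind interfaces only` listing in the @@ -140 hunk.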
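Review bot: The @@ -111,12 hunk wraps `[globals]` in `<parameter>` but carries over the wrong section name: the smb.conf section is `[global]`, so the line should become `method may be of use. In the &smb.conf; <parameter>[global]</parameter> section put:`. Since `<parameter>` is used for `hosts allow` and `hosts deny` elsewhere in this patch, consider whether a section heading wants the same element or a different one.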
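Review bot: The `<simplelist>` added in the @@ -179,12 hunk writes `nmbd` and `smbd` as plain text inside each `<member>`, while the @@ -48 hunk of this same patch switches `smbd` to the `&smbd;` entity; use the entities here too for consistency, e.g. `<member>UDP/137 - used by &nmbd;</member>` and `<member>TCP/445 - used by &smbd;</member>`.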
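Review bot: The @@ -209,11 hunk spells the share section `[ipc$]` while the surrounding prose (and the `<parameter>IPC$</parameter>` markup in the @@ -48 hunk) says `IPC$`; use one spelling in the listing and the text so the reader is not left wondering whether the case matters.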
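Review bot: After the @@ -225,7 hunk the sentence reads `given a <errorname>access denied</errorname>`; the article should be `an`, i.e. `If you use this method then clients will be given an <errorname>access denied</errorname>`.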
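Review bot: The bare `<!-- FIXME -->` added in the @@ -245,6 hunk does not say what needs fixing, so it will be forgotten; put the reason in the comment. Judging from the rest of the patch, the `<screen>` wrapping the `[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]` registry listing is the one verbatim block not converted to `<programlisting>`, so either convert it in this patch or state that in the FIXME.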