diff options
Diffstat (limited to 'docs/docbook/projdoc/securing-samba.xml')
| -rw-r--r-- | docs/docbook/projdoc/securing-samba.xml | 205 |
1 files changed, 205 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/securing-samba.xml b/docs/docbook/projdoc/securing-samba.xml new file mode 100644 index 0000000000..d320767a77 --- /dev/null +++ b/docs/docbook/projdoc/securing-samba.xml @@ -0,0 +1,205 @@ +<chapter id="securing-samba"> + +<chapterinfo> + &author.tridge; + &author.jht; + <pubdate>17 March 2003</pubdate> +</chapterinfo> + +<title>Securing Samba</title> + +<sect1> +<title>Introduction</title> +<para> +This note was attached to the Samba 2.2.8 release notes as it contained an +important security fix. The information contained here applies to Samba +installations in general. +</para> + +</sect1> + +<sect1> +<title>Using host based protection</title> + +<para> +In many installations of Samba the greatest threat comes for outside +your immediate network. By default Samba will accept connections from +any host, which means that if you run an insecure version of Samba on +a host that is directly connected to the Internet you can be +especially vulnerable. +</para> + +<para> +One of the simplest fixes in this case is to use the <command>hosts allow</command> and +<command>hosts deny</command> options in the Samba &smb.conf; configuration file to only +allow access to your server from a specific range of hosts. An example +might be: +</para> + +<para><programlisting> + hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 + hosts deny = 0.0.0.0/0 +</programlisting></para> + +<para> +The above will only allow SMB connections from 'localhost' (your own +computer) and from the two private networks 192.168.2 and +192.168.3. All other connections will be refused as soon +as the client sends its first packet. The refusal will be marked as a +'not listening on called name' error. +</para> + +</sect1> + +<sect1> + +<title>Using interface protection</title> + +<para> +By default Samba will accept connections on any network interface that +it finds on your system. That means if you have a ISDN line or a PPP +connection to the Internet then Samba will accept connections on those +links. This may not be what you want. +</para> + +<para> +You can change this behaviour using options like the following: +</para> + +<para><programlisting> + interfaces = eth* lo + bind interfaces only = yes +</programlisting></para> + +<para> +This tells Samba to only listen for connections on interfaces with a +name starting with 'eth' such as eth0, eth1, plus on the loopback +interface called 'lo'. The name you will need to use depends on what +OS you are using, in the above I used the common name for Ethernet +adapters on Linux. +</para> + +<para> +If you use the above and someone tries to make a SMB connection to +your host over a PPP interface called 'ppp0' then they will get a TCP +connection refused reply. In that case no Samba code is run at all as +the operating system has been told not to pass connections from that +interface to any samba process. +</para> + +</sect1> + +<sect1> +<title>Using a firewall</title> + +<para> +Many people use a firewall to deny access to services that they don't +want exposed outside their network. This can be a very good idea, +although I would recommend using it in conjunction with the above +methods so that you are protected even if your firewall is not active +for some reason. +</para> + +<para> +If you are setting up a firewall then you need to know what TCP and +UDP ports to allow and block. Samba uses the following: +</para> + +<para><programlisting> + UDP/137 - used by nmbd + UDP/138 - used by nmbd + TCP/139 - used by smbd + TCP/445 - used by smbd +</programlisting></para> + +<para> +The last one is important as many older firewall setups may not be +aware of it, given that this port was only added to the protocol in +recent years. +</para> + +</sect1> + +<sect1> +<title>Using a IPC$ share deny</title> + +<para> +If the above methods are not suitable, then you could also place a +more specific deny on the IPC$ share that is used in the recently +discovered security hole. This allows you to offer access to other +shares while denying access to IPC$ from potentially untrustworthy +hosts. +</para> + +<para> +To do that you could use: +</para> + +<para><programlisting> + [ipc$] + hosts allow = 192.168.115.0/24 127.0.0.1 + hosts deny = 0.0.0.0/0 +</programlisting></para> + +<para> +this would tell Samba that IPC$ connections are not allowed from +anywhere but the two listed places (localhost and a local +subnet). Connections to other shares would still be allowed. As the +IPC$ share is the only share that is always accessible anonymously +this provides some level of protection against attackers that do not +know a username/password for your host. +</para> + +<para> +If you use this method then clients will be given a 'access denied' +reply when they try to access the IPC$ share. That means that those +clients will not be able to browse shares, and may also be unable to +access some other resources. +</para> + +<para> +This is not recommended unless you cannot use one of the other +methods listed above for some reason. +</para> + +</sect1> + +<sect1> +<title>NTLMv2 Security</title> + +<para> +To configure NTLMv2 authentication the following registry keys are worth knowing about: +</para> + +<para> +<programlisting> + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] + "lmcompatibilitylevel"=dword:00000003 + + 0x3 - Send NTLMv2 response only. Clients will use NTLMv2 authentication, + use NTLMv2 session security if the server supports it. Domain + controllers accept LM, NTLM and NTLMv2 authentication. + + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0] + "NtlmMinClientSec"=dword:00080000 + + 0x80000 - NTLMv2 session security. If either NtlmMinClientSec or + NtlmMinServerSec is set to 0x80000, the connection will fail if NTLMv2 + session security is not negotiated. +</programlisting> +</para> +</sect1> + +<sect1> +<title>Upgrading Samba</title> + +<para> +Please check regularly on <ulink url="http://www.samba.org/">http://www.samba.org/</ulink> for updates and +important announcements. Occasionally security releases are made and +it is highly recommended to upgrade Samba when a security vulnerability +is discovered. +</para> + +</sect1> + +</chapter> |