path: root/docs/docbook/projdoc/securing-samba.xml
Diffstat (limited to 'docs/docbook/projdoc/securing-samba.xml')
-rw-r--r--  docs/docbook/projdoc/securing-samba.xml  47
1 files changed, 24 insertions, 23 deletions
diff --git a/docs/docbook/projdoc/securing-samba.xml b/docs/docbook/projdoc/securing-samba.xml
index 58634fba35..1004260394 100644
--- a/docs/docbook/projdoc/securing-samba.xml
+++ b/docs/docbook/projdoc/securing-samba.xml
@@ -48,7 +48,7 @@ the latest protocols to permit more secure MS Windows file and print operations.
Samba may be secured from connections that originate from outside the local network. This may be
done using <emphasis>host based protection</emphasis> (using samba's implementation of a technology
known as "tcpwrappers", or it may be done be using <emphasis>interface based exclusion</emphasis>
-so that <command>smbd</command> will bind only to specifically permitted interfaces. It is also
+so that &smbd; will bind only to specifically permitted interfaces. It is also
possible to set specific share or resource based exclusions, eg: on the <parameter>IPC$</parameter>
auto-share. The <parameter>IPC$</parameter> share is used for browsing purposes as well as to establish
TCP/IP connections.
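Review bot: the sentence this hunk touches has an unclosed parenthesis and a typo: the parenthesis opened at "(using samba's implementation of a technology known as "tcpwrappers"" is never closed, and "it may be done be using" should read "it may be done by using". Since the line is being rewritten for the `&smbd;` entity anyway, fix both here, e.g. `known as "tcpwrappers"), or it may be done by using <emphasis>interface based exclusion</emphasis>`.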
@@ -85,23 +85,23 @@ before someone will find yet another vulnerability.
</para>
<para>
- One of the simplest fixes in this case is to use the <command>hosts allow</command> and
- <command>hosts deny</command> options in the Samba &smb.conf; configuration file to only
+ One of the simplest fixes in this case is to use the <parameter>hosts allow</parameter> and
+ <parameter>hosts deny</parameter> options in the Samba &smb.conf; configuration file to only
allow access to your server from a specific range of hosts. An example
might be:
</para>
- <para><screen>
+ <para><programlisting>
hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0
- </screen></para>
+ </programlisting></para>
<para>
The above will only allow SMB connections from 'localhost' (your own
computer) and from the two private networks 192.168.2 and
192.168.3. All other connections will be refused as soon
as the client sends its first packet. The refusal will be marked as a
- 'not listening on called name' error.
+ <errorname>not listening on called name</errorname> error.
</para>
</sect2>
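Review bot: `<programlisting>` renders its content verbatim, so the leading spaces kept in front of `hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24` and `hosts deny = 0.0.0.0/0` will now show up in the rendered output; the `[ipc$]` listing later in this same patch is outdented to column 0 for exactly that reason, so do the same here. The switch from `<command>` to `<parameter>` for the option names and the `<errorname>` wrapping are the right elements.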
@@ -111,12 +111,12 @@ before someone will find yet another vulnerability.
<para>
If you want to restrict access to your server to valid users only then the following
- method may be of use. In the smb.conf [globals] section put:
+ method may be of use. In the &smb.conf; <parameter>[globals]</parameter> section put:
</para>
- <para><screen>
+ <para><programlisting>
valid users = @smbusers, jacko
- </screen></para>
+ </programlisting></para>
<para>
What this does is, it restricts all server access to either the user <emphasis>jacko</emphasis>
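Review bot: the section name in "In the &smb.conf; <parameter>[globals]</parameter> section" is wrong: the global section of smb.conf is `[global]`, not `[globals]`, and since this line is being rewritten anyway the name should be corrected in the same change. `[global]` is also a section header rather than a parameter, so `<literal>[global]</literal>` describes it more accurately than `<parameter>`. The `valid users` listing has the same leading-whitespace issue inside `<programlisting>` as the hosts allow example.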
@@ -140,10 +140,10 @@ before someone will find yet another vulnerability.
You can change this behaviour using options like the following:
</para>
- <para><screen>
+ <para><programlisting>
interfaces = eth* lo
bind interfaces only = yes
- </screen></para>
+ </programlisting></para>
<para>
This tells Samba to only listen for connections on interfaces with a
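Review bot: same leading-whitespace issue inside `<programlisting>`; outdent `interfaces = eth* lo` and `bind interfaces only = yes` to column 0. Keep `lo` in the `interfaces` list as shown: with `bind interfaces only = yes` Samba accepts connections only on the named interfaces, so dropping the loopback would also cut off local clients and tools that connect via 127.0.0.1.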
@@ -179,12 +179,12 @@ before someone will find yet another vulnerability.
UDP ports to allow and block. Samba uses the following:
</para>
- <para><screen>
- UDP/137 - used by nmbd
- UDP/138 - used by nmbd
- TCP/139 - used by smbd
- TCP/445 - used by smbd
- </screen></para>
+ <simplelist>
+ <member>UDP/137 - used by nmbd</member>
+ <member>UDP/138 - used by nmbd</member>
+ <member>TCP/139 - used by smbd</member>
+ <member>TCP/445 - used by smbd</member>
+ </simplelist>
<para>
The last one is important as many older firewall setups may not be
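Review bot: since this hunk rewrites the port list into `<simplelist>` members, the daemon names in "used by nmbd" and "used by smbd" should use the `&smbd;` entity that the first hunk of this patch introduces (and `&nmbd;`, if the entity set defines it) instead of plain text, so the daemon names are marked up consistently across the file.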
@@ -209,11 +209,11 @@ before someone will find yet another vulnerability.
To do that you could use:
</para>
- <para><screen>
- [ipc$]
- hosts allow = 192.168.115.0/24 127.0.0.1
- hosts deny = 0.0.0.0/0
- </screen></para>
+ <para><programlisting>
+[ipc$]
+ hosts allow = 192.168.115.0/24 127.0.0.1
+ hosts deny = 0.0.0.0/0
+ </programlisting></para>
<para>
this would tell Samba that IPC$ connections are not allowed from
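Review bot: the share header in the listing is `[ipc$]` while the prose right after it and the earlier text say `IPC$`; Samba matches share names case-insensitively, so both work, but the listing and the prose should agree on one spelling. Outdenting the block to column 0 is right for `<programlisting>` and should be applied to the other listings in this patch too.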
@@ -225,7 +225,7 @@ before someone will find yet another vulnerability.
</para>
<para>
- If you use this method then clients will be given a 'access denied'
+ If you use this method then clients will be given a <errorname>access denied</errorname>
reply when they try to access the IPC$ share. That means that those
clients will not be able to browse shares, and may also be unable to
access some other resources.
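Review bot: "given a <errorname>access denied</errorname> reply" needs "an" before a vowel sound; change to `given an <errorname>access denied</errorname>` while this line is being edited.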
@@ -245,6 +245,7 @@ before someone will find yet another vulnerability.
To configure NTLMv2 authentication the following registry keys are worth knowing about:
</para>
+ <!-- FIXME -->
<para>
<screen>
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
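Review bot: the bare `<!-- FIXME -->` gives no indication of what is to be fixed; state it in the comment. If the point is that this registry `<screen>` block was not converted to `<programlisting>` like every other listing in this patch, convert it here rather than leaving a marker behind.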