From 4adde4c8505851cba42b3d5315a5206eb7825c90 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 17 Mar 2003 11:03:29 +0000 Subject: Added a slightly modified version of Tridge's note about securing a Samba server. (This used to be commit 03a227b7ee7ed6927541966ec226344cd8c88aff) --- docs/docbook/projdoc/samba-doc.sgml | 2 + docs/docbook/projdoc/securing-samba.sgml | 181 +++++++++++++++++++++++++++++++ 2 files changed, 183 insertions(+) create mode 100644 docs/docbook/projdoc/securing-samba.sgml diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 54650f1ed9..246fba1228 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -23,6 +23,7 @@ + ]> @@ -115,6 +116,7 @@ part each cover one specific feature. &GROUP-MAPPING-HOWTO; &SPEED; &GroupProfiles; +&SecuringSamba; diff --git a/docs/docbook/projdoc/securing-samba.sgml b/docs/docbook/projdoc/securing-samba.sgml new file mode 100644 index 0000000000..bfedc5456f --- /dev/null +++ b/docs/docbook/projdoc/securing-samba.sgml @@ -0,0 +1,181 @@ + + + + + AndrewTridgell + Samba Team + + 17 March 2003 + + +Securing Samba + + +Introduction + +This note was attached to the Samba 2.2.8 release notes as it contained an +important security fix. The information contained here applies to Samba +installations in general. + + + + + +Using host based protection + + +In many installations of Samba the greatest threat comes for outside +your immediate network. By default Samba will accept connections from +any host, which means that if you run an insecure version of Samba on +a host that is directly connected to the Internet you can be +especially vulnerable. + + + +One of the simplest fixes in this case is to use the 'hosts allow' and +'hosts deny' options in the Samba smb.conf configuration file to only +allow access to your server from a specific range of hosts. An example +might be: + + + + hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 + hosts deny = 0.0.0.0/0 + + + +The above will only allow SMB connections from 'localhost' (your own +computer) and from the two private networks 192.168.2 and +192.168.3. All other connections will be refused connections as soon +as the client sends its first packet. The refusal will be marked as a +'not listening on called name' error. + + + + + + +Using interface protection + + +By default Samba will accept connections on any network interface that +it finds on your system. That means if you have a ISDN line or a PPP +connection to the Internet then Samba will accept connections on those +links. This may not be what you want. + + + +You can change this behaviour using options like the following: + + + + interfaces = eth* lo + bind interfaces only = yes + + + +This tells Samba to only listen for connections on interfaces with a +name starting with 'eth' such as eth0, eth1, plus on the loopback +interface called 'lo'. The name you will need to use depends on what +OS you are using, in the above I used the common name for Ethernet +adapters on Linux. + + + +If you use the above and someone tries to make a SMB connection to +your host over a PPP interface called 'ppp0' then they will get a TCP +connection refused reply. In that case no Samba code is run at all as +the operating system has been told not to pass connections from that +interface to any process. + + + + + +Using a firewall + + +Many people use a firewall to deny access to services that they don't +want exposed outside their network. This can be a very good idea, +although I would recommend using it in conjunction with the above +methods so that you are protected even if your firewall is not active +for some reason. + + + +If you are setting up a firewall then you need to know what TCP and +UDP ports to allow and block. Samba uses the following: + + + +UDP/137 - used by nmbd +UDP/138 - used by nmbd +TCP/139 - used by smbd +TCP/445 - used by smbd + + + +The last one is important as many older firewall setups may not be +aware of it, given that this port was only added to the protocol in +recent years. + + + + + +Using a IPC$ share deny + + +If the above methods are not suitable, then you could also place a +more specific deny on the IPC$ share that is used in the recently +discovered security hole. This allows you to offer access to other +shares while denying access to IPC$ from potentially untrustworthy +hosts. + + + +To do that you could use: + + + + [ipc$] + hosts allow = 192.168.115.0/24 127.0.0.1 + hosts deny = 0.0.0.0/0 + + + +this would tell Samba that IPC$ connections are not allowed from +anywhere but the two listed places (localhost and a local +subnet). Connections to other shares would still be allowed. As the +IPC$ share is the only share that is always accessible anonymously +this provides some level of protection against attackers that do not +know a username/password for your host. + + + +If you use this method then clients will be given a 'access denied' +reply when they try to access the IPC$ share. That means that those +clients will not be able to browse shares, and may also be unable to +access some other resources. + + + +This is not recommended unless you cannot use one of the other +methods listed above for some reason. + + + + + +Upgrading Samba + + +Please check regularly on http://www.samba.org/ for updates and +important announcements. Occasionally security releases are made and +it is highly recommended to upgrade Samba when a security vulnerability +is discovered. + + + + + -- cgit