Written By:
Ying Zhang
Securing Samba
Anytime you add a service to your machine you are giving crackers one
more place to attack. Here we will look at some ways to protect your Samba
server.
With Samba
In the Samba configuration (/etc/smb.conf), you can tell it which IP
addresses to listen to. These lines are:
interfaces = 192.168.0.1/24 127.0.0.1/24
bind interfaces only = Yes
Of course you would substitute your own IP ranges for those. Because I'm
paranoid, I add another layer of protection by filtering out the NetBIOS
ports.
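As an added check, not part of Ying Zhang's howto, the following Python script parses the [global] section of an smb.conf and reports whether the two settings above are present and whether every listed range is private or loopback; the sample config embedded in it is constructed.

```python
import ipaddress
import re

# Constructed sample config: the two settings from this howto inside a [global] section.
SAMPLE_SMB_CONF = """
[global]
   workgroup = HOME
   interfaces = 192.168.0.1/24 127.0.0.1/24
   bind interfaces only = Yes
[homes]
   browseable = no
"""

def parse_global(text):
    """Return the key/value pairs of the [global] section, keys lower-cased."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def audit_interfaces(settings):
    """Return a list of findings; an empty list means the config follows the advice above."""
    findings = []
    if settings.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
        findings.append("bind interfaces only is not Yes: smbd and nmbd will listen on every interface")
    entries = settings.get("interfaces", "").split()
    if not entries:
        findings.append("no interfaces line: nothing limits which addresses Samba answers on")
    for spec in entries:
        try:  # Samba also accepts interface names (eth0); those cannot be range-checked here
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            findings.append(f"interfaces entry {spec!r} is a name, not a range; check it by hand")
            continue
        if not (net.is_private or net.is_loopback):  # RFC 1918 and 127/8 pass, anything else is flagged
            findings.append(f"interfaces entry {spec!r} is a public range; Samba would serve Internet clients")
    return findings
```

Run it as `audit_interfaces(parse_global(open("/etc/smb.conf").read()))`; an empty list means both settings match the howto.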
Filtering Ports
SMB uses ports 137-139; to be safe I block both TCP and UDP on
ports 137-139. If you are using the 2.0 series kernel, you will use a
tool called ipfwadm to do this. With kernel 2.1 and 2.2, you use ipchains.
Using ipfwadm
Make sure you have ipfwadm; if not, you can grab the RPM package from http://www.rpmfind.net/linux/RPM.
Add these lines to your /etc/rc.local file:
ipfwadm -I -P tcp -a deny -S any/0 137:139 -W eth0
ipfwadm -I -P udp -a deny -S any/0 137:139 -W eth0
ipfwadm -O -P tcp -a deny -S any/0 137:139 -W eth0
ipfwadm -O -P udp -a deny -S any/0 137:139 -W eth0
This will deny all incoming and outgoing TCP and UDP packets for ports
137-139 on interface eth0. eth0 is the NIC that connects my box to the
Internet; you may have to modify these commands to suit your system
configuration. Read the ipfwadm man page for more information.
Using ipchains
You need the ipchains package for this; I think you can find it at http://www.rpmfind.net/linux/RPM.
Add these lines to your /etc/rc.local:
ipchains -A input -p tcp -j DENY --destination-port 137:139 -i eth0
ipchains -A input -p udp -j DENY --destination-port 137:139 -i eth0
ipchains -A output -p tcp -j DENY --destination-port 137:139 -i eth0
ipchains -A output -p udp -j DENY --destination-port 137:139 -i eth0
This does the same thing as the ipfwadm commands from the previous
section.
Password Authentication
If you need user accounts and password authentication, you should
investigate the other authentication methods in Samba (e.g. user-level
security, domain level security, etc.). This is beyond the scope of this
document.
Conclusion
This concludes this step-by-step howto. If you need more information about
Samba, visit their homepage (http://www.samba.org)
and read their documentation.
Note from TxRogue: I hope you've found this document useful! I know when I
found it at Ying Zhang's site I found it to be just what I needed. I would
like to give him full credit for creating this howto that was so easy to
follow and allowed me to set up Samba so I could connect a Windows
box/machine via my home network. I would encourage you to send Ying Zhang
an email to let him know that you found this information very informative
and easy to follow and perhaps encourage him to make more easy to follow
howto's/nhfs.
Ying Zhang (yzhang@sfu.ca) or visit his
website at:
http://www.sfu.ca/~yzhang/