Tuesday, 12-Dec-2000 10:40:11 EST

Written By:
Ying Zhang

Securing Samba

Anytime you add a service to your machine you are giving crackers one more place to attack. Here we will look at some ways to protect your Samba server.

With Samba

In the Samba configuration file (/etc/smb.conf), you can tell Samba which IP addresses to listen on. These lines are:

interfaces = 192.168.0.1/24 127.0.0.1/24
bind interfaces only = Yes

Of course, you would substitute your own IP ranges. Because I'm paranoid, I add another layer of protection by filtering out the NetBIOS ports.
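As an added example (not part of the original howto), this Python script checks an smb.conf for the two settings above and reports anything that would leave Samba listening beyond the internal network. The function names, the sample configuration and the list of internal ranges are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input, modelled on the two settings shown above.
SAMPLE_CONF = """\
[global]
   workgroup = HOME
   interfaces = 192.168.0.1/24 127.0.0.1/24
   Bind Interfaces Only = Yes
"""

# Ranges treated as internal here (an assumption; adjust to your site).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def global_params(text):
    """Collect [global] parameters. Samba ignores case and whitespace in
    parameter names, so 'Bind Interfaces Only' becomes 'bindinterfacesonly'."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.split()).lower()] = value.strip()
    return params

def audit(text):
    """Return a list of findings; an empty list means both settings look right."""
    params, findings = global_params(text), []
    if params.get("bindinterfacesonly", "no").lower() not in ("yes", "true", "1"):
        findings.append("bind interfaces only is off: smbd listens on every interface")
    entries = params.get("interfaces", "").split()
    if not entries:
        findings.append("no interfaces line: Samba chooses the interfaces itself")
    for entry in entries:
        try:
            addr = ipaddress.ip_interface(entry).ip
        except ValueError:
            # Not an address, so it is an interface name such as eth0.
            findings.append(f"{entry}: interface name, confirm which network it is on")
            continue
        if not any(addr in net for net in INTERNAL):
            findings.append(f"{entry}: not an internal address")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "OK: bound to internal addresses only")
```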

Filtering Ports

SMB uses ports 137-139. To be safe, I block both TCP and UDP on ports 137-139. If you are using a 2.0 series kernel, you will use a tool called ipfwadm to do this. With kernels 2.1 and 2.2, you use ipchains.

Using ipfwadm

Make sure you have ipfwadm. If not, you can grab the RPM package from http://www.rpmfind.net/linux/RPM.

Add these lines to your /etc/rc.local file:

ipfwadm -I -P tcp -a deny -S any/0 137:139 -W eth0
ipfwadm -I -P udp -a deny -S any/0 137:139 -W eth0
ipfwadm -O -P tcp -a deny -S any/0 137:139 -W eth0
ipfwadm -O -P udp -a deny -S any/0 137:139 -W eth0

This will deny all incoming and outgoing TCP and UDP packets for ports 137-139 on interface eth0. eth0 is the NIC that connects my box to the Internet; you may have to modify these commands to suit your system configuration. Read the ipfwadm man page (man ipfwadm) for more information.

Using ipchains

You need the ipchains package for this. I think you can find it at http://www.rpmfind.net/linux/RPM.

Add these lines to your /etc/rc.local file:

ipchains -A input -p tcp -j DENY --destination-port 137:139 -i eth0
ipchains -A input -p udp -j DENY --destination-port 137:139 -i eth0
ipchains -A output -p tcp -j DENY --destination-port 137:139 -i eth0
ipchains -A output -p udp -j DENY --destination-port 137:139 -i eth0

This does the same thing as the ipfwadm commands from the previous section.

Password Authentication

If you need user accounts and password authentication, you should investigate the other authentication methods in Samba (e.g. user-level security, domain-level security, etc.). This is beyond the scope of this document.

Conclusion

This concludes this step-by-step howto. If you need more information about Samba, visit their homepage (http://www.samba.org) and read their documentation.

Note: TxRogue
I hope you've found this document useful! I know when I found it at Ying Zhang's site I found it to be just what I needed. I would like to give him full credit for creating this howto that was so easy to follow and allowed me to set up Samba so I could connect a Windows box/machine via my home network. I would encourage you to send Ying Zhang an email to let him know that you found this information very informative and easy to follow and perhaps encourage him to make more easy to follow howto's/nhfs.

Ying Zhang (yzhang@sfu.ca) or visit his website at:
http://www.sfu.ca/~yzhang/

Copyright 2000 internet.com Corp. All Rights Reserved.