LinuxQuestions.org > Linux - Networking > Is my Samba secure? (https://www.linuxquestions.org/questions/linux-networking-3/is-my-samba-secure-4175591680/)

PACMANchasingme 10-18-2016 03:33 PM

Is my Samba secure?
 
I've been using this config for the last few years. I spent a bunch of time trying to get my other machines to share files, so I was just relieved to have it work and left it alone.

Code:

[global]
usershare path = /var/lib/samba/usershare
workgroup = WORKGROUP
server string = Samba Server
domain master = yes
usershare allow guests = yes
hosts allow = 192.168.0.10/200
dns proxy = no
wins support = yes
wins proxy = yes
load printers = no
printing = bsd
printcap name = /dev/null
map to guest = bad user

[500GB-HDD-Green-Media]
path = /run/media/robby/070ddd9e-7d25-4778-832b-5a458804ebb8/Media/
public = yes
read only = yes

#[320GB-HDD-Media]
#path = /run/media/robby/070ddd9e-7d25-4778-832b-5a458804ebb8/Media2/
#public = yes
#read only = yes

[writefolder]
path = /run/media/robby/070ddd9e-7d25-4778-832b-5a458804ebb8/writefolder
public = yes
read only = no

Now, after running a zenmap (on my WAN!), I found it says this:

Code:

Host script results:
|_clock-skew: mean: -6105d23h13m58s, deviation: 0s, median: -6105d23h13m58s
| nbstat: NetBIOS name: INTEL_CE_LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|  INTEL_CE_LINUX<00>  Flags: <unique><active>
|  INTEL_CE_LINUX<03>  Flags: <unique><active>
|  INTEL_CE_LINUX<20>  Flags: <unique><active>
|  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|  HIRON<1d>            Flags: <unique><active>
|  HIRON<1e>            Flags: <group><active>
|_  HIRON<00>            Flags: <group><active>
| smb-os-discovery:
|  OS: Unix (Samba 3.0.37)
|  NetBIOS computer name:
|  Workgroup: HIRON\x00
|_  System time: 2000-01-30T21:09:42+00:00
| smb-security-mode:
|  account_used: guest
|  authentication_level: share (dangerous)
|  challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol


Habitual 10-18-2016 03:42 PM

Quote:

Originally Posted by PACMANchasingme (Post 5619735)
I've been using this config for the last few years. I spent a bunch of time trying to get my other machines to share files so was just relieved to have it work and left it alone.

Code:

[global]
hosts allow = 192.168.0.10/200


Doesn't look quite right... 192.168.0.10/24 maybe?

michaelk 10-18-2016 04:01 PM

Go to https://www.grc.com and run shields up for the common ports and see if the same ones are open. Running zenmap (or nmap) with the WAN IP from the LAN will actually test the router's LAN ports.

What are you using as a router?

PACMANchasingme 10-18-2016 04:58 PM

Quote:

Originally Posted by Habitual (Post 5619740)
Doesn't look quite right... 192.168.0.10/24 maybe?

The config works fine for sharing files; the issue is zenmap's report here. I guess 192.168.0.10/24 is more proper, though.

Quote:

Originally Posted by michaelk (Post 5619745)
Go to https://www.grc.com and run shields up for the common ports and see if the same ones are open. Running zenmap (or nmap) with the WAN IP from the LAN will actually test the router's LAN ports.

What are you using as a router?

This terrible thing here.
http://www.hitron-americas.com/product/cgnm-2250/

ShieldsUP says UPnP probing is blocked. Good to know zenmap tests a router's LAN ports; they really should mention that somewhere before scanning. :eek:

sundialsvcs 10-18-2016 05:01 PM

As the Samba team documents in https://www.samba.org/samba/docs/man...erverType.html, Samba is capable of running in several "security modes."

Quote:

Microsoft Windows networking uses a protocol that was originally called the Server Message Block (SMB) protocol. Since some time around 1996 the protocol has been better known as the Common Internet Filesystem (CIFS) protocol. In the SMB/CIFS networking world, there are only two types of security: user-level and share level. We refer to these collectively as security levels. In implementing these two security levels, Samba provides flexibilities that are not available with MS Windows NT4/200x servers. In fact, Samba implements share-level security only one way, but has four ways of implementing user-level security. Collectively, we call the Samba implementations of the security levels security modes. They are known as share, user, domain, ADS, and server modes.
Today, you are probably running Samba in a Windows environment that has evolved considerably beyond "Windows 95/Me." :rolleyes: It probably uses user-names and passwords that are maintained on a corporate level using MS Open Directory (aka LDAP). Therefore, your Samba installations should be doing the same thing today.

The following paragraph from the same Samba web-page clearly illustrates the weakness of Share: (emphasis mine)
Quote:

In share-level security, the client authenticates itself separately for each share. It sends a password along with each tree connection request (share mount), but it does not explicitly send a username with this operation. The client expects a password to be associated with each share, independent of the user. :eek: This means that Samba has to work out what username the client probably wants to use, because the username is not explicitly sent to the SMB server. Some commercial SMB servers such as NT actually associate passwords directly with shares in share-level security, but Samba always uses the UNIX authentication scheme where it is a username/password pair that is authenticated, not a share/password pair.
Clearly, this notion is, by today's standards, ancient, and intrinsically insecure.
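Two points in the thread lend themselves to an automated check: the malformed netmask in `hosts allow = 192.168.0.10/200` that Habitual flagged, and the share-level / guest-access weaknesses discussed in the post above. The following Python linter is an added example; it is not the poster's code, not part of Samba, and not a substitute for `testparm`. It parses an smb.conf the way smb.conf(5) describes (case-insensitive names, internal whitespace ignored, `public` as a synonym for `guest ok`, `writable`/`writeable` as the inverse of `read only`) and flags the weak settings. The two embedded configs are constructed: the "weak" one mirrors the poster's [global] and [writefolder] sections with a placeholder path, and the "hardened" one is this example's own suggestion, with `/srv/samba` and the group `sambashare` as placeholders.

```python
"""Lint an smb.conf for the weak settings discussed in this thread.

Added example, not the poster's code and not part of Samba; it does not
replace `testparm`. Parameter handling follows smb.conf(5): names are
case-insensitive with internal whitespace ignored, `public` is a synonym
for `guest ok`, and `writable`/`writeable` are the inverse of `read only`.
"""
import ipaddress
import re

# Constructed input: the [global] and [writefolder] sections as quoted in the
# thread, with the share path replaced by a placeholder (not the real path).
WEAK_CONF = """
[global]
workgroup = WORKGROUP
usershare allow guests = yes
hosts allow = 192.168.0.10/200
map to guest = bad user

[writefolder]
path = /srv/samba/writefolder
public = yes
read only = no
"""

# Constructed hardened counterpart. These values are this example's own
# assumptions; /srv/samba and the group sambashare are placeholders.
# hosts allow is evaluated before hosts deny, so the LAN stays reachable.
HARDENED_CONF = """
[global]
workgroup = WORKGROUP
security = user
map to guest = Never
server min protocol = SMB2
server signing = mandatory
bind interfaces only = yes
interfaces = lo 192.168.0.0/24
hosts allow = 127.0.0.1 192.168.0.0/24
hosts deny = ALL

[writefolder]
path = /srv/samba/writefolder
guest ok = no
read only = no
valid users = @sambashare
"""

SYNONYMS = {"public": "guestok", "writable": "readonly", "writeable": "readonly"}
INVERTED = {"writable", "writeable"}   # their value is the opposite of read only
TRUE = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {normalised_name: value}} with lower-cased keys."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comments are whole lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" not in line or section is None:
            continue
        name, value = line.split("=", 1)
        name = re.sub(r"\s+", "", name).lower()
        value = value.strip()
        if name in INVERTED:
            value = "no" if value.lower() in TRUE else "yes"
        conf[section][SYNONYMS.get(name, name)] = value
    return conf


def bad_hosts_allow_entries(value):
    """Entries that are not a host name, bare IP, 'a.b.c.' prefix, IP/bits or
    IP/dotted-mask. 192.168.0.10/200 fails because 200 is not a valid prefix."""
    bad = []
    for entry in value.replace(",", " ").split():
        if "/" in entry:
            try:
                ipaddress.ip_network(entry, strict=False)
            except ValueError:
                bad.append(entry)
        elif not re.fullmatch(r"[A-Za-z0-9@._\-]+", entry):
            bad.append(entry)
    return bad


def lint(text):
    """Return (section, finding) pairs; an empty list means nothing flagged."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    out = []
    if g.get("security", "user").lower() == "share":
        out.append(("global", "security = share: per-share passwords, no user identity"))
    if g.get("maptoguest", "never").lower() != "never":
        out.append(("global", "map to guest = %s: failed logins fall back to guest" % g["maptoguest"]))
    if g.get("usershareallowguests", "no").lower() in TRUE:
        out.append(("global", "usershare allow guests = yes: users can publish guest shares"))
    if not g.get("serverminprotocol", "").upper().startswith(("SMB2", "SMB3")):
        out.append(("global", "server min protocol not pinned to SMB2+: SMB1 (NT1) may be offered"))
    if g.get("serversigning", "default").lower() != "mandatory":
        out.append(("global", "server signing is not mandatory"))
    for entry in bad_hosts_allow_entries(g.get("hostsallow", "")):
        out.append(("global", "hosts allow entry %r is not a valid host or network" % entry))
    for name, share in conf.items():
        if name == "global":
            continue
        guest = share.get("guestok", "no").lower() in TRUE
        read_only = share.get("readonly", "yes").lower() in TRUE
        if guest and not read_only:
            out.append((name, "guest ok + writable: anonymous write access"))
        elif guest:
            out.append((name, "guest ok: anonymous read access"))
    return out


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint(conf) or "no findings")
```

Run it against `testparm -s` output rather than the raw file if you want Samba's own view of the merged settings; `testparm` validates syntax but does not judge whether a guest-writable share or an SMB1 floor is a good idea, which is what this check is for. The `bad_hosts_allow_entries` check accepts the forms smb.conf(5) documents (host names, bare IPs, `a.b.c.` prefixes, IP/bits and IP/dotted-mask) and rejects `192.168.0.10/200` because no IPv4 prefix can be wider than 32 bits.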

michaelk 10-18-2016 05:16 PM

That is because most SOHO routers do not support NAT loopback.

https://en.wikipedia.org/wiki/Networ...n#NAT_loopback

Of the few SOHO routers I have played with, the file-sharing mode has been share level by default.

