Ok, I work on a laptop always, and all my files are on my fileserver (~2TB, thus nothing on the laptop).
I want them to be accessible from wherever they are.
I am planning to set up a vpn server and connect to my home. Till then (it's going to be a month or so), is it safe to have the samba available from the outside?
i.e. mount -t smbfs //myip/share /mnt/storage
I would rather use NFS, which is generally more secure (Samba has had a number of remote buffer overflows and other such vulnerabilities recently, it seems like every few months I see a security update for it), and doesn't rely on non-routable protocols (NETBIOS).
If your client side is Windows, then there is an NFS client available from Microsoft.
If your client is *nix, then there are a number of other options available (like SSH); and, arguably, you shouldn't even be using Samba for *nix-to-*nix communication.
If it's just access to your files then ssh is really all you need - I used the same link as in the Capt_Caveman a while back and it worked fairly simply - I have Cygwin on my laptop so I use that rather than putty. I also use WinSCP to copy files to and fro if needed.
As regards VPN I use OpenVPN - there are a few hoops to go through generating the keys etc but the docs on their site are excellent and you can get it up and running in a very short time.
Only thing to look out for is that either ssh or VPN is going to be slower than direct because of the encryption overhead.
As everyone else has said - you don't want Samba over the internet.
MS3FGX: Both laptop and fileserver are running linux. I use samba anyway because of some windows boxes on my lan.
win32sux: I read the post and now I am going to read also the guide he points out. That's going to be the temporary solution probably.
TheDirtyScreech: I don't want to install apache on this machine. It's just a fileserver. Heading for the VPN.
andrewdodsworth: I'm messing with OpenVPN right now, but because I don't have enough time, it's going to take a lot till I read the manual and install it successfully.
Opening Samba to the world - an accident waiting to happen and not recommended. It's not that it's insecure, it's just an unnecessary risk. Given that SMB is such a common protocol for the propagation of Windows viruses then, if nothing else, rogue traffic from your ISP will treble overnight, even if they don't manage to get into any of your shares.
My own ISP even blocks Internet access if it detects unfiltered SMB connections being accepted on your IP, until you certify to them that you *have* firewalled/authenticated it or you know the risks.
For one-off usage, use scp (i.e. ssh)
For permanent usage, set up something like OpenVPN or similar and open Samba up to that.
I personally have an internal network which allows everything (i.e. pretty much unfirewalled between clients - all clients are Linux and things aren't running services they aren't supposed to.).
The only way to get onto that network is to a) plug a cable into my house wiring system or b) use some sort of authentication from an insecure network with a VPN or SSH package.
For my purposes that means that I treat wireless connections exactly the same as Internet connections - there is no access from them to my internal network until you enter via a VPN or SSH. Once you have that, you are on the "real" network and are open to anything that you need.
Externally, on wireless or the Internet, all you can see of my network is an SSH port and a VPN port. Both are updated religiously (I don't care if I run an older version of Apache on the internal network, but I don't let SSH or OpenVPN get even a tiny bit out of date because they are exposed to the world). For myself, even they are behind a second layer of defence, but that's getting too paranoid.
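A check for the layout the replies above recommend (Samba reachable only from the LAN or over the VPN, with nothing SMB on the public side), added here as an example and not posted by any participant in the thread. It reads listener lines in the format printed by `ss -H -tln` and reports SMB/NetBIOS listeners that are not bound to loopback or a private address; the function names and the sample lines are constructed for illustration, and a wildcard bind is reported even though a firewall may still be filtering it.

```shell
#!/bin/sh
# Added example: audit TCP listeners for SMB (445) / NetBIOS session (139)
# sockets that are not confined to loopback or an RFC 1918 address.
# On a real host, feed it live data with:  ss -H -tln | smb_exposed

smb_exposed() {
    awk '
    {
        local_ep = $4                       # Local Address:Port column
        n = match(local_ep, /:[0-9]+$/)     # last colon separates the port
        if (n == 0) next
        addr = substr(local_ep, 1, n - 1)
        port = substr(local_ep, n + 1)
        if (port != "139" && port != "445") next
        gsub(/^\[|\]$/, "", addr)           # strip IPv6 brackets
        sub(/%.*$/, "", addr)               # strip interface scope (%eth0)
        # Loopback and private IPv4 ranges (LAN or VPN interface) are fine.
        if (addr ~ /^127\./ || addr == "::1") next
        if (addr ~ /^10\./ || addr ~ /^192\.168\./) next
        if (addr ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
        # Everything else is reported for review: wildcard binds (0.0.0.0,
        # *, ::), public addresses, and any other IPv6 address.
        print local_ep
    }'
}

# Constructed sample input (not taken from any real machine).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 50 10.8.0.1:139 0.0.0.0:*
LISTEN 0 50 127.0.0.1:445 0.0.0.0:*
LISTEN 0 50 [::]:445 [::]:*
LISTEN 0 50 203.0.113.7:139 0.0.0.0:*
EOF
}

sample_ss_output | smb_exposed
```

An empty result means every SMB listener is bound to loopback or a private address; in Samba that binding is normally set with the `interfaces` and `bind interfaces only` parameters in smb.conf.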