LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 10-05-2007, 10:47 AM   #1
streamkid
LQ Newbie
 
Registered: Nov 2006
Distribution: gentoo
Posts: 7

Rep: Reputation: 0
Samba shares available from internet


Ok, I work on a laptop always, and all my files are on my fileserver (~2TB, thus nothing on the laptop).
I want them to be accesible from wherever they are.
I am planning to set up a vpn server and connect to my home. Till then (it's going to be a month or so), is it safe to have the samba available from the outside?
ie mount -t smbfs //myip/share /mnt/storage

Thanks in advance
 
Old 10-05-2007, 11:11 AM   #2
MS3FGX
Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 351Reputation: 351Reputation: 351Reputation: 351
Well, I certainly wouldn't do it myself.

I would rather use NFS, which is generally more secure (Samba has had a number of remote buffer overflows and other such vulnerabilities recently, it seems like every few months I see a security update for it), and doesn't rely on non-routable protocols (NETBIOS).

If your client side is Windows, then there is an NFS client available from Microsoft.

If your client is *nix, then there are a number of other options available (like SSH); and ,arguably, you shouldn't even be using Samba for *nix-to-*nix communication.
 
Old 10-05-2007, 11:57 AM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Risky stuff. I'd recommend sticking to SSH until you set up your VPN.

Capt_Caveman actually commented on this a few days ago.

Last edited by win32sux; 10-05-2007 at 11:58 AM.
 
Old 10-05-2007, 12:51 PM   #4
TheDirtyScreech
Member
 
Registered: Jul 2007
Distribution: Gentoo, LFS
Posts: 42

Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
Risky stuff. I'd recommend sticking to SSH until you set up your VPN.
I second that. Or possibly Apache + SSL, but if you don't have it setup already, you should just go straight to your VPN. Probably take about the same amount of time.

-TDS-
 
Old 10-05-2007, 03:32 PM   #5
andrewdodsworth
Member
 
Registered: Oct 2003
Location: United Kingdom
Distribution: SuSE 10.0 - 11.4
Posts: 347

Rep: Reputation: 30
If it's just access to your files then ssh is really all you need - I used the same link as in the Capt_Caveman a while back and it worked fairly simply - I have Cygwin on my laptop so I use that rather than putty. I also use WinSCP to copy files to and fro if needed.

As regards VPN I use OpenVPN - there are a few hoops to go through generating the keys etc but the docs on their site are excellent and you can get it up and running in a very short time.

Only thing to look out for is that either ssh or VPN is going to be slower than direct because of the encryption overhead.

As everyone else has said - you don't want Samba over the internet.
 
Old 10-05-2007, 05:18 PM   #6
streamkid
LQ Newbie
 
Registered: Nov 2006
Distribution: gentoo
Posts: 7

Original Poster
Rep: Reputation: 0
MS3FGX: Both laptop and fileserver are running linux. I use samba anyway because of some windows boxes on my lan.
win32sux: I read the post and now I am going to read also the guide he points out. That's going to be the temporary solution propably.
TheDirtyScreech: I don't want to install apache on this machine. It's just a fileserver. Heading for the VPN.
andrewdodsworth: I 'm messing with OpenVPN right now, but because I don't have enough time, it's going to take a lot till I read the manual and install it successfully.

Thanks all of you for your answers
 
Old 10-07-2007, 04:32 AM   #7
coolb
Member
 
Registered: Apr 2006
Location: Cape Town, South Africa
Distribution: Gentoo 2006.1(2.6.17-gentoo-r7)
Posts: 222

Rep: Reputation: 30
nah, be safe and wait until you setup/use your vpn. Allowing access to Samba from the outside could lead to security issues...
 
Old 10-08-2007, 01:34 AM   #8
Kahless
Member
 
Registered: Jul 2003
Location: Pennsylvainia
Distribution: Slackware / Debian / *Ubuntu / Opensuse / Solaris uname: Brian Cooney
Posts: 503

Rep: Reputation: 30
It sounds like the best solution may be to use ssh.


If you are running linux on the laptop, You may be interested in the FUSE driver, which would allow you to (with the correct module) mount a ssh connection like a local drive.

for more info: http://fuse.sourceforge.net/
 
Old 10-08-2007, 02:45 PM   #9
mattydee
Member
 
Registered: Dec 2006
Location: Vancouver, BC
Distribution: Debian
Posts: 462

Rep: Reputation: 39
You might want to look into Hamachi as an option as well.
 
Old 10-08-2007, 04:31 PM   #10
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
Opening Samba to the world - an accident waiting to happen and not recommended. It's not that it's insecure, it's just an unnecessary risk. Given that SMB is such a common protocol for the propogation of Windows viruses then, if nothing else, rogue traffic from your ISP will treble overnight, even if they don't manage to get into any of your shares.

My own ISP even blocks Internet access if it detects unfiltered SMB connections being accepted on your IP, until you certify to them that you *have* firewalled/authenticated it or you know the risks.

For one-off usage, use scp (i.e. ssh)
For permanent usage, set up something like OpenVPN or similar and open Samba up to that.

I personally have an internal network which allows everything (i.e. pretty much unfirewalled between clients - all clients are Linux and things aren't running services they aren't supposed to.).

The only way to get onto that network is to a) plug a cable into my house wiring system or b) use some sort of authentication from an insecure network with a VPN or SSH package.

For my purposes that means that I treat wireless connections exactly the same as Internet connections - there is no access from them to my internal network until you enter via a VPN or SSH. Once you have that, you are on the "real" network and are open to anything that you need.

Externally, on wireless or the Internet, all you can see of my network is a SSH port and a VPN port. Both are updated religiously (I don't care if I run an older version of Apache on the internal network, but I don't let SSH or OpenVPN get even a tiny bit out of date because they are exposed to the world). For myself, even they are behind a second layer of defence, but that's getting too paranoid.
 
  


Reply

Tags
internet, nat, samba


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Problems with samba, can't see samba shares windsurfer Linux - Software 20 09-12-2009 06:29 PM
Samba 3.0.6 - How to mount Samba Shares from Windows 2003? kp1 Linux - Software 2 09-10-2004 07:03 PM
samba shares misophist Libranet 5 12-02-2003 11:38 PM
Linux can mount samba shares but not windows shares bindsocket Linux - Software 1 12-01-2003 06:28 PM
Mounting Samba shares and Samba Share Login time112852 Linux - Software 1 09-14-2003 03:23 PM


All times are GMT -5. The time now is 07:31 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration