Old 10-18-2016, 03:33 PM   #1
PACMANchasingme
Member
 
Registered: Mar 2015
Distribution: Arch
Posts: 62

Rep: Reputation: Disabled
Is my Samba secure?


I've been using this config for the last few years. I spent a bunch of time trying to get my other machines to share files, so I was just relieved to have it work and left it alone.

Code:
[global]
usershare path = /var/lib/samba/usershare
workgroup = WORKGROUP
server string = Samba Server
domain master = yes
usershare allow guests = yes
hosts allow = 192.168.0.10/200
dns proxy = no
wins support = yes
wins proxy = yes
load printers = no
printing = bsd
printcap name = /dev/null 
map to guest = bad user

[500GB-HDD-Green-Media]
path = /run/media/robby/070ddd9e-7d25-4778-832b-5a458804ebb8/Media/
public = yes
read only = yes

#[320GB-HDD-Media]
#path = /run/media/robby/070ddd9e-7d25-4778-832b-5a458804ebb8/Media2/
#public = yes
#read only = yes

[writefolder]
path = /run/media/robby/070ddd9e-7d25-4778-832b-5a458804ebb8/writefolder
public = yes
read only = no
Now, after running a zenmap scan (on my WAN!), I found it says this:

Code:
Host script results:
|_clock-skew: mean: -6105d23h13m58s, deviation: 0s, median: -6105d23h13m58s
| nbstat: NetBIOS name: INTEL_CE_LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   INTEL_CE_LINUX<00>   Flags: <unique><active>
|   INTEL_CE_LINUX<03>   Flags: <unique><active>
|   INTEL_CE_LINUX<20>   Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   HIRON<1d>            Flags: <unique><active>
|   HIRON<1e>            Flags: <group><active>
|_  HIRON<00>            Flags: <group><active>
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.37)
|   NetBIOS computer name: 
|   Workgroup: HIRON\x00
|_  System time: 2000-01-30T21:09:42+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: share (dangerous)
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
 
Old 10-18-2016, 03:42 PM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by PACMANchasingme
I've been using this config for the last few years. I spent a bunch of time trying to get my other machines to share files, so I was just relieved to have it work and left it alone.

Code:
[global]
hosts allow = 192.168.0.10/200
Doesn't look quite right... 192.168.0.10/24 maybe?
 
Old 10-18-2016, 04:01 PM   #3
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,832

Rep: Reputation: 5970
Go to https://www.grc.com and run shields up for the common ports and see if the same ones are open. Running zenmap (or nmap) with the WAN IP from the LAN will actually test the router's LAN ports.

What are you using as a router?
 
Old 10-18-2016, 04:58 PM   #4
PACMANchasingme
Member
 
Registered: Mar 2015
Distribution: Arch
Posts: 62

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual
Doesn't look quite right... 192.168.0.10/24 maybe?
The config works fine for sharing files; the issue is zenmap's report here. I guess 192.168.0.10/24 is more proper, though.

Quote:
Originally Posted by michaelk
Go to https://www.grc.com and run shields up for the common ports and see if the same ones are open. Running zenmap (or nmap) with the WAN IP from the LAN will actually test the router's LAN ports.

What are you using as a router?
This terrible thing here.
http://www.hitron-americas.com/product/cgnm-2250/

ShieldsUP says UPnP probing is blocked. Good to know zenmap tests a router's LAN ports; they really should mention that somewhere before scanning.
 
Old 10-18-2016, 05:01 PM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,711
Blog Entries: 4

Rep: Reputation: 3949
As the Samba team documents in https://www.samba.org/samba/docs/man...erverType.html, Samba is capable of running in several "security modes."

Quote:
Microsoft Windows networking uses a protocol that was originally called the Server Message Block (SMB) protocol. Since some time around 1996 the protocol has been better known as the Common Internet Filesystem (CIFS) protocol. In the SMB/CIFS networking world, there are only two types of security: user-level and share level. We refer to these collectively as security levels. In implementing these two security levels, Samba provides flexibilities that are not available with MS Windows NT4/200x servers. In fact, Samba implements share-level security only one way, but has four ways of implementing user-level security. Collectively, we call the Samba implementations of the security levels security modes. They are known as share, user, domain, ADS, and server modes.
Today, you are probably running Samba in a Windows environment that has evolved considerably beyond "Windows 95/Me." It probably uses user-names and passwords that are maintained on a corporate level using MS Open Directory (aka LDAP). Therefore, your Samba installations should be doing the same thing today.

The following paragraph from the same Samba web-page clearly illustrates the weakness of Share: (emphasis mine)
Quote:
In share-level security, the client authenticates itself separately for each share. It sends a password along with each tree connection request (share mount), but it does not explicitly send a username with this operation. The client expects a password to be associated with each share, independent of the user. This means that Samba has to work out what username the client probably wants to use, because the username is not explicitly sent to the SMB server. Some commercial SMB servers such as NT actually associate passwords directly with shares in share-level security, but Samba always uses the UNIX authentication scheme where it is a username/password pair that is authenticated, not a share/password pair.
Clearly, this notion is, by today's standards, ancient, and intrinsically insecure.

Last edited by sundialsvcs; 10-18-2016 at 05:07 PM.
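A small checker for the two weaknesses raised in this thread (the malformed hosts allow mask from post #2 and the guest-reachable, share-style access sundialsvcs describes). This is an added example, not code from the thread or from the Samba project; it uses a constructed smb.conf modelled on the poster's and assumes Samba's defaults of read only = yes and map to guest = never.

```python
import ipaddress
import re
# Constructed sample modelled on the poster's config; not the original file.
SAMPLE_CONF = """[global]
hosts allow = 192.168.0.10/200
map to guest = bad user
[writefolder]
path = /srv/writefolder
public = yes
read only = no
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, comments and blanks skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit(conf):
    """List findings: bad 'hosts allow' prefixes, guest fallback, guest-reachable shares."""
    findings = []
    glob = conf.get("global", {})
    for entry in glob.get("hosts allow", "").split():
        if "/" not in entry:
            continue  # hostname and trailing-dot forms are not validated here
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"hosts allow: '{entry}' is not a valid address/prefix")
    if glob.get("map to guest", "never").lower() != "never":
        findings.append("global: 'map to guest' lets unknown users fall back to guest")
    for name, opts in conf.items():
        if name == "global":
            continue
        guest = opts.get("public", opts.get("guest ok", "no")).lower() == "yes"
        writable = opts.get("read only", "yes").lower() == "no"
        if guest:
            findings.append(f"[{name}]: guest-readable" + (" and writable" if writable else ""))
    return findings
```

Run it on a real smb.conf by reading the file into parse_smb_conf; an empty list from audit means none of these three problems were found.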
 
Old 10-18-2016, 05:16 PM   #6
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,832

Rep: Reputation: 5970
That is because most SOHO routers do not support NAT loopback.

https://en.wikipedia.org/wiki/Networ...n#NAT_loopback

Of the few SOHO routers I have played with, the file sharing mode has been share level by default.

Last edited by michaelk; 10-18-2016 at 05:21 PM.
 