LinuxQuestions.org
Old 01-30-2006, 02:31 PM   #1
gatsby
Member
 
Registered: Jan 2006
Posts: 59

Rep: Reputation: 16
Securing Samba?


Hi all -

I am setting up Samba 3.x on a Red Hat Linux box to share some files between a few friends. The sharing itself works fine, and I'd be interested to hear if anyone has any experience with or thoughts on securing Samba.

In smb.conf (the Samba config file), I have restricted access to my Samba shares for only those IP addresses on the same subnet as the machine itself. Samba is set to 'user' security mode. Also, I've set hosts deny to deny everyone by default, so I specifically allow those I want. The shares themselves require a password to access.

IPTables also allows only those on my subnet to connect to the Samba ports. The tables' default policy is to drop everything. I am using TCP wrappers (though I don't think samba is affected by this). BitDefender is my anti-virus software. I've been thinking of putting Snort on...it seems pretty cool.

If anything comes to mind, let me know. I would just like to be sure before turning my friends loose. Thanks in advance.
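
As an added example (not part of the original post): a small checker for the smb.conf settings described above, namely 'user' security, a default hosts deny, hosts allow limited to one subnet, and no guest access on shares. The subnet 192.168.1.0/24, the share name and the function names are assumptions made for illustration.

```python
import configparser
import ipaddress

# Constructed sample smb.conf; subnet and share name are placeholders.
SAMPLE = """
[global]
   security = user
   hosts deny = ALL
   hosts allow = 192.168.1. 127.0.0.1
[friends]
   path = /srv/samba/friends
   guest ok = no
"""

def norm(name):
    # Samba ignores case and whitespace inside parameter names.
    return "".join(name.split()).lower()

def to_network(entry):
    # Accept "192.168.1." prefixes as well as addr/mask and addr/prefixlen.
    if entry.endswith("."):
        octets = entry.rstrip(".").split(".")
        entry = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    return ipaddress.ip_network(entry, strict=False)

def audit(text, trusted="192.168.1.0/24"):
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = norm
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    conf = {s.lower(): dict(cp[s]) for s in cp.sections()}
    g, findings = conf.get("global", {}), []
    if g.get("security", "").lower() != "user":
        findings.append("security = user is not set")
    deny = g.get("hostsdeny", "").replace(",", " ").split()
    if not {"ALL", "0.0.0.0/0"} & {d.upper() for d in deny}:
        findings.append("hosts deny does not deny everyone by default")
    for entry in g.get("hostsallow", "").replace(",", " ").split():
        try:
            net = to_network(entry)
            if not (net.is_loopback or net.subnet_of(ipaddress.ip_network(trusted))):
                findings.append("hosts allow entry outside trusted subnet: " + entry)
        except ValueError:
            findings.append("hosts allow entry not checkable as an address: " + entry)
    for name, params in conf.items():
        guest = params.get("guestok", params.get("public", "no"))
        if name != "global" and guest.lower() in ("yes", "true", "1"):
            findings.append("share [%s] allows guest access" % name)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

Host names in hosts allow are reported rather than resolved, so the check runs offline; the iptables rules mentioned in the post need to be reviewed separately.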
 
Old 01-30-2006, 05:01 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Normally I don't recommend running Samba exposed to the internet at all. It's not really a hardened service and isn't designed with a security-centric mindset. Running it inside of a trusted network behind a firewall is a little different story.

That being said, it will help minimize risk if you can limit access to a small subnet of IPs using iptables. Unfortunately remote users often have dynamic IP addresses from their ISP which can fluctuate frequently, making IP-based access control challenging. There also is the option of setting up a VPN which the users must authenticate to before accessing the Samba shares. That is a bit of work to get working, especially if you are inexperienced with VPN. Setting up a simple samba-over-ssh tunnel might be easier.

If you just need to share files, why not use ftp?

Last edited by Capt_Caveman; 01-30-2006 at 05:02 PM.
 
Old 01-30-2006, 08:02 PM   #3
gatsby
Member
 
Registered: Jan 2006
Posts: 59

Original Poster
Rep: Reputation: 16
thanks for the reply. as for ftp, in another situation that would work fine for me. this time, though, i need the seamless file sharing that samba provides to windows.

Quote:
Running it inside of a trusted network behind a firewall is a little different story.
sorry, i should have mentioned that. there is a larger trusted network which this samba server would be connected to (it isn't stand-alone in the wild). rather, it would be an additional machine in a trusted network. according to our head IT people, they shield those samba ports and several others from being connected to from the internet. i hope that fact improves the situation a little...

Last edited by gatsby; 01-30-2006 at 08:05 PM.
 
  

