Protecting Samba file servers in heterogeneous environments

Teamwork

Firewall, Please

Now all you need is to set up the firewall with iptables. Of course, many settings can be made to secure a system, but Listing 7 provides a small script that shows you how to unlock the required ports for Samba and SSH and how to prohibit all other connections.

Listing 7

iptables Firewall

#!/bin/bash
IPT=iptables
$IPT -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Allow loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
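# Allow packets that belong to connections already established.
# New inbound connections are accepted only by the port rules below;
# a blanket ACCEPT for state NEW would bypass the DROP policy.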
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow input ssh
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow smb over Port 445
$IPT -A INPUT -p tcp --dport 445 -j ACCEPT

After you have started the firewall, Windows access remains possible. You should further configure the firewall to detect port scanning and brute force attacks and document any attempts in the logfiles.
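One way to add that detection and logging with the iptables recent, limit, and LOG features follows; it is an added example, not part of the original article. The rules take the place of the two port ACCEPT rules at the end of Listing 7 and must come before any other rule that accepts new connections. The thresholds, list names, and log prefixes are assumptions, and IPT defaults to a dry run that only prints the commands.

```bash
#!/bin/bash
# Added example: brute-force throttling and scan logging for Listing 7.
# Dry run by default (commands are only printed); run as root with
# IPT=iptables to apply. Thresholds and prefixes are assumed values.
IPT=${IPT:-echo iptables}

# throttle_port PORT NAME SECONDS HITS
# Record every source that opens a NEW connection to PORT in the "recent"
# list NAME. A source that reaches HITS new connections within SECONDS is
# logged (rate limited, so the log cannot be flooded) and dropped.
throttle_port() {
    local port=$1 name=$2 secs=$3 hits=$4
    $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW \
         -m recent --name "$name" --set
    $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW \
         -m recent --name "$name" --rcheck --seconds "$secs" --hitcount "$hits" \
         -m limit --limit 6/min -j LOG --log-prefix "BRUTE-$name: "
    $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW \
         -m recent --name "$name" --rcheck --seconds "$secs" --hitcount "$hits" \
         -j DROP
    $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
}

# Must be the last INPUT rule: whatever is still unmatched here (probes of
# closed ports, the typical trace of a port scan) is logged at a limited
# rate and then falls through to the DROP policy.
log_unsolicited() {
    $IPT -A INPUT -m limit --limit 10/min --limit-burst 20 \
         -j LOG --log-prefix "UNSOLICITED: "
}

build_rules() {
    throttle_port 22 SSH 60 5      # 5 new SSH connections per minute per source
    throttle_port 445 SMB 60 15    # SMB clients reconnect more often
    log_unsolicited
}

build_rules
```

The LOG entries end up in the kernel log, where the two prefixes make brute-force and scan attempts easy to filter.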

Conclusions

Securely integrating a Samba server into a heterogeneous environment is not rocket science. In contrast to a Windows-flavored server, you have to deal with the security of the operating system and the Samba service manually: Just installing the packages and then setting up a few shares is not enough. However, with a few simple steps, you can securely integrate a Samba server into your AD domain, with the well-known samba.conf configuration file playing a central role.
