Protecting Samba file servers in heterogeneous environments
Teamwork
Firewall, Please
Now all you need is to set up the firewall with iptables. Of course, many settings can be made to secure a system, but Listing 7 provides a small script that shows you how to unlock the required ports for Samba and SSH and how to prohibit all other connections.
Listing 7
iptables Firewall
#!/bin/bash
IPT=iptables

# Flush existing rules and set the default policies
$IPT -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Allow loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow packets that belong to connections already accepted;
# new connections are accepted only on the ports listed below
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow input ssh
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow smb over port 445
$IPT -A INPUT -p tcp --dport 445 -m state --state NEW -j ACCEPT
After you have started the firewall, Windows access remains possible. You should further configure the firewall to detect port scanning and brute force attacks and document any attempts in the logfiles.
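One way to add the logging and brute-force throttling mentioned above, as an added example that is not part of the original article. The chain names GUARD and LOGDROP_BRUTE, the log prefixes, and the thresholds are assumptions. By default the script only prints the rules for review; run it with APPLY=1 as root after Listing 7 to load them.

```bash
#!/bin/bash
# Added example, not from the article: logging and SSH throttling on top of Listing 7.
# Dry run by default (rules are printed for review); APPLY=1 as root loads them.
IPT=${IPT:-iptables}
SSH_HITS=4      # assumed threshold: the 4th new connection ...
SSH_WINDOW=60   # ... from one address within 60 seconds is blocked

rule() {
    if [ "${APPLY:-0}" = "1" ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

guard_rules() {
    # Offenders are logged (rate-limited to protect the logfile), then dropped
    rule -N LOGDROP_BRUTE
    rule -A LOGDROP_BRUTE -m limit --limit 6/min -j LOG --log-prefix "SSH-BRUTE: "
    rule -A LOGDROP_BRUTE -j DROP

    # GUARD sees every inbound packet first; unmatched packets return to INPUT
    rule -N GUARD
    # Flag combinations no normal TCP stack sends (NULL and XMAS scans)
    rule -A GUARD -p tcp --tcp-flags ALL NONE -j DROP
    rule -A GUARD -p tcp --tcp-flags ALL ALL -j DROP
    # Record each new SSH connection per source address ...
    rule -A GUARD -p tcp --dport 22 -m state --state NEW \
        -m recent --name SSH --set
    # ... and hand sources over the threshold to LOGDROP_BRUTE
    rule -A GUARD -p tcp --dport 22 -m state --state NEW \
        -m recent --name SSH --update --seconds "$SSH_WINDOW" \
        --hitcount "$SSH_HITS" -j LOGDROP_BRUTE
    rule -I INPUT 1 -j GUARD

    # Last INPUT rule: whatever is about to hit the DROP policy is logged,
    # so a scan across closed ports shows up as a burst of these entries
    rule -A INPUT -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "IPT-DROP: "
}

guard_rules
```

The log entries land in the kernel log, where they can be filtered by the SSH-BRUTE and IPT-DROP prefixes.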
Conclusions
Securely integrating a Samba server into a heterogeneous environment is not rocket science. In contrast to a Windows-flavored server, you have to deal with the security of the operating system and the Samba service manually: Just installing the packages and then setting up a few shares is not enough. However, with a few simple steps, you can securely integrate a Samba server into your AD domain, with the well-known samba.conf configuration file playing a central role.