« Previous 1 2 3
Protecting Samba file servers in heterogeneous environments
Teamwork
Firewall, Please
Now all you need is to set up the firewall with iptables. Of course, many settings can be made to secure a system, but Listing 7 provides a small script that shows you how to unlock the required ports for Samba and SSH and how to prohibit all other connections.
Listing 7
iptables Firewall
#!/bin/bash IPT=iptables $IPT -F $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT ACCEPT # Allow loopback $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # Allow three-way handshake $IPT -A INPUT -m state --state NEW -j ACCEPT $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow input ssh $IPT -A INPUT -p tcp --dport 22 -j ACCEPT # Allow smb over Port 445 \$IPT -A INPUT -p tcp --dport 445 -j ACCEPT
After you have started the firewall, Windows access remains possible. You should further configure the firewall to detect port scanning and brute force attacks and document any attempts in the logfiles.
Conclusions
Securely integrating a Samba server into a heterogeneous environment is not rocket science. In contrast to a Windows-flavored server, you have to deal with the security of the operating system and the Samba service manually: Just installing the packages and then setting up a few shares is not enough. However, with a few simple steps, you can securely integrate a Samba server into your AD domain, with the well-known samba.conf configuration file playing a central role.
Infos
- Samba downloads: https://www.samba.org/samba/history/
- SerNet: https://www.sernet.de/en/samba/
- Samba vulnerability: https://www.samba.org/samba/security/CVE-2017-7494.html
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
What's new in Samba 4
In December 2012, the open source world received the first, and very long awaited, release of the Samba 4.x series. -
Save money with Samba as the domain controller on a legacy Windows NT-style domain
Samba can act as a PDC or BDC on a Windows NT4-style domain. Compared with a Windows-only solution, Samba saves money on licensing, and users can log in from Linux or OS X. -
Samba domain controller in a heterogeneous environment
The open source Samba service can act as an Active Directory domain controller in a heterogeneous environment. -
Linux for Windows Admins: Samba Shuffle
Interoperability between *nix and Windows is always a problem for Windows Admins, but it doesn’t have to be. With a small effort, the two can comfortably share and share alike.
-
Samba 4 appliances by SerNet and Univention
Shortly after the Samba team finalized Samba 4 in December 2012, SerNet and Univention integrated the new Samba into their appliances that give administrators an easy way to set up and test a Samba 4-based Active Directory domain controller.