Question about Samba Security

Sean P. Elble elbles at sessys.com
Thu Nov 29 17:20:53 GMT 2007


On Thu, 29 Nov 2007, Gerald (Jerry) Carter wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dave,
>
>> I am the resident IT guy at a small, but growing company. I set up Samba
>> (most recent version) on a FreeBSD 6.1 server which everyone in the
>> company now uses to store personal and shared files. It's great. We have
>> a few employees who work outside of the office though, and I want them
>> to be able to access the same filesystem somehow. I'm thinking about
>> setting up our router to forward port 139 so that our outside employees
>> can access the Samba server (so long as they have the IP of our router,
>> which is static). But I have security concerns in doing this. Is the
>> risk of being attacked/hacked over port 139 very high?
>
> It's never recommended to put a CIFS file server (from any vendor)
> outside the firewall.
>
>> Is Samba as vulnerable to attacks over port 139 as an actual
>> Windows server is?
>
> There are several weaknesses in the protocol itself.  Recent
> protocol improvements can alleviate this, but in general
> CIFS is a very broad protocol that requires large amounts
> of parsing.
>
>> If so, can someone recommend another solution? Setting up
>> a VPN is a project that I don't have time to get involved
>> with. Please reply to my email: dave at transducertech.com.

A VPN proper (i.e. IPSec) is very time consuming, but something like PPTP
is very quick and easy to implement, and can even authenticate against
Samba or Windows using a Winbind plugin. It's far from the most secure
thing in the world, but it does add a layer of encryption in the creation
of the tunnel. It's not the best thing in the world, but it is far better
than opening port 139 to the world. Plus, it's hard not to take the
advice of the Samba developers (see below, again, heh).

>
> Best to invest the time in a VPN though.  That's the recommended
> solution.
>
>
>
> cheers, jerry
> - --
> =====================================================================
> Samba                                    ------- http://www.samba.org
> Centeris                         -----------  http://www.centeris.com
> "What man is a man who does not make the world better?"      --Balian
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFHTuJ+IR7qMdg1EfYRAjBYAKDLmsyxTF+oVKBuHgJKEmmq4juX3gCfWM5Z
> JYJ2CgnXzeGtYcwZPY9IztY=
> =SmG0
> -----END PGP SIGNATURE-----
> ________________________________________________________________________
> SES Computer Systems Anti-Virus and Anti-Spam E-Mail Filtering
> Powered By ClamAV & SpamAssassin
>
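The thread's advice, keep SMB/CIFS off the Internet and reach it over a tunnel, can be expressed as a firewall policy. The following pf.conf fragment is an added illustration written for this archive page, not configuration from the original posters or from the Samba project; it assumes a FreeBSD gateway running pf with the interface names, addresses and a PPTP address pool shown as placeholders. The commented-out `rdr` line is the port-forward the question proposes; the rules below it are the alternative the replies recommend.

```pf
# pf.conf fragment (added example, hypothetical addresses and interfaces)
ext_if   = "em0"               # Internet-facing interface
int_if   = "em1"               # office LAN interface
lan_net  = "192.168.1.0/24"    # office LAN
vpn_pool = "10.10.0.0/24"      # addresses handed to PPTP clients by the VPN server
samba    = "192.168.1.10"      # the FreeBSD/Samba file server
smb_ports = "{ 137, 138, 139, 445 }"

# What the question proposes: forward TCP/139 from the whole Internet to Samba.
# Left commented out on purpose; this exposes the CIFS parser to every host on the net.
# rdr on $ext_if proto tcp from any to ($ext_if) port 139 -> $samba port 139

set skip on lo0
block in log on $ext_if all

# Admit only the VPN control channel and GRE (PPTP) from outside, terminated
# on a VPN daemon at the gateway; the file server itself is never reachable directly.
pass in on $ext_if proto tcp from any to ($ext_if) port 1723 keep state
pass in on $ext_if proto gre from any to ($ext_if)

# SMB/CIFS is reachable from the office LAN and from authenticated VPN clients only.
pass in on $int_if proto { tcp, udp } from $lan_net  to $samba port $smb_ports keep state
pass in proto { tcp, udp } from $vpn_pool to $samba port $smb_ports keep state
```

A second, independent check belongs on the Samba host itself: `hosts allow = 192.168.1. 10.10.0.` in the `[global]` section of smb.conf (with `bind interfaces only = yes` and an explicit `interfaces =` list) makes smbd refuse sessions from any other source even if the gateway policy is later loosened by mistake. As Sean notes, PPTP is a thin layer of protection; its MS-CHAPv2 authentication has since been shown to be breakable, so the tunnel should be treated as a stop-gap until an IPsec or TLS-based VPN can be deployed, and pf's `log` keyword on the block rule gives a cheap record of any direct probes for TCP/139 or TCP/445 against the gateway.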

