Samba <> Internet file share

Chris Watt cnww at chebucto.ns.ca
Wed Aug 9 03:54:01 GMT 2000


At 12:42 09/08/00 +1000, Ashley Drees wrote:
>Hi All.
>
>If I were to enable samba on the internet facing side of my system, what 
>security issues would I face.

SMB is, by itself, a fairly vulnerable protocol, especially if you're not
using encrypted passwords. It is however not likely to be much worse than
telnet or ftp, or any other protocol that has no protection from packet
sniffers (i.e. it's mainly a question of what you do with it and whether
your particular daemon is known to have security flaws).

>Does the list think that it is a bad idea and security will be badly 
>compramised?

This list member does, but perhaps this list member is paranoid :)

>What other methiods of file sharing over the internet should I look at, 
>given that all the users are not really robust...

IMHO the "good" way to use Samba over the internet is to have firewalls (in
my case running Linux, but pick the *IX of your choice provided it has good
packet filtering/routing capabilities) and provide an SSH tunnel for Samba
(or a full-fledged secure VPN if you want) through the firewalls. 
The obvious problem with this is that it requires every remote client to be
behind a similarly configured firewall (a useful firewall on a machine
running Windows is possible AFAIK only by using vmware to run Windows). For
those of us who have control over our client machines and do not feel that
a Windows box should be connected to the 'net without a firewall (running a
real OS ;), this is not a problem, but if you either do not have easy
control over your clients or have clients that need to operate without a
firewall then this is largely pointless.
What you can still do without using SSH (or similar) is setup good traffic
filtering rules on your Samba server box (or it's firewall) to ensure that,
barring an IP-spoof, only clients using a "trusted" IP address can connect
to your Samba server. This in turn won't work for clients that come in with
random dynamic IP addresses, but will usually work with cable/ADSL services
if you simply tell your server to trust the entire dynamic IP range for
that client's ISP (this is still much better than trusting the whole
Internet).

In terms of non-samba solutions, there is always NFS, but NFS over the
Internet has Bad Idea written all over it (due to the lack of server-side
authentication/security) unless you do it through (well configured) SSH.
For a really simple drop-in solution that doesn't work all that well (but
does mostly work) you can grab one of the various Windows shareware
packages that lets you map an FTP site to a drive letter.
--

Who is this General Failure, and why is he reading my hard disk?


More information about the samba mailing list