[Samba] How secure is SMB3 over internet?

Nico Kadel-Garcia nkadel at gmail.com
Mon Oct 22 08:48:34 UTC 2018


On Sat, Oct 20, 2018 at 3:56 AM Reindl Harald via samba
<samba at lists.samba.org> wrote:

> On 19.10.18 at 20:04, jmqaodmthr1acosyg--- via samba wrote:
> > Hello,
> > How secure is SMB3 over Internet? I see that Microsoft Azure is doing SMB3 shares over internet so they seem to think it's secure.
> > Does the SAMBA team recommend this type of scenario OR do they recommend instead running it over a SSH tunnel/VPN?
>
> i won't even consider it
>
> ports 137,138,139,445 are blocked outgoing here and any inbound
> connection on those ports will reject your source-ip for some seconds on
> any port over the whole network
>
> it's in general not wise to expose uncommon public services (common =
> http, ssh, ftp, email) to the web without a ssh-tunnel, if only
> because the next security issue then doesn't bother you that much
>
> surely, patches have to be applied anyways but there is a difference in
> patching services only reachable within a tunnel and patching exposed services

It's fairly common to expose it over a VPN, but the VPN software
typically blocks other outbound traffic from the VPN client, except
traffic through the VPN itself. Part of the difficulty is transitive
file sharing. Can you mount a CIFS share on your laptop from home, and
expose it directly to the Internet? The answer is "yes", even if CIFS
sharing is not transitive, because you can set up a web server or FTP
server pretty trivially on top of your locally mounted CIFS share. Or
someone else can rootkit you and otherwise expose it. The same kind of
transitive exposure should always be a security concern.

Also, from experience, as soon as they start exposing fileshares from
work to home, or to the Internet at large, they're unlikely to do it
safely. And on Windows boxes, even if you've not deliberately exposed
it, the "\\hostname\C$" share is always exposed on any host that does
file sharing at all. Samba servers don't automatically expose their
root filesystem, but Windows servers do unless filesharing is turned
off altogether. It multiplies the risks of letting SMB anything out
through the firewalls.
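The policy Reindl describes above (SMB ports blocked outbound, and any inbound probe on them getting the source address dropped on every port for a short while) can be expressed as an nftables ruleset. This is an added example, not configuration from either poster; it assumes a single Linux host rather than a network perimeter, IPv4 only, and a 30-second ban is an assumed placeholder for "some seconds".

```nft
# Added example: host-level guard that mirrors the policy described in the thread.
# Load with: nft -f smb_guard.nft   (assumed filename)
table inet smb_guard {
    # Dynamic set of source addresses that probed an SMB/NetBIOS port.
    # Entries expire on their own; 30s is an assumed value.
    set smb_offenders {
        type ipv4_addr
        flags dynamic, timeout
        timeout 30s
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Anything from a recent offender is dropped on every port.
        ip saddr @smb_offenders counter drop

        # An inbound SMB/NetBIOS probe adds the source to the set and is dropped.
        tcp dport { 139, 445 } add @smb_offenders { ip saddr } counter drop
        udp dport { 137, 138 } add @smb_offenders { ip saddr } counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # No SMB/NetBIOS leaves this host towards any destination.
        # Traffic meant for a VPN tunnel interface would need an explicit
        # accept rule above these (assumed interface name: tun0).
        oifname "tun0" accept
        tcp dport { 139, 445 } counter reject
        udp dport { 137, 138 } counter reject
    }
}
```

`nft list set inet smb_guard smb_offenders` shows which addresses are currently banned and how long their entries have left, which is also a convenient detection signal for SMB scanning against the host.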