[Samba] How secure is SMB3 over internet?

Mon Oct 22 09:05:10 UTC 2018

For what it's worth, I have a samba fileserver (4.8.5) over OpenVPN 2.4.6
on Debian Stretch with linux/windoze clients.
Works flawlessly and only needs one opened port on the router/firewall.
That also allows us to use things like UltraVNC.
Only "catch", I had to use bridge-mode on the VPN instead of the easier
route mode.
Can provide details if needed.

Best regards
Carlos
Nico Kadel-Garcia via samba <samba at lists.samba.org> escreveu no dia
segunda, 22/10/2018 à(s) 09:49:

> On Sat, Oct 20, 2018 at 3:56 AM Reindl Harald via samba
> <samba at lists.samba.org> wrote:
>
> > Am 19.10.18 um 20:04 schrieb jmqaodmthr1acosyg--- via samba:
> > > Hello,
> > > How secure is SMB3 over Internet? I see that Microsoft Azure is doing
> SMB3 shares over internet so they seem to think it's secure.
> > > Does the SAMBA team recommend this type of scenario OR do they
> recommend instead running it over a SSH tunnel/VPN?
> >
> > i won't even consider it
> >
> > ports 137,138,139,445 ar eblocked outgoing here and any inbound
> > connection on that ports will reject your source-ip for some seconds on
> > any prot over the whole network
> >
> > it's in general not wise to expose uncommon public services (common =
> > http, ssh, ftp, email) to the web without a ssh-tunnel and if it only
> > because the next security issue don't bother you that much
> >
> > surely, patches have to be applied anyways but there is a difference in
> > patch services only reachable withina tunnel and patch exposed services
>
> It's fairly common to expose it over a VPN, but the VPN software
> typically blocks other outbound traffic from the VPN client, except
> traffic through the VPN itself. Part of the difficulty is transitive
> file sharing. Can you mount a CIFS share on your laptop from home, and
> expose it directly to the Internet? The answer is "yes", even if CIFS
> sharing is not transitive, because you can set up a web server or FTP
> server pretty trivially. on top of your locally mounted CIFS share. Or
> someone else can rootkit you and otherwise expose it. The same kind of
> transitive exposure should always be a security concern.
>
> Also, from experience, as soon as they start exposing fileshares from
> work to home, or to the Internet at large, they're unlikely to do it
> safely. And on Windows boxes, even if you've not deliberately exposed
> it, the "\\hostname\C$" share is always exposed on any host that does
> file sharing at all. Samba servers don't automatically expose their
> root filesystem, but Windows servers do unless filesharing is turned
> off altogether. It multiplies the risks of letting SMB anything out
> through the firewalls.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>