[Samba] How secure is SMB3 over internet?
Reindl Harald
h.reindl at thelounge.net
Mon Oct 22 09:20:41 UTC 2018
On 22.10.18 at 10:48, Nico Kadel-Garcia via samba wrote:
> On Sat, Oct 20, 2018 at 3:56 AM Reindl Harald via samba
>> it's in general not wise to expose uncommon public services (common =
>> http, ssh, ftp, email) to the web without an ssh tunnel, if only
>> because the next security issue then doesn't bother you that much
>>
>> surely, patches have to be applied anyway, but there is a difference
>> between patching services only reachable within a tunnel and patching
>> exposed services
>
> It's fairly common to expose it over a VPN, but the VPN software
> typically blocks other outbound traffic from the VPN client except
> traffic through the VPN itself.
I won't say "typically"
a bridged OpenVPN sets a route for the LAN your VPN interface is a member
of and doesn't touch anything else
> Part of the difficulty is transitive
> file sharing. Can you mount a CIFS share on your laptop from home, and
> expose it directly to the Internet? The answer is "yes", even if CIFS
> sharing is not transitive, because you can set up a web server or FTP
> server pretty trivially on top of your locally mounted CIFS share. Or
> someone else can rootkit you and otherwise expose it. The same kind of
> transitive exposure should always be a security concern.
but that's a different beast than having a service exposed directly to the WAN
> Also, from experience, as soon as they start exposing fileshares from
> work to home, or to the Internet at large, they're unlikely to do it
> safely. And on Windows boxes, even if you've not deliberately exposed
> it, the "\\hostname\C$" share is always exposed on any host that does
> file sharing at all. Samba servers don't automatically expose their
> root filesystem, but Windows servers do unless filesharing is turned
> off altogether. It multiplies the risks of letting SMB anything out
> through the firewalls.
and 90% of all port scans are looking for 445/5900 (smb/vnc) all day
long, which makes 445 a perfect portscan trigger, resulting in the
firewall in front of the network responding with tcp-reset for 10 seconds
to any connection attempt from the source ip
top 10 of our honeypot:

Rank  Port  Hitcount  Service
   1   445    835984  smb
   2    22    405086  ssh
   3  5900    310434  vnc
   4    23    284908  telnet
   5    25    166864  smtp
   6  1433    101148  mssql
   7  3128     76039  squid
   8  8080     69879  tomcat
   9    80     66560  http
  10  3389     59603  rdp
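One way to implement the 445-triggered reset described above, as an added nftables example (not the poster's own firewall rules; the table, set and chain names and the choice to hook both input and forward are assumptions):

```nft
# Added illustration, not the poster's configuration. Table, set and chain
# names (portscan_trap, scanners, trap) are assumed; the firewall sits in
# front of the network, so the trap runs on forwarded traffic too.
table inet portscan_trap {
    # Dynamic set of source addresses that touched tcp/445. Entries expire
    # after 10 seconds, so a legitimate host is not locked out for long.
    set scanners {
        type ipv4_addr
        flags dynamic, timeout
        timeout 10s
    }

    chain trap {
        # Any TCP connection attempt from a recorded source is answered
        # with a reset for as long as the entry lives (the "10 seconds of
        # tcp-reset" from the post).
        ip saddr @scanners meta l4proto tcp reject with tcp reset

        # A new connection to 445 is the trigger: record the source with a
        # 10s lifetime and reset this attempt as well. Later hits from the
        # same source are caught by the rule above, so the timer is not
        # refreshed; the block lasts 10s from the first hit.
        tcp dport 445 ct state new add @scanners { ip saddr timeout 10s } reject with tcp reset
    }

    # Run the trap before the normal filtering rules, both for traffic to
    # the firewall itself and for traffic it forwards into the LAN.
    chain input {
        type filter hook input priority -10; policy accept;
        jump trap
    }
    chain forward {
        type filter hook forward priority -10; policy accept;
        jump trap
    }
}
```

Load with `nft -f <file>` and inspect the live set with `nft list set inet portscan_trap scanners` to see which sources are currently being reset.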