[Samba] How secure is SMB3 over internet?

Reindl Harald h.reindl at thelounge.net
Mon Oct 22 09:20:41 UTC 2018



On 22.10.18 at 10:48, Nico Kadel-Garcia via samba wrote:
> On Sat, Oct 20, 2018 at 3:56 AM Reindl Harald via samba
>> it's in general not wise to expose uncommon public services (common =
>> http, ssh, ftp, email) to the web without an ssh-tunnel and if it only
>> because the next security issue doesn't bother you that much
>>
>> surely, patches have to be applied anyways but there is a difference in
>> patch services only reachable within a tunnel and patch exposed services
> 
> It's fairly common to expose it over a VPN, but the VPN software
> typically blocks other outbound traffic from the VPN client except
> traffic through the VPN itself. 

I won't say "typically"

a bridged openvpn sets a route for the LAN your VPN interface is a member
of and doesn't touch anything else

> Part of the difficulty is transitive
> file sharing. Can you mount a CIFS share on your laptop from home, and
> expose it directly to the Internet? The answer is "yes", even if CIFS
> sharing is not transitive, because you can set up a web server or FTP
> server pretty trivially on top of your locally mounted CIFS share. Or
> someone else can rootkit you and otherwise expose it. The same kind of
> transitive exposure should always be a security concern.

but that's a different beast than having a service exposed directly to the WAN

> Also, from experience, as soon as they start exposing fileshares from
> work to home, or to the Internet at large, they're unlikely to do it
> safely. And on Windows boxes, even if you've not deliberately exposed
> it, the "\\hostname\C$" share is always exposed on any host that does
> file sharing at all. Samba servers don't automatically expose their
> root filesystem, but Windows servers do unless filesharing is turned
> off altogether. It multiplies the risks of letting SMB anything out
> through the firewalls.

and 90% of all port scans are seeking 445/5900 (smb/vnc) all day
long, which makes 445 a perfect portscan-trigger resulting in responding
with tcp-reset for 10 seconds to any connection attempt from the source
ip on the firewall in front of the network

top 10 of our honeypot:

  #   Port   Hitcount   Service
  1    445     835984   smb
  2     22     405086   ssh
  3   5900     310434   vnc
  4     23     284908   telnet
  5     25     166864   smtp
  6   1433     101148   mssql
  7   3128      76039   squid
  8   8080      69879   tomcat
  9     80      66560   http
 10   3389      59603   rdp
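The "portscan-trigger" behaviour described in the reply above, as an added illustration that is not the poster's firewall configuration: a connection attempt to one of the bait ports (445, 5900) marks the source address, and for the next 10 seconds every further attempt from that address is answered with a TCP reset. The log format, the sample addresses and the choice not to extend the window on repeated hits are assumptions.

```python
"""Replay constructed connection-attempt records through the trigger
policy from the mail: hit 445 or 5900 once and all your connections get
a TCP reset for the next 10 seconds. Illustration only, not the actual
firewall rules used by the poster."""
from dataclasses import dataclass, field

TRIGGER_PORTS = {445, 5900}   # the scan-bait ports named in the mail (smb, vnc)
BLOCK_SECONDS = 10.0          # reset window after a trigger hit


@dataclass
class ScanTrigger:
    # src_ip -> timestamp until which that source is answered with a reset
    blocked_until: dict = field(default_factory=dict)

    def handle(self, ts: float, src_ip: str, dport: int) -> str:
        """Return 'reset' or 'allow' for one connection attempt."""
        until = self.blocked_until.get(src_ip)
        if until is not None and ts < until:
            # Inside the window: reset. Assumption: the window is not
            # extended by further attempts, it simply runs out.
            return "reset"
        if dport in TRIGGER_PORTS:
            # Bait port touched: start (or restart) the reset window.
            self.blocked_until[src_ip] = ts + BLOCK_SECONDS
            return "reset"
        return "allow"


def replay(records):
    """Apply the policy to 'ts src_ip dport' records in chronological order."""
    trig = ScanTrigger()
    return [(src, int(dport), trig.handle(float(ts), src, int(dport)))
            for ts, src, dport in (r.split() for r in records)]


# Constructed sample: 203.0.113.5 probes smb then tries ssh/http within the
# window; 198.51.100.7 uses ssh normally, then touches vnc and gets blocked.
SAMPLE = [
    "0.0 203.0.113.5 445",
    "1.0 198.51.100.7 22",
    "3.0 203.0.113.5 22",
    "5.0 198.51.100.7 5900",
    "9.9 203.0.113.5 80",
    "12.0 203.0.113.5 22",
    "14.0 198.51.100.7 22",
]

if __name__ == "__main__":
    for src, dport, verdict in replay(SAMPLE):
        print(f"{src:14} -> {dport:5}  {verdict}")
```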
