Web lists-archives.com

Re: [Samba] How secure is SMB3 over internet?




On Sat, Oct 20, 2018 at 3:56 AM Reindl Harald via samba
<samba@xxxxxxxxxxxxxxx> wrote:

> Am 19.10.18 um 20:04 schrieb jmqaodmthr1acosyg--- via samba:
> > Hello,
> > How secure is SMB3 over Internet? I see that Microsoft Azure is doing SMB3 shares over internet so they seem to think it's secure.
> > Does the SAMBA team recommend this type of scenario OR do they recommend instead running it over a SSH tunnel/VPN?
>
> i won't even consider it
>
> ports 137,138,139,445 ar eblocked outgoing here and any inbound
> connection on that ports will reject your source-ip for some seconds on
> any prot over the whole network
>
> it's in general not wise to expose uncommon public services (common =
> http, ssh, ftp, email) to the web without a ssh-tunnel and if it only
> because the next security issue don't bother you that much
>
> surely, patches have to be applied anyways but there is a difference in
> patch services only reachable withina tunnel and patch exposed services

It's fairly common to expose it over a VPN, but the VPN software
typically blocks other outbound traffic from the VPN client, except
traffic through the VPN itself. Part of the difficulty is transitive
file sharing. Can you mount a CIFS share on your laptop from home, and
expose it directly to the Internet? The answer is "yes", even if CIFS
sharing is not transitive, because you can set up a web server or FTP
server pretty trivially. on top of your locally mounted CIFS share. Or
someone else can rootkit you and otherwise expose it. The same kind of
transitive exposure should always be a security concern.

Also, from experience, as soon as they start exposing fileshares from
work to home, or to the Internet at large, they're unlikely to do it
safely. And on Windows boxes, even if you've not deliberately exposed
it, the "\\hostname\C$" share is always exposed on any host that does
file sharing at all. Samba servers don't automatically expose their
root filesystem, but Windows servers do unless filesharing is turned
off altogether. It multiplies the risks of letting SMB anything out
through the firewalls.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba