Enabling Samba in DMZ


logicalconfusion

If SMB is enabled and exposed to the internet, you're not supposed to be able to, but yes, you can in most instances. It's supposed to be used by NetBIOS names to connect to shares on the local LAN only, but be warned: there are other attacks that would put this machine at risk with the Server, Computer Browser, and Workstation services exposed to the internet. If Remote Registry and RPC protocols are enabled, someone with admin credentials could use psexec to control the machine via its IP address. In general, you should never put a machine in a DMZ. If you must use a machine as a file server to share files, set up a VPN on the machine or OpenSSH so people can log in remotely, port forward SSH to the desired machine, and use SCP to pull down or upload files.


I got an XP machine set up in the DMZ of my network. Can I use Samba to share files with BT5 and Ubuntu 12 through the firewall of my modem?

Just out of curiosity, why did you put that XP machine in a DMZ?


It's not just SMB that can be attacked, though. Workstations, especially XP, should never be in a DMZ unless you like getting hacked on a regular basis.


Actually, this is up the same alley as a question I was about to ask. I'd like to share some files on a CentOS server, but don't really know the best way to do it. I thought about a SAMBA share, but it's full of holes and not good practice. Ideally, I'd like to be able to go to a link, get authenticated, and be allowed to browse files and download them. Is anyone aware of a good, mostly safe way to do this? Thank you.


> Actually, this is up the same alley as a question I was about to ask. I'd like to share some files on a CentOS server, but don't really know the best way to do it. I thought about a SAMBA share, but it's full of holes and not good practice. Ideally, I'd like to be able to go to a link, get authenticated, and be allowed to browse files and download them. Is anyone aware of a good, mostly safe way to do this? Thank you.

Either set up SSH for SCP/SFTP access, or VPN into the box, would be my preferences. Both those options are encrypted and would allow remote access while all info is sent through an encrypted tunnel. They make GUI clients for SCP as well, so if you're, say, at a friend's and he's on a Windows box, you can carry WinSCP on a thumbdrive and log in remotely to use a GUI to pull down or upload files if needed.

If it is purely downloading of files that you are interested in, then you could just run Apache on the machine and serve the directory containing your files through that. You can do authentication against local passwords added to a .htpasswd file, or if you have any authentication services running in your environment (AD, LDAP, Kerberos, etc.) then you can configure it to use those for authentication. Just make sure you configure the server to only serve out over TLS/SSL so that you have encryption.

The only difficult situation that you may have is if your server doesn't have a consistent hostname: then you may not be able to get an SSL certificate signed by one of the usual CAs and will either have to go with a self-signed certificate or generate your own CA certificate that you install on those machines you wish to connect to your server. The easiest way is with a self-signed certificate, but you will have to either have a note of the SHA1 hash of the certificate or have it memorised to make sure that you don't get caught in a man-in-the-middle attack.

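The two pieces of the post above that people get wrong in practice are the htpasswd entry and the "note of the hash" check for a self-signed certificate. The following is an added example, not code from the thread or from Apache: it writes an entry in the {SHA} format that Apache's `htpasswd -s` produces, computes a certificate fingerprint in the same colon-separated form that `openssl x509 -fingerprint` prints, and opens a TLS connection that accepts the server only if its certificate matches a fingerprint noted out of band. `SAMPLE_DER` is constructed stand-in bytes, not a real certificate, so the helpers can be exercised offline; `connect_pinned` needs a live server to be useful.

```python
"""Added example (not code from the thread): an htpasswd entry for Apache Basic auth
and a fingerprint pin for a self-signed certificate, using only the standard library."""
import base64
import hashlib
import hmac
import re
import socket
import ssl


def htpasswd_sha_entry(user: str, password: str) -> str:
    """Return a 'user:{SHA}...' line in the format Apache's `htpasswd -s` writes.
    Apache also accepts bcrypt entries (`htpasswd -B`), which resist offline cracking
    far better; {SHA} is used here only because it needs no third-party module."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def htpasswd_check(line: str, user: str, password: str) -> bool:
    """Verify a password against a {SHA} htpasswd line (constant-time compare)."""
    name, _, stored = line.partition(":")
    if name != user or not stored.startswith("{SHA}"):
        return False
    expected = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return hmac.compare_digest(stored[len("{SHA}"):], expected)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and decode it to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER bytes, the same form that
    `openssl x509 -noout -fingerprint -sha256 -in server.crt` prints."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Strip colons, spaces and case so a hand-noted fingerprint compares cleanly."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def pin_matches(der: bytes, expected: str, algo: str = "sha256") -> bool:
    """Constant-time comparison of the presented certificate against the noted pin."""
    return hmac.compare_digest(normalize_fingerprint(fingerprint(der, algo)),
                               normalize_fingerprint(expected))


def connect_pinned(host: str, port: int, expected: str, algo: str = "sha256") -> ssl.SSLSocket:
    """Connect over TLS to a server with a self-signed certificate and accept it only if
    the presented certificate matches the fingerprint noted out of band.  Chain
    verification is disabled because there is no CA to check against; the pin is what
    stops a man-in-the-middle from swapping in a different self-signed certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected, algo):
        sock.close()
        raise ssl.SSLCertVerificationError("certificate fingerprint mismatch: possible MITM")
    return sock


# Constructed stand-in for certificate bytes so the helpers run offline; NOT a real certificate.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(htpasswd_sha_entry("alice", "password"))
    print("sha256 pin:", fingerprint(pem_to_der(SAMPLE_PEM)))
```

Usage: run `openssl x509 -noout -fingerprint -sha256 -in server.crt` on the server, write the output down, and pass it as `expected` to `connect_pinned`; the comparison tolerates the colons and case differences between how the value was noted and how it was computed. SHA-256 is used by default rather than the SHA1 the post mentions, since it is what current `openssl` prints and what you would pin today.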

Sounds like I need to learn more about Apache, authentication, and certificate management. Thank you!

Just know that running a web server from home and exposed to the internet is just as dangerous as putting a machine in a DMZ. If mis-configured or compromised, that lets attackers pivot into the rest of your network. Nothing is without its drawbacks, including an SSH server, which can be brute forced unless you use key pair authentication and disable password access, but if you've never set up a web server, I would suggest setting up a VPN or SSH tunnel instead if you want remote access to files or your home network. I see no value in making a web server accessible from a home box, other than maybe in a VM and for pentesting practice, but I wouldn't put anything else on the same network if reachable from the internet in case it ever got whacked.

> Just know that running a web server from home and exposed to the internet is just as dangerous as putting a machine in a DMZ. If mis-configured or compromised.

This is a good point. It is very easy for those of us who deal with Apache and use it to make systems available publicly to forget that, while it is a very stable and secure web server, like most systems it is easy for a beginner to make mistakes and open themselves up.

From a security point of view, the best thing to do when starting to learn about using and configuring Apache is to keep your configuration simple. Don't overreach yourself: decide the task you want it to do and set it up for just that. In the case of serving files, remove the configuration for all the other folders that usually get set up in the default configuration for Apache (e.g. cgi-bin, icons, manual). Once you have just the one location being served out, then concentrate on setting up your security (set up SSL and your authentication). Once you have it running and you are convinced it is secure, then you can put in your port forward on your router and access it from the internet. (Port forward a high-numbered port, as it is less likely to be stumbled across by others, and ISPs quite often block incoming connections to ports 80 and 443.)

Running any service that is accessible directly from the internet will leave you with an increased potential of getting your network broken into; you just have to ask yourself if the risk is worth the benefit (being able to access some of your files from outside of the network).


Thank you for the help. Now, before, when I had a server set up in my home, I only allowed access via password-protected keys. If I wanted to access it from the outside (like on my Android phone, or any SSH Session), I had to select my key and put in the password for it. I was still new (still am), was that a sound practice?


Using keys with a good long passphrase is good practice for securing SSH, and using SSH requiring keys to provide remote access to a server for those people with logins on the server is also good practice. On the other hand, it isn't good practice for providing third parties with limited access to services. (It is possible to limit access for users, but maintaining the list of what they should be able to access and what they shouldn't gets very difficult as the number of users increases.)

If you want to give your friends access to a single directory of files to download from, then you don't want to give them access to a shell on your server, or the ability to set up their own tunnels, or even access to your internal networks. These risks are easy to avoid by using a different method to access the download directory. Also, it makes it a lot easier for your friends to access. Some people find the concept of SSH keys, passphrases and ssh/scp/sftp very difficult to understand, but they use a web browser every day.

Really it is a case of finding the best way to provide the service required to the users required. You will probably find that SSH is the best option for yourself, but you won't want to give others SSH access.


If you need to restrict access, set up SFTP with user accounts for each user, put them in a group with access to a specific set of folders you want them to have access to, and chmod and chgrp the folder to be in the same user group you put your friends in. If Windows-based, it's better to set up a domain and Active Directory, and file shares with each user having access from their respective groups to that specific file share, but setting up a domain controller, Active Directory and such can be a PITA. A simple SFTP server, which uses SSH for the connection, would be much simpler in my opinion. Just make sure it's configured properly to not let them traverse directories to the rest of the OS. I think FileZilla even has a server side to it, but I've never actually set it up or had a need for it, since I have my own website domains; I just upload files there when I need to share them or make files accessible over the internet. I'm always leery about using a home box as a file server for people other than myself, but that's a personal choice. If you want to take the shortcut (not that I like them), use something like Dropbox or one of the other similar services, and then you can share out links and logins for access to the cloud storage services.

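Two replies in this thread lean on sshd_config doing the right thing: the earlier warning that an SSH server "can be brute forced unless you use key pair authentication and disable password access", and the post above saying the SFTP setup must be "configured properly to not let them traverse directories to the rest of the OS". The following is an added example, not code from the thread or from OpenSSH: a small parser for sshd_config (case-insensitive keywords, `Match` blocks, first occurrence wins, as sshd(8) documents) and an audit that checks both goals against it. The two sample configs are constructed for illustration; the group name `sftponly` and the path `/srv/sftp/%u` are assumptions, not anything from the thread.

```python
"""Added example (not from the thread): audit an sshd_config for key-only logins and a
chrooted, SFTP-only group.  Both sample configs below are constructed for illustration."""
import re

WEAK_CONFIG = """
# constructed example: a stock-looking config with the problems the thread warns about
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

HARDENED_CONFIG = """
# constructed example: keys only, and friends confined to an SFTP jail
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Subsystem sftp internal-sftp

# sshd requires the ChrootDirectory itself to be owned by root and not writable by
# group or other; put the writable shared folder in a subdirectory of it.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
"""

_KEYVAL = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")   # 'Keyword value' or 'Keyword=value'


def parse_sshd_config(text):
    """Return (global_opts, match_blocks).  Keywords are case-insensitive, and when a
    keyword repeats within a scope the first one wins, as in sshd(8).  A Match line
    opens a block (criteria string, options) that runs until the next Match line."""
    global_opts, blocks = {}, []
    scope = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEYVAL.match(line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        key = key.lower()
        if key == "match":
            scope = {}
            blocks.append((value, scope))
            continue
        scope.setdefault(key, value)
    return global_opts, blocks


def _option(opts, key, default):
    return opts.get(key, default).lower()


def audit_sshd_config(text, sftp_group="sftponly"):
    """Return a list of findings; an empty list means both goals are met.  Defaults
    used for absent keywords are the sshd(8) defaults."""
    findings = []
    g, blocks = parse_sshd_config(text)
    if _option(g, "passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': logins can be brute-forced")
    if _option(g, "challengeresponseauthentication", "yes") != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': PAM can still prompt for a password")
    if _option(g, "pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled: nothing is left but passwords")
    if _option(g, "permitrootlogin", "prohibit-password") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows password logins for root")

    jail = next((opts for crit, opts in blocks
                 if crit.lower().split() == ["group", sftp_group.lower()]), None)
    if jail is None:
        findings.append(f"no 'Match Group {sftp_group}' block: members would get a full shell")
        return findings
    if "chrootdirectory" not in jail:
        findings.append("SFTP group has no ChrootDirectory: users can browse the whole filesystem")
    if _option(jail, "forcecommand", "") != "internal-sftp":
        findings.append("SFTP group lacks 'ForceCommand internal-sftp': a shell or scp is still possible")
    for key, default in (("allowtcpforwarding", "yes"), ("allowagentforwarding", "yes"),
                         ("x11forwarding", "no"), ("permittunnel", "no")):
        if _option(jail, key, default) != "no":
            findings.append(f"{key} is not 'no' for the SFTP group: users could tunnel into the LAN")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against `/etc/ssh/sshd_config` on the box before opening the port forward; `sshd -t` still has the final say on syntax, and the ownership rule on the chroot target is enforced by sshd at login time, not by this script.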

Thank you again for all the replies and help. I'm still working out security risks and such. I now realize with just a web server on a VPS how much I'm in over my head. For example, I'm pretty sure the file permissions on my server are wrong, as I think I'm giving the "other" group read/write. Yeah, I need to take another look at that.


If you have the money, just register a domain name with someone like Dreamhost, upload files to a specific folder, and make it htpasswd'd off from the public and give friends the username and password to the directory. This way, files aren't stored at your home machine, and if you ever need access, you can do so from anywhere on the web without having to put your home network at risk.


You guys are awesome! I forgot about this little post. It's actually pretty trivial (and insecure in a DMZ, although you can password protect the share). All you would have to do is modify a config file and chmod 777 a directory to share files across a network, basically. Of course it's possible to go nuts and include subnets and passwords, but it's not the way to go to share files securely, especially on a public network. SFTP would be the way to go imho. Thanks!


Should never leave anything chmod 777. Directories should not need to be more than 0755 and files 0644 for read only. 777 is read, write and execute, for anyone.

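The "chmod 777" habit above is the kind of thing that quietly survives in a share directory long after the setup is done. As an added example (not code from the thread), the script below walks a directory tree, flags every directory or file that grants more than the 0755/0644 the post recommends (group or world write, execute on plain files, setuid/setgid/sticky), and optionally fixes them. `demo()` builds a throwaway directory with constructed sample files to show it working; the file names in it are invented.

```python
"""Added example (not from the thread): find and fix over-permissive modes in a share
directory, using 0755 for directories and 0644 for files as the post recommends."""
import os
import stat
import tempfile


def recommended_mode(st_mode: int) -> int:
    """0755 for a directory (it needs x to be traversed), 0644 for anything else."""
    return 0o755 if stat.S_ISDIR(st_mode) else 0o644


def audit_tree(root: str):
    """Return [(path, current_mode, recommended_mode)] for every directory and regular
    file under root whose mode sets any bit the recommendation does not grant.
    Symlinks are skipped because their own mode bits are meaningless."""
    findings = []
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        current = stat.S_IMODE(st.st_mode)
        wanted = recommended_mode(st.st_mode)
        if current & ~wanted:          # e.g. 0777 & ~0755 == 0022: group/world write
            findings.append((path, current, wanted))
    return findings


def fix_tree(root: str, dry_run: bool = True):
    """Apply the recommended modes; with dry_run=True just report what would change."""
    changes = audit_tree(root)
    if not dry_run:
        for path, _current, wanted in changes:
            os.chmod(path, wanted)
    return changes


def demo():
    """Build a throwaway share with the 'chmod 777' mistake, fix it, and re-audit.
    Returns (what was changed, findings remaining afterwards)."""
    with tempfile.TemporaryDirectory() as share:
        sub = os.path.join(share, "photos")
        os.mkdir(sub)
        for name in ("readme.txt", os.path.join("photos", "cat.jpg")):
            with open(os.path.join(share, name), "w") as fh:
                fh.write("constructed sample content\n")
        os.chmod(share, 0o755)
        os.chmod(sub, 0o777)                                    # the mistake
        os.chmod(os.path.join(share, "readme.txt"), 0o644)      # already fine
        os.chmod(os.path.join(sub, "cat.jpg"), 0o777)           # the mistake again
        before = fix_tree(share, dry_run=False)
        after = audit_tree(share)
        return ([(os.path.relpath(p, share), oct(c), oct(w)) for p, c, w in before],
                after)


if __name__ == "__main__":
    changed, remaining = demo()
    for rel, current, wanted in changed:
        print(f"{rel}: {current} -> {wanted}")
    print("remaining findings:", remaining)
```

For a real share, run `fix_tree("/srv/share")` first with the default `dry_run=True` and read the list; the group-write case the SFTP post relies on (a folder chgrp'd to the friends' group) would be flagged here too, so exempt that directory deliberately rather than loosening the recommendation.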
