Wednesday, 28 November 2018

Hardening Samba

This post details how you can set up your Samba server to be a bit more resilient than the defaults.

The Samba server security page gives information on using the hosts allow/deny directives, interface binding configuration, and keeping up-to-date, so I'm not going to mention those things here.

I am however going to jump into a few other directives.

First of all, there's no good reason to give out the server's version, so my server replies with "Samba".

I mandate SMB2 as the minimum required protocol, and enforce signing. I really recommend you do this and so does Microsoft. Without mandating signing you are leaving yourself open to man-in-the-middle attacks. These settings will work with clients on Windows 7 and newer, and any non-ancient Linux/macOS.

I'm using the "standalone server" server role, so I can disable NetBIOS completely, and without NetBIOS and SMB1 there's no need to listen on anything other than TCP/445.

Here are smb.conf server directives to get you started with those changes:

        server string = Samba
        disable netbios = Yes
        server min protocol = SMB2
        smb ports = 445
        server signing = required

In addition to the above, you should consider disabling anonymous authentication.

With anonymous authentication enabled (the default), anyone can specify a blank user and password to view shares and other information, and talk to IPC$:

user@client:~$ smbclient -m SMB2 -L server -U ''
Enter 's password:

        Sharename       Type      Comment
        ---------       ----      -------
        share           Disk
        IPC$            IPC       IPC Service (Samba)
Connection to jupiter failed (Error NT_STATUS_CONNECTION_REFUSED)
NetBIOS over TCP disabled -- no workgroup available

To disable this, you can set restrict anonymous in smb.conf:

        restrict anonymous = 2

Restart Samba:

admin@server:~$ sudo systemctl restart smbd

You'll now be denied if you use blank credentials:

user@client:~$ smbclient -m SMB2 -L server -U ''
Enter 's password:
tree connect failed: NT_STATUS_ACCESS_DENIED

One other thing I'll mention is my tendency to add a "valid users" line to each share, and whitelist just the users/groups requiring permission.

Thanks for reading!

No comments:

Post a Comment