The Samba server security page gives information on using the hosts allow/deny directives, interface binding configuration, and keeping up-to-date, so I'm not going to mention those things here.
I am however going to jump into a few other directives.
First of all, there's no good reason to give out the server's version, so my server replies with "Samba".
I mandate SMB2 as the minimum required protocol, and enforce signing. I really recommend you do this and so does Microsoft. Without mandating signing you are leaving yourself open to man-in-the-middle attacks. These settings will work with clients on Windows 7 and newer, and any non-ancient Linux/macOS.
I'm using the "standalone server" server role, so I can disable NetBIOS completely, and without NetBIOS and SMB1 there's no need to listen on anything other than TCP/445.
Here are smb.conf server directives to get you started with those changes:
[global]
server string = Samba
disable netbios = Yes
server min protocol = SMB2
smb ports = 445
server signing = required
In addition to the above, you should consider disabling anonymous authentication.
With anonymous authentication enabled (the default), anyone can specify a blank user and password to view shares and other information, and talk to IPC$:
user@client:~$ smbclient -m SMB2 -L server -U ''
Enter 's password:
Sharename Type Comment
--------- ---- -------
share Disk
IPC$ IPC IPC Service (Samba)
Connection to server failed (Error NT_STATUS_CONNECTION_REFUSED)
NetBIOS over TCP disabled -- no workgroup available
To disable this, you can set restrict anonymous in smb.conf:
[global]
restrict anonymous = 2
Restart Samba:
admin@server:~$ sudo systemctl restart smbd
You'll now be denied if you use blank credentials:
user@client:~$ smbclient -m SMB2 -L server -U ''
Enter 's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
One other thing I'll mention is that I add a "valid users" line to each share, listing only the users and groups that actually need access to it.
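As an added example (not part of the original post, and not a Samba tool), here is a small Python checker that parses an smb.conf and reports which of the settings discussed above are missing or weak: the version-leaking default "server string" (Samba's default is "Samba %v"), an SMB1 minimum dialect, optional signing, NetBIOS left on, port 139 still listened on, anonymous access allowed, and shares without a "valid users" allow-list. It assumes the documented smb.conf syntax (section headers, "name = value" lines, "#"/";" comments, parameter names that are case- and whitespace-insensitive) and runs against two constructed configs: a near-default one and the hardened one from this post. The share name, path and group in them are made up.

```python
"""Offline audit of smb.conf against the hardening advice in this post.

Added example, not Samba's own code. Assumes standard smb.conf syntax;
'include' and backslash line continuations are not handled.
"""

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
TRUE_VALUES = {"yes", "true", "1"}


def _norm(name):
    # Samba ignores case and whitespace in parameter names
    return "".join(name.lower().split())


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalized_param: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a section; ignored here
        key, _, value = line.partition("=")
        sections[current][_norm(key)] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return a list of findings; an empty list means the config matches the advice."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []

    # Version disclosure: the default server string is "Samba %v" (%v = version)
    ss = g.get("serverstring")
    if ss is None or "%v" in ss:
        findings.append("server string: leaks Samba version (default 'Samba %v')")

    # Minimum dialect: any SMB1 dialect is a finding; unset depends on Samba version
    minp = g.get("serverminprotocol")
    if minp is None:
        findings.append("server min protocol: not set (default depends on Samba version)")
    elif minp.lower() in SMB1_DIALECTS:
        findings.append(f"server min protocol: SMB1 dialect '{minp}' still allowed")

    # Signing must be mandatory, otherwise traffic can be tampered with in transit
    if g.get("serversigning", "").lower() not in {"required", "mandatory"}:
        findings.append("server signing: not required")

    if g.get("disablenetbios", "").lower() not in TRUE_VALUES:
        findings.append("disable netbios: NetBIOS still enabled")

    # Samba's default is "445 139"; only 445 should remain
    ports = g.get("smbports", "")
    if set(ports.replace(",", " ").split()) != {"445"}:
        shown = ports or "(default: 445 139)"
        findings.append(f"smb ports: expected only 445, got {shown}")

    if g.get("restrictanonymous") != "2":
        findings.append("restrict anonymous: anonymous share listing / IPC$ access allowed")

    for name, params in conf.items():
        if name != "global" and "validusers" not in params:
            findings.append(f"[{name}]: no 'valid users' allow-list")
    return findings


# Constructed sample: roughly what a fresh install looks like
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   server string = Samba %v
   server min protocol = NT1

[share]
   path = /srv/share
   read only = no
"""

# Constructed sample: the directives from this post plus a per-share allow-list
HARDENED_CONF = """
[global]
   server string = Samba
   disable netbios = Yes
   server min protocol = SMB2
   smb ports = 445
   server signing = required
   restrict anonymous = 2

[share]
   path = /srv/share
   valid users = @staff
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in audit_smb_conf(conf) or ["no findings"]:
            print("  " + finding)
```

Run it against your own file with audit_smb_conf(open("/etc/samba/smb.conf").read()) after a config change; it complements testparm, which validates syntax but does not judge whether the values are safe.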
Thanks for reading!