#1 2010-11-23 02:48:50

jlacroix
Member
Registered: 2009-08-16
Posts: 576

[SOLVED] Securing Samba

Hello everyone. I'm putting this in the beginners section because I'm having a hard time figuring this out and I think this is probably something I should know by now but I need some help.

Anyway, here is the scenario. I run an all Archlinux household. (Four machines). Each machine has a static IP. I use Samba because I fix Windows computers for a living (90% of the time the tasks I'm asked to do are virus removals) and sometimes I need to share files between them. However, I'm concerned that the files on my Samba shares may one day get infected by a Windows virus, so I wanted to restrict access to them from the Windows machines. From this forum, I came up with this smb.conf:

[global]
server string = J's Laptop
workgroup = LITTLEBIGPLANET
security = share
hosts allow = 172.16.254.11 172.16.254.12 172.16.254.13 172.16.254.14 127.0.0.1
include = /etc/samba/smbshared.conf

wins support = no

In that example, the IPs of all of my machines are listed, and ONLY those machines can access each other's shares. That part is working. However, I totally forgot about my /images share, that I need the Windows machines to be able to access, so that I can image their hard drives with Clonezilla. Since my clients' computers get a DHCP address, they won't get through to the /images share. I don't want to give the clients' computers a static IP, because then I'd have to change it back when done, and I'd likely forget.

It seems like security with Samba is all-or-nothing, so I ask this: Is there a way I can ensure my Samba shares can't get infected by Windows viruses? Perhaps I'm just worrying for nothing? Is there a way to restrict access to some shares by IP, though allow others? It seems that Samba only allows restricting access on a global level, not on individual shares.

Any help is appreciated.

Last edited by jlacroix (2010-11-24 03:09:05)

#2 2010-11-23 11:11:49

dschrute
Member
From: NJ, USA
Registered: 2007-04-09
Posts: 183

Re: [SOLVED] Securing Samba

The "hosts allow" parameter is valid at both the [global] and [share] level. So you can simply move it out of [global] and into the share section(s) you want to protect. So something like:

[global]
server string = J's Laptop
workgroup = LITTLEBIGPLANET
security = share
include = /etc/samba/smbshared.conf

wins support = no

[protected_share]
path = /someplace/safe
writable = yes
printable = no
hosts allow = 172.16.254.11 172.16.254.12 172.16.254.13 172.16.254.14 127.0.0.1

[images]
path = /images
public = yes
writable = no
printable = no

[another_share]
...

Check out the smb.conf man page for more info, and maybe look into something other than share level security.  Samba is really pretty flexible when you get into it.

EDIT
I haven't tested this, so I don't know if you need to also deny specific hosts for a given share.  Check the hosts allow and deny hosts section(s) of the smb.conf man page.  I know you can do what you want, I'm just not sure of the exact recipe...

Last edited by dschrute (2010-11-23 11:53:44)

#3 2010-11-23 14:27:36

jlacroix
Member
Registered: 2009-08-16
Posts: 576

Re: [SOLVED] Securing Samba

dschrute wrote:

The "hosts allow" parameter is valid at both the [global] and [share] level. So you can simply move it out of [global] and into the share section(s) you want to protect. So something like:

[global]
server string = J's Laptop
workgroup = LITTLEBIGPLANET
security = share
include = /etc/samba/smbshared.conf

wins support = no

[protected_share]
path = /someplace/safe
writable = yes
printable = no
hosts allow = 172.16.254.11 172.16.254.12 172.16.254.13 172.16.254.14 127.0.0.1

[images]
path = /images
public = yes
writable = no
printable = no

[another_share]
...

Check out the smb.conf man page for more info, and maybe look into something other than share level security.  Samba is really pretty flexible when you get into it.

EDIT
I haven't tested this, so I don't know if you need to also deny specific hosts for a given share.  Check the hosts allow and deny hosts section(s) of the smb.conf man page.  I know you can do what you want, I'm just not sure of the exact recipe...

Thank you, I'll try that when I get home. I was hoping there was a way I could block IP addresses to certain shares to 172.16.254.100 and above (my DHCP range). Is there any way to do that?

#4 2010-11-23 14:43:05

skunktrader
Member
From: Brisbane, Australia
Registered: 2010-02-14
Posts: 1,543

Re: [SOLVED] Securing Samba

#5 2010-11-23 14:45:24

jlacroix
Member
Registered: 2009-08-16
Posts: 576

Re: [SOLVED] Securing Samba

skunktrader wrote:

No, unfortunately not. As soon as I did that I ran into this new problem, where my /images share was blocked as well, and that is one I need to have complete access to, whereas the other shares I don't.

#6 2010-11-23 15:12:18

dschrute
Member
From: NJ, USA
Registered: 2007-04-09
Posts: 183

Re: [SOLVED] Securing Samba

The man page for smb.conf that I referenced above gives the solution. You can use both hosts allow and hosts deny. It's all there for you to read, in pretty clear examples.
http://www.samba.org/samba/docs/man/man … HOSTSALLOW

#7 2010-11-23 15:16:33

jlacroix
Member
Registered: 2009-08-16
Posts: 576

Re: [SOLVED] Securing Samba

dschrute wrote:

The man page for smb.conf that I referenced above gives the solution. You can use both hosts allow and hosts deny. It's all there for you to read, in pretty clear examples.
http://www.samba.org/samba/docs/man/man … HOSTSALLOW

I already read that, but it didn't answer my questions, hence this topic. Sometimes I need a little hand holding with certain things. I reread the entire section, and it does not explicitly state that you can use hosts allow in a share, nor does it give examples of using hosts allow within a share. Further, it doesn't state in there how to deny access to a range of IP addresses.
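
Added example, not part of the original thread: the question above about denying "172.16.254.100 and above" comes down to splitting that range into address/netmask blocks, the form the smb.conf man page documents for hosts allow and hosts deny. This Python sketch does the split and checks that none of the four static machines fall inside it; the .255 upper bound and all function names are assumptions made for the example.

```python
"""Added example: build a Samba `hosts deny` value for a DHCP range."""
import ipaddress

# Addresses taken from the thread. The .255 upper bound is an assumption
# ("172.16.254.100 and above" read as the rest of a /24).
STATIC_HOSTS = ["172.16.254.11", "172.16.254.12", "172.16.254.13", "172.16.254.14"]
DHCP_FIRST, DHCP_LAST = "172.16.254.100", "172.16.254.255"


def range_to_blocks(first, last):
    """Return the smallest list of networks covering first..last exactly."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad range {first}-{last}")
    return list(ipaddress.summarize_address_range(lo, hi))


def hosts_deny_value(blocks):
    """Render the blocks as space-separated address/netmask entries."""
    return " ".join(b.with_netmask for b in blocks)


def is_denied(ip, blocks):
    """True if ip falls inside any of the denied blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in b for b in blocks)


def check_no_overlap(blocks, trusted):
    """Fail loudly if the deny range would swallow a trusted static host."""
    clash = [ip for ip in trusted if is_denied(ip, blocks)]
    if clash:
        raise ValueError(f"deny range covers trusted hosts: {clash}")


if __name__ == "__main__":
    blocks = range_to_blocks(DHCP_FIRST, DHCP_LAST)
    check_no_overlap(blocks, STATIC_HOSTS)
    # Line to paste into each share that DHCP clients must not reach.
    print("hosts deny =", hosts_deny_value(blocks))
```

The printed line belongs in the sections of the shares to protect and stays out of [images]. Running testparm with a hostname and IP address after the config file path reports whether that host would be allowed.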

#8 2010-11-23 18:44:34

madeye
Member
From: Denmark
Registered: 2006-07-19
Posts: 331
Website

Re: [SOLVED] Securing Samba

You could also use iptables to block all addresses except the ones you want to allow. You could even make it only block the ports that samba uses, if you were so minded.

But this of course adds one more package you need to configure.


MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage

#9 2010-11-24 03:08:40

jlacroix
Member
Registered: 2009-08-16
Posts: 576

Re: [SOLVED] Securing Samba

Thanks everyone. I didn't know that the hosts allow feature could be put on a share level. I'm marking this as solved. :)
