
#1 2020-12-17 17:41:27

newsboost
Member
Registered: 2016-07-24
Posts: 157

Public server: Safe to only restrict access to Samba Shares by IP?

Hi,

My question is basically: If I set up a server running Arch Linux, acting as a Samba/SMB/CIFS server, and then expose that (or those) necessary ports to the wide-open internet, then I guess it won't take many seconds/minutes before someone begins to try to hack it and get into it. But what if I buy a fixed IP address from my ISP and do something like this (not sure how to say deny all hosts on the whole internet, except a single IP)? Here's a small piece of what I imagined the smb.conf file could look like (example public IP address used, and the 0.0.0.0 is my way of saying "the whole world"):

hosts deny = 0.0.0.0/24
hosts allow = 147.77.30.51

How secure is this and is it necessary to add other security measures?

Because *if* this is secure, such that nobody except my IP address can "hack" or get into the server, then I have a router running DD-WRT and another running AsusWRT. I think both routers have a startup option to mount a CIFS share on my internal home network, and then I have a single Hikvision security camera which could send all the data up onto the internet (offsite), so I wouldn't have to worry if burglars break into where I live and steal the camera and computers (incl. the hard disk for camera security footage, which then makes the security camera useless)...

Would I need encryption? The problem is that if I need encryption, SSH tunneling or more security, then I think I would need to buy another server which is turned on 24/7/365 and sitting inside my home LAN, "processing the data" (the Hikvision camera itself is really dumb and can't do much by itself). I'm not sure if I want to run another server 24/7/365 just for adding offsite secure footage for a single security camera and for no other reason than that... In that sense, it could be wonderful if the smb.conf trick shown above is sufficient? Or to what extent is it enough? Also, when sending the data onto the internet using CIFS, is the footage then encrypted, or could anyone (or someone) grab the data and watch what's going on inside my home? That's of course private footage, so I'm looking for a cheap, simple solution with adequate security for privacy - if that exists...

Looking forward to hearing what you think, and I hope to avoid having a second server inside the house running 24/7/365 inside the same LAN as the Hikvision camera, in addition to having a public server offsite, where the data is/should be/could be stored... I hope you have some great ideas or relevant input to this problem, thanks!


#2 2020-12-17 18:52:43

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,438

Re: Public server: Safe to only restrict access to Samba Shares by IP?

newsboost wrote:

... and then expose that (or those) necessary ports to the wide-open internet... I imagined the smb.conf-file

I'm not sure if / how that'd be done in the smb.conf, but you should really just configure the firewall for this.  Only allow selected IP addresses access to the relevant ports - that way others would not even be able to detect a running samba server.  There seems to be some debate over whether DROP or REJECT is better for this (my barely-informed opinion is to favor DROP), but in either case, this should be the default, then make an exception for your IP address(es) that are allowed.

newsboost wrote:

Also, by sending the data onto the internet using CIFS is the footage then encrypted

https://wiki.archlinux.org/index.php/Sa … encryption

Last edited by Trilby (2020-12-17 18:55:10)


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman


#3 2020-12-18 02:48:53

newsboost
Member
Registered: 2016-07-24
Posts: 157

Re: Public server: Safe to only restrict access to Samba Shares by IP?

Trilby wrote:
newsboost wrote:

... and then expose that (or those) necessary ports to the wide-open internet... I imagined the smb.conf-file

I'm not sure if / how that'd be done in the smb.conf, but you should really just configure the firewall for this.

Right, exposing ports isn't done via the smb.conf, but via the firewall.

Trilby wrote:

Only allow selected IP addresses access to the relevant ports - that way others would not even be able to detect a running samba server.  There seems to be some debate over whether DROP or REJECT is better for this (my barely-informed opinion is to favor DROP), but in either case, this should be the default, then make an exception for your IP address(es) that are allowed.

Right, DROP is better, agreed. But still, I want "double protection" (if anything fails or if I screw up), so I also want to only allow a specific IP address via the smb.conf. The reason I'm asking these questions is also that I've never tried to mount something except on my LAN - never in my whole life (also when working in companies, I always just mount the CIFS/SMB share over a LAN or via VPN, which gives me access to the LAN). Just wanted to know if there are some different things to consider when exposing a CIFS mount via the internet and not just over a LAN... Seems like it should be just as easy, I just need to consider and be careful that my private stuff doesn't become accessible to hackers/others; this setup is in a sense more risky (but nice with offsite storing of the data, especially in this case with security cameras)...

Trilby wrote:
newsboost wrote:

Also, by sending the data onto the internet using CIFS is the footage then encrypted

https://wiki.archlinux.org/index.php/Sa … encryption

Hmm. Damn. I think both my routers are only capable of SMB2. Just wanted to know if there was something I didn't fully understand... Basically it sounds like what I want is possible, if I could live with sending the security footage out unencrypted... I'm just not happy about sending private unencrypted security camera videos/pictures out on the internet, so it still sounds like I need a local server turned on 24/7/365 to do the encryption, unless either of my routers is capable of mounting a CIFS share via VPN - I'm not completely sure if they can do that... But it sounds like the smb.conf setup is a piece of cake and not difficult... Hm, I'll think about it - thanks for your input.
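The firewall whitelist Trilby recommends, together with the matching smb.conf hosts allow/deny pair newsboost wants as a second layer, as an added example (it is not from the thread or the Arch wiki). Both layers are generated from one IP list so they cannot drift apart; it assumes SMB on tcp/139 and tcp/445 and SSH on tcp/22 from the same whitelisted hosts, and 147.77.30.51 is the placeholder address from the original post.

```shell
#!/bin/sh
# Added example, not from the thread: build both access layers from ONE
# whitelist. Layer 1 is an nftables ruleset with policy drop (Trilby's
# advice); layer 2 is the smb.conf hosts allow/deny pair newsboost wants.
# Assumed: SMB on tcp/139 + tcp/445, SSH on tcp/22 from the same hosts.
# 147.77.30.51 is the placeholder address used in the original post.

SMB_PORTS="139, 445"

# Reject anything that isn't a plain dotted-quad IPv4 address with octets
# in 0..255, so a typo can't silently open the share to the wrong network.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Turn "a b c" into "a, b, c" for the nft set syntax.
join_list() { printf '%s' "$*" | sed 's/ /, /g'; }

# Layer 1: nftables ruleset. Anything not explicitly accepted hits the chain
# policy and is DROPped (no RST, no ICMP), so scanners see no SMB service.
gen_nft_ruleset() {
    [ $# -gt 0 ] || { echo "need at least one client IP" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad IP: $ip" >&2; return 1; }
    done
    cat <<EOF
table inet smb_guard {
    set smb_clients {
        type ipv4_addr
        elements = { $(join_list "$@") }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ip saddr @smb_clients tcp dport { 22, $SMB_PORTS } accept
    }
}
EOF
}

# Layer 2: the matching smb.conf [global] fragment. In Samba the allow list
# takes precedence over the deny list, so "deny ALL, allow these" is safe.
gen_smb_conf_hosts() {
    [ $# -gt 0 ] || return 1
    for ip in "$@"; do valid_ipv4 "$ip" || return 1; done
    cat <<EOF
[global]
    hosts deny = ALL
    hosts allow = 127.0.0.1 $*
    # SMB3 transport encryption would protect the footage in transit, but a
    # camera that only speaks SMB1/SMB2 would be locked out by these two:
    ;server min protocol = SMB3_00
    ;smb encrypt = required
EOF
}

# Stand-alone usage: emit both fragments for the single whitelisted client.
gen_nft_ruleset 147.77.30.51
gen_smb_conf_hosts 147.77.30.51
```

Load the first fragment with `nft -f` and paste the second into smb.conf; the commented-out encryption lines only belong in a setup whose clients all negotiate SMB3.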


#4 2020-12-18 04:24:05

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,237

Re: Public server: Safe to only restrict access to Samba Shares by IP?

Security aside, Samba/CIFS was never designed for WAN networks like the internet. Performance will be... not great... probably terrible. If this is for security camera footage (high bandwidth) then I'd suggest looking for another option. I certainly wouldn't do it this way.

Perhaps a VPN from your server to your home, and the server itself connects to the camera to record/download footage.


#5 2020-12-18 06:36:14

GSMiller
Member
Registered: 2020-11-23
Posts: 75

Re: Public server: Safe to only restrict access to Samba Shares by IP?

newsboost, there are other options, not just samba. Samba is for Windows compatibility.
Do not login with passwords, use keys.
Configure your firewall to make it even safer.


A dog is a man's best friend.


#6 2020-12-18 10:01:43

newsboost
Member
Registered: 2016-07-24
Posts: 157

Re: Public server: Safe to only restrict access to Samba Shares by IP?

fukawi2 wrote:

Security aside, Samba/CIFS was never designed for WAN networks like the internet. Performance will be... not great... probably terrible. If this is for security camera footage (high bandwidth) then I'd suggest looking for another option. I certainly wouldn't do it this way.

Perhaps a VPN from your server to your home, and the server itself connects to the camera to record/download footage.

I don't think what you suggest is possible (making the server connect to the camera). I've checked it now, looked it up. In the settings for the camera, under the "Network Storage" settings, it's required to tell the camera how it should mount a network share, either using SMB or NFS - please see the screenshot I've uploaded to https://ibb.co/X40FnFc (I actually think the lower part of that screenshot, the SNMP, has nothing to do with this, I don't know what it's used for, but the top part is relevant: SMB/NFS)... I think I have around 40-50 mb/s upload, and most of the time the camera will not be transmitting anything (it's using motion detection to only save when movement happens in front of it), because it's a private home and I also have to go to work. So I don't think bandwidth is a problem, but it's something I would monitor, if I solve the encryption problem. Do I misunderstand you about how you would make the server connect to the camera?

Right, now that I think of it: You're right that it should be possible for the server to connect to my home via VPN, and then it'll look like it's a part of my home network. Then I just set up an SMB/CIFS server... That sounds do-able - and secure - so I'm thinking it is possible... With a VPN connection from the server to my firewall, the smb.conf on the server doesn't even need any "hosts allow" / "hosts deny" settings, as I should just make sure the server has an effective firewall that blocks everything... But either the server firewall - or my home router/firewall - needs to expose the necessary ports for making a VPN connection... As there's only one machine on the server (outside my home), I would prefer to open that firewall for a VPN connection. But I'm not sure my DD-WRT/AsusWRT router can both connect via VPN to the server and at the same time mount a CIFS share and expose it on the LAN... hmm..... Interesting...

Trilbyfan wrote:

newsboost, there are other options, not just samba. Samba is for Windows compatibility.
Do not login with passwords, use keys.
Configure your firewall to make it even safer.

I don't see other options than SMB/CIFS and NFS (please see the config screenshot at https://ibb.co/X40FnFc). But I think it's true, as fukawi2 mentioned, that I need a VPN either from the server to my home - or from my home router/firewall to the server, which should then also mount the network share (at least my routers - both of them, I'm pretty sure - can mount a CIFS share if the server were on the LAN side, but now we're talking about first opening a VPN connection from the router to the server on the WAN side, and I'm not sure the routers can do that)... I think in any case, if I decide to expose/open the needed ports for OpenVPN on my home router, then the remote server will look as if it's part of my network and the camera should be able to mount the remote server's network drive. I just have to make sure I don't screw the OpenVPN config up then, or make it so hard to hack that nobody ever gets into my LAN other than myself... hmm.... More stuff to think about, thanks for both your input/ideas :-)

Last edited by newsboost (2020-12-18 10:26:33)


#7 2020-12-18 15:29:54

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,476

Re: Public server: Safe to only restrict access to Samba Shares by IP?

Does the camera support streaming (eg. http) so you could rather record the stream than having the camera upload the data?
(Whether that's a better solution depends on whether you observe your backyard or your bathroom ;-)


#8 2020-12-18 15:46:03

newsboost
Member
Registered: 2016-07-24
Posts: 157

Re: Public server: Safe to only restrict access to Samba Shares by IP?

seth wrote:

Does the camera support streaming (eg. http) so you could rather record the stream than having the camera upload the data?
(Whether that's a better solution depends on whether you observe your backyard or your bathroom ;-)

I think that isn't viable, because then it'll constantly be saving/uploading data instead of relying on the "motion sensor", which ignores everything as long as there isn't any movement in front of the camera. And I don't have cats/dogs or animals, so most of the time the camera should not record/upload anything. I don't know if it supports some http://... stuff, but at least I remember connecting via VLC (video player) - using the RTSP protocol, I think... But I wouldn't be happy with that solution:

1) I think I would require encryption, now that I think of it... My private home and stuff - don't want anyone else peeking into the camera-feed of my home, watching what I'm doing and stuff...

2) Also, because the amount of data to be saved will be gigantic, I think - the network would constantly be uploading data... Better to rely on the CIFS- (or NFS)-uploading, which I think is only active, when the motion detector "sees movement"...

I think the best I currently can come up with is to either use VPN from the WAN server into my LAN (or maybe from my router to the WAN server, if I can make that work)... I don't need to hear details about that, haven't got time to test it now, and if I also need to play with my router(s) that probably begins to become out of scope for the Arch Linux forum. I just wanted to hear if anyone had some config ideas for e.g. "publicly mounted CIFS or NFS network shares" or other security I could implement for an Arch Linux server on the internet, outside my LAN... I've never tried something like this, so this will be my first attempt... Guess I'll just have to begin experimenting, maybe in the Christmas holiday coming up. Anyway, thanks guys for your input/ideas and suggestions, I think I have an idea of what to test and it'll be something along the lines of what I wrote here, I'll cross my fingers and see what happens :-)


#9 2020-12-18 15:54:01

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,438

Re: Public server: Safe to only restrict access to Samba Shares by IP?

newsboost wrote:

... I think I would need to buy another server which is turned on 24/7/365 and sitting inside my home LAN

Perhaps you rejected this option too quickly.  A $5 RPi could do this job quite well (ok $5 is a bit of a trick, it's probably more like $15 once you get the sd card, wires, etc ... but still cheap).

But really, while I'm all for multiple layers of protection, if one layer is rock solid, adding another layer that is flimsy isn't much help: if your firewall is configured properly, that's pretty damned solid, and nothing you can do in your samba configs is going to make a notable increment in security.  So assuming samba is practical over WAN (which I have no experience with and may not be the case based on comments above) I'd just configure the firewall to only allow connections from a couple whitelisted IP addresses and leave it at that.




#10 2020-12-18 16:09:35

progandy
Member
Registered: 2012-05-17
Posts: 5,295

Re: Public server: Safe to only restrict access to Samba Shares by IP?

I think SMB3.0 may be acceptable to use over the internet, it should support encryption. Most devices cannot handle that and only do SMBv1, even routers often are limited to that if they provide file sharing capabilities.

Still, if you are thinking about offsite backup for your video captures, I'd suggest storing a second copy locally as well. Having two copies of important data is always better. That local storage server can then forward the data to your remote location. (Or does the camera already have internal storage?)

Last edited by progandy (2020-12-18 16:18:21)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |


#11 2020-12-18 23:59:10

newsboost
Member
Registered: 2016-07-24
Posts: 157

Re: Public server: Safe to only restrict access to Samba Shares by IP?

Trilby wrote:
newsboost wrote:

... I think I would need to buy another server which is turned on 24/7/365 and sitting inside my home LAN

Perhaps you rejected this option too quickly.  A $5 RPi could do this job quite well (ok $5 is a bit of a trick, it's probably more like $15 once you get the sd card, wires, etc ... but still cheap).

But really, while I'm all for multiple layers of protection, if one layer is rock solid, adding another layer that is flimsy isn't much help: if your firewall is configured properly, that's pretty damned solid, and nothing you can do in your samba configs is going to make a notable increment in security.  So assuming samba is practical over WAN (which I have no experience with and may not be the case based on comments above) I'd just configure the firewall to only allow connections from a couple whitelisted IP addresses and leave it at that.

Hmm, interesting: I had the impression all the RPis were too slow for my temperament... But then I noticed the RPi 4B seems pretty nice: https://magpi.raspberrypi.org/articles/ … benchmarks and http://unixetc.co.uk/2019/07/07/raspber … rld-tests/ seem acceptable... I hate changing my hardware because it's expensive, and every time I do I spend lots of hours researching, so I think the RPi 4B connected with an external hard disk could act as a nice low-power fileserver with adequate up/down transfer speeds, and it looks like I could live with that for some years... Good point about the RPi. The problem is that if burglars come into your house and take all hardware, hard disks etc. - then a security camera is of no use... Maybe I can hide it - it's so small and I do have cabling inside some of my walls... hmm.. Not sure which solution I'll pick now, but good point... Good idea, thanks a lot...

About the firewall: If I decide to go with a solution where data is being uploaded via the internet - preferably encrypted via OpenVPN - I think I would use fixed IP addresses on both ends, so I can block/rule out all other IP addresses - and I would probably also have a specific IP address in the smb.conf, I don't want to risk anything, so multiple security layers are fine by me... I guess it's a matter of taste and who you are. I also have no experience with Samba over WAN, but it's a good idea to consider something involving that RPi... I guess the RPi could also just make an SSH tunnel and solve my encryption worries when transferring private data over the internet... hmmm, need to think and read more about the RPi before I decide.

progandy wrote:

I think SMB3.0 may be acceptable to use over the internet, it should support encryption. Most devices cannot handle that and only do SMBv1, even routers often are limited to that if they provide file sharing capabilities.

Still, if you are thinking about offsite backup for your video captures, I'd suggest storing a second copy locally as well. Having two copies of important data is always better. That local storage server can then forward the data to your remote location. (Or does the camera already have internal storage?)

Right, I also think - from what I've now read - that SMB 3.0 is acceptable over the internet. The problem is that the camera only supports SMB1/SMB2... So I think I need an SSH tunnel (OpenVPN, I guess - it's a good idea with that RPi, I'll strongly consider that, for the VPN tunnel, for the camera)... I think you're right that my router has the same problem, it also probably won't handle SMB3...

About offsite backup considerations: The whole reason I'm asking is also that maybe I can think of something else to do with that offsite fileserver, and competition on the hosting market makes the smallest servers pretty affordable, I think... You're right that I need to store local copies as well; I'm thinking about having a script (possibly involving rsync) run once in a while - not sure if it should be daily, but at least weekly I think - preferably automated, maybe via a cronjob, but that part should be easy when I get there.. Buying the right hardware and figuring out the software setup with secure transfer over the internet is my primary concern, and I have to figure out precisely what I do on my LAN/WAN side... Haven't thought that part completely through yet, though - but for a camera I think the most important thing is that burglars cannot grab the hardware containing the footage... The camera doesn't have internal storage for the same reason: I think if somebody breaks in, it isn't really safe to store the footage inside the camera (unless it were in a highly inaccessible place, but it's very easy to access the camera if people break in here)... I'm guessing if I were a burglar, I would like to get rid of all evidence providing police and law enforcement with proof that I'm the criminal who committed illegal crimes - so getting rid of footage would have a high priority, if I were a burglar... I can feel I'm getting more reluctant to do something involving an RPi 4B, which Trilby suggested... I'm already googling for RPi 4B reviews, need to read more before I make up my mind... I also use encryption for several of my hard disks, and would need to ensure that I wouldn't regret buying the RPi 4B and that I would be happy with it for the coming years...

Thanks for the good suggestions/ideas and feedback, I think I now know which direction to look in...


#12 2020-12-19 02:24:58

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,438

Re: Public server: Safe to only restrict access to Samba Shares by IP?

newsboost wrote:

I had the impression all the RPi's were too slow for my temperament...

Slow?  Processor speed isn't very important for the current task.  The CPU requirements are far far below what even the most limited RPi could do (e.g., either a first gen, or a pi zero which would be my suggestion).  Network throughput will be the limiting factor.  An RPi's networking is just as fast as any server-grade rack mounted hardware connected via the same ISP.

EDIT: before someone gripes, yes high-class rack mount server hardware will often have pretty snazzy NICs with lots of capabilities and capable of blazing speeds.  But if you put them on a home wireless network next to a Pi Zero, they'll both be equally limited by the WAN or local ISP bandwidth.

Last edited by Trilby (2020-12-19 02:28:24)




#13 2020-12-19 17:26:34

newsboost
Member
Registered: 2016-07-24
Posts: 157

Re: Public server: Safe to only restrict access to Samba Shares by IP?

Trilby wrote:
newsboost wrote:

I had the impression all the RPi's were too slow for my temperament...

Slow?  Processor speed isn't very important for the current task.

That's why I wrote "... too slow for *MY* temperament". I might as well make it a fileserver if it has to be turned on 24/7/365. I'm strongly considering - currently researching if I should do it: to buy that RP 4B and connect it via UASP to 1-2 external hard drives I have: https://www.jeffgeerling.com/blog/2020/ … -50-faster (I don't want to consider models slower than the RP 4B, I don't want to be disappointed in 1-2 years and have to upgrade; I'm looking for a solution that lasts longer than 2 years into the future before I have to upgrade or do anything). I have an old Synology DS413J but it's in the process of being sold (it had FTP upload speed around 35 MB/s, download I think is around 65 MB/s, not any higher - it's too slow for me, not worth it anymore I think). I also believe the "413" means it was introduced in the year 2013 - so it's a 7-year-old model; I think I need to upgrade to get at least 50-60 MB/s write speed and preferably >100 MB/s read speed, and I think I read somewhere that the RP 4B could do that via UASP and USB3. Previous models can't do that and don't live up to my expectations, from all I've seen while researching this in the past 1-2 day(s), since that was suggested in this thread...

Sounds like the RP4B with UASP will be good for me for the next couple of years - power consumption is really low, and with adequate read/write network speeds for the RP 4B it sounds like a good deal - with Linux I believe I can also make it act as an OpenSSH server/client (I haven't ever had an RP4 before, but from what I read its features are comparable with many home/small office NAS devices)... Anyway, maybe this is beginning to be off-topic for the Arch Linux forum, but thanks for the comments anyway.

Last edited by newsboost (2020-12-19 17:30:30)


#14 2020-12-21 19:16:18

GSMiller
Member
Registered: 2020-11-23
Posts: 75

Re: Public server: Safe to only restrict access to Samba Shares by IP?

newsboost, even a slow, small, cheap Raspberry Pi can help you greatly.
You do not need CPU to move a lot of data, and data is limited by the network.
If your servers are all Linux, do not use Samba, and use keys, not passwords.


