What exactly is insecure about Samba access over the Internet?

8,250

Solution 1

The SMB protocol allows for unencrypted data transfer once authentication is complete and connections are established. Anyone snooping the wires can intercept the data being transferred back and forth via your share(s).

If you have encrypted transports for your network shares, though, that is mitigated.

Solution 2

No matter whether your Samba is encrypted or not, such a service placed in a public area becomes a subject of interest. I do not think this is what you want. Just use a VPN. With a proper setup your client can use the VPN to access your Samba share and the normal Internet connection for everything else, simultaneously.



Author by haroba

Updated on September 18, 2022

Comments

  • haroba
    haroba over 1 year

    I have a folder on a Linux server that I need to share with a number of different clients all over the country. Some requirements:

    1. The folder needs to be mountable as an ordinary network drive in Windows
    2. The system should not require a great deal of configuration on the clients' side
    3. The share needs to be available at all times

    The first thing that came to mind was using Samba over the Internet. However, having researched this a bit, everyone keeps advising against using Samba over the Internet, instead recommending alternatives such as SSHFS or an SFTP server, which fail one or both of my first two requirements.

    The final alternative that I've seen suggested is setting up a VPN server and making clients connect through the VPN to get access to the Samba share. However, using a VPN either channels all network traffic through my VPN server or forces the user to connect to the VPN server only when they want to access the share, which fails requirement 3 and also makes the share difficult to use for non-technical users.

    This takes me right back to the start -- what exactly is so insecure or otherwise bad about exposing Samba to the Internet, given a good firewall, an IP whitelist in the Samba configuration, and encrypted network transport in Samba?

    • Geoffrey McCosker
      Geoffrey McCosker over 10 years
      Your first requirement is a little odd. Is there an application running on their computers that needs access to data via a specific drive letter? Why can't you provide the data to them via a web server?
    • haroba
      haroba over 10 years
      The application that needs access to the data on each client computer only knows about the drives (or Samba shares without drive letters) that Windows makes available to it, and has no way to interface with the Internet at all.
    • Geoffrey McCosker
      Geoffrey McCosker over 10 years
      I think the solution is to fix the application. Obviously not an answer to your question, but this is a pretty kludgy app. I'm not a developer, but I think you use SOAP or REST for this kind of stuff.
    • haroba
      haroba over 10 years
      It's not an application that I or any of the clients have developed, but a very big content management system that is used by a number of major players, that I unfortunately have absolutely no control over.
  • haroba
    haroba over 10 years
    Is this actually a problem? After all, the passwords can also be encrypted, so what kind of useful data can they snoop on?
  • haroba
    haroba over 10 years
    As far as I understand, if you access the Samba share using "smbclient -e" or the equivalent in newer versions of Windows, everything is encrypted.
  • squillman
    squillman over 10 years
    Sorry, was editing in the last line of my answer as you were commenting. You should also look at server signing, though, to ensure your clients are connecting to your server and not something else pretending to be. I also fixed the typo in my first sentence...
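As an added example (not code from the answers above or from the Samba project), a small linter that parses the [global] section of an smb.conf and flags the settings Solution 1 and the comments discuss: data encryption after authentication (`smb encrypt`), server signing, a minimum protocol version, and an IP whitelist (`hosts allow`). The parameter names are real Samba options; the two configurations and the client addresses in them (documentation ranges) are constructed for the example.

```python
"""Lint a Samba smb.conf for the transport protections an Internet-exposed share needs.
Constructed example, not the Samba project's code."""
import re

def norm(name):  # Samba ignores case and whitespace in parameter names
    return "".join(name.lower().split())

# Real smb.conf parameters and the values acceptable for an exposed share.
WANTED = {
    "smb encrypt": {"REQUIRED", "MANDATORY"},        # encrypt data, not just authentication
    "server signing": {"MANDATORY"},                 # lets clients detect an impostor server
    "server min protocol": {"SMB3", "SMB3_00", "SMB3_02", "SMB3_11"},  # no SMB1/SMB2 fallback
}

def parse_smb_conf(text):
    """Return {section: {norm(param): value}}; lines starting with '#' or ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][norm(key)] = value.strip()
    return sections

def audit_global(conf):
    """Return a list of findings for [global]; an empty list means every check passed."""
    g, findings = conf.get("global", {}), []
    for param, good in WANTED.items():
        val = g.get(norm(param))
        if val is None:
            findings.append(f"{param}: not set, Samba's default does not enforce it")
        elif val.upper() not in good:
            findings.append(f"{param} = {val}: weak, want one of {sorted(good)}")
    if norm("hosts allow") not in g:
        findings.append("hosts allow: not set, any source address may try to authenticate")
    return findings

# Constructed configs: the weak one relies on Samba's defaults, the hardened one does not.
WEAK_CONF = "[global]\n   workgroup = WORKGROUP\n   server signing = auto\n[share]\n   path = /srv/share\n"
HARDENED_CONF = """[global]
   server min protocol = SMB3
   smb encrypt = required
   server signing = mandatory
   hosts allow = 203.0.113.0/24 198.51.100.7
"""
print(*audit_global(parse_smb_conf(WEAK_CONF)), sep="\n")  # the hardened config yields []
```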