On Tue, 30 Apr 2002 09:15:52 +0100 Craig Andrews <craig [at] fishbot.org.uk> wrote:

> On Tuesday 30 April 2002 01:39, you exclaimed:
>
> > All you need is to make sure the router (the box that connects to the
> > internet) isn't part of the MS network, ie. it doesn't run the samba
> > software.
>
> You can get Samba to run on the same machine with a little care. For
> instance, you can configure it to only use one interface, so you can
> tell it to totally ignore the dialup interface.
>
> Also, make sure that all requests on ports 137, 138 and 139 are DENIED
> or REJECTED from the dialup interface, and you should be set. Get a
> friend with a port scanner to check your machine, or use the shields up
> tool on www.grc.com to test if Samba is accessible from the outside
> world.

It is indeed fairly easy to run samba on the internet gateway, and for a dial-up home network probably inconsequential, but it is bad practice nevertheless. The internet gateway should really run the absolute minimum of services, no X11R6, no exported filesystems and preferably no DNS or mail either. This is the reason behind Smoothwall (and other less politically offensive minimal firewalling distributions) - they just do firewalling/routing and not a lot else, giving the intruder the minimum of entry points and tools to use against you.

If smbclient was installed on your gateway (part of the samba suite) and an intruder gained access to the gateway they could very easily find out your network topology and walk through your Windows shares. Once inside he could use ssh to port-forward from his machine directly to 137-139 on the gateway, piercing the firewall and bypassing samba's interface binding as this traffic would appear from 127.0.0.1 on the loopback interface. Maybe I'm paranoid, but an auth exploit was found in OpenSSH recently.

--Andrew

-- 
sparc sun4c stuff : http://www.lostgeneration.freeserve.co.uk/sparc
personal email : bob at lostgeneration dot freeserve dot co dot uk
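The two checks Craig recommends (Samba bound to the LAN interface only, and ports 137-139 dropped on the dial-up link) and the gap Andrew points out (traffic arriving on the loopback interface never passes an interface-keyed firewall rule) can be made concrete in a small script. This is an added example written for this archived message; it is not code from either poster. It assumes the dial-up link is `ppp0`, the LAN side is `eth0`, that the packet filter uses iptables syntax, and the `smb.conf` fragment is constructed for illustration.

```python
"""
Defender-side checks for the Samba-on-gateway advice in the thread.
Example code added to this archived message, not from Craig or Andrew.
Interface names and the smb.conf fragment below are constructed.
"""
import re

NETBIOS_PORTS = (137, 138, 139)   # NetBIOS name, datagram and session services
DIALUP_IF = "ppp0"                # assumption: the dial-up PPP link
LAN_IF = "eth0"                   # assumption: the internal LAN interface

# Constructed smb.conf [global] fragment: Samba listens on the LAN and
# loopback only, which is the binding Craig describes.
SMB_CONF = """\
[global]
   workgroup = HOME
   interfaces = eth0 127.0.0.1/8
   bind interfaces only = yes
"""


def parse_smb_global(text):
    """Return the key/value pairs of the [global] section as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            params[key.strip().lower()] = val.strip()
    return params


def samba_ignores_dialup(conf, dialup=DIALUP_IF):
    """True when Samba binds only to listed interfaces and the dial-up link is not among them."""
    g = parse_smb_global(conf)
    if g.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
        return False
    ifaces = g.get("interfaces", "").split()
    return bool(ifaces) and dialup not in ifaces


# Packet-filter rules as (in_iface, proto, (low_port, high_port), action).
# First match wins; an unmatched packet falls through to ACCEPT.
def dialup_netbios_rules(dialup=DIALUP_IF):
    """Drop NetBIOS/SMB requests that arrive on the dial-up interface."""
    return [(dialup, "tcp", (137, 139), "DROP"),
            (dialup, "udp", (137, 139), "DROP")]


def as_iptables(rules):
    """Render the rule tuples as iptables INPUT-chain commands."""
    return [f"iptables -A INPUT -i {i} -p {p} --dport {lo}:{hi} -j {a}"
            for i, p, (lo, hi), a in rules]


def input_verdict(rules, in_iface, proto, dport):
    """Evaluate one inbound packet against the rule list."""
    for i, p, (lo, hi), action in rules:
        if i == in_iface and p == proto and lo <= dport <= hi:
            return action
    return "ACCEPT"


def loopback_reaches_samba(rules):
    """Andrew's point: rules keyed on the dial-up interface never see
    traffic on lo, so a connection made from the gateway itself (for
    example via an ssh port-forward) reaches Samba unfiltered."""
    return all(input_verdict(rules, "lo", proto, port) == "ACCEPT"
               for proto in ("tcp", "udp") for port in NETBIOS_PORTS)


if __name__ == "__main__":
    rules = dialup_netbios_rules()
    print("\n".join(as_iptables(rules)))
    print("samba ignores dial-up:", samba_ignores_dialup(SMB_CONF))
    print("ppp0 tcp/139 verdict: ", input_verdict(rules, DIALUP_IF, "tcp", 139))
    print("eth0 tcp/139 verdict: ", input_verdict(rules, LAN_IF, "tcp", 139))
    print("lo reaches samba:     ", loopback_reaches_samba(rules))
```

The last check is the one that motivates Andrew's conclusion: both the `interfaces` binding and the `ppp0` rules are keyed on which interface a packet arrives on, so nothing in them applies to traffic originating on the gateway itself. The mitigation the message gives is not a better rule but a smaller gateway, with Samba and smbclient removed from it.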