
Re: [Sheflug] Re: BNC Network Question



On Tue, 30 Apr 2002 09:15:52 +0100
Craig Andrews <craig [at] fishbot.org.uk> wrote:

> On Tuesday 30 April 2002 01:39, you exclaimed:
>
> > All you need is to make sure the router (the box that connects to the
> > internet) isn't part of the MS network, ie. it doesn't run the samba
> > software.
> 
> You can get Samba to run on the same machine with a little care. For 
> instance, you can configure it to only use one interface, so you can
> tell it to totally ignore the dialup interface.
> 
> Also, make sure that all requests on ports 137, 138 and 139 are DENIED
> or REJECTED from the dialup interface, and you should be set. Get a
> friend with a port scanner to check your machine, or use the shields up
> tool on www.grc.com to test if Samba is accessible from the outside
> world.

It is indeed fairly easy to run Samba on the internet gateway, and for a
dial-up home network probably inconsequential, but it is bad practice
nevertheless.

The internet gateway should really run the absolute minimum of services,
no X11R6, no exported filesystems and preferably no DNS or mail either.
This is the reason behind Smoothwall (and other less politically offensive
minimal firewalling distributions) - they just do firewalling/routing and
not a lot else, giving the intruder the minimum of entry points and tools
to use against you.

If smbclient was installed on your gateway (part of the Samba suite) and
an intruder gained access to the gateway they could very easily find out
your network topology and walk through your Windows shares. Once inside he
could use ssh to port-forward from his machine directly to 137-139 on the
gateway, piercing the firewall and bypassing Samba's interface binding as
this traffic would appear from 127.0.0.1 on the loopback interface.

Maybe I'm paranoid, but an auth exploit was found in OpenSSH recently.

--Andrew

-- 
sparc sun4c stuff : http://www.lostgeneration.freeserve.co.uk/sparc
personal email    : bob at lostgeneration dot freeserve dot co dot uk

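An added example, not part of Craig's or Andrew's messages: a constructed smb.conf fragment that pins Samba to the internal interface, a shell check that the dialup interface is not among the bound ones, and the matching packet-filter rules for ports 137-139. The interface names eth0 and ppp0 and the 192.168.0.0/24 range are assumptions; the script prints the iptables rules rather than applying them, since that needs root.

```shell
#!/bin/sh
# Constructed smb.conf fragment (assumed names eth0 / 192.168.0.x, not from
# the thread): Samba bound to the internal NIC only.
SMB_CONF=$(mktemp)
trap 'rm -f "$SMB_CONF"' EXIT
cat >"$SMB_CONF" <<'EOF'
[global]
   workgroup = HOME
   bind interfaces only = yes
   interfaces = eth0 192.168.0.1/24
   hosts allow = 192.168.0.
EOF

# smb_excludes_iface CONF IFACE
#   0: "bind interfaces only" is on and IFACE is absent from "interfaces"
#   1: Samba would listen on every interface (binding off or no list given)
#   2: IFACE is listed explicitly, so Samba listens on the dialup link
smb_excludes_iface() {
    conf=$1; iface=$2
    grep -Eiq '^[[:space:]]*bind interfaces only[[:space:]]*=[[:space:]]*(yes|true|1)' "$conf" || return 1
    ifs=$(grep -i '^[[:space:]]*interfaces[[:space:]]*=' "$conf" | sed 's/^[^=]*=[[:space:]]*//')
    [ -n "$ifs" ] || return 1
    # Only interface names are compared; an address/mask entry for the
    # dialup link would not be caught by this check.
    for i in $ifs; do
        if [ "$i" = "$iface" ]; then return 2; fi
    done
    return 0
}

# netbios_drop_rules IFACE
# Prints netfilter rules that refuse NetBIOS name (137/udp), datagram
# (138/udp) and session (139/tcp) traffic arriving on the dialup link.
# Neither these rules nor the interface binding above see connections
# that arrive via loopback, which is the ssh port-forward case in the mail.
netbios_drop_rules() {
    iface=$1
    for proto in udp tcp; do
        echo "iptables -A INPUT -i $iface -p $proto --dport 137:139 -j DROP"
    done
}

# Stand-alone run: confirm ppp0 (assumed dialup name) is excluded, show rules.
smb_excludes_iface "$SMB_CONF" ppp0 && echo "Samba does not bind ppp0"
netbios_drop_rules ppp0
```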