Re: [Sheflug] Re: BNC Network Question
On Tuesday 30 April 2002 11:08, you exclaimed:

> It is indeed fairly easy to run samba on the internet gateway, and for a
> dial-up home network probably inconsequential, but it is bad practice
> nevertheless.

Indeed it is. It's just a quick, easy (and most of all cheap) way of running
without more machines cluttering up your house :)

I have a particularly tiny residence, and it is hard enough fitting the
machines I have in. My current ideal would be a two NIC laptop sat in the
corner doing this kind of thing (small, but very expensive).

> The internet gateway should really run the absolute minimum of services,

Agreed.

> If smbclient was installed on your gateway (part of the samba suite) and
> an intruder gained access to the gateway they could very easily find out
> your network topology and walk through your Windows shares. Once inside he
> could use ssh to port-forward from his machine directly to 137-139 on the
> gateway, piercing the firewall and bypassing samba's interface binding as
> this traffic would appear from 127.0.0.1 on the loopback interface.

This is why I agreed :) The ability of SMB clients to walk through all hosts
and shares on a network and find out the access rights is very nice in a
confined LAN, but a bit of a security nightmare the second it creeps out. Of
course, up until recently, MS Windows left file and print sharing turned on
for the dial up networking device, which was fun.

> Maybe I'm paranoid, but an auth exploit was found in OpenSSH recently.

Just because you're paranoid doesn't mean they _aren't_ out to get you :)

Craig
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.
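
Added example (not part of Craig's message or the quoted post): a small audit of the situation the quoted text describes, where Samba's interface binding does not cover connections that arrive on the gateway's own loopback address. The sample smb.conf and sshd_config below are constructed, and the function names are hypothetical.

```python
# Constructed sample configs for a gateway; not taken from the thread.
SMB_CONF = """\
[global]
   interfaces = eth1 127.0.0.1
   bind interfaces only = yes
   hosts allow = 192.168.1.
"""
SSHD_CONFIG = """\
Port 22
AllowTcpForwarding yes
"""

def smb_global(text):
    """Return the [global] options of an smb.conf as {normalised key: value}."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts[" ".join(key.lower().split())] = value.strip()
    return opts

def sshd_options(text):
    """Return sshd_config keywords; the first occurrence of a keyword wins."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def audit(smb_text, sshd_text):
    """Report whether smbd is reachable over loopback via an ssh local forward."""
    smb, ssh = smb_global(smb_text), sshd_options(sshd_text)
    bound = smb.get("bind interfaces only", "no").lower() in ("yes", "true", "1")
    ifaces = smb.get("interfaces", "").lower().split()
    # Without "bind interfaces only", smbd listens on every address, loopback included.
    on_loopback = (not bound) or any(i.startswith(("lo", "127.")) for i in ifaces)
    # OpenSSH defaults to "yes"; "no" and "remote" refuse local forwards.
    forwarding = ssh.get("allowtcpforwarding", "yes") in ("yes", "all", "local")
    return {"smbd_on_loopback": on_loopback,
            "ssh_local_forwarding": forwarding,
            "loopback_path_open": on_loopback and forwarding}
```

It checks only the loopback path named in the quote, and ignores sshd Match blocks and Samba include files.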