Re: [Sheflug] Re: BNC Network Question

[Craig Andrews <xxxxx [at] xxxxxxxxxxxxxx>]

On Tuesday 30 April 2002 11:08, you exclaimed:
> It is indeed fairly easy to run samba on the internet gateway, and for a
> dial-up home network probably inconsequential, but it is bad practice
> nevertheless.

Indeed it is. It's just a quick, easy (and most of all cheap) way of running 
without more machines cluttering up your house :)

I have a particularly tiny residence, and it is hard enough fitting the 
machines I have in. My current ideal would be a two NIC laptop sat in the 
corner doing this kind of thing (small, but very expensive).

> The internet gateway should really run the absolute minimum of services,

Agreed.

> If smbclient was installed on your gateway (part of the samba suite) and
> an intruder gained access to the gateway they could very easily find out
> your network topology and walk through your Windows shares. Once inside he
> could use ssh to port-forward from his machine directly to 137-139 on the
> gateway, piercing the firewall and bypassing samba's interface binding as
> this traffic would appear from 127.0.0.1 on the loopback interface.

This is why I agreed :) The ability of SMB clients to walk through all hosts 
and shares on a network and find out the access rights is very nice in a 
confined LAN, but a bit of a security nightmare the second it creeps out. Of 
course, up until recently, MS Windows left file and print sharing turned on 
for the dial up networking device, which was fun.

> Maybe I'm paranoid, but an auth exploit was found in OpenSSH recently.

Just because you're paranoid doesn't mean they _aren't_ out to get you :)

Craig
___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.