On Tue, 30 Apr 2002 14:29:18 +0100
Eric E Moore <e.e.moore [at] sheffield.ac.uk> wrote:

> Andrew Basterfield <list [at] lostgeneration.freeserve.co.uk> writes:
>
> > If smbclient was installed on your gateway (part of the samba suite)
> > and an intruder gained access to the gateway they could very easily
> > find out your network topology and walk through your Windows shares.
>
> Uhh... and if he gains access to the gateway what security do you
> have anyway (unless, of course, all your machines on the "trusted"
> side of the firewall are secure enough to put on the internet
> directly)? If you're relying on a firewall to keep people out, and the
> firewall is compromised, you are pretty much SOL. What's to keep the
> intruder from installing smbclient?

a) I don't share passwords between machines

b) all filesystems on the firewall/gateway are mounted read-only except /var, /tmp and /home which are mounted noexec.

c) my boxes with samba ignore the gateway with the 'hosts deny' directive. The windows boxes can't do this, but then again they don't belong to me so I'm not particularly concerned.

d) I don't run unnecessary services on any of the boxes, and those I do I try to lock down, i.e. on any box ssh will only accept connections from my desktop machine, as I never connect from any other machine.

--Andrew

-- 
sparc sun4c stuff : http://www.lostgeneration.freeserve.co.uk/sparc
personal email : bob at lostgeneration dot freeserve dot co dot uk
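The mount policy in item (b) can be checked mechanically. The script below is an added example, not part of the original message: it audits a mount table in `/proc/mounts` format against that policy. The function names, the constructed sample table and the decision to skip kernel pseudo-filesystems are assumptions.

```shell
#!/bin/sh
# Added example: audit a mount table against the policy in item (b):
# everything read-only except /var, /tmp and /home, which must be noexec.
# Input format is that of /proc/mounts: device mountpoint fstype options dump pass

# has_opt OPTIONS NAME: succeeds if NAME is one of the comma-separated OPTIONS.
# Matching on ",NAME," keeps "exec" from matching inside "noexec".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts: reads mount lines on stdin, prints one line per violation,
# returns non-zero if any violation was found.
audit_mounts() {
    rc=0
    while read -r dev mnt fstype opts _rest; do
        [ -n "$mnt" ] || continue            # ignore blank lines
        case "$fstype" in
            proc|sysfs|devpts) continue ;;   # assumption: pseudo-filesystems are out of scope
        esac
        case "$mnt" in
            /var|/var/*|/tmp|/tmp/*|/home|/home/*)
                has_opt "$opts" noexec || { echo "VIOLATION $mnt: writable area without noexec"; rc=1; }
                ;;
            *)
                has_opt "$opts" ro || { echo "VIOLATION $mnt: not mounted read-only"; rc=1; }
                ;;
        esac
    done
    return $rc
}

# Constructed sample table: /usr is left read-write and /tmp lacks noexec.
SAMPLE_MOUNTS='/dev/hda1 / ext2 ro 0 0
/dev/hda2 /usr ext2 rw 0 0
/dev/hda3 /var ext2 rw,noexec 0 0
/dev/hda5 /tmp ext2 rw,nosuid 0 0
/dev/hda6 /home ext2 rw,noexec,nosuid 0 0
proc /proc proc rw 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts || true
```

On a live gateway the same function can be fed the real table with `audit_mounts < /proc/mounts`, for example from a cron job that mails any output.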