Hi, I have a Debian box connected to the internet by ADSL; on that box I share
internet to all my local network. I also have to share 3 directories with
Samba with full read/write permissions.
My hosts.deny is ALL:ALL and my hosts.allow is ALL:127. AND ALL:192.168.0.
so that I only accept connections from inside my local network.
Here is the problem: I cannot ask for a password to let them write in my
directories because I'm using them as a database location so that my CRM
application connects there, but with this, intruders from outside my network
can write virus programs (and are actually doing it, writing a Xi.exe
program). So, how can I prevent this? Here is my smb.conf:
[global]
log file = /var/log/samba/log.%m
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n
socket options = TCP_NODELAY
obey pam restrictions = yes
null passwords = yes
encrypt passwords = true
passdb backend = tdbsam guest
passwd program = /usr/bin/passwd %u
dns proxy = no
netbios name = Servidor
server string = %h server (Samba %v)
invalid users = root
workgroup = infosys
debug level = 0
os level = 20
syslog = 0
security = share
panic action = /usr/share/samba/panic-action %d
max log size = 1000
[bitacora]
writeable = yes
public = yes
path = /files/bitacora
[comun]
writeable = yes
public = yes
path = /files/comun
[admivi]
writeable = yes
public = yes
path = /files/admivi
Thanks in advance
Rodrigo
Instead of using /etc/hosts.allow and /etc/hosts.deny use the "hosts allow" and "interfaces" directive in the smb.conf.

I use (in smb.conf [global] section):

hosts allow = 192.168.1.0/24 127.0.0.1
interfaces=192.168.1.0/24 127.0.0.1/32

(Replace with your internal network values)

To ensure that only my internal network has access to the samba service.

--
Paul Espinosa pespinosa@sunflowerbroadband.com
IT Supervisor
The World Company 785/312-6912

.----[ Rodrigo Haces wrote ]----
|
| Hi, i have a debian box connected to internet by ADSL, in that box i
| share internet to all my local network, i also have to share 3
| directories with samba with full read/write permissions.
|
| my hosts.deny is ALL:ALL and my hosts.allow is ALL:127. AND
| ALL:192.168.0. so that i only accept connections from inside my local
| network.
|
| Here is the problem, i cannot ask for a password to let them write in my
| directories because im using them as a database location so that my CRM
| application connects there, but with this, intruders from outside my
| network can write virus programs (And are actually doing it, writing a
| Xi.exe program). So, how can i prevent this? here is my smb.conf:
|
| [global]
| log file = /var/log/samba/log.%m
| passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
| *Retype\snew\sUNIX\spassword:* %n\n
| socket options = TCP_NODELAY
| obey pam restrictions = yes
| null passwords = yes
| encrypt passwords = true
| passdb backend = tdbsam guest
| passwd program = /usr/bin/passwd %u
| dns proxy = no
| netbios name = Servidor
| server string = %h server (Samba %v)
| invalid users = root
| workgroup = infosys
| debug level = 0
| os level = 20
| syslog = 0
| security = share
| panic action = /usr/share/samba/panic-action %d
| max log size = 1000
|
| [bitacora]
| writeable = yes
| public = yes
| path = /files/bitacora
|
| [comun]
| writeable = yes
| public = yes
| path = /files/comun
|
| [admivi]
| writeable = yes
| public = yes
| path = /files/admivi
|
| Thank in advanced
| Rodrigo
|
Err, I think this is not a Samba question, it is a security question. But anyhow:

R U N, not walk, to your box and set up a firewall on your system not letting smb-shares to the internet and you should be fine for the first moment.

Then install chkrootkit on that box and run it. I guess it will at least find one rootkit installed. I accidentally had a minimal Debian box a few days running on an ADSL link without firewall and it was rootkitted the first day it ran.

Setting hosts.deny is far far away from making your Debian/Linux box secure if it has an internet connection.

Christoph

Rodrigo Haces wrote:
> Hi, i have a debian box connected to internet by ADSL, in that box i share
> internet to all my local network, i also have to share 3 directories with
> samba with full read/write permissions.
>
> my hosts.deny is ALL:ALL and my hosts.allow is ALL:127. AND ALL:192.168.0.
> so that i only accept connections from inside my local network.
>
> Here is the problem, i cannot ask for a password to let them write in my
> directories because im using them as a database location so that my CRM
> application connects there, but with this, intruders from outside my network
> can write virus programs (And are actually doing it, writing a Xi.exe
> program). So, how can i prevent this? here is my smb.conf:
>
> [global]
> log file = /var/log/samba/log.%m
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
> *Retype\snew\sUNIX\spassword:* %n\n
> socket options = TCP_NODELAY
> obey pam restrictions = yes
> null passwords = yes
> encrypt passwords = true
> passdb backend = tdbsam guest
> passwd program = /usr/bin/passwd %u
> dns proxy = no
> netbios name = Servidor
> server string = %h server (Samba %v)
> invalid users = root
> workgroup = infosys
> debug level = 0
> os level = 20
> syslog = 0
> security = share
> panic action = /usr/share/samba/panic-action %d
> max log size = 1000
>
> [bitacora]
> writeable = yes
> public = yes
> path = /files/bitacora
>
> [comun]
> writeable = yes
> public = yes
> path = /files/comun
>
> [admivi]
> writeable = yes
> public = yes
> path = /files/admivi
>
> Thank in advanced
> Rodrigo
>
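
An added example, not part of any post in this thread: a small Python check for the exposure discussed above, run over a constructed excerpt of the posted smb.conf and over a restricted variant. The function names, the 192.168.0.0/24 values and the "bind interfaces only" line are assumptions; without that parameter, "interfaces" alone does not stop smbd from listening on the ADSL side.

```python
import configparser

# Constructed sample: the exposure-relevant lines of the smb.conf in the post.
POSTED = """
[global]
security = share
[bitacora]
writeable = yes
public = yes
"""

# Assumed fix: the reply's directives on 192.168.0.x plus "bind interfaces only".
RESTRICTED = """
[global]
hosts allow = 192.168.0.0/24 127.0.0.1
interfaces = 192.168.0.0/24 127.0.0.1/32
bind interfaces only = yes
[bitacora]
writeable = yes
public = yes
"""

ON, OFF = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    # Samba ignores case and spaces in parameter names, so normalise them.
    cp.optionxform = lambda key: key.replace(" ", "").lower()
    cp.read_string(text)
    return cp

def flag(section, names, values=ON):
    return any(section.get(n, "").strip().lower() in values for n in names)

def audit(text):
    cp = parse(text)
    g = cp["global"] if cp.has_section("global") else {}
    limited = bool(g.get("hostsallow") or g.get("allowhosts"))
    findings = []
    if not limited:
        findings.append("global: no 'hosts allow'")
    if not (g.get("interfaces") and flag(g, ["bindinterfacesonly"])):
        findings.append("global: smbd listens on every interface")
    for name in (s for s in cp.sections() if s != "global"):
        s = cp[name]
        guest = flag(s, ["public", "guestok"])
        writable = flag(s, ["writeable", "writable", "writeok"]) or flag(s, ["readonly"], OFF)
        if guest and writable and not (limited or s.get("hostsallow")):
            findings.append(f"{name}: guest-writable, no host restriction")
    return findings
```

Calling `audit()` on the text of a real smb.conf returns the list of findings; an empty list means the guest-writable shares are at least limited to the listed hosts and interfaces.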