jmqaodmthr1acosyg at tutanota.com
2018-Oct-19 18:04 UTC
[Samba] How secure is SMB3 over internet?
Hello, How secure is SMB3 over Internet? I see that Microsoft Azure is doing SMB3 shares over internet so they seem to think it's secure. Does the SAMBA team recommend this type of scenario OR do they recommend instead running it over a SSH tunnel/VPN?
On Fri, Oct 19, 2018 at 08:04:59PM +0200, jmqaodmthr1acosyg--- via samba wrote:
> Hello,
> How secure is SMB3 over Internet? I see that Microsoft Azure is doing SMB3 shares over internet so they seem to think it's secure.
> Does the SAMBA team recommend this type of scenario OR do they recommend instead running it over a SSH tunnel/VPN?

So long as you're using SMB3_11 and encrypted transport it's secure.
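The reply above hangs on two conditions: the server must refuse anything older than SMB3_11, and encryption must be enforced rather than merely offered. The script below is an added example for this thread (not code from the poster or from the Samba project) that audits an smb.conf text for exactly those conditions. The parameter names and values are the real smb.conf(5) ones (`server min protocol`, `smb encrypt`, `server signing`); the two sample configs are constructed for illustration. One caveat it checks that people often miss: `smb encrypt` is also a per-share parameter, so a single share can quietly override a global `required`.

```python
"""Audit an smb.conf for the two conditions in the reply above:
SMB3_11 as the protocol floor, and encryption the server actually enforces.
Added example for this thread, not Samba project code. Parameter names and
values are the real smb.conf(5) ones; the sample configs are constructed."""
import configparser
from typing import Dict, List, Set

# What an Internet-facing server should pin in [global]. We insist on the
# explicit SMB3_11 value rather than the bare SMB3 alias so the floor is
# unambiguous when someone reads the file.
REQUIRED: Dict[str, Set[str]] = {
    "server min protocol": {"smb3_11"},
    "smb encrypt": {"required", "mandatory"},   # Samba accepts both spellings
    "server signing": {"mandatory"},
}


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like: [section] headers, 'key = value', ; or # comments."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    # smb.conf keys are case-insensitive and tolerate extra internal spaces.
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    return cp


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means the config meets the bar."""
    cp = parse_smb_conf(text)
    findings: List[str] = []
    glob = cp["global"] if cp.has_section("global") else {}
    for key, ok in REQUIRED.items():
        val = glob.get(key, "").strip().lower()
        if val not in ok:
            findings.append(
                f"[global] {key} = {val or '<unset>'} (want one of {sorted(ok)})")
    # 'smb encrypt' is a per-share (S) parameter as well, so one share can
    # downgrade to plaintext even when [global] says 'required'.
    for section in cp.sections():
        if section == "global":
            continue
        val = cp[section].get("smb encrypt")
        if val is not None and val.strip().lower() not in REQUIRED["smb encrypt"]:
            findings.append(
                f"[{section}] smb encrypt = {val.strip()} overrides the global setting")
    return findings


# Constructed sample: the kind of config that "works" and should never face
# the Internet. NT1 lets SMB1 in, 'desired' only encrypts if the client asks,
# and the [public] share switches encryption off entirely.
WEAK_CONF = """\
[global]
   workgroup = EXAMPLE
   server min protocol = NT1
   smb encrypt = desired

[public]
   path = /srv/public
   smb encrypt = off
"""

# Constructed sample: what the reply above is asking for.
HARDENED_CONF = """\
[global]
   workgroup = EXAMPLE
   server min protocol = SMB3_11
   smb encrypt = required
   server signing = mandatory

[data]
   path = /srv/data
   read only = no
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['ok']}")
```

Run it as-is and the weak config produces four findings while the hardened one produces none. The client side has to match: with `smb encrypt = required` a client that cannot do SMB3 encryption is refused, so Linux clients should mount with `vers=3.1.1,seal` (mount.cifs) and smbclient should be driven with `-m SMB3 -e`. Note that the script only checks the file; it says nothing about the actual Samba version or whether the daemon was reloaded.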
jmqaodmthr1acosyg at tutanota.com
2018-Oct-19 18:31 UTC
[Samba] How secure is SMB3 over internet?
Thanks for the reply. I was checking this with several IT professionals and the consensus was that it should never be exposed over the internet (even SMB3.0) and they all recommended to use it over SSH or VPN. A couple of people said there are more security professionals vetting/using/supporting SSH, which is why they recommend using that. I was just wondering, would this just be the leftover stigma from the SMB1 and SMB2 days?

-- 
Securely sent with Tutanota.

19. Oct 2018 14:17 by jra at samba.org:
> On Fri, Oct 19, 2018 at 08:04:59PM +0200, jmqaodmthr1acosyg--- via samba wrote:
>> Hello,
>> How secure is SMB3 over Internet? I see that Microsoft Azure is doing SMB3 shares over internet so they seem to think it's secure.
>> Does the SAMBA team recommend this type of scenario OR do they recommend instead running it over a SSH tunnel/VPN?
>
> So long as you're using SMB3_11 and encrypted transport
> it's secure.
On 19.10.18 at 20:04, jmqaodmthr1acosyg--- via samba wrote:
> Hello,
> How secure is SMB3 over Internet? I see that Microsoft Azure is doing SMB3 shares over internet so they seem to think it's secure.
> Does the SAMBA team recommend this type of scenario OR do they recommend instead running it over a SSH tunnel/VPN?

I won't even consider it.

Ports 137, 138, 139 and 445 are blocked outgoing here, and any inbound connection on those ports will get your source IP rejected for some seconds on any port over the whole network.

It's in general not wise to expose uncommon public services (common ones being http, ssh, ftp, email) to the web without an SSH tunnel, if only because the next security issue then doesn't bother you that much.

Surely, patches have to be applied anyway, but there is a difference between patching services only reachable within a tunnel and patching exposed services.
On Sat, Oct 20, 2018 at 3:56 AM Reindl Harald via samba <samba at lists.samba.org> wrote:
> Am 19.10.18 um 20:04 schrieb jmqaodmthr1acosyg--- via samba:
> > Hello,
> > How secure is SMB3 over Internet? I see that Microsoft Azure is doing SMB3 shares over internet so they seem to think it's secure.
> > Does the SAMBA team recommend this type of scenario OR do they recommend instead running it over a SSH tunnel/VPN?
>
> i won't even consider it
>
> ports 137,138,139,445 are blocked outgoing here and any inbound
> connection on that ports will reject your source-ip for some seconds on
> any port over the whole network
>
> it's in general not wise to expose uncommon public services (common
> http, ssh, ftp, email) to the web without a ssh-tunnel and if it only
> because the next security issue don't bother you that much
>
> surely, patches have to be applied anyways but there is a difference in
> patch services only reachable within a tunnel and patch exposed services

It's fairly common to expose it over a VPN, but the VPN software typically blocks other outbound traffic from the VPN client, except traffic through the VPN itself.

Part of the difficulty is transitive file sharing. Can you mount a CIFS share on your laptop from home, and expose it directly to the Internet? The answer is "yes", even if CIFS sharing is not transitive, because you can set up a web server or FTP server pretty trivially on top of your locally mounted CIFS share. Or someone else can rootkit you and otherwise expose it. The same kind of transitive exposure should always be a security concern. Also, from experience, as soon as they start exposing fileshares from work to home, or to the Internet at large, they're unlikely to do it safely.

And on Windows boxes, even if you've not deliberately exposed it, the "\\hostname\C$" share is always exposed on any host that does file sharing at all.
Samba servers don't automatically expose their root filesystem, but Windows servers do unless filesharing is turned off altogether. It multiplies the risks of letting SMB anything out through the firewalls.