samba - Oct 2018 - How secure is SMB3 over internet?

Hello,
How secure is SMB3 over Internet? I see that Microsoft Azure is doing SMB3
shares over internet so they seem to think it's secure.
Does the SAMBA team recommend this type of scenario OR do they recommend instead
running it over a SSH tunnel/VPN?

On Fri, Oct 19, 2018 at 08:04:59PM +0200, jmqaodmthr1acosyg--- via samba
wrote:
> Hello,
> How secure is SMB3 over Internet? I see that Microsoft Azure is doing SMB3
shares over internet so they seem to think it's secure.
> Does the SAMBA team recommend this type of scenario OR do they recommend
instead running it over a SSH tunnel/VPN?
So long as you're using SMB3_11 and encrypted transport
it's secure.

Thanks for the reply. I was checking this with several IT professionals and the
consensus was that it should never be exposed over the internet (even SMB3.0)
and they all recommended to use it over SSH or VPN. A couple of people said
there are more security professionals venting/using/supporting SSH which is why
they recommend using that.
I was just wondering, would this just be the leftover stigma from the SMB1 and
SMB2 days?

--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com <https://tutanota.com>

19. Oct 2018 14:17 by jra at samba.org <mailto:jra at samba.org>:

> On Fri, Oct 19, 2018 at 08:04:59PM +0200, jmqaodmthr1acosyg--- via samba
wrote:
>> Hello,
>> How secure is SMB3 over Internet? I see that Microsoft Azure is doing
SMB3 shares over internet so they seem to think it's secure.
>> Does the SAMBA team recommend this type of scenario OR do they
recommend instead running it over a SSH tunnel/VPN?
>
> So long as you're using SMB3_11 and encrypted transport
> it's secure.

Am 19.10.18 um 20:04 schrieb jmqaodmthr1acosyg--- via
samba:
> Hello,
> How secure is SMB3 over Internet? I see that Microsoft Azure is doing SMB3
shares over internet so they seem to think it's secure.
> Does the SAMBA team recommend this type of scenario OR do they recommend
instead running it over a SSH tunnel/VPN?
i won't even consider it

ports 137,138,139,445 ar eblocked outgoing here and any inbound
connection on that ports will reject your source-ip for some seconds on
any prot over the whole network

it's in general not wise to expose uncommon public services (common http,
ssh, ftp, email) to the web without a ssh-tunnel and if it only
because the next security issue don't bother you that much

surely, patches have to be applied anyways but there is a difference in
patch services only reachable withina tunnel and patch exposed services

On Sat, Oct 20, 2018 at 3:56 AM Reindl Harald via samba
<samba at lists.samba.org> wrote:
> Am 19.10.18 um 20:04 schrieb jmqaodmthr1acosyg--- via samba:
> > Hello,
> > How secure is SMB3 over Internet? I see that Microsoft Azure is doing
SMB3 shares over internet so they seem to think it's secure.
> > Does the SAMBA team recommend this type of scenario OR do they
recommend instead running it over a SSH tunnel/VPN?
>
> i won't even consider it
>
> ports 137,138,139,445 ar eblocked outgoing here and any inbound
> connection on that ports will reject your source-ip for some seconds on
> any prot over the whole network
>
> it's in general not wise to expose uncommon public services (common
> http, ssh, ftp, email) to the web without a ssh-tunnel and if it only
> because the next security issue don't bother you that much
>
> surely, patches have to be applied anyways but there is a difference in
> patch services only reachable withina tunnel and patch exposed services
It's fairly common to expose it over a VPN, but the VPN software
typically blocks other outbound traffic from the VPN client, except
traffic through the VPN itself. Part of the difficulty is transitive
file sharing. Can you mount a CIFS share on your laptop from home, and
expose it directly to the Internet? The answer is "yes", even if CIFS
sharing is not transitive, because you can set up a web server or FTP
server pretty trivially. on top of your locally mounted CIFS share. Or
someone else can rootkit you and otherwise expose it. The same kind of
transitive exposure should always be a security concern.

Also, from experience, as soon as they start exposing fileshares from
work to home, or to the Internet at large, they're unlikely to do it
safely. And on Windows boxes, even if you've not deliberately exposed
it, the "\\hostname\C$" share is always exposed on any host that does
file sharing at all. Samba servers don't automatically expose their
root filesystem, but Windows servers do unless filesharing is turned
off altogether. It multiplies the risks of letting SMB anything out
through the firewalls.