[WLUG] Samba security
Joe Landman
joe.landman at gmail.com
Sun Oct 29 11:26:18 EDT 2017
On 10/29/2017 11:13 AM, Jim Irrer wrote:
> I'm looking for advice and opinions. Our department is migrating our
> Linux servers, which are running Samba, to a centralized server
> farm. On a previous conference call they said that they had security
> concerns about running Samba. The call discussed a lot of topics so
> we did not go into detail.
>
> I have another conference scheduled with them and intend to drill into
> this deeper. So my question is, are there legitimate concerns in this
> regard? We will only be exposing Samba on UM's hospital network, and
> it seems like a lot of the risk could be mitigated by using firewalls
> to limit access to a small set of machines. It would also seem that
> Samba is just an implementation of Windows SMB, and if that is already
> being commonly used, then why pick on Samba?

There are still a number of people who prefer Windows in any form over
Linux.

One would think, with the advent of Petya[1] and other worms that have
had a measurable material impact upon health care, manufacturing, etc.
[2][3][4][5], that this would be rapidly changing to focus on securable
systems (Linux etc.).

This said, what I did in a previous life was to run any real Windows
system in a KVM on Linux, with snapshots, on a CoW based file system.
The VM was snapshotted, and the data was snapshotted. This enabled my
users to roll back any nefarious changes.

Even more importantly, we PXE booted from RAM based images, which
prevented any sort of boot sector infections from being applicable.
Basically the systems were hardened by implementation, in such a way
that commonly compromised paths were simply never taken, were disabled
for normal functioning.

It was in this environment we ran Windows Server 201x in a KVM under
Linux. Made for far simpler management, lower pain in general. They can
have their "real" SMB3 server rather than Samba, and we can protect it
in ways Windows could never imagine.

[1] https://www.us-cert.gov/ncas/alerts/TA17-181A
[2] http://www.zdnet.com/article/petya-ransomware-cyber-attack-costs-could-hit-300m-for-shipping-giant-maersk/
[3] https://www.scmagazine.com/notpetya-hangover-impacting-mercks-bottom-line-manufacturing-operations/article/678818/
[4] https://www.marketwatch.com/story/fedex-expects-material-financial-impact-from-petya-cyber-attack-2017-07-17
[5] https://www.theguardian.com/business/2017/jul/06/cyber-attack-nurofen-durex-reckitt-benckiser-petya-ransomware

>
> Any input would be appreciated!
>
> Thanks - Jim
>
> --
> Thanks,
>
> - Jim
>
> Jim Irrer irrer at umich.edu (734) 647-4409
> University of Michigan Hospital Radiation Oncology
> 519 W. William St. Ann Arbor, MI 48103-4943
--
Joe Landman
e: joe.landman at gmail.com
t: @hpcjoe
w: https://scalability.org
g: https://github.com/joelandman
l: https://www.linkedin.com/in/joelandman