[WLUG] Samba security

Joe Landman joe.landman at gmail.com
Sun Oct 29 11:26:18 EDT 2017



On 10/29/2017 11:13 AM, Jim Irrer wrote:
> I'm looking for advice and opinions.  Our department is migrating our 
> Linux servers, which are running Samba, to a centralized server 
> farm.  On a previous conference call they said that they had security 
> concerns about running Samba.  The call discussed a lot of topics so 
> we did not go into detail.
>
> I have another conference scheduled with them and intend to drill into 
> this deeper.  So my question is, are there legitimate concerns in this 
> regard?  We will only be exposing Samba on UM's hospital network, and 
> it seems like a lot of the risk could be mitigated by using firewalls 
> to limit access to a small set of machines.  It would also seem that 
> Samba is just an implementation of Windows SMB, and if that is already 
> being commonly used, then why pick on Samba?

There are still a number of people who prefer Windows in any form over 
Linux.

One would think, with the advent of Petya [1] and other worms that have 
had a measurable material impact upon health care, manufacturing, etc. 
[2][3][4][5], that this would be rapidly changing to focus on securable 
systems (Linux etc.).

This said, what I did in a previous life was to run any real windows 
system in a kvm on linux, with snapshots, on a CoW based file system.  
The VM was snapshotted, and the data was snapshotted.  This enabled my 
users to roll back any nefarious changes.

Even more importantly, we PXE booted from ram based images, which 
prevented any sort of boot sector infections from being applicable. 
Basically the systems were hardened by implementation, in such a way 
that commonly compromised paths were simply never taken, were disabled 
for normal functioning.

It was in this environment we ran windows server 201x in a kvm under 
linux.  Made for far simpler management, lower pain in general. They can 
have their "real" SMB3 server rather than Samba, and we can protect it 
in ways windows could never imagine.



[1] https://www.us-cert.gov/ncas/alerts/TA17-181A
[2] http://www.zdnet.com/article/petya-ransomware-cyber-attack-costs-could-hit-300m-for-shipping-giant-maersk/
[3] https://www.scmagazine.com/notpetya-hangover-impacting-mercks-bottom-line-manufacturing-operations/article/678818/
[4] https://www.marketwatch.com/story/fedex-expects-material-financial-impact-from-petya-cyber-attack-2017-07-17
[5] https://www.theguardian.com/business/2017/jul/06/cyber-attack-nurofen-durex-reckitt-benckiser-petya-ransomware


>
> Any input would be appreciated!
>
> Thanks - Jim
>
> -- 
> Thanks,
>
> - Jim
>
> Jim Irrer irrer at umich.edu <mailto:irrer at umich.edu>      (734) 647-4409
> University of Michigan Hospital Radiation Oncology
> 519 W. William St.             Ann Arbor, MI 48103-4943

-- 
Joe Landman
e: joe.landman at gmail.com
t: @hpcjoe
w: https://scalability.org
g: https://github.com/joelandman
l: https://www.linkedin.com/in/joelandman


