Solved

'Protect' open Samba share

Posted on 2013-12-17
8
445 Views
Last Modified: 2014-01-10
I have an open Samba share on a router (Bt Home Hub 3/4) and intend to use it as a backup target. It's created automatically when a USB stick is inserted into the router. Unfortunately this share is not supported officially and afaik is uncontrollable.

I'm thinking of accessing the share as an rsync destination from Debian running in a VM hosted by Windows 7. I might, in some cases, access the share directly.

The problem is that the share is open, so any share-seeking malware will have an easy time finding and infecting the backup. I want to protect the share but of course i can't do that the 'proper' way - at the Samba server. So i need to protect it 'at the client' and am looking for ideas, both Windows -> Samba server and Linux -> Samba server.
0
Comment
Question by:CEHJ
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 8

Accepted Solution

by:
Surrano earned 265 total points
ID: 39723870
If the share is marked as browsable at the server then I'm afraid there's no way to block people from browsing it. As a workaround far from perfect you may wish to block the access of that samba port on the router side, except for the time window of the backup.

If you want to block from the client side then you could do the same; i.e. set Windows firewall to block access of samba port of the router. I don't think you can set an exception time window in Windows, though.

Alternatively, consider using a custom firmware like openwrt (though I think it's not an option for BT routers)
0
 
LVL 86

Author Comment

by:CEHJ
ID: 39724607
Alternatively, consider using a custom firmware like openwrt (though I think it's not an option for BT routers)
Yes i can assure you, being locked out of my own router (i'm not used to getting locked out of things as i don't use Windows or a Mac ;)) sticks in my craw and i must sort that out some time.
Maybe i'll knock up proper Samba in the shape of a home-made NAS with a RaspberryPi.

But your 'timely firewalling' idea has at least given me something to think about.
0
 
LVL 8

Expert Comment

by:Surrano
ID: 39724679
glad if I could help ^^
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 14

Assisted Solution

by:kronostm
kronostm earned 100 total points
ID: 39726296
If the samba share is on the router, there is no way a client can protect that share.
I do not have means to test if this model of router allows it, but it should: On your router/samba server restrict access to ports 137-139 and 445 to only be allowed from certain IP addresses.
if it would allow direct iptables rules, it should look like this, presuming 192.168.1.0 is your own network:
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 137 -j DROP
0
 
LVL 86

Author Comment

by:CEHJ
ID: 39726410
I do not have means to test if this model of router allows it, but it should: On your router/samba server restrict access to ports 137-139 and 445 to only be allowed from certain IP addresses.
That's an interesting idea to add to the mix but of course it won't help if say cryptolocker gets onto the box i'm trying to back up. Cryptolocker can sail through to do its nasties on an allowed ip address

The RPi homebrew is looking more and more attractive
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 39771267
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 86

Author Closing Comment

by:CEHJ
ID: 39771268
Thanks folks. Sorry about the delay
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Some sounds stopped working 5 24
Is Fedora an appropriate distro for the environment. 7 93
BgInfo help 5 65
Windows 10 updates being installed on Windows 7?? 20 46
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
By default the complete memory dump option is disabled in windows . If we want to enable the complete memory dump for a diagnostic purpose, we have a solution for it. here we are using the registry method to enable this.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question