Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

'Protect' open Samba share

Posted on 2013-12-17
8
Medium Priority
?
456 Views
Last Modified: 2014-01-10
I have an open Samba share on a router (Bt Home Hub 3/4) and intend to use it as a backup target. It's created automatically when a USB stick is inserted into the router. Unfortunately this share is not supported officially and afaik is uncontrollable.

I'm thinking of accessing the share as an rsync destination from Debian running in a VM hosted by Windows 7. I might, in some cases, access the share directly.

The problem is that the share is open, so any share-seeking malware will have an easy time finding and infecting the backup. I want to protect the share but of course i can't do that the 'proper' way - at the Samba server. So i need to protect it 'at the client' and am looking for ideas, both Windows -> Samba server and Linux -> Samba server.
0
Comment
Question by:CEHJ
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 8

Accepted Solution

by:
Surrano earned 795 total points
ID: 39723870
If the share is marked as browsable at the server then I'm afraid there's no way to block people from browsing it. As a workaround far from perfect you may wish to block the access of that samba port on the router side, except for the time window of the backup.

If you want to block from the client side then you could do the same; i.e. set Windows firewall to block access of samba port of the router. I don't think you can set an exception time window in Windows, though.

Alternatively, consider using a custom firmware like openwrt (though I think it's not an option for BT routers)
0
 
LVL 86

Author Comment

by:CEHJ
ID: 39724607
Alternatively, consider using a custom firmware like openwrt (though I think it's not an option for BT routers)
Yes i can assure you, being locked out of my own router (i'm not used to getting locked out of things as i don't use Windows or a Mac ;)) sticks in my craw and i must sort that out some time.
Maybe i'll knock up proper Samba in the shape of a home-made NAS with a RaspberryPi.

But your 'timely firewalling' idea has at least given me something to think about.
0
 
LVL 8

Expert Comment

by:Surrano
ID: 39724679
glad if I could help ^^
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
LVL 14

Assisted Solution

by:kronostm
kronostm earned 300 total points
ID: 39726296
If the samba share is on the router, there is no way a client can protect that share.
I do not have means to test if this model of router allows it, but it should: On your router/samba server restrict access to ports 137-139 and 445 to only be allowed from certain IP addresses.
if it would allow direct iptables rules, it should look like this, presuming 192.168.1.0 is your own network:
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 137 -j DROP
0
 
LVL 86

Author Comment

by:CEHJ
ID: 39726410
I do not have means to test if this model of router allows it, but it should: On your router/samba server restrict access to ports 137-139 and 445 to only be allowed from certain IP addresses.
That's an interesting idea to add to the mix but of course it won't help if say cryptolocker gets onto the box i'm trying to back up. Cryptolocker can sail through to do its nasties on an allowed ip address

The RPi homebrew is looking more and more attractive
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 39771267
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 86

Author Closing Comment

by:CEHJ
ID: 39771268
Thanks folks. Sorry about the delay
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we’ll look at how to deploy ProxySQL.
How does someone stay on the right and legal side of the hacking world?
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question