Solved

'Protect' open Samba share

Posted on 2013-12-17
8
443 Views
Last Modified: 2014-01-10
I have an open Samba share on a router (Bt Home Hub 3/4) and intend to use it as a backup target. It's created automatically when a USB stick is inserted into the router. Unfortunately this share is not supported officially and afaik is uncontrollable.

I'm thinking of accessing the share as an rsync destination from Debian running in a VM hosted by Windows 7. I might, in some cases, access the share directly.

The problem is that the share is open, so any share-seeking malware will have an easy time finding and infecting the backup. I want to protect the share but of course i can't do that the 'proper' way - at the Samba server. So i need to protect it 'at the client' and am looking for ideas, both Windows -> Samba server and Linux -> Samba server.
0
Comment
Question by:CEHJ
8 Comments
 
LVL 8

Accepted Solution

by:
Surrano earned 265 total points
ID: 39723870
If the share is marked as browsable at the server then I'm afraid there's no way to block people from browsing it. As a workaround far from perfect you may wish to block the access of that samba port on the router side, except for the time window of the backup.

If you want to block from the client side then you could do the same; i.e. set Windows firewall to block access of samba port of the router. I don't think you can set an exception time window in Windows, though.

Alternatively, consider using a custom firmware like openwrt (though I think it's not an option for BT routers)
0
 
LVL 86

Author Comment

by:CEHJ
ID: 39724607
Alternatively, consider using a custom firmware like openwrt (though I think it's not an option for BT routers)
Yes i can assure you, being locked out of my own router (i'm not used to getting locked out of things as i don't use Windows or a Mac ;)) sticks in my craw and i must sort that out some time.
Maybe i'll knock up proper Samba in the shape of a home-made NAS with a RaspberryPi.

But your 'timely firewalling' idea has at least given me something to think about.
0
 
LVL 8

Expert Comment

by:Surrano
ID: 39724679
glad if I could help ^^
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 14

Assisted Solution

by:kronostm
kronostm earned 100 total points
ID: 39726296
If the samba share is on the router, there is no way a client can protect that share.
I do not have means to test if this model of router allows it, but it should: On your router/samba server restrict access to ports 137-139 and 445 to only be allowed from certain IP addresses.
if it would allow direct iptables rules, it should look like this, presuming 192.168.1.0 is your own network:
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 137 -j DROP
0
 
LVL 86

Author Comment

by:CEHJ
ID: 39726410
I do not have means to test if this model of router allows it, but it should: On your router/samba server restrict access to ports 137-139 and 445 to only be allowed from certain IP addresses.
That's an interesting idea to add to the mix but of course it won't help if say cryptolocker gets onto the box i'm trying to back up. Cryptolocker can sail through to do its nasties on an allowed ip address

The RPi homebrew is looking more and more attractive
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 39771267
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 86

Author Closing Comment

by:CEHJ
ID: 39771268
Thanks folks. Sorry about the delay
0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
While working, an annoying popup showing below will come and we cannot cancel or close it form the screen. The error message will come again and again.
This Micro Tutorial will teach you how to the overview of Microsoft Security Essentials. This is a free anti-virus software that guards your PC against viruses, spyware, worms, and other malicious software. This will be demonstrated using Windows…
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question