Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

'Protect' open Samba share

Posted on 2013-12-17
8
Medium Priority
?
460 Views
Last Modified: 2014-01-10
I have an open Samba share on a router (Bt Home Hub 3/4) and intend to use it as a backup target. It's created automatically when a USB stick is inserted into the router. Unfortunately this share is not supported officially and afaik is uncontrollable.

I'm thinking of accessing the share as an rsync destination from Debian running in a VM hosted by Windows 7. I might, in some cases, access the share directly.

The problem is that the share is open, so any share-seeking malware will have an easy time finding and infecting the backup. I want to protect the share but of course i can't do that the 'proper' way - at the Samba server. So i need to protect it 'at the client' and am looking for ideas, both Windows -> Samba server and Linux -> Samba server.
0
Comment
Question by:CEHJ
7 Comments
 
LVL 8

Accepted Solution

by:
Surrano earned 795 total points
ID: 39723870
If the share is marked as browsable at the server then I'm afraid there's no way to block people from browsing it. As a workaround far from perfect you may wish to block the access of that samba port on the router side, except for the time window of the backup.

If you want to block from the client side then you could do the same; i.e. set Windows firewall to block access of samba port of the router. I don't think you can set an exception time window in Windows, though.

Alternatively, consider using a custom firmware like openwrt (though I think it's not an option for BT routers)
0
 
LVL 86

Author Comment

by:CEHJ
ID: 39724607
Alternatively, consider using a custom firmware like openwrt (though I think it's not an option for BT routers)
Yes i can assure you, being locked out of my own router (i'm not used to getting locked out of things as i don't use Windows or a Mac ;)) sticks in my craw and i must sort that out some time.
Maybe i'll knock up proper Samba in the shape of a home-made NAS with a RaspberryPi.

But your 'timely firewalling' idea has at least given me something to think about.
0
 
LVL 8

Expert Comment

by:Surrano
ID: 39724679
glad if I could help ^^
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
LVL 14

Assisted Solution

by:kronostm
kronostm earned 300 total points
ID: 39726296
If the samba share is on the router, there is no way a client can protect that share.
I do not have means to test if this model of router allows it, but it should: On your router/samba server restrict access to ports 137-139 and 445 to only be allowed from certain IP addresses.
if it would allow direct iptables rules, it should look like this, presuming 192.168.1.0 is your own network:
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 137 -j DROP
0
 
LVL 86

Author Comment

by:CEHJ
ID: 39726410
I do not have means to test if this model of router allows it, but it should: On your router/samba server restrict access to ports 137-139 and 445 to only be allowed from certain IP addresses.
That's an interesting idea to add to the mix but of course it won't help if say cryptolocker gets onto the box i'm trying to back up. Cryptolocker can sail through to do its nasties on an allowed ip address

The RPi homebrew is looking more and more attractive
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 39771267
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 86

Author Closing Comment

by:CEHJ
ID: 39771268
Thanks folks. Sorry about the delay
0

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operating…
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question