Sunday, August 21, 2022

Samba Restrict File Sharing To Particular Users or Network Addresses

https://www.cyberciti.biz/faq/samba-user-network-file-sharing-restictions/

All my local Linux or Unix user accounts are able to log in to my Samba server and access its shares. How do I restrict access to particular users, or to a network subnet such as 192.168.2.0/24?

You can use TCP wrappers to limit access by subnet via:

  1. /etc/hosts.allow – This file lists the hosts which are allowed to use the local INET services, as decided by the /usr/sbin/tcpd server.
  2. /etc/hosts.deny – This file lists the hosts which are NOT allowed to use the local INET services, as decided by the /usr/sbin/tcpd server.
Tutorial details
Difficulty level: Easy
Root privileges: Yes (editing smb.conf and /etc/hosts.allow requires root)
Requirements: Samba server on Linux or Unix
Est. reading time: 2 minutes

For example, to allow access to the smbd service from the LAN only, add to /etc/hosts.allow:

smbd : 192.168.2.

Two caveats. First, tcpd consults /etc/hosts.allow, then /etc/hosts.deny, and permits anything matched by neither, so this line on its own restricts nothing unless /etc/hosts.deny also carries a catch-all deny entry for smbd. Second, a standalone smbd daemon may or may not have been built with TCP wrappers (libwrap) support; if it was not, and smbd is not started through tcpd, these files are never consulted. The smb.conf parameters below are enforced by Samba itself and work regardless of how it was built.

hosts allow: Samba Configuration

Open your smb.conf file and add the following line to [share] to configure host-based share access (put it in [global] instead to apply it to every share):

[share]
  hosts allow = 192.168.2. 127.0.0.1

A trailing dot matches an address prefix; CIDR notation (192.168.2.0/24), address/netmask pairs, single addresses and host names are also accepted. Contrary to what is often assumed, hosts deny does not outrank hosts allow: when both lists are set and a host matches both, the allow list takes precedence, and a host that matches neither list is allowed. Only hosts allow on its own behaves as a strict allow-list. For instance:

[share]
  hosts allow = 192.168.2. 127.0.0.1
  hosts deny = router.sweet.home

Here router.sweet.home is refused only if its address is outside 192.168.2.x; if it is inside that range the allow entry wins. To carve a host out of an allowed range, use the EXCEPT keyword inside hosts allow instead:

[share]
  hosts allow = 192.168.2. 127.0.0.1 EXCEPT 192.168.2.1

valid users: Samba Configuration

Open your smb.conf file and add the following line to [share]. Only the listed users and groups may connect (@group looks the name up as a group; +group restricts the lookup to the UNIX group database); an empty valid users list means any authenticated user:

[share]
  valid users = user1 user2 @group1 @group2

This share-based access control lets you grant or deny access to a share for particular users and groups. The invalid users list is checked before valid users, so a name that appears in both is denied:

[share]
   valid users = +SAMDOM\"Domain Users"
   # block tom
   invalid users = SAMDOM\tom

read only & write list: Samba Configuration

You can also grant read or write access to a set of users with the read list and write list directives. Users on the write list can write even when the share is read only; users on the read list are read-only even when the share is writable; a user on both lists gets write access.

[share]
     read only = yes
     write list = user1 user2 @group1 @group2

Examples

Make the [sales] share read only but allow the users tom and jerry to write to it:

[sales]
     comment = Sales share
     path = /nas/fs/sales
     read only = yes
     write list = tom jerry
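To see the precedence rules above applied end to end, here is an added example (my own code, not cyberciti's and not Samba's) that parses a constructed smb.conf and reports, for a given client address and user, whether Samba's host lists and user lists would admit the connection. It assumes IP-only host entries (host names and @netgroups are not resolved and never match), compares names case-insensitively, and treats the @, + and & group prefixes alike; the share names and lists in SMB_CONF are made up for the example.

```python
"""Model Samba's share-access decision from smb.conf host and user lists.

Added example, not Samba's own code. Assumptions: host entries are matched on
IP only (host names and @netgroups never match), names compare case-insensitively,
and the "@", "+" and "&" prefixes all mean "group".
"""
import configparser
import ipaddress
import re

# Constructed sample smb.conf; [global] lists apply to shares that set none of their own.
SMB_CONF = r"""
[global]
   hosts allow = 192.168.2. 127.0.0.1
[sales]
   read only = yes
   write list = tom jerry
[engineering]
   hosts allow = 192.168.2. EXCEPT 192.168.2.1
   valid users = @engineers bob
   invalid users = bob
   read only = no
   read list = @contractors
[backup]
   hosts allow = 192.168.2.
   hosts deny = 192.168.2.1
[public]
   hosts allow =
   hosts deny = 10.0.0.
[finance]
   valid users = +SAMDOM\"Domain Users"
   invalid users = SAMDOM\tom
"""

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp

def param(cp, share, key, default=""):
    """Share-level setting wins; otherwise fall back to [global], then to the default."""
    for section in (share, "global"):
        if cp.has_option(section, key):
            return cp.get(section, key)
    return default

def split_list(value):
    """Split a Samba list on spaces/commas, keeping quoted names such as SAMDOM\"Domain Users"."""
    tokens = re.findall(r'[^\s,"]*(?:"[^"]*")?[^\s,"]*', value)
    return [t.replace('"', "") for t in tokens if t]

def host_entry_matches(entry, ip):
    if entry.upper() == "ALL":
        return True
    if entry.endswith("."):                      # "192.168.2." is an address prefix
        return str(ip).startswith(entry)
    if "/" in entry:                             # CIDR or address/netmask
        try:
            return ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    try:
        return ip == ipaddress.ip_address(entry)
    except ValueError:
        return False                             # host name / netgroup: not resolved here (assumption)

def list_matches(entries, ip):
    """A list matches if an entry before EXCEPT matches and no entry after it does."""
    upper = [e.upper() for e in entries]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(entries)
    if not any(host_entry_matches(e, ip) for e in entries[:cut]):
        return False
    return not any(host_entry_matches(e, ip) for e in entries[cut + 1:])

def host_allowed(cp, share, client_ip):
    """Samba's rule: the allow list wins over the deny list; a host on neither list is allowed."""
    ip = ipaddress.ip_address(client_ip)
    allow = split_list(param(cp, share, "hosts allow"))
    deny = split_list(param(cp, share, "hosts deny"))
    if allow and list_matches(allow, ip):
        return True
    if deny:
        return not list_matches(deny, ip)
    return not allow                             # allow-only list: unlisted hosts are refused

def name_in_list(entries, user, groups):
    groups = {g.lower() for g in groups}
    for e in entries:
        if e.startswith(("@", "+", "&")):
            if e[1:].lower() in groups:
                return True
        elif e.lower() == user.lower():
            return True
    return False

def user_access(cp, share, user, groups=()):
    """'deny', 'read' or 'write' for an authenticated user whose host already passed host_allowed."""
    if name_in_list(split_list(param(cp, share, "invalid users")), user, groups):
        return "deny"                            # invalid users is checked first
    valid = split_list(param(cp, share, "valid users"))
    if valid and not name_in_list(valid, user, groups):
        return "deny"                            # empty valid users = any authenticated user
    if name_in_list(split_list(param(cp, share, "write list")), user, groups):
        return "write"                           # write list wins over read only and read list
    if name_in_list(split_list(param(cp, share, "read list")), user, groups):
        return "read"
    read_only = param(cp, share, "read only", "yes").strip().lower() in ("yes", "true", "1")
    return "read" if read_only else "write"

def share_access(cp, share, client_ip, user, groups=()):
    """Combined decision: host lists first, then user lists."""
    return user_access(cp, share, user, groups) if host_allowed(cp, share, client_ip) else "deny"

CONF = load_conf(SMB_CONF)

if __name__ == "__main__":
    for share, ip, user, groups in (("backup", "192.168.2.1", "anyone", ()),
                                    ("engineering", "192.168.2.1", "carol", ("engineers",)),
                                    ("sales", "192.168.2.10", "tom", ())):
        print(share, ip, user, "->", share_access(CONF, share, ip, user, groups))
```

host_allowed implements the allow-wins ordering, so [backup] still admits 192.168.2.1 despite listing it in hosts deny, while [engineering] keeps it out with EXCEPT; [public] sets an empty hosts allow to cancel the global list and ends up as a plain deny-list. user_access checks invalid users before valid users and lets write list override read only.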

You can also configure iptables to allow or deny access to the Samba server. See the following pages:

  1. What Ports Need To Be Open For Samba To Communicate With Other Windows/Linux Systems?
  2. Samba: Linux Iptables Firewall Configuration
  3. How to configure Samba to use SMBv2 and disable SMBv1 on Linux or Unix

 

https://serverfault.com/questions/683518/check-if-samba-only-works-locally 

It is probably secure, but there is no guarantee for that.

The samba service runs as a process listening at least on the TCP ports 139 and 445. By default it accepts connections from everywhere.

Your hosts allow/deny parameters only make authentication impossible on these ports; they don't forbid connections to your Samba service, which therefore remains attackable by other methods (for example, a DoS attack, or any possible security hole in your system).

In my opinion, the best and simplest thing you can do is to set up Samba to listen only on your internal network. It can be done with the interfaces setting in your smb.conf. For example, set interfaces = 192.168.1.1/24 if your internal IP is 192.168.1.1 on a /24 subnet.

As an alternative, you can change your firewall settings as well. It depends on your firewall. In the case of iptables, an iptables -A INPUT -j DROP ! -s 192.168.1.0/24 -m multiport -p tcp --dports 139,445 would deny every incoming connection to your Samba service that originates outside your internal network.



 
