Mac as SMB server, accessing files over internet with XP/Vista

Before anyone talks to me about security, here's what I want to do:

On my Mac, I created a "share only" account with password and turned on file sharing w/SMB option checked. I am limiting my file sharing to a few (read only) files that are not "top secret" info.

Here are my questions:

1) Even if the account password is compromised, is there any other damage that a hacker can do beyond downloading the read only files I've shared?

2) Can a Windows user remotely (over the internet) access these files using built-in XP/Vista networking abilities or do they need to download a client program?

3) If I change the public side port number of my Airport Extreme to another number that is forwarded to the SMB port on my Mac, can a remote client indicate the new port number for sending SMB traffic?

4) Are SMB passwords encrypted over the internet? What about FTP or AFP passwords?

Thanks a bunch!
John

Posted on Apr 27, 2009 4:18 PM


Apr 27, 2009 5:15 PM in response to johnthomjr

1: you're opening up a block-level connection path directly into your storage server using a Microsoft-designed storage protocol, connecting into an open-source Samba CIFS server that doesn't offer the full authentication expected by Vista. Hopefully, there are no issues here.

2: Windows includes an SMB client.

3: Donno. I'd tend to assume not, as that sort of detail tends to be hard-wired into clients.

4: Depending which SMB authentication, there are some protections. Not ones I'd personally rely on. AFS can be encrypted, as can AFP. FTP: no. That's wide open.

I don't generally choose to run remote SMB as shares can tend to be slow over many networks, and as I've never been fully comfortable with an open storage-level connection from a remote site via AFP or SMB/CIFS or otherwise. Whether that's a password attack, a protocol-level attack, something that seeks to target and crash the server, or simply sniffing the block traffic to see what wanders past.

Options? Use a Virtual Private Network.

Or run an open link and see what happens.

Apr 28, 2009 7:19 AM in response to MrHoffman

Thanks so much for your response MrHoffman. A quick clarifier:

1) In your response to No. 1, are you saying that a hacker would not have access beyond the shared files if my password was compromised?

I would love to use VPN (I have Leopard Server as well) but after a year of trying I have not been able to get shared files to show up in a Windows client (Mac clients work fine) so I am giving up and going with a less secure (but hopefully easier) access, since the files I am sharing are not sensitive info.

2) I cannot seem to find a place that accepts an SMB remote address in Windows XP (it only allows me to make a connection with VPN or FTP). Any ideas where I would do this?

Thanks again,
John

Apr 28, 2009 8:14 AM in response to johnthomjr

1) In your response to No. 1, are you saying that a hacker would not have access beyond the shared files if my password was compromised?
Allow me to post an analogy: would you hand the end of a USB cable into your disk array to a hacker?

That's basically what you're doing here.

Sure, it might well be secure. We can all hope it is secure.

Given the critical and central nature of the file server within an operating system, I've seldom chosen to expose the file server across a network; I really don't want to find out how far somebody can get. And I really don't want some gremlin tossing bogus packets at my file server.

I prefer to use VPNs where that is an option; some sort of a secure connection. (If you want to scare yourself, go look for some details on the DEFCON Wall Of Sheep. Based on what I see in my log files, some folks really are out to get you, too.)

I would love to use VPN (I have Leopard Server as well) but after a year of trying I have not been able to get shared files to show up in a Windows client (Mac clients work fine) so I am giving up and going with a less secure (but hopefully easier) access, since the files I am sharing are not sensitive info.
Then ask for help with that. Consider using Filezilla via sftp, for instance. Or a Windows WebDAV client.

The Internet is a very unforgiving place. If you do decide to drop your server security, then keep your backups current as that'll be a likely recovery path here should your server become breached.

2) I cannot seem to find a place that accepts an SMB remote address in Windows XP (it only allows me to make a connection with VPN or FTP). Any ideas where I would do this?
Usually mapping to a network drive, IIRC. But best to go ask Microsoft Windows questions in a Windows forum or a Microsoft forum. Or look to replace or upgrade the Windows box, if it's not doing what you need.

Apr 29, 2009 2:56 AM in response to MrHoffman

Further to MrHoffman's excellent replies, johnthomjr: you need to know that most (perhaps not all but nearly so) ISPs *specifically block* smb traffic. It's one of the most hacked(-at) items, it's right up there on the list:

http://www.sans.org/top20/
http://www.sans.org/top20/#s2

(Noting that CIFS = smb, effectively):

"Enable the... Firewall and/or install a 3rd party firewall on the host. Ensure that rules are applied to restrict access to the Windows machine except for those connections that are explicitly required. For example many of these vulnerabilities are found on interfaces offered through CIFS, and blocking ports 139/tcp and 445/tcp is essential for preventing remote attacks."

Also please note (from the same site), "All versions of Unix/Linux/Mac OS Server are potentially at risk from improper and default configurations. All those OS versions may be affected by accounts having weak or dictionary-based passwords for authentication."

It is pretty much de rigueur, industry-standard practice for any & all companies with a competent technology person or staff, to deny external access to company file-services *except and exclusively* via VPN or other secure channels. "File-services" here as differentiated from - for example - web-services intended for, and meant to be publicly accessible.

Apr 29, 2009 9:35 AM in response to davidh

I usually prefer to use a standalone VPN-capable firewall at the network perimeter.

While a firewall is not a panacea and certainly not "magic pixie dust" for providing network security, it's still preferable to have the dictionary attacks and the botnets all occupying themselves at the firewall at the perimeter, rather than consuming cycles and log file space on the production servers. Even the unsuccessful brute-force attacks can fill up your disks, and these can (and variously are used to) obscure the actual attacks.

Most any host-based firewall is reliable, but the box still has to deal with the attacks. That can range from receiving and dropping (and potentially logging) the connection, to receiving an incoming connection from the botnet and performing the (for instance) ssh-related processing on a (hopefully failed) ssh login.

If I happen to punch ssh through the firewall for a particular task, I usually prefer to do that on an "odd" port. As are the SMB/Samba/CIFS attacks, ssh attacks (against the "standard" ports) are also common.
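As an added illustration of MrHoffman's point about dictionary attacks piling up in the logs of an exposed file server (example code written for this page, not from the thread), a small Python check that flags clients with many failed SMB authentications inside a short window. The log lines are constructed for the example and are a simplified form of Samba's auth messages, so the pattern would need adjusting for a real log.smbd.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not captured data), modelled loosely on Samba's
# smbd auth messages and simplified so each line carries the client address.
SAMPLE_LOG = """\
2009/04/29 10:03:12 smbd: Authentication for user [john] from 203.0.113.9 FAILED with error NT_STATUS_WRONG_PASSWORD
2009/04/29 10:03:13 smbd: Authentication for user [admin] from 203.0.113.9 FAILED with error NT_STATUS_NO_SUCH_USER
2009/04/29 10:03:13 smbd: Authentication for user [guest] from 203.0.113.9 FAILED with error NT_STATUS_NO_SUCH_USER
2009/04/29 10:03:14 smbd: Authentication for user [john] from 203.0.113.9 FAILED with error NT_STATUS_WRONG_PASSWORD
2009/04/29 10:03:15 smbd: Authentication for user [john] from 203.0.113.9 FAILED with error NT_STATUS_WRONG_PASSWORD
2009/04/29 10:05:40 smbd: Authentication for user [john] from 192.168.1.20 FAILED with error NT_STATUS_WRONG_PASSWORD
2009/04/29 10:05:52 smbd: Authentication for user [john] from 192.168.1.20 succeeded
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) smbd: Authentication for user "
    r"\[(?P<user>[^\]]*)\] from (?P<ip>\S+) (?P<result>FAILED|succeeded)"
)

def parse_failures(text):
    """Yield (timestamp, client_ip, username) for every failed authentication line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "FAILED":
            yield datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"), m.group("ip"), m.group("user")

def find_bruteforce_sources(text, threshold=5, window_seconds=60):
    """Return {ip: {"failures": total, "users": sorted distinct usernames}} for each
    client that produced at least `threshold` failures within any `window_seconds` span."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        by_ip[ip].append((ts, user))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits inside window_seconds.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(events), "users": sorted({u for _, u in events})}
                break
    return flagged
```

Several distinct usernames from one address within seconds is the dictionary-attack signature the thread describes; a single user fumbling a password from the LAN address is not flagged at the default threshold.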

Apr 29, 2009 10:03 AM in response to MrHoffman

Thanks to both of you for your good advice. I have a firewall at the perimeter (not at the server) and for SSH traffic I have in fact chosen a different port. This works great since most public side SSH clients let you send traffic to a different port, however sending traffic to a different port does not seem to be a possibility with most SMB clients.

I would certainly use SSH for file serving except in Leopard it does not allow me to "sandbox" a client, rather it exposes my whole directory tree--so it is not an option without some tricky Terminal work.

I have sought help for getting my file shares to light up in a Windows client over VPN, but nothing seemed to work. Everyone could connect via VPN and was assigned a proper virtual IP address, but no Windows clients had success seeing the file shares.

Assuming the client is assigned a virtual IP address that matches the domain of the file server and that the file server has SMB services turned on, why wouldn't the share points show up?

(BTW. My original post dealt with Leopard (not Leopard Server). Not sure how it got moved to the Leopard Server forum. However, since we are now talking VPN, I guess it can stay here).

Apr 29, 2009 11:29 AM in response to johnthomjr

Eh? [I don't generally recommend ftp|http://labs.hoffmanlabs.com/node/530] as a general rule, and don't recall making a recommendation in recent times. I tend to prefer to use a VPN. Or sftp.

Once the VPN is established, then you can run whatever protocols are necessary. Whether that is SMB (CIFS) or the wildly-insecure ftp. You can have the menu-bar transparency and ease of use that you want.

Implementing server technologies requires some knowledge of networking and of network security. Start with the presumption that any protocols or servers useful to you are equally or more useful to an attacker, and assume that your servers will get attacked. And that most any non-encrypted protocols are insecure. And that even some encrypted protocols are insecure. And work from there.

As for keeping remote access constrained, I tend to use a crash-and-burn box for that where I can; a drop box or such. (It is possible to set up a write-only ftp drop box server, but that's another discussion.) I'd expect that the sftp server honors the standard file protections and access model, so I'm not sure why you're seeing extra access.

And would a more general discussion of what problems you're looking to solve here be feasible, rather than the discussions of specific tools and features and issues; of proposed solutions? There might well be an alternative or two available, if we know what the general problem requirements are.

Apr 29, 2009 2:25 PM in response to MrHoffman

My post meant to imply that you recommended FTP over VPN, not FTP over internet. Your words: "I've never run remote shares over a VPN as anything other than a test; I've typically used ftp to haul over the files via the VPN, or WebDAV, or (better) a web-based transfer or sftp or such."

My "general" problem as already stated: Getting certain file shares on a Leopard server (either in Leopard OS or Leopard Server OS) to show up in a Windows client.

Observations:

1) SSH/SFTP protocol in Leopard is no good as it will not limit the directory tree to certain folders/files as I would like. Hopefully Snow Leopard will take care of this.

2) AFP, SMB, FTP over internet is not secure as you and a million others have pointed out. However, my original post was merely asking questions about the extent of the risk if the shares are not confidential and the account/files/folders are "read-only". While I understand the specific shares are at risk of being accessed and downloaded (which I do not care if they are), can my whole server be easily compromised given the "read-only" conditions?

3) I can get a Windows client to connect to the server via VPN but folders/files shared on the server via SMB do not show up. Should be a no brainer--connect via VPN (this works), client receives local IP address with same domain as server (this works), files shared on server via SMB are accessible for download (this does not work). Since Leopard Server advertises that this should work with minimal configuration then it should work with minimal configuration. So given that VPN is connected and the XP/Vista client has a local IP address with same domain as server, what other minimal configuration proverbial "switch" have I forgotten to flip?

Apr 29, 2009 4:14 PM in response to johnthomjr

1: I've not seen that; AFAIK sftp honors the standard user protections.

2: Can this read-only stack get compromised? I don't know. If the lowest-level storage protocols are compromised, then your whole storage stack is compromised. I would not do this. I see enough attacks on my servers to presume there are vulnerabilities here. I would accordingly not choose to expose AFP or SMB off of my LAN, and I generally don't expose this beyond the subnet. Do what you want, though. These are your servers and your files, after all.

3: see below.

Setting up a cross-platform cross-network SMB/CIFS share is going to require some debugging, regardless. I've usually punted on this stuff, and used a distributed version control package or web content management package, or through FileZilla and WebDAV and such.

Skimming through the following Microsoft articles might provide you with some insights: [Virtual Private Networks|http://technet.microsoft.com/en-us/network/bb545442.aspx], [Remote access VPN security considerations|http://technet.microsoft.com/en-us/library/cc759686.aspx] and [Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab|http://technet.microsoft.com/en-us/library/cc757206.aspx].

You're going to be splitting the technical audience here with your questions, too. I'm simply not working regularly with Microsoft Windows any more, for instance.

Try the same remote access from a Mac OS X client, too. See if that works.

And these are your servers. There is no certainty with security. Do what you want or need here. Do keep your data archives current, too, as you may (will?) need those if your servers are breached.

Apr 29, 2009 5:34 PM in response to johnthomjr

I migrated most of the content to web content management system (CMS) environments some time ago. That FTP link I posted a while back doesn't exist as an HTML file, for instance. It's database-driven dynamic content. And there are file uploads and downloads and RSS and pings and a host of other capabilities available here with various of the web CMS packages around.
