
Re: How /etc/hosts.allow /etc/hosts.deny and smb.conf play along



Juan is correct. However my two cents - don't rely on hosts.allow and hosts.deny for anything. Just use iptables rules to do this type of thing.

Also, most don't consider samba to be a very secure service (last CVE was only a few weeks ago) so be very careful with this service.

On Apr 26, 2012 5:37 AM, "Juan Sierra Pons" <juan@elsotanillo.net> wrote:
2012/4/26 Tuxoholic <tuxoholic@hotmail.de>:
> hi list
>
> Can somebody explain why smbd and nmbd are not affected by the following
> strict ruleset in /etc/hosts* ?
>
> /etc/hosts
> 127.0.0.1       MYHOSTNAME localhost.localdomain localhost
> 127.0.1.1       MYHOSTNAME
> 192.168.2.10    MYSERVER
>
> cat /etc/hosts.allow
> #ALL: localhost 127.0.1.1 192.168.2.0/24
> ALL: localhost 127.0.1.1 192.168.2.0/32
>
> /etc/hosts.deny
> ALL: ALL
>
> With this ruleset in place nmbd broadcasts still pull through and cifs mounts
> are still possible, whereas ssh/rsh access is no longer possible.
>
> To get rid of nmbd/smbd access I have to tweak smb.conf additionally:
>
> /etc/samba/smb.conf
>
> [global]
>        bind interfaces _only_ = Yes
>        interfaces = 127.0.0.0/8, eth0
>        ;; hosts allow = 192.168.2.0/24, 127.
>        hosts allow = 192.168.2.0/32, 127.
>        hosts deny = ALL
>
> With this smb.conf tweaking it works fine, but why could smbd/nmbd run past
> /etc/hosts.allow and /etc/hosts.deny without those lines in smb.conf?
>
> To my limited CIDR understandig a /32 mask should restrict access to
> 192.168.2.0.0 and 192.168.2.1 - this should be fine for testing purposes.
>
> Once this denies all services I'd set it to /24 to have access to the whole
> "subnet" from 192.168.2.0-192.168.2.255 and 127.0.0.1 127.0.1.1
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/BLU0-SMTP149485F83CD3709473EA7D5D8240@phx.gbl
>
Hi,

My two cents:

I think the problem here is between the tcpwrapper Linux implementation
and the samba package.
Are you running samba as a daemon or from inetd?

I think you are running it as a daemon and I believe (check on the
internet) samba must be compiled in a tcpwrapper friendly way (I don't
know if this is the default)

Running samba from inetd must work OK as inetd is tcpwrapper friendly.

If this doesn't help you, you can try iptables (but your workaround is OK too)

Best regards.

--------------------------------------------------------------------------------------
Juan Sierra Pons                                 juan@elsotanillo.net
Linux User Registered: #257202       http://www.elsotanillo.net
GPG key = 0xA110F4FE
Key Fingerprint = DF53 7415 0936 244E 9B00  6E66 E934 3406 A110 F4FE
--------------------------------------------------------------------------------------


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CABSy9tfVZnzHrho8VFQYWPwtjTdfiOqpmmzRM_+e1UtXLu2Pg@mail.gmail.com
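The thread turns on two separate points: what a tcp_wrappers ruleset like the one quoted above would actually decide for a given client address (including the /32 versus /24 question), and whether a daemon such as smbd consults hosts.allow/hosts.deny at all, which depends on it being linked against libwrap or started from inetd. The script below is an added example written for this page; it is not from the thread, Debian, or Samba. It models tcp_wrappers' evaluation order (hosts.allow first, then hosts.deny, otherwise allow) over the exact ACL lines quoted in the question, reports what a CIDR mask covers, and parses ldd output to check for libwrap. Assumptions: the name "localhost" is resolved statically to 127.0.0.1 so the script runs offline, and the ldd output is constructed sample text, not captured from a real system.

```python
import ipaddress

# Constructed copies of the ACL lines quoted in the thread (not read from disk).
HOSTS_ALLOW = "ALL: localhost 127.0.1.1 192.168.2.0/32"
HOSTS_DENY = "ALL: ALL"

# Assumption: resolve "localhost" statically instead of via the resolver,
# so the example is deterministic and runs offline.
STATIC_NAMES = {"localhost": "127.0.0.1"}

# Constructed sample ldd output for a libwrap-linked and a non-linked binary.
SAMPLE_LDD_WRAPPED = """\
\tlinux-vdso.so.1 (0x00007ffd1b3f0000)
\tlibwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f3c2a1c0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c29dd0000)
"""
SAMPLE_LDD_UNWRAPPED = """\
\tlinux-vdso.so.1 (0x00007ffd1b3f0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c29dd0000)
"""


def parse_acl_line(line):
    """Split 'daemon_list : client_list' into (set of daemons, list of client patterns)."""
    daemons, _, clients = line.partition(":")
    return {d.strip() for d in daemons.split(",")}, clients.split()


def pattern_matches(pattern, addr):
    """Match one client pattern in the forms used on the page:
    ALL, a hostname from STATIC_NAMES, a trailing-dot prefix such as "127.",
    a CIDR or dotted-netmask network, or a single address."""
    ip = ipaddress.ip_address(addr)
    if pattern == "ALL":
        return True
    if pattern in STATIC_NAMES:
        return ip == ipaddress.ip_address(STATIC_NAMES[pattern])
    if pattern.endswith("."):
        # Prefix form: "127." matches every 127.x.x.x address.
        return addr.startswith(pattern)
    if "/" in pattern:
        # ip_network accepts both "192.168.2.0/24" and "192.168.2.0/255.255.255.0".
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def acl_matches(acl_line, daemon, addr):
    """True if the ACL line covers this daemon and any client pattern matches."""
    daemons, clients = parse_acl_line(acl_line)
    if "ALL" not in daemons and daemon not in daemons:
        return False
    return any(pattern_matches(p, addr) for p in clients)


def wrapper_decision(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcp_wrappers order: a hosts.allow match wins, then hosts.deny, else allow."""
    if acl_matches(allow, daemon, addr):
        return "allow"
    if acl_matches(deny, daemon, addr):
        return "deny"
    return "allow"


def cidr_hosts(network):
    """Return (address count, first address, last address) for a CIDR block,
    which makes the /32 versus /24 difference concrete."""
    net = ipaddress.ip_network(network, strict=False)
    return net.num_addresses, str(net.network_address), str(net.broadcast_address)


def links_libwrap(ldd_output):
    """True if the given ldd output shows the binary linked against libwrap.
    A daemon that is neither linked this way nor run from inetd never reads
    hosts.allow/hosts.deny, so those files cannot restrict it."""
    return any(line.strip().startswith("libwrap.so") for line in ldd_output.splitlines())


if __name__ == "__main__":
    for client in ("127.0.0.1", "127.0.1.1", "192.168.2.0", "192.168.2.1"):
        print(f"sshd from {client}: {wrapper_decision('sshd', client)}")
    print("192.168.2.0/32 covers", cidr_hosts("192.168.2.0/32"))
    print("192.168.2.0/24 covers", cidr_hosts("192.168.2.0/24"))
    print("sample smbd linked with libwrap:", links_libwrap(SAMPLE_LDD_WRAPPED))
```

Run as a script it shows that with the /32 rule only 192.168.2.0 itself is allowed and 192.168.2.1 is denied, while /24 covers all 256 addresses from 192.168.2.0 to 192.168.2.255. To apply the libwrap check to a real installation, feed the function the output of `ldd "$(command -v smbd)"`; an empty result is the explanation the thread is looking for, and the smb.conf `hosts allow`/`hosts deny` settings or packet filtering are then the controls that actually apply.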

