
Re: is it rational to close the 139 port



On Sun, 22 Jul 2012 15:59:29 +0800
lina <lina.lastname@gmail.com> wrote:

> On Sun, Jul 22, 2012 at 3:49 PM, Andrei POPESCU
> <andreimpopescu@gmail.com> wrote:
> > On Du, 22 iul 12, 15:41:16, lina wrote:
> >>
> >> Thanks, I don't have a basic understanding of samba; I
> >> will read something about it.
> >> Just a short quick question: is it necessary to keep it?
> >
> > Only you can tell since we don't know what you use/need.
> I felt a bit silly asking, and a bit annoyed at myself for knowing
> so little.
> It seems there is no need to share files with the outside.
> I have rejected all inbound traffic to ports 139 and 445.
> 

These ports should never be open to the Net, or any potentially hostile
computers, as there is a great deal of activity by bots looking for open
Windows shares.

If this machine is part of a network which shares files using the
Windows SMB protocol, and this machine hosts shares, then the ports
need to be open to the other network machines. If it's a standalone
computer, or doesn't host any shares, you don't need samba running at
all, or even installed. If you need to access SMB shares on other
machines, the client programs to do this do not need the main samba
program to be installed.

You should probably be working towards rejecting all incoming packets,
and only explicitly permitting what you need. That way, you don't need
to worry about samba ports or what the portmapper does, etc.

If you can, run nmap from another network computer to see what ports are
actually available, since netstat doesn't take iptables filtering into
account, and can worry you needlessly. If you have a standalone
computer, Shields Up!! on the site http://grc.com will show ports open
to the Internet, but it can do only very limited tests compared with
nmap, and you must ignore all the dire warnings on the site, intended
to panic Windows users into doing something to protect themselves.

If, for the reasons above, you do need to run samba and allow access,
the samba configuration allows you to specify which IP addresses have
access. The configuration file is a bit of a beast, but the samba web
administration tool (SWAT) takes away some of the pain. Iptables will
also do this, of course, but as always, belt *and* braces... it is
always embarrassing to discover that last time you were debugging a
networking problem, you temporarily turned off iptables and forgot to
re-enable it.

-- 
Joe


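The default-deny firewall, the samba-side address restriction and the "check from outside with nmap" advice above, put together as an added example (this is not code from the thread). The LAN subnet 192.168.1.0/24 is an assumed placeholder, and the nmap line fed to the checker is constructed sample data. The functions print rules rather than applying them, so they can be reviewed first.

```sh
#!/bin/sh
# Assumed placeholder LAN subnet; change to your own network.
LAN_NET="192.168.1.0/24"
LAN_MASK="192.168.1.0/255.255.255.0"   # same subnet, smb.conf netmask form

# Print a default-deny INPUT chain that permits SMB only from the LAN.
# Apply from the console (not over SSH) with: smb_firewall_rules | sh
smb_firewall_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $LAN_NET -p udp --dport 137:138 -j ACCEPT
iptables -A INPUT -s $LAN_NET -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s $LAN_NET -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 139,445 -j LOG --log-prefix "SMB-DROP: "
EOF
}

# Matching samba-side restriction ("belt and braces"): even if iptables is
# accidentally left disabled, smbd itself refuses non-LAN clients.
smb_conf_global() {
    cat <<EOF
[global]
   bind interfaces only = yes
   interfaces = lo $LAN_NET
   hosts allow = 127. $LAN_MASK
   hosts deny = 0.0.0.0/0
EOF
}

# Read "nmap -oG -" grepable output on stdin (run from another host);
# return 0 if TCP 139 or 445 is reported open, 1 otherwise.
smb_exposed() {
    grep -Eq '(^|[ ,])(139|445)/open/tcp'
}

# Constructed sample of grepable nmap output for a self-check.
SAMPLE_OPEN='Host: 192.0.2.10 ()	Ports: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///'
SAMPLE_CLOSED='Host: 192.0.2.10 ()	Ports: 22/open/tcp//ssh///, 139/filtered/tcp//netbios-ssn///'

if [ "${1:-}" = "demo" ]; then
    smb_firewall_rules
    smb_conf_global
    printf '%s\n' "$SAMPLE_OPEN" | smb_exposed && echo "SMB still reachable"
fi
```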