
Quick and secure Samba setup under FreeBSD

Many of us may not be Windows enthusiasts, but sometimes it is worth running a file sharing service that Windows clients can connect to.

You'll tell me :
« To share your files you can use SSHFS, FTP, etc. »
Short answer : it's true ! But when it comes to, for example, watching a movie in real time straight from the server without downloading the file first, those options are harder to set up.
Besides, when you have «non-technical» users, an easy-to-use solution is better !
So here comes Samba :

Samba

Samba provides file and print services to clients using the SMB/CIFS protocol, mostly Windows clients, but it can of course serve other platforms too.

Today our goal will be to :

  • Install Samba
  • Configure Samba for a private files sharing
  • Ensure that no one can access Samba outside of your network

1. Install Samba :

Let's see which version is available :

# pkg search samba

samba46-4.6.6           Free SMB/CIFS and AD/DC server and client for Unix

Ok, time to install :

# pkg install samba46-4.6.6

Start Samba at boot :

# vi /etc/rc.conf

samba_server_enable="YES"

2. Configure and secure Samba for a private file sharing :

Samba reads its configuration from :

/usr/local/etc/smb4.conf

First we create a dedicated local user that Samba will authenticate :

# adduser
Username: sharing
Full name: Dedicated user for Samba
Uid (Leave empty for default):
Login group [sharing]:
Login group is sharing. Invite sharing into other groups? []:
Login class [default]:
Shell (sh csh tcsh rbash nologin) [sh]: nologin
Home directory [/home/sharing]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:

The nologin shell means this account's password is only good for Samba : it cannot be used for SSH or a console session. Now we configure our service :

# vi  /usr/local/etc/smb4.conf

[global]
workgroup = WORKGROUP
realm = WORKGROUP.local
netbios name = NAS

[sharing data]
path = /mnt
public = no
writable = yes
printable = no
guest ok = no
valid users = sharing

Let's see what we've done.

[global]

WORKGROUP is the default workgroup name on Windows clients, so keeping the same name makes the server easy to find. The realm setting is only used when Samba joins an Active Directory domain; a standalone server like this one ignores it.
The netbios name lets you reach the server quickly this way :

\\NAS

[sharing data]

This is the name the share will appear under.
In this example the path is a USB HDD mounted on /mnt. guest ok = no refuses anonymous access (public is just an older synonym for the same setting), and valid users = sharing limits the share to the account we just created, so only that authenticated user can read or write it.

Time to start the service :

# service samba_server start

Samba keeps its own password database, separate from the system one, so the Unix account "sharing" must also be added to it. You will be prompted for the Samba password, which does not have to match the Unix password :

# pdbedit -a -u sharing

You can now browse the share by server name or by IP address; authentication uses the username and password you just entered.
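To see at a glance what the configuration above still leaves open before section 3 tightens it, here is an added example, not from the original post and not a Samba tool: a POSIX shell/awk audit of an smb4.conf that flags the settings a reviewer would look at first (no hosts allow, no server min protocol, map to guest, guest-readable shares, shares without valid users). The two sample files it writes are constructed here: one copies the [global] and [sharing data] blocks above; the other is a hardened variant that adds hosts allow, server min protocol = SMB2_02 (Samba 4.6 still negotiates SMB1 by default) and map to guest = never. The function names audit_smb_conf and write_samples are this example's own.

```shell
#!/bin/sh
# Added example: audit an smb4.conf for settings that widen exposure.
# audit_smb_conf FILE -> prints one finding per line; exit status = number of findings.
# Only [global] is checked for hosts allow; a per-share hosts allow is not considered.
audit_smb_conf() {
    awk '
    function trim(s)      { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function yes(v)       { return v ~ /^(yes|true|1)$/ }
    function finding(msg) { n++; print msg }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]*\[/ {                                     # [section] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = tolower(sec); sections[++ns] = sec; next
    }
    index($0, "=") {                                  # key = value inside the current section
        k = tolower(trim(substr($0, 1, index($0, "=") - 1)))
        v = tolower(trim(substr($0, index($0, "=") + 1)))
        gsub(/[ \t]+/, " ", k)
        if (k == "public")    k = "guest ok"          # synonyms listed in smb.conf(5)
        if (k == "writeable") k = "writable"
        if (k == "read only") { k = "writable"; v = yes(v) ? "no" : "yes" }
        cfg[sec, k] = v
    }
    END {
        g = "global"
        if (!((g, "hosts allow") in cfg))
            finding("[global]: no hosts allow, smbd will talk to any source address")
        if (!((g, "server min protocol") in cfg))
            finding("[global]: no server min protocol, SMB1 stays negotiable (Samba 4.6 default)")
        if ((g, "map to guest") in cfg && cfg[g, "map to guest"] != "never")
            finding("[global]: map to guest turns failed logins into guest sessions")
        for (i = 1; i <= ns; i++) {
            s = sections[i]
            if (s == g) continue
            if (yes(cfg[s, "guest ok"]))
                finding("[" s "]: guest ok = yes, anonymous access")
            if (!((s, "valid users") in cfg))
                finding("[" s "]: no valid users, every Samba account can open it")
        }
        exit n
    }' "$1"
}

# write_samples DIR -> DIR/page.conf (the post's config as it stands after section 2)
#                      and DIR/hardened.conf (constructed hardened variant)
write_samples() {
    cat > "$1/page.conf" <<'EOF'
[global]
workgroup = WORKGROUP
realm = WORKGROUP.local
netbios name = NAS

[sharing data]
path = /mnt
public = no
writable = yes
printable = no
guest ok = no
valid users = sharing
EOF
    cat > "$1/hardened.conf" <<'EOF'
[global]
workgroup = WORKGROUP
netbios name = NAS
hosts allow = 127.0.0.1 192.168.1.0/24 2a01:cb06:3e0:eb00::/56
server min protocol = SMB2_02
map to guest = never

[sharing data]
path = /mnt
writable = yes
printable = no
guest ok = no
valid users = sharing
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for f in "$dir"/page.conf "$dir"/hardened.conf; do
    echo "== $f"
    if audit_smb_conf "$f"; then echo "-> clean"; else echo "-> $? finding(s)"; fi
done
rm -rf "$dir"
```

On a real server, run it against /usr/local/etc/smb4.conf after any change; testparm -s is still the authoritative syntax check, this script only looks at the exposure-related keys.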

3. Ensure that no one can access Samba outside of your network :

You can restrict access in two complementary ways :

a. From /usr/local/etc/smb4.conf :

Edit your configuration file and add this line to the [global] block :

hosts allow = 127.0.0.1 192.168.1.0/24 2a01:cb06:3e0:eb00::/56

In my case, I only allow connections from my local network, in IPv4 and IPv6; 127.0.0.1 is there so that tools run on the server itself keep working.
Make sure to restart Samba :

# service samba_server restart

If someone from the outside tries to reach your server, you will see entries like these in the smbd log :

# vi /var/log/samba4/log.smbd

[2017/08/14 16:26:25.300064,  0] ../lib/util/access.c:361(allow_access)
Denied connection from 173.208.215.27 (173.208.215.27)
[2017/08/14 16:50:20.879004,  0] ../lib/util/access.c:361(allow_access)
Denied connection from 195.138.66.84 (195.138.66.84)
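Those entries come in pairs: a header line with the timestamp, then the "Denied connection" line, where the first value is the client name (or its address when there is no reverse DNS) and the value in parentheses is always the address. As an added example that is not part of the post, here is a small shell/awk pass over log.smbd that pairs each denial with the timestamp above it and prints, per source address, how many times it was refused and when it was first and last seen. The sample log it writes is constructed: it starts with the four lines quoted above (indented as smbd writes them) and adds a repeat from the first address and one IPv6 source so the grouping shows. denied_summary and write_sample_log are this example's own names.

```shell
#!/bin/sh
# Added example: summarise "Denied connection" entries from Samba's log.smbd.
# smbd writes each refusal as two lines:
#   [YYYY/MM/DD HH:MM:SS.micro, level] file:line(function)
#     Denied connection from NAME (ADDR)
# We keep the header's timestamp and take ADDR from the parentheses.
#
# denied_summary LOGFILE -> lines of: ADDR COUNT FIRST_SEEN LAST_SEEN, busiest first
denied_summary() {
    awk '
    /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / { ts = substr($0, 2, 19); next }
    /Denied connection from / {
        ip = $0; sub(/.*\(/, "", ip); sub(/\).*$/, "", ip)
        cnt[ip]++
        if (!(ip in first)) first[ip] = ts
        last[ip] = ts
    }
    END { for (ip in cnt) printf "%s %d %s %s\n", ip, cnt[ip], first[ip], last[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# write_sample_log FILE -> constructed excerpt: the four lines from the post plus a
# second hit from 173.208.215.27 and one IPv6 source (documentation prefix 2001:db8::/32)
write_sample_log() {
    cat > "$1" <<'EOF'
[2017/08/14 16:26:25.300064,  0] ../lib/util/access.c:361(allow_access)
  Denied connection from 173.208.215.27 (173.208.215.27)
[2017/08/14 16:50:20.879004,  0] ../lib/util/access.c:361(allow_access)
  Denied connection from 195.138.66.84 (195.138.66.84)
[2017/08/14 17:02:11.004512,  0] ../lib/util/access.c:361(allow_access)
  Denied connection from 173.208.215.27 (173.208.215.27)
[2017/08/14 17:15:43.120077,  0] ../lib/util/access.c:361(allow_access)
  Denied connection from 2001:db8::1 (2001:db8::1)
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "ADDRESS COUNT FIRST_SEEN LAST_SEEN"
denied_summary "$log"
rm -f "$log"
```

On a live system point it at /var/log/samba4/log.smbd; these messages are written at log level 0, the default, so nothing extra needs enabling. A source that keeps coming back after being denied is a good candidate for the packet-level block described next.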

But hosts allow is enforced by smbd itself : an outsider's connection is accepted and then turned away, so the daemon still handles traffic from anyone on the Internet, and a bug in that early code path would be exposed to them. Filtering at the packet level keeps untrusted traffic away from Samba entirely, so we add a second layer. In the wild frontier, better watch your back !

b. Packet Filter

Packet Filter is a powerful firewall we'll use to configure who is allowed to access our service.

First, enable Packet Filter :

# kldload pf
# vi /etc/rc.conf

pf_enable="YES"
pflog_enable="YES"

# service pf start
# service pflogd start

Configure Packet Filter :

Samba uses multiple ports listening by default on IPv4 and IPv6 :

TCP : 139 & 445
UDP : 137 & 138

We'll configure Packet Filter so that only our local networks (IPv4 and IPv6) can reach these ports. The first version spells every rule out so you can follow it; then we'll rewrite it more compactly with macros.

# vi /etc/pf.conf
  
block drop quick inet proto tcp from !192.168.1.0/24 to re0 port 445
block drop quick inet proto tcp from !192.168.1.0/24 to re0 port 139
block drop quick inet proto udp from !192.168.1.0/24 to re0 port 137
block drop quick inet proto udp from !192.168.1.0/24 to re0 port 138
block drop quick inet6 proto tcp from !2a01:cb06:3e0:eb00::/56 to re0 port 445
block drop quick inet6 proto tcp from !2a01:cb06:3e0:eb00::/56 to re0 port 139
block drop quick inet6 proto udp from !2a01:cb06:3e0:eb00::/56 to re0 port 137
block drop quick inet6 proto udp from !2a01:cb06:3e0:eb00::/56 to re0 port 138
antispoof for re0

Here we block packets for the Samba ports from any source outside our networks. "quick" stops rule evaluation at the first match, and "drop" is optional because it is pf's default block policy. Everything else is untouched, since pf passes whatever no rule matches. "antispoof for re0" generates rules that drop packets arriving on another interface with a source address from re0's network, and packets claiming to come from re0's own address. One caveat from pf.conf(5) : those antispoof rules also catch loopback traffic to the host's own addresses, so a connection from the server to its own IP is blocked unless you add "set skip on lo0" above them.

We can rewrite the rules more compactly with macros :

# vi /etc/pf.conf

ext_if = "re0" # our network interface
samba_tcp = "{ 139, 445 }" # tcp ports used by samba
samba_udp = "{ 137, 138 }" # udp ports used by samba
ipv4_net = "192.168.1.0/24" # our IPv4 network
ipv6_net = "2a01:cb06:3e0:eb00::/56" # our IPv6 network

set skip on lo0 # leave loopback alone, otherwise antispoof blocks local connections to our own address

# Our rules

block drop quick inet proto tcp from !$ipv4_net to $ext_if port $samba_tcp
block drop quick inet proto udp from !$ipv4_net to $ext_if port $samba_udp
block drop quick inet6 proto tcp from !$ipv6_net to $ext_if port $samba_tcp
block drop quick inet6 proto udp from !$ipv6_net to $ext_if port $samba_udp
antispoof for $ext_if # antispoof rule

Check the syntax without loading anything, then load the ruleset :

# pfctl -nf /etc/pf.conf
# pfctl -f /etc/pf.conf

Have fun !

CagedMonster

« I know everyone I've been everywhere I know everything Because I'm everybody » Ether - Nothingface