Neill Newman wrote:
Samba, although used by MS, was designed with the authentication stage in the server, thus getting around this problem. Between NFS and SMB, SMB is more secure (not to mention faster!)...
SMB faster than NFS?!?! I really don't think so.
In the "tests" I have done this is how it seems. I admit that it is really down to configurations/server load etc., but as far as I can tell it is faster than NFS. Perhaps I should reinforce this statement by saying Linux kernel 2.2 NFS, with 15 'average' users... kernel 2.0 NFS is not even worth arguing about, and I haven't played with 2.4 NFS yet...
Aah, you have mentioned the unmentionable: I wouldn't use Linux as an NFS server ever! I would recommend that you use Solaris for NFS, as Sun invented NFS (at work we say "definitively broken") and it is the reference platform for other *nix. Linux is a great NFS client though...
So are you saying that being able to "su username" and reading files over NFS is more complicated than cranking up L0phtCrack?... Hmm, actually you might be right there ;)...
I tend not to give out the root password to random users. If they need root, install sudo, although if you are on an internal LAN this can be more difficult, as I know from work; on our internet-connected hosts you don't get root. Also step up your logging and make a policy that any user who hacks stuff will be off the system forever, and keep them paranoid by doing random security sweeps, checks etc.
Also I have found that running L0phtCrack 2.5 against the SMB password file at work I got around 90% of the passwords in four hours (we have around 70 username/passwords in the file), and then brute-forced the rest with an expanded character set in less than a week, with only two passwords remaining uncrackable (I didn't try the complete character set as that would have taken a month or so).
I haven't tried L0phtCrack version 3 yet, but that does support distributed cracking. Compare this to having John the Ripper running 24/7 constantly against our Unix passwords: we don't get more than one password a week. This does demonstrate how weak NT/LanManager passwords are.
As for spoofing, any non-encrypted protocol can be spoofed; the complexities of which protocol is easier is another matter though ;). If I had my way I would shove NFS or Samba over SSL, but the client support is somewhat lacking ;(...
Use IPSec for encryption?? I have seen Intel EEPro cards recently with onboard encryption capability for the same price as the non-encrypting versions. I just find it is far easier to grab SMB info from the network via packet sniffing to work out what is going on than NFS, which doesn't tend to shout out its name every 5 seconds like Windows; `smbclient -L hostname` is your friend here.
SMB doesn't support real host access controls, which NFS does; this makes a big difference in real security.
Unless I have misunderstood your comment, check the "hosts allow" option of the smb.conf man page....
I didn't say Samba, I did say SMB :-) The hosts option is better, but it is more of a *nix thing than an SMB thing.
BTW, this email isn't meant as a flame; I just hope that others can gather information from this discussion to make an informed decision....
Same here, I really don't want to start flaming. This is a discussion; all my comments are my opinion and how I would do things. To be honest I don't really care how anyone sets up their network, as it's not my problem when it gets hacked and your boss starts shouting at you; my network is my problem and that's the one that I try to make and keep secure. I will however engage in discussions that I think are providing advice to people, like this one.
Adam
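Since the thread turns on whether "hosts allow" gives SMB real host-based access control, here is an added illustration (not code from either poster) that models how Samba combines "hosts allow" and "hosts deny" for a connecting client. The decision order is my reading of Samba's allow_access() logic and is an assumption to confirm against smb.conf(5) for your version; the configurations and client addresses in the test are constructed.

```python
import ipaddress

# Added illustration, not code from the thread: an offline model of how Samba
# applies "hosts allow" / "hosts deny" to a connecting client. The decision
# order is my reading of Samba's allow_access() and is an assumption; confirm
# against smb.conf(5) for your version. Entries: an IP, a CIDR network or ALL;
# "EXCEPT" starts an exception list (e.g. "192.168.1.0/24 EXCEPT 192.168.1.13").


def _entry_matches(entry, client):
    if entry.upper() == "ALL":
        return True
    try:
        return client in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # hostnames are not resolved in this offline model


def _list_matches(spec, client):
    """True if client matches the list, honouring a trailing EXCEPT clause."""
    tokens = spec.replace(",", " ").split()
    upper = [t.upper() for t in tokens]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(tokens)
    hits, exceptions = tokens[:cut], tokens[cut + 1:]
    if not any(_entry_matches(e, client) for e in hits):
        return False
    return not any(_entry_matches(e, client) for e in exceptions)


def allow_access(hosts_allow, hosts_deny, client_ip):
    """Decide whether client_ip may connect under the two smb.conf lists."""
    client = ipaddress.ip_address(client_ip)
    if client.is_loopback:
        return True                                   # loopback is always admitted
    have_allow, have_deny = bool(hosts_allow.split()), bool(hosts_deny.split())
    if not have_allow and not have_deny:
        return True                                   # neither set: open to all
    if not have_deny:
        return _list_matches(hosts_allow, client)     # allow only: a whitelist
    if not have_allow:
        return not _list_matches(hosts_deny, client)  # deny only: a blacklist
    if _list_matches(hosts_allow, client):
        return True                                   # allow beats deny
    if _list_matches(hosts_deny, client):
        return False
    return True                                       # on neither list: admitted
```

The last branch is the trap: with `hosts allow = 192.168.1.0/24` and `hosts deny = 10.0.0.0/8`, a client from 172.16.0.9 is still admitted, which is why the usual hardened pattern is `hosts deny = ALL` plus an explicit allow list.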