--- Neill Newman neill@entora.co.uk wrote:
Adam Bower wrote:
On Thu, 12 Apr 2001, David Freeman wrote:
Can anyone make some recommendations as to the best and most secure method of sharing files under Unix? The machines are behind a firewall, but sat in the DMZ, so we want the minimum number of ports to be left open.
Use NFS and make sure that you have it configured properly and don't allow any NFS traffic through your routers.
The most secure method is definitely not NFS!! Use Samba instead...
Is this being serious (that's not sarcasm, it's a genuine question)? I thought that Samba was an MS based protocol and as such was as secure as a wet paper bag? Is it really better than NFS? If it is I will remove the NFS from the plan as Samba may be used for the NT support.
Thanks
D
Sz
Adam
Adam Bower, abower@zeus.com Tel: +44 1223 525000 System Administrator Fax: +44 1223 525100 Zeus Technology Ltd http://www.zeus.com Zeus House, Cowley Road Cambridge CB4 0ZT England
alug, the Anglian Linux User Group list Send list replies to alug@stu.uea.ac.uk http://rabbit.stu.uea.ac.uk/cgi-bin/listinfo/alug See the website for instructions on digest or unsub!
-- Open source solutions at http://www.entora.co.uk/
David Freeman wrote:
--- Neill Newman neill@entora.co.uk wrote:
The most secure method is definitely not NFS!! Use Samba instead...
Is this being serious (that's not sarcasm, it's a genuine question)? I thought that Samba was an MS based protocol and as such was as secure as a wet paper bag? Is it really better than NFS? If it is I will remove the NFS from the plan as Samba may be used for the NT support.
I am deadly serious.. NFS assumes that the client is responsible for the authentication, and therefore anybody who has root access on a Linux box can 'become' another user, and mount their files, not very secure!!!... Samba, although used by MS, was designed with the authentication stage in the server, thus getting around this problem.. Between NFS and SMB, SMB is more secure (not to mention faster!)... There are some other network filesystems (such as Coda) which may be better than SMB, but I don't really know much about them...
Sz
--- Neill Newman neill@entora.co.uk wrote:
David Freeman wrote:
--- Neill Newman neill@entora.co.uk wrote:
The most secure method is definitely not NFS!! Use Samba instead...
Is this being serious (that's not sarcasm, it's a genuine question)? I thought that Samba was an MS based protocol and as such was as secure as a wet paper bag? Is it really better than NFS? If it is I will remove the NFS from the plan as Samba may be used for the NT support.
I am deadly serious.. NFS assumes that the client is responsible for the authentication, and therefore anybody who has root access on a Linux box can 'become' another user, and mount their files, not very secure!!!... Samba, although used by MS, was designed with the authentication stage in the server, thus getting around this problem.. Between NFS and SMB, SMB is more secure (not to mention faster!)... There are some other network filesystems (such as Coda) which may be better than SMB, but I don't really know much about them...
Sorry for doubting you. From what you say Samba looks the better option; I will have a play with it and see what I can get to work.
Thanks
D
David Freeman wrote:
Sorry for doubting you.
No need to apologise ;)
From what you say Samba looks the better option; I will have a play with it and see what I can get to work.
If you are using any Win98 (or MS machines that use encrypted password authentication), be sure to read the documents that come with Samba; I got caught out by this 'feature' a few months ago ;)..
Sz
On Thu, 12 Apr 2001, Neill Newman wrote:
David Freeman wrote:
--- Neill Newman neill@entora.co.uk wrote:
The most secure method is definitely not NFS!! Use Samba instead...
Yeah, but the network is firewalled so it is not a problem; most big ISPs use NFS for serving webpages from NetApps and big Suns (trust me on this). I would also argue you are completely wrong about using Samba instead.
I am deadly serious.. NFS assumes that the client is responsible for the authentication, and therefore anybody who has root access on a Linux box can 'become' another user, and mount their files, not very secure!!!...
Aah, there are some very simple ways of spoofing with the M$ protocols; I know which one I would choose. Also if you look at the man pages for nfs you can see it is very easy to enable some fairly strong access controls.
Samba, although used by MS, was designed with the authentication stage in the server, thus getting around this problem.. Between NFS and SMB, SMB is more secure (not to mention faster!)...
SMB faster than NFS?!?! I really don't think so. Also the way passwords get chucked around the network with SMB is dangerously insecure, as if you grab a copy of L0phtcrack and a packet sniffer you can get them dead easily, or if you are on a switched network you can easily craft a message to exploit SMB. SMB doesn't support real host access controls, which NFS does; this makes a big difference in real security.
There are some other network filesystems (such as Coda) which may be better than SMB, but I don't really know much about them...
Coda is a really good idea, just not quite there yet; most of the people I know who have used it have reported the same as me, that it breaks severely at random.
Adam
--- Adam Bower abower@zeus.com wrote:
On Thu, 12 Apr 2001, Neill Newman wrote:
David Freeman scribbled in yet another email:
--- Neill Newman neill@entora.co.uk wrote:
The most secure method is definitely not NFS!! Use Samba instead...
Yeah, but the network is firewalled so it is not a problem; most big ISPs use NFS for serving webpages from NetApps and big Suns (trust me on this). I would also argue you are completely wrong about using Samba instead.
Despite being behind what is probably the biggest firewall in the UK I am still skeptical. A few months back a friend and I had a HackFest (no, it's not what you might think) in which we set up a network of machines and attempted to hack it. The results will be published on my web site when we have it all finished. Basically the Mac was impossible to get into! The unhardened Linux and Solaris boxes were very easy: just run Brutus at the machine overnight, result: access. This isn't a great test as the password used (on all machines for consistency) was zombie, which is a dictionary word; using a better password like Z0mb1e might have given different results. L0phtcrack against NT was very quick; in only a couple of hours we had zombie and it was brute forcing a non-dictionary word quite nicely.
I am deadly serious.. NFS assumes that the client is responsible for the authentication, and therefore anybody who has root access on a Linux box can 'become' another user, and mount their files, not very secure!!!...
Aah, there are some very simple ways of spoofing with the M$ protocols; I know which one I would choose. Also if you look at the man pages for nfs you can see it is very easy to enable some fairly strong access controls.
I think I may use Samba as I use it at home and understand it better than NFS.
Samba, although used by MS, was designed with the authentication stage in the server, thus getting around this problem.. Between NFS and SMB, SMB is more secure (not to mention faster!)...
Just noticed a contradiction here: MS designed something with authentication in mind? That must be a first :o)
SMB faster than NFS?!?! I really don't think so. Also the way passwords get chucked around the network with SMB is dangerously insecure, as if you grab a copy of L0phtcrack and a packet sniffer you can get them dead easily, or if you are on a switched network you can easily craft a message to exploit SMB. SMB doesn't support real host access controls, which NFS does; this makes a big difference in real security.
The speed isn't much of a problem; both machines are running 100Mbps ethernet directly connected to a router! I only want access from the two machines, so I can mount a drive from one machine on the other to back it up.
There are some other network filesystems (such as Coda) which may be better than SMB, but I don't really know much about them...
Coda is a really good idea, just not quite there yet; most of the people I know who have used it have reported the same as me, that it breaks severely at random.
I want to stick with standard systems. But I will watch this one carefully.
Thanks
D
Adam Bower wrote:
Yeah, but the network is firewalled so it is not a problem; most big ISPs use NFS for serving webpages from NetApps and big Suns (trust me on this). I would also argue you are completely wrong about using Samba instead.
That depends on who you trust; some organisations I have worked in have firewalls and then assume that they are safe so they drop all internal security.. When they get unwanted access from within, people go ape and ask why!!
It can be argued either way, I'm a little paranoid about these kind of things...
I am deadly serious.. NFS assumes that the client is responsible for the authentication, and therefore anybody who has root access on a Linux box can 'become' another user, and mount their files, not very secure!!!...
Aah, there are some very simple ways of spoofing with the M$ protocols; I know which one I would choose. Also if you look at the man pages for nfs you can see it is very easy to enable some fairly strong access controls.
I have no doubt that it could be spoofed, but to be honest most machines that get broken into are due to misconfigurations or failure to apply security patches.. In this case I am just highlighting a problem that occurs with NFS which many people seem to either not know about or ignore.. As for access controls, they are present in many of the networked filesystems around (including NFS and Samba).
Samba, although used by MS, was designed with the authentication stage in the server, thus getting around this problem.. Between NFS and SMB, SMB is more secure (not to mention faster!)...
SMB faster than NFS?!?! I really don't think so.
In the "tests" I have done this is how it seems. I admit that it is really down to configurations/server load etc.. but as far as I can tell it is faster than NFS.. Perhaps I should reinforce this statement by saying Linux kernel 2.2 NFS, with 15 'average' users... kernel 2.0 NFS is not even worth arguing about; I haven't played with 2.4 NFS yet...
Also the way passwords get chucked around the network with SMB is dangerously insecure, as if you grab a copy of L0phtcrack and a packet sniffer you can get them dead easily, or if you are on a switched network you can easily craft a message to exploit SMB.
So are you saying that being able to "su username" and reading files over NFS is more complicated than cranking up L0phtcrack?.... Hmmm, actually you might be right there ;)...
As for spoofing, any non-encrypted protocol can be spoofed; the complexities of which protocol is easier is another matter though ;).. If I had my way I would shove NFS or Samba over SSL.. but the client support is somewhat lacking ;(...
SMB doesn't support real host access controls, which NFS does; this makes a big difference in real security.
Unless I have misunderstood your comment, check the "hosts allow" option of the smb.conf man page....
There are some other network filesystems (such as Coda) which may be better than SMB, but I don't really know much about them...
Coda is a really good idea, just not quite there yet; most of the people I know who have used it have reported the same as me, that it breaks severely at random.
Yeah, I had that problem with Coda a while ago so I didn't look at it further.. When it is stable (which I hope is sometime soon) I will be looking into it again......
BTW, this email isn't meant as a flame; I just hope that others can gather information from this discussion to make an informed decision....
Regards
Sz
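The two points argued above, that NFS (AUTH_SYS) trusts whatever UID the client presents, so client-side root is the weak spot, and that host access controls exist on both sides ("hosts allow" in smb.conf, the client lists in /etc/exports), as an added example that is not part of the thread or of either project: a small Python audit over constructed /etc/exports and smb.conf snippets that flags exports open to any client host or carrying no_root_squash, and shares with no "hosts allow" in the share or in [global]. Paths, addresses and share names are made up for the example.

```python
import re

# Constructed sample /etc/exports: one open export, one restricted to two hosts.
EXPORTS = """\
/srv/backup   *(rw,no_root_squash)
/srv/www      192.0.2.10(rw,sync) 192.0.2.11(ro,sync)
"""

# Constructed sample smb.conf: [backup] has no 'hosts allow' in the share or [global].
SMB_CONF = """\
[global]
   workgroup = WORKGROUP
[backup]
   path = /srv/backup
   read only = no
[www]
   path = /srv/www
   hosts allow = 192.0.2.10
"""

# One exports client entry: host (may be empty or a wildcard) plus optional (options).
CLIENT = re.compile(r"^([^(]*)(?:\((.*)\))?$")

def audit_exports(text):
    """Map each exported path to its findings (empty list = nothing flagged)."""
    findings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        problems = []
        for entry in clients or ["*"]:  # no client list at all means every host
            host, opts = CLIENT.match(entry).groups()
            options = {o.strip() for o in (opts or "").split(",")}
            if host == "" or "*" in host or "?" in host:
                problems.append(f"{host or '*'}: exported to any client host")
            # AUTH_SYS trusts the client's UID; root_squash (default) maps uid 0 to nobody.
            if "no_root_squash" in options:
                problems.append(f"{host or '*'}: no_root_squash gives client root server root")
        findings[path] = problems
    return findings

def audit_smb_conf(text):
    """Map each share to its findings; 'hosts allow' in [global] covers every share."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    global_allow = sections.get("global", {}).get("hosts allow")
    return {name: ([] if "hosts allow" in params or global_allow
                   else ["no 'hosts allow' in share or [global]: any host may connect"])
            for name, params in sections.items() if name != "global"}
```

Running both auditors on the constructed snippets flags /srv/backup twice (open to every host, and no_root_squash) and the [backup] share once, while /srv/www and [www] pass.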
Neill Newman wrote:
Samba, although used by MS, was designed with the authentication stage in the server, thus getting around this problem.. Between NFS and SMB, SMB is more secure (not to mention faster!)...
SMB faster than NFS?!?! I really don't think so.
In the "tests" I have done this is how it seems. I admit that it is really down to configurations/server load etc.. but as far as I can tell it is faster than NFS.. Perhaps I should reinforce this statement by saying Linux kernel 2.2 NFS, with 15 'average' users... kernel 2.0 NFS is not even worth arguing about; I haven't played with 2.4 NFS yet...
Aah, you have mentioned the unmentionable; I wouldn't use Linux as an NFS server ever! I would recommend that you use Solaris for NFS as Sun invented NFS (at work we say definitively broken); it is the reference platform for other *nix. Linux is a great NFS client though...
So are you saying that being able to "su username" and reading files over NFS is more complicated than cranking up L0phtcrack?.... Hmmm, actually you might be right there ;)...
I tend to not give out the root password to random users; if they need root install sudo, although if you are on an internal LAN this can be more difficult, as I know from work, but on our internet connected hosts you don't get root. Also step up your logging and make a policy that any user who hacks stuff will be off the system forever, and keep them paranoid by doing random security sweeps, checks etc.
Also I have found that running L0phtcrack 2.5 against the SMB password file at work I got around 90% of the passwords in four hours (we have around 70 username/passwords in the file), and then brute forced the rest with an expanded character set in less than a week with only two passwords remaining uncrackable (I didn't try for the complete character set as that would have taken a month or so).
I haven't tried L0phtcrack version 3 yet, but that does support distributed cracking. Compare this to having John the Ripper running 24/7 constantly against our Unix passwords: we don't get more than one password a week. This does demonstrate how weak NT/LanManager passwords are.
As for spoofing, any non-encrypted protocol can be spoofed; the complexities of which protocol is easier is another matter though ;).. If I had my way I would shove NFS or Samba over SSL.. but the client support is somewhat lacking ;(...
Use IPSec for encryption?? I have seen Intel EEPros recently with onboard encryption capability for the same price as the non-encrypting versions. I just find it is far easier to grab SMB info from the network via packet sniffing to work out what is going on than NFS, which doesn't tend to shout out its name every 5 seconds like Windows; smbclient -l hostname is your friend here.
SMB doesn't support real host access controls, which NFS does; this makes a big difference in real security.
Unless I have misunderstood your comment, check the "hosts allow" option of the smb.conf man page....
I didn't say Samba, I did say SMB :-) The hosts option is better but is more a *nix thing than an SMB thing.
BTW, this email isn't meant as a flame; I just hope that others can gather information from this discussion to make an informed decision....
Same here, I really don't want to start flaming. This is a discussion; all my comments are my opinion and how I would do things. To be honest I don't really care how anyone sets up their network as it's not my problem when it gets hacked and your boss starts shouting at you; my network is my problem and that's the one that I try to make and keep secure. I will however engage in discussions that I think are providing advice to people like this one.
Adam
On Fri, 13 Apr 2001, Adam Bower wrote:
Neill Newman wrote:
Samba, although used by MS, was designed with the authentication stage in the server, thus getting around this problem.. Between NFS and SMB, SMB is more secure (not to mention faster!)...
It appears that the worry I had about the security of the SMB protocol now has a severe exploit against it; The Register is reporting it here http://www.theregister.co.uk/content/8/18370.html
Adam
Adam Bower wrote:
On Fri, 13 Apr 2001, Adam Bower wrote:
Neill Newman wrote:
Samba, although used by MS, was designed with the authentication stage in the server, thus getting around this problem.. Between NFS and SMB, SMB is more secure (not to mention faster!)...
It appears that the worry I had about the security of the SMB protocol now has a severe exploit against it; The Register is reporting it here http://www.theregister.co.uk/content/8/18370.html
Very interesting.... I guess this means that Samba is affected ;(...
Since our last emails I have done some digging.. It seems as if some people are using Samba over SSL with Windows 98/NT and stunnel.. Hmmm, interesting, I might have to investigate this further... (check the Samba archives for details.)
I liked this quote though ;) "Do not assume that because you have a firewall you are safe, because as soon as a host inside that firewall is compromised, even a UNIX or Win9x box, this method can be used to compromise any host that is within broadcast range, on the same LAN,"
Food for thought, things are never as secure as you would like ;)..
Sz