Samba Server Analysis - Case Study Example

1 Why Samba? Almost every organization spends a large amount of money for securing networks, hiring Information Technology security professionals andpays them good. Expensive security devices also been purchased which also require firmware updates on regular basis, even small antivirus software also require a regular updates otherwise the operating system and the data would not be any longer protected. The Microsoft Windows is the most widely used operating system and therefore, most of the viruses created targets this platform. As far as the computer viruses are concerned, Linux is more secure than the Microsoft environment. Organizations use Linux servers when it comes to the protection, reliability and perfection. Although, the Microsoft has a vast variety of software and products, still Linux based server are maintained for storing research data, financial data, demographics of any sort vice versa. Due to Linux non user friendly environment, it cannot be used for workstations. A Microsoft window is more users friendly and has lots of accessibility options which make it advanced in this compartment. These days most of the organization wants to provide access to the data which has been maintained on the Linux server. Apart from the Linux server, all the servers and workstation are running on the Microsoft Windows environment. The Samba server needs to be installed on either any one of them; it can be installed on Linux server or Microsoft windows server for providing access to the files stored in Linux server. If printing services are required from the Linux machine to the Windows Platform, or either way, the Samba server will do it for you. There are many definitions on the World Wide Web. www.Stason.org defines that “SAMBA is a suite of programs which work together to allow clients to access UNIX file space and printers via the SMB (Session Message Block) protocol”. Another good definition is given on www.Ubuntu .com which states that “Samba is an implementation of the SMB/CIFS protocol for the Unix systems, providing support for cross-platform file and printer sharing with the Microsoft Windows, the OS X, and the other Unix systems”. Therefore, keeping in view the above definitions, it is now clear that the basic purpose of the Samba server is to synchronize the file and print services on any platform. 1.1 The Definition “Open Source” The word open source is not just the access to the source code. The software has to meet the following criteria in order to be called open source: 1.1.1 Free Redistribution The software can be distributed anywhere to anybody without any fee or charge. 1.1.2 Source Code The software must contain the source code and there will be no restriction in distribution of the source code. The source code can be easily accessible through a free-of-charge website. The source code must be in a programmable form so that the programmer can modify the software as per requirement. 1.1.3 Derived Work If the changes are been made to the software, the license should give permission to distribute the software as per the original software. 1.1.4 Integrity of the Authors Source Code The license must allow a different name or version number of the software if the software is modified. If there is a restriction of distributing source code in small files or patch files then the modified source code cannot be distributed. 1.1.5 No Discrimination against Persons or Groups There should be no categorization in the license. 1.1.6 No Discrimination against Fields of Endeavor The software license cannot restrict the software to be used in any field. For example Business or any sort of research. 1.1.7 Distribution of License There should be no requirement for a separate license for those who are using the modified program. 1.1.8 License Must Not Be Specific to a Product License must not restrict the software for distribution and modification. The modified program will also contain the same right as the original one. 1.1.9 License Must Not Restrict Other Software There should be no restriction of other software to be opened sourced. 1.1.10 License Must Be Technology-Neutral License must not be pro claimed on any specific technology, expertise, equipment and skills. By understanding the open source definition and concept, it will be easy for us to understand the purposes and usage for Samba server 2 Samba Server Security Features As the organizations maintain the critical data in the UNIX based servers, it is necessary to protect the transmission and data from the Linux server to the Windows based networks. Everyone can easily access or destroy the data stored on the Linux server. The shared resources must not be always open, and has to be locked when not in use. A very good power point presentation is given on the Yale University website in which, it is described how Access can be prevented by the following categorized ways: 2.1 User Level Security The level of security is the most common. The services will receive a username and a password of a specific client who wishes to access the data. The server can accept or reject the request. After successfully logging in, the user can further perform actions without the password. 2.2 Share Level Security The share level security is applicable on a sharing resource. If a user wants to access a shared resource, a separate password is required to access that file. The username will not be applicable on that occasion. 2.3 Domain Level security All the user names and accounts are stored centrally in a repository. The domain controllers of the network will share this repository to provide the authentication and validation services to all the clients within the network 2.4 ADS (Active Directory) The samba server can be synchronized with the ADS by using the RPC based security. “Realm is used to describe a kerebos – based security architecture (such as used in my Microsoft ADS)”, without knowing the Realm name Samba cannot identify the correct ADS. Password server option is used in smb.conf 2.5 Server Level security As samba is not compatible with the domain server, it is not recommended to use this option as there are many drawbacks for this feature of Samba server. Server level security functionality is whenever user lies on the user level security, it ask the user for username and password, after receiving these parameters from the client, samba server passes this information to the password server for accessing that particular resource. 2.6 Advanced Security Features Samba server can be more secure. There are more advanced security methodologies which make it more secure. The security features and descriptions are taken from www.samba.org 2.6.1 Limiting the number of concurrent connections In Samba, the network administrators can limit the number of concurrent connection with the help of the samba smbd daemons. There is a file named smbd.conf which gives the freedom for the network administrators to define how many smbd processes will run at any time. If the system will create a process above the given limit, the request will be rejected. 2.6.2 Using host based protection The most immediate threat after configuring the system on the network is the host of the network itself. The default options for samba is to accept any connection from any host on the network, and if any host is connected to the internet, then certainly samba will be vulnerable to all threats and virus which will come via the internet. The best option for the network administrator is to configure “Host allow” and “Host deny” options which will be configured in the smb.conf file. The best practice will be to give access to limited number of host which are not connected to the internet. An example might be Hosts allow = 127.0.0.1 192.169.2.0/24 192.169.3.0/24 Hosts deny = 0.0.0.0/0 This command will only allow connection from the local host (the computer on which Samba is installed). Two private networks are also allowed 1) 192.169.2.0 2) 192.169.3.0. Apart from these all other connection will not be accepted and will be refused by the samba server. 2.6.3 Interface Protection As mentioned before, Samba will accept connections from all the interfaces. The interfaces may include ISDN, DSL, PPP, and Fast Ethernet. The network administrator can eliminate this factor and put restrictions as per their network requirements by the following command: Interfaces = eth* lo Bind interfaces only = yes The “interface” is telling samba to accept which interface. In the above command, only eth interface is allowed. The name of the interfaces may differ for different Operating Systems. Linux Ethernet interface names are used in these commands. 2.6.4 Samba Firewall Firewall is a popular technique for securing the inbound network. Samba has a built in firewall for inbound network protection. For configuring the firewall in Samba, knowledge of port numbers and types is essential. For example 137, 138 are UDP ports and 139, 445 are TCP ports. The network administrator must know the ports numbers and types of the running applications and services on the network. The commands for allowing access of the mentioned TCP and UDP ports are: UDP/137 - used by nmbd UDP/138 - used by nmbd TCP/139 - used by smbd TCP/445 - used by smbd 2.6.5 Inter Process Communication share (IPC) Denial: In Wikipedia, the definition of IPC states that “The Inter-Process Communication (IPC) share or ipc$ is a network share on computers running Microsoft Windows. This virtual share is used to facilitate communication between processes and computers over SMB, often to exchange data between computers that have been authenticated.” The IPC share denial is often used for preventing the sharing from anonymous hosts. The command which is used for IPC denial is as follows: [ipc$] Hosts allow = 192.168.117.0/24 127.0.0.1 Hosts deny = 0.0.0.0/0 This command will convey samba to only accept the connection from the mentioned subnets. In this case, we have local host and local subnet. The IPC share is always open to accept connections but by using this feature it will provide protection of advance level to the network and hence will be more secure from anonymous users. 3 ACL on Samba ACL defines who will access what? Access control list is implemented for accessing the data specified for that person to use. For getting an idea what ACL’s are, we can simply right click the folder and click the security tab for viewing the access control list of that specific folder. (Only in Microsoft windows environment) When we install Linux, we only have basic file access options enabled. There are 3 set of options Owner Group Owner Others For implementing ACL on Linux, the other system must have an ACL support. The most common ACL which is used on Linux / UNIX is POSIX ACL. Although it is not a standard but is used widely. The POSIX ACL is not compatible with one to one mapping with Windows based ACL. 3.1 Activating ACL We have to execute a mount command to activate the ACL on the machine. The command is: # mount –o remount,acl /samba 3.2 Using ACL To implement ACL on a specific file these commands are used: # mkdir /samba/share3 # chgrp “Domain Users” /samba/share3 # chmod 775 /samba/share3 # cd /samba/share3 By running this command we can create a directory /samba/share3. Group owner will be the “Domain users”. They will have full read, write and execute access. In this way, we can create groups, files and give them rights as per requirements (Puryean, 2007). 4 Samba Auditing Features Samba uses syslog a built-in feature for auditing. It performs the following tasks: 4.1 Sharing It logs when and on which location user is activating the sharing option. 4.2 Connect / Disconnect It logs how many times a session between a shared resources has been established / de-established. 4.3 Directory open / Creates / remove It logs when a new directory has been created, how many times it has been accessed and when it was removed. 4.4 File open / close/ rename / unlink / chmod It logs when a file has been accessed and opened, when it is closed, how many times it was renamed, how many times it was shared / UN shared. 5 Detection of Brute force Attacks in Samba server The Samba server can be protected by the brute force attack with the help of a real secure network sensor. The Real secure network sensor continuously monitors the suspicious behavior of the system, if any changes have been made to any file, sessions are closing or some changes have been made suspiciously in the firewall. It also decodes Samba CIFS protocols before transferring the data to the Windows platform. The Real Secure is comprised of 3 modules: 5.1 Network Sensor The network sensor works rules which are defined in the policies. It compares the types of traffic and then decides whether to allow / dis allow the data for transmitting further. 5.2 Operating System Sensor Like the other processes running on the server, the OS sensor also runs like the service on the server. In real time, a log file is generated on the system; the OS sensor becomes active and reads the file for comparing with the signatures. If the signature matches, the OS sensor takes the applicable action. The OS sensor corrects the local attacks and threats which are normally missed by the network sensor. 5.3 Console The console is an administrative component for the network and OS sensors. The console and the sensors communicate with each other. The policy is defined for each sensor via the console. The components for the policy are: Network sensor security events Connection Events OS sensor security Events References Norman, Richard. (n.d.). What is SAMBA and is it available? Available: http://stason.org/TULARC/pc/amiga/networking/31-What-is-SAMBA-and-is-it-available.html. Last accessed 8 April 2010. Puryear, Dustin. (2007). ACLs on Samba. Available: http://aisalen.wordpress.com/2007/08/10/acls-on-samba/. Last accessed 6 April 2010. Rinaldi, Lou. (n.d.). Samba security. Available: www.yale.edu/its/security/presentations/files/SambaSecurity.ppt. Last accessed 5 April 2010 Samba. (n.d.). Opening Windows to a Wider World. Available: http://samba.org/samba/what_is_samba.html. Last accessed 6 April 2010 Samba. (n.d.). Protecting an unpatched samba server. Available: http://www.samba.org/samba/docs/server_security.html. Last accessed 8 April 2010. Sharif University. (). NAT, Samba. Available: http://ce.sharif.edu/courses/84-85/2/ce317/resources/root/lecture%20slides/9-NAT-Samba.ppt#265,10,Samba/SMB. Last accessed 8 April 2010 Ubuntu. (n.d.). What is Samba?. Available: https://help.ubuntu.com/community/SettingUpSamba. Last accessed 8 April 2010 Wikipedia . (n.d.). IPC share. Available: http://en.wikipedia.org/wiki/IPC_share. Last accessed 8 April 2010. Wikipedia. (n.d.). open source defination. Available: http://en.wikipedia.org/wiki/Open-source_software. Last accessed 6 April 2010. Read More