[3.6.6] nmbd reachable on 0.0.0.0: Safe?


Winfried
Hello

I'm running Samba 3.6.6 on a Linux host on a LAN connected to the Net, with my ADSL modem acting as firewall/router so as to keep local services like Samba unaccessible from the Net.

Still, I wanted to check if it's safe to have nmbd reachable from 0.0.0.0 on UDP137/138:

~# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      1917/smbd
tcp        0      0 192.168.0.15:445        0.0.0.0:*               LISTEN      1917/smbd
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      1917/smbd
tcp        0      0 192.168.0.15:139        0.0.0.0:*               LISTEN      1917/smbd
tcp6       0      0 ::1:445                 :::*                    LISTEN      1917/smbd
tcp6       0      0 fe80::50:43ff:fee7::445 :::*                    LISTEN      1917/smbd
tcp6       0      0 ::1:139                 :::*                    LISTEN      1917/smbd
tcp6       0      0 fe80::50:43ff:fee7::139 :::*                    LISTEN      1917/smbd
udp        0      0 192.168.0.255:137       0.0.0.0:*                           1913/nmbd
udp        0      0 192.168.0.15:137        0.0.0.0:*                           1913/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1913/nmbd
udp        0      0 192.168.0.255:138       0.0.0.0:*                           1913/nmbd
udp        0      0 192.168.0.15:138        0.0.0.0:*                           1913/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1913/nmbd

Also, do I really need to use IPv6 on my LAN?

Thank you.
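An added example, not part of the original post: in the Local Address column of `netstat`, `0.0.0.0` (or `::`) is the wildcard address, meaning the socket accepts traffic arriving on any local address. The script sorts listeners by bind scope and lists the wildcard ones. The function names are hypothetical and the sample rows are taken from the output above.

```shell
#!/bin/sh
# Added example: classify `netstat -tunlp` listeners by bind scope.

# Reads netstat output on stdin; prints "scope proto address port program".
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        # The port is whatever follows the last colon (works for IPv6 too).
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::")        scope = "wildcard"
        else if (addr ~ /^127\./ || addr == "::1")    scope = "loopback"
        else if (addr ~ /^fe80:/)                     scope = "link-local"
        else                                          scope = "specific"
        print scope, $1, addr, port, $NF
    }'
}

# Only the sockets bound to the wildcard address: "proto port program".
wildcard_listeners() {
    classify_listeners | awk '$1 == "wildcard" { print $2, $4, $5 }'
}

# Sample rows taken from the netstat output in the post above.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      1917/smbd
tcp        0      0 192.168.0.15:445        0.0.0.0:*               LISTEN      1917/smbd
tcp6       0      0 ::1:139                 :::*                    LISTEN      1917/smbd
tcp6       0      0 fe80::50:43ff:fee7::139 :::*                    LISTEN      1917/smbd
udp        0      0 192.168.0.255:137       0.0.0.0:*                           1913/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1913/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1913/nmbd
EOF
}

sample_netstat | wildcard_listeners
```

On a live host, pipe `netstat -tunlp` into `wildcard_listeners` instead of the sample.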

Re: [3.6.6] nmbd reachable on 0.0.0.0: Safe?

Samba - General mailing list
On Sun, 9 Jul 2017 03:24:16 -0700 (PDT)
Winfried via samba <[hidden email]> wrote:

> Hello
>
> I'm running Samba 3.6.6 on a Linux host on a LAN connected to the
> Net, with my ADSL modem acting as firewall/router so as to keep local
> services like Samba unaccessible from the Net.
>
> Still, I wanted to check if it's safe to have nmbd reachable from
> 0.0.0.0 on UDP137

0.0.0.0 in this context refers to the default route, so yes it is
safe, I would be more worried about the fact you are still using a
version of Samba that went EOL quite some time ago ;-)

For more info on 0.0.0.0, see here:

https://www.howtogeek.com/225487/what-is-the-difference-between-127.0.0.1-and-0.0.0.0/

>
> ~# netstat -tunlp
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      1917/smbd
> tcp        0      0 192.168.0.15:445        0.0.0.0:*               LISTEN      1917/smbd
> tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      1917/smbd
> tcp        0      0 192.168.0.15:139        0.0.0.0:*               LISTEN      1917/smbd
> tcp6       0      0 ::1:445                 :::*                    LISTEN      1917/smbd
> tcp6       0      0 fe80::50:43ff:fee7::445 :::*                    LISTEN      1917/smbd
> tcp6       0      0 ::1:139                 :::*                    LISTEN      1917/smbd
> tcp6       0      0 fe80::50:43ff:fee7::139 :::*                    LISTEN      1917/smbd
> udp        0      0 192.168.0.255:137       0.0.0.0:*                           1913/nmbd
> udp        0      0 192.168.0.15:137        0.0.0.0:*                           1913/nmbd
> udp        0      0 0.0.0.0:137             0.0.0.0:*                           1913/nmbd
> udp        0      0 192.168.0.255:138       0.0.0.0:*                           1913/nmbd
> udp        0      0 192.168.0.15:138        0.0.0.0:*                           1913/nmbd
> udp        0      0 0.0.0.0:138             0.0.0.0:*                           1913/nmbd
>
> Also, do I really need to use IPv6 on my LAN?

Only if you actually use IPv6 on your network.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [3.6.6] nmbd reachable on 0.0.0.0: Safe?

Winfried
Samba - General mailing list wrote
> I would be more worried about the fact you are still using a version of Samba that went EOL quite some time ago ;-)

Thanks for the infos.

This is an ARM-based (Marvell Kirkwood Feroceon 88FR131) appliance that is running Debian 7.11. "apt-get update ; apt-get upgrade" provides no more recent release of Samba. Is there a way to force APT to install a more recent release?  I prefer using it to manage applications.

==============
~# cat /etc/apt/sources.list
# deb http://ftp.fr.debian.org/debian/ wheezy main

deb http://ftp.fr.debian.org/debian/ wheezy main
deb-src http://ftp.fr.debian.org/debian/ wheezy main

deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main

# wheezy-updates, previously known as 'volatile'
deb http://ftp.fr.debian.org/debian/ wheezy-updates main
deb-src http://ftp.fr.debian.org/debian/ wheezy-updates main
==============

Re: [3.6.6] nmbd reachable on 0.0.0.0: Safe?

Samba - General mailing list


On 09.07.2017 at 14:18, Winfried via samba wrote:

> Samba - General mailing list wrote
>> I would be more worried about the fact you are still using a version of
>> Samba that went EOL quite some time ago ;-)
>
> Thanks for the infos.
>
> This is an ARM-based (Marvell Kirkwood Feroceon 88FR131) appliance that is
> running Debian 7.11. "apt-get update ; apt-get upgrade" provides no more
> recent release of Samba. Is there a way to force APT to install a more
> recent release?  I prefer using it to manage applications.
>
> ==============
> ~# cat /etc/apt/sources.list
> # deb http://ftp.fr.debian.org/debian/ wheezy main

well, that's how Debian works and especially appliances built on debian,
but you need to consider something newer anyways


https://en.wikipedia.org/wiki/Debian_version_history#Debian_7_.28Wheezy.29

Security support until: 26 April 2016
Long-term support: May 2018

don't ask me what "long time support" is worth when security support
ends a year before, i won't touch based on Debian anyways because of
their idiotic backporting attitude even when upstream releases a update
which only fix critical bugs and when i have to use testing repos in
production i can then also install a sane distribution where i get
packages like samba-4.5.10-0.fc25.x86_64


Re: [3.6.6] nmbd reachable on 0.0.0.0: Safe?

Samba - General mailing list
In reply to this post by Winfried
On Sun, 9 Jul 2017 05:18:29 -0700 (PDT)
Winfried via samba <[hidden email]> wrote:

> Samba - General mailing list wrote
> > I would be more worried about the fact you are still using a
> > version of Samba that went EOL quite some time ago ;-)
>
> Thanks for the infos.
>
> This is an ARM-based (Marvell Kirkwood Feroceon 88FR131) appliance
> that is running Debian 7.11. "apt-get update ; apt-get upgrade"
> provides no more recent release of Samba. Is there a way to force APT
> to install a more recent release?  I prefer using it to manage
> applications.
>
> ==============
> ~# cat /etc/apt/sources.list
> # deb http://ftp.fr.debian.org/debian/ wheezy main
>
> deb http://ftp.fr.debian.org/debian/ wheezy main
> deb-src http://ftp.fr.debian.org/debian/ wheezy main
>
> deb http://security.debian.org/ wheezy/updates main
> deb-src http://security.debian.org/ wheezy/updates main
>
> # wheezy-updates, previously known as 'volatile'
> deb http://ftp.fr.debian.org/debian/ wheezy-updates main
> deb-src http://ftp.fr.debian.org/debian/ wheezy-updates main
> ==============

You can only get what the OS supplies with apt-get upgrade. Is there a
later version of debian available ?
If there isn't, you may be stuck with 3.6

Rowland


Re: [3.6.6] nmbd reachable on 0.0.0.0: Safe?

Samba - General mailing list
On 09.07.2017 at 15:02, Rowland Penny via samba wrote:

> On Sun, 9 Jul 2017 05:18:29 -0700 (PDT)
> Winfried via samba <[hidden email]> wrote:
>
>> Samba - General mailing list wrote
>>> I would be more worried about the fact you are still using a
>>> version of Samba that went EOL quite some time ago ;-)
>> Thanks for the infos.
>>
>> This is an ARM-based (Marvell Kirkwood Feroceon 88FR131) appliance
>> that is running Debian 7.11. "apt-get update ; apt-get upgrade"
>> provides no more recent release of Samba. Is there a way to force APT
>> to install a more recent release?  I prefer using it to manage
>> applications.
>>
>> ==============
>> ~# cat /etc/apt/sources.list
>> # deb http://ftp.fr.debian.org/debian/ wheezy main
>>
>> deb http://ftp.fr.debian.org/debian/ wheezy main
>> deb-src http://ftp.fr.debian.org/debian/ wheezy main
>>
>> deb http://security.debian.org/ wheezy/updates main
>> deb-src http://security.debian.org/ wheezy/updates main
>>
>> # wheezy-updates, previously known as 'volatile'
>> deb http://ftp.fr.debian.org/debian/ wheezy-updates main
>> deb-src http://ftp.fr.debian.org/debian/ wheezy-updates main
>> ==============
> You can only get what the OS supplies with apt-get upgrade. Is there a
> later version of debian available ?
> If there isn't, you may be stuck with 3.6
>
> Rowland

Debian version 8 and 9 are available for the armel architecture, which
includes Kirkwood CPUs. However, distribution upgrades are not performed
with 'apt-get update' alone. You will need to modify
/etc/apt/sources.list to point to a newer release first, then run
'apt-get update ; apt-get dist-upgrade'.

It should be enough to replace every occurrence of 'wheezy' in the
sources.list with 'jessie' to upgrade to Debian 8. If everything works
after that, replace 'jessie' again with 'stretch' and run the
update/dist-upgrade again to upgrade to Debian 9. Don't try to upgrade
from 7 to 9 in one step! You could stick with Debian 8 for a while since
it will continue to get security updates for at least a year or so.

Andreas
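
An added example, not part of the original message: the sources.list edit described above, done on a scratch copy and advanced one release at a time so that a step cannot be skipped. The function names are hypothetical, and the sample file holds the active lines from the sources.list posted earlier in the thread.

```shell
#!/bin/sh
# Added example: advance a copy of sources.list by one Debian release.

# Successor codename, limited to the releases named in the thread.
next_release() {
    case "$1" in
        wheezy) echo jessie ;;
        jessie) echo stretch ;;
        *) return 1 ;;
    esac
}

# Print the single codename used by the active deb/deb-src lines of file $1;
# fail when the file has no active lines or mixes releases.
current_release() {
    awk '$1 ~ /^deb(-src)?$/ { sub("[-/].*", "", $3); seen[$3] = 1 }
         END { n = 0; for (r in seen) { n++; name = r }
               if (n != 1) exit 1
               print name }' "$1"
}

# step_sources IN OUT: write IN to OUT with every codename moved up one release.
step_sources() {
    from=$(current_release "$1") || { echo "mixed or missing codename" >&2; return 1; }
    to=$(next_release "$from")   || { echo "no known successor for $from" >&2; return 1; }
    sed "s/$from/$to/g" "$1" > "$2"
    echo "$from -> $to"
}

# Active lines from the sources.list posted in the thread.
sample_sources() {
    cat <<'EOF'
deb http://ftp.fr.debian.org/debian/ wheezy main
deb-src http://ftp.fr.debian.org/debian/ wheezy main
deb http://security.debian.org/ wheezy/updates main
# wheezy-updates, previously known as 'volatile'
deb http://ftp.fr.debian.org/debian/ wheezy-updates main
EOF
}

work=$(mktemp -d)
sample_sources > "$work/sources.wheezy"
step_sources "$work/sources.wheezy" "$work/sources.jessie"    # wheezy -> jessie
step_sources "$work/sources.jessie" "$work/sources.stretch"   # jessie -> stretch
# On the real host, install one stepped file at a time and run
# 'apt-get update ; apt-get dist-upgrade' before producing the next one.
```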

Re: [3.6.6] nmbd reachable on 0.0.0.0: Safe?

Winfried
Thanks for the infos.

I bit the bullet and upgraded to Debian 8 by following this tutorial.

I'm now a happy Samba 4.2.14 user.