We have a Samba share on a CentOS 6 machine.
Question: Can we mount this Samba 3 share over the internet? (without VPN/SSH tunnel, so directly!)
It depends on some aspects of the protocols and implementations. NetBIOS/NetBEUI is not routable at all, and it works by sending broadcasts. Workgroups, domain joining, browsing, hostname updates and other features of the SMB suite will be restricted to your network due to those limitations. It shall work in a local network environment but not over TCP/IP. However, to overcome this issue, NBT (NetBIOS over TCP/IP) and WINS servers were implemented so that things like hostname updates could be done on larger networks where routing is needed.
SMB itself is just an upper-layer protocol (presentation & application), and it will consume lower-layer protocol (network, transport, session) services. It will work across networks, but it heavily depends on the implementation/version of SMB you are using, and the operating system.
The Good:
The Bad:
The Ugly:
445/tcp)
tl;dr: It's better to use other protocols like WebDAV, sftp, scp or ftp.
Yes, I once successfully accessed a Samba share over the Internet by enabling 4 ports in the firewall: 137, 138, 139, 445.
Obviously, it was a test system. Don't try this at home. Samba is something that should not be accessible from the public Internet.
Instead, you could just use SSH (as suggested). FTP isn't that much better as it's not encrypted by default.
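A defensive check for the exposure this answer warns about, as an added example that is not part of the original answer: it reads socket listings in the layout printed by `ss -tuln` and reports listeners on ports 137, 138, 139 and 445 that are not bound to a loopback or internal address. The sample listing, the `INTERNAL` ranges and the function names are assumptions made for the illustration.

```python
import ipaddress

# Ports named in the answer above, with their standard service names.
SMB_PORTS = {137: "NetBIOS name", 138: "NetBIOS datagram",
             139: "NetBIOS session", 445: "SMB over TCP"}
# RFC 1918, link-local and IPv6 unique-local ranges count as internal here.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed sample in the layout printed by `ss -tuln` (not from a real host).
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      192.168.1.10:137   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:138        0.0.0.0:*
tcp   LISTEN 0      50     127.0.0.1:139      0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      50     [::]:445           [::]:*
tcp   LISTEN 0      50     203.0.113.7:139    0.0.0.0:*
"""

def scope(addr):
    """Classify a bind address by how widely it is reachable."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "internal" if any(ip in net for net in INTERNAL) else "routable"

def audit(ss_output):
    """Return (proto, addr, port, scope) for SMB sockets not bound to loopback/internal."""
    findings = []
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue                      # header line or unrelated socket type
        addr, _, port = f[4].rpartition(":")
        addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets, zone/device
        if int(port) in SMB_PORTS:
            s = scope(addr)
            if s in ("all-interfaces", "routable"):
                findings.append((f[0], addr, int(port), s))
    return findings

if __name__ == "__main__":
    for proto, addr, port, s in audit(SAMPLE):
        print(f"{proto}/{port} ({SMB_PORTS[port]}) bound to {addr}: {s}")
```

A socket flagged as `all-interfaces` is only reachable from outside if the firewall also passes the port, so the result is a list of bindings to review alongside the firewall rules.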
With the right ports open on the firewall, one could mount and access a CIFS/SMB share over the internet. Just look at the SMB share opened at \\live.sysinternals.com\Tools, for example.
One should never open Samba to an untrusted network, since a lot of malware and infosec tools can use SMB as an attack vector. Because of this, one really should use sftp with chroot jails, fail2ban, and pubkey-only authentication.
Honestly, I would strongly suggest looking into using iSCSI LUNs or NFSv4 and IPsec to access one's remote storage over a secured VPN instead of using Samba.