
I recently realized that my Samba server was exposed for about 3 years to the WAN (ports opened and smbd was listening). I made a mistake when I configured my firewall and failed to check it.

This was the content of my smb.conf:

workgroup = WORKGROUP
dns proxy = no
interfaces = eth2 eth4
bind interfaces only = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
[homes]
    comment = homes
    browseable = no
    valid users = %S
    create mode = 0600
    directory mode = 0700
    writeable = yes
[smb]
    path = /home/smb
    comment = share
    guest ok = no
    force create mode = 0775
    force directory mode = 0775
    writeable = yes
    browseable = yes
    valid users = @smb
    force group = smb
[www]
    path = /www
    comment = nginx
    valid users = admin
    browseable = no
    guest ok = no
    writeable = yes
    force create mode = 0774
    force directory mode = 0774
    force group = www-data

I've briefly reviewed the list of Samba vulnerabilities in recent years and wow ... many possibilities.

The server was updated regularly every 2 weeks.

Should I "nuke my server" and reinstall everything?

There have been no signs of compromise to this day, but I would like to stay safe.

PostMan
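One thing worth checking in the posted file itself, independent of the firewall: with `bind interfaces only = no` the `interfaces` line does not restrict where smbd listens, so the daemon still accepts connections on every address the host has. The following is an added example, not code from the question or the answer: a small Python checker that parses an smb.conf in the shape posted above and reports the settings that widen exposure. The rule set, the severities, and the values in the hardened variant (the `hosts allow` range, the SMB2 floor) are this example's own assumptions, not Samba defaults or anything stated on the page; it complements, rather than replaces, running `testparm` against the real file.

```python
"""Audit an smb.conf for settings that widen network exposure."""
import re

# Constructed input: the global parameters and shares from the posted smb.conf,
# trimmed to the lines the checks below look at.
POSTED_SMB_CONF = """\
workgroup = WORKGROUP
interfaces = eth2 eth4
bind interfaces only = no
server role = standalone server
map to guest = bad user
[homes]
    valid users = %S
    writeable = yes
[smb]
    path = /home/smb
    guest ok = no
    valid users = @smb
    writeable = yes
[www]
    path = /www
    valid users = admin
    guest ok = no
    writeable = yes
"""

# Assumed hardened variant (example values, not from the page): smbd binds only
# to the named LAN interfaces, Samba itself refuses non-LAN clients, unknown
# usernames are rejected instead of mapped to guest, and SMB1 is disabled.
HARDENED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
interfaces = eth2 eth4
bind interfaces only = yes
hosts allow = 127.0.0.1 192.168.10.0/24
hosts deny = ALL
map to guest = never
server min protocol = SMB2
[smb]
    path = /home/smb
    valid users = @smb
    writeable = yes
"""


def _norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalized_param: value}}. Parameters that appear
    before the first [section] header belong to [global], as Samba treats them."""
    sections = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][_norm(key)] = value.strip()
    return sections


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit(sections):
    """Return a list of (severity, section, message) findings."""
    findings = []
    g = sections["global"]
    if "interfaces" in g and not _yes(g.get("bindinterfacesonly", "no")):
        findings.append(("high", "global",
            "interfaces is set but bind interfaces only = no: smbd still listens on every address"))
    if "hostsallow" not in g:
        findings.append(("medium", "global",
            "no hosts allow: client addresses are limited only by the host firewall"))
    if g.get("maptoguest", "never").lower() != "never":
        findings.append(("low", "global",
            f"map to guest = {g['maptoguest']}: unknown usernames get a guest session"))
    if "serverminprotocol" not in g:
        findings.append(("medium", "global",
            "server min protocol unset: the protocol floor is whatever this Samba version defaults to"))
    for name, share in sections.items():
        if name == "global":
            continue
        if _yes(share.get("guestok", "no")):
            findings.append(("high", name, "guest ok = yes: share accessible without a password"))
        writable = share.get("writeable", share.get("writable", "no"))
        if _yes(writable) and "validusers" not in share:
            findings.append(("medium", name, "writeable share with no valid users restriction"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit in one call."""
    return audit(parse_smb_conf(text))


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label} ==")
        for sev, sec, msg in audit_text(conf) or [("ok", "-", "no findings")]:
            print(f"[{sev:6}] {sec:8} {msg}")
```

Against the posted file the checker reports four global findings (the listener, the missing `hosts allow`, the guest mapping, and the unset protocol floor) and nothing per share, since every share already carries `valid users` and denies guests; the hardened variant comes back clean. Parameter names are normalized the way Samba does it (case and whitespace ignored), so `Bind Interfaces Only` and `bindinterfacesonly` match the same rule.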

1 Answer


As with many things in security, it depends. It depends on the risks of not nuking it weighed against the risks of nuking it.

If you want to "stay safe", then the obvious answer is to nuke it. You don't know what you don't know.

However, if the risks of not nuking it (hacker using it as a base of operations and able to read all data) are lower than the risks of nuking it (loss of unrecoverable data), then you should not nuke it until you can mitigate the risks.

What I'm guessing is that you don't want to go through the time costs of nuking it, and you are looking for an excuse not to. That's valid, too! If your time is more valuable than the disclosure of the data to the public and the potential impact of a hacker camping on the machine, then the cost/benefit analysis is clear.

If you are looking for professionals to tell you, "meh, probably nothing happened" then I'm not sure anyone here would take the risk to tell you that or be qualified to make that call.

You had unpatched vulnerabilities for 1 week on average over a 3-year period. There are no known indications of compromise, but you might not be qualified to assess that. That's a lot of unknowns to play with. How lucky do you feel?

schroeder

You are right. I will reset it. The server was also connected to 3 different LANs and 1 VPN tunnel (Windows and Linux machines). Should I reset all machines or would this be an overreaction? How would you proceed? – PostMan Oct 08 '18 at 15:09