
I have installed a Windows machine with update 1909 (build 18363.720, March 2020), on which I try to find vulnerabilities with nmap, and which includes SMB 3.1.1 with the latest fixed bugs. I created a shared folder on this machine and made the various configurations on the firewall so that the shared folder can be accessed from the outside (private, public and domain firewall enabled and let connections access the share if the password is given). Of course with a password complex enough not to be cracked easily.

I then opened the smb port 445 (for smb 3) on my router, which I redirect to the local ip of this machine only.

(I also created a dyndns so that the ip updates of my router are updated automatically.)

So I can access my share from anywhere.

I can already see people coming from afar saying that it's very dangerous to open ports directly on the internet, and they will be right (VPN is better, obviously). But I wouldn't like to have to have a debate about VPN.

"Is it secure enough for a small home system" to reasonably imagine sharing files, media and vacation pictures with colleagues (by explaining to them that they just have to create a network shortcut on the network path of my dyndns), without having to worry about getting hacked in 3 minutes? Of course I will patch my system each time I find it necessary (2 or 3 times a year). It's also an easier way to set up file-sharing without having to install third-party tools like with NAS Synology etc.

Here are my target machine firewall configs associated to port 445

smb port

and here we see that domain, public and private are active

firewall configs

and this is what is displayed when someone tries to connect to my share from the internet (with ubuntu) with a wrong password

smbconnect

I did some tests with nmap in order to find possible flaws in the port I opened. Here are the results with vulscan and nmap-vulner.

Here Nmap-Vulner


Here vulscan: vulscan

Are there other tools which I can test to check the security of the SMB server?

Would it be reasonable to buy extra hardware in order to enhance security?

Otherwise, should I just shut down my smb port and install a VPN with a NAS Synology or other hardware?

schroeder
Andy McRae
  • The issue isn't really about whether or not the password is sufficiently secure. It is about whether or not you can close the port before a zero-day vulnerability gets disclosed publicly. And whether or not you'd been pwned before that zero-day had been disclosed. – roaima Jun 29 '20 at 19:20
  • I wouldn't be comfortable exposing NMB/SMB traffic to the open internet. https://superuser.com/questions/311658/make-a-network-drive-available-over-the-internet. This one too - https://arstechnica.com/civis/viewtopic.php?f=17&t=1435021. – slm Jun 29 '20 at 19:42
  • potential duplicate: https://security.stackexchange.com/questions/155169/is-it-risky-to-allow-smb-traffic-to-the-internet – schroeder Jun 29 '20 at 20:25
  • I also offer this recent news: https://redmondmag.com/articles/2020/03/11/microsoft-security-advisory-smb-3.aspx – schroeder Jun 29 '20 at 20:28
  • I'm not going to suggest a VPN nor NAS Synology, but rather, the obvious: Google Drive/Dropbox/Box/Github/etc/etc. – schroeder Jun 29 '20 at 20:31
  • Thanks for all the comments. I've read the links you've sent me. I've read about the 'Critical' SMB 3 flaw, where "The exploit also can be triggered on Windows clients by convincing users to connect to "a malicious SMBv3 Server"". So I've already executed a script for "disabling SMBv3 compression" in my server's registry. Thanks schroeder for the input. The reason I try to make my own SMB server is because I want to get out of the "big boys" (Google, etc.) cloud system. I don't want them to have all my files stored. But thanks. I will probably have to set up an SSH system like suggested in a post – Andy McRae Jun 30 '20 at 09:33
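A read-only audit of the settings this thread keeps returning to (the SMBv3 compression registry workaround, the SMB server configuration, the inbound firewall rules for port 445, and patch recency), as an added example that is not part of the original question or comments. It assumes an elevated PowerShell session on the Windows host and the built-in SmbShare and NetSecurity cmdlets; the findings list and its wording are illustrative.

```powershell
# Added example: read-only check of an SMB host's exposure-related settings.
# Nothing here changes configuration; run elevated on the machine serving the share.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. SMBv3 compression workaround: DisableCompression = 1 means server-side compression is off.
$comp = (Get-ItemProperty -Path $params -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression

# 2. SMB server protocol, signing and encryption settings.
$cfg = Get-SmbServerConfiguration

# 3. Enabled inbound allow rules that cover TCP 445, with their profiles and remote scope.
#    (Rules that only list a port range are not matched by this simple check.)
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    if ($port.Protocol -in 'TCP', 'Any' -and
        ($port.LocalPort -contains '445' -or $port.LocalPort -contains 'Any')) {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
}

# 4. Most recently installed update, to compare against a monthly patch cadence.
$lastPatch = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1

# Collect findings instead of failing on the first one.
$findings = @()
if ($comp -ne 1)                        { $findings += 'DisableCompression is not set to 1' }
if ($cfg.EnableSMB1Protocol)            { $findings += 'SMB1 is enabled on the server' }
if (-not $cfg.RequireSecuritySignature) { $findings += 'SMB signing is not required' }
if (-not $cfg.EncryptData)              { $findings += 'SMB encryption is not enabled server-wide' }
foreach ($r in $rules) {
    if ($r.RemoteAddress -eq 'Any') {
        $findings += "Rule '$($r.Rule)' allows TCP 445 from any address (profiles: $($r.Profile))"
    }
}
if ($lastPatch.InstalledOn -lt (Get-Date).AddDays(-35)) {
    $findings += "Last update $($lastPatch.HotFixID) installed $($lastPatch.InstalledOn)"
}

$rules | Format-Table -AutoSize
$findings
```

A rule with `RemoteAddress` of `Any` on the Public profile is the configuration the question describes; scoping that rule to known addresses or to a VPN subnet is what removes the host from Internet-wide reach.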

2 Answers


All your questions have nothing to do with Unix but I guess you want an input from experts so here it goes.

  1. It's secure as long as your password is complex enough and your Windows system is patched and rebooted immediately as soon as Microsoft releases a new Windows update and that happens each month. Updating your system 3-4 times a year like you said is a very bad idea.

  2. There are security scanners like XSpider. nmap is mostly used for open ports and services discovery - it's not a security scanner.

  3. Extra hardware is unlikely to help you if you have CIFS ports exposed to the entire Internet. What could help you is putting your Windows host in a DMZ or in a VM to minimize the damage to other hosts in your LAN in case this particular PC gets hacked into.

Artem S. Tashkinov
  • Thanks for the input. I will at first patch my system every month, but like suggested in the comments above, I will probably have to set up SSH (or VPN) soon. One thing about XSpider is that I've checked their website and I did not find any small tool or security checker. I only found a bbs.ptsecurity checker for websites. It seems that they make some expensive software for companies. So nothing really related to my "home svr" concerns. Probably suggesting some Kali Linux tools would have been interesting. And nmap is actually far more than just an open ports scanner. – Andy McRae Jun 30 '20 at 09:46

It is too risky to expose this protocol in a public network. There is a similar question that goes the other way around: is there any reason to allow smb traffic over the Internet?

SMB has been consistently and successfully attacked over the years, and some of the exploits have even got their own name, website and/or theme song, like EternalBlue, SMBGhost or SMBleed. This occurs again and again. Why expose your assets? Even if you patch the server, or if you use some dedicated commercial hardware, it will likely be found to be vulnerable to some new attack.

The solution of using a VPN to encrypt SMB traffic is better; in that case, your port should not be exposed. There are other solutions, like using other protocols altogether, such as SSH.

ram0nvaldez