How to protect Samba from the SambaCry exploit
You’ve already heard of WannaCry, a ransomware attack that can lock down data on Windows machines. This particular exploit comes by way of an SMB vulnerability. Naturally, if you use Linux you know about Samba; but did you also know that, according to CVE-2017-7494:
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
For anyone who has to administer Samba servers, you probably want to know what can be done, immediately, to prevent this vulnerability from affecting your systems. Fortunately, Debian has already pushed out a patch for this problem (see DSA-3860-1 samba) and the official Samba patch can be found here. As long as you’re running the Debian version of Samba >= 2:4.2.14+dfsg-0+deb8u6, or Samba 4.6.4, 4.5.10, or 4.4.14, you’re good to go.
But what else can you do to better protect your Samba shares? I have two tips that will go a very long way to prevent the likes of SambaCry from taking down your data.
Never open your shares to the public
Samba shares should never be made available to the public. If you’re sharing out directories with SMB, those shares should only be made available to your private LAN. There’s a handy option in the /etc/samba/smb.conf file that restricts connections to certain IP addresses. If you add hosts allow = IP_ADDRESS (where IP_ADDRESS is either a single address or a range of addresses) to the [global] section, you can easily limit connections to your Samba shares to your internal LAN. Say you need to limit connections to your entire 192.168.1.x network. To accomplish this, add the following line under the Networking section of /etc/samba/smb.conf (that section is part of [global]):
hosts allow = 192.168.1.
Save and close the file and then restart Samba.
If you know of IP addresses that have attempted to breach your network, you can make use of the hosts deny option like so:
hosts deny = X.X.X.X
Where X.X.X.X is an actual IP address you need to block.
You can also combine those like so:
hosts deny = ALL
hosts allow = 192.168.1.
The above would block all addresses, except for those defined in the hosts allow statement.
Another thing you can do is disable SMBv1 on your Linux servers that share via the SMB protocol. To do this, open up the /etc/samba/smb.conf file for editing and append the following statements at the end of the [global] section:
server min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10
Once you’ve added those lines, save and close the file, and restart Samba with the following command:
sudo systemctl restart smbd
The addition of the above statements shouldn’t prevent your clients from logging into their shares. However, if you have Windows XP clients, they could present issues.
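Both changes described above (the hosts allow / hosts deny restriction and the SMB1 cut-off) can be verified without touching a running server by parsing the [global] section of smb.conf. The script below is an added example written for this article, not the article’s own or Samba’s code; testparm is the canonical checker on a real host, but this runs offline over two constructed smb.conf fragments (one open, one hardened) using only awk. Note that of the three protocol settings, only server min protocol governs what smbd will accept from clients; client min protocol and client max protocol apply to Samba’s own outgoing connections (smbclient, winbind), which is why the audit keys on server min protocol alone.

```shell
#!/bin/sh
# Added example: audit the [global] section of an smb.conf for the two
# hardening steps in the article. The two configs below are constructed
# samples, not real server files.
WEAK_CONF='[global]
   workgroup = WORKGROUP
   server string = %h server

[public]
   path = /srv/samba/public
   writable = yes
'

HARDENED_CONF='[global]
   workgroup = WORKGROUP
   hosts deny = ALL
   hosts allow = 192.168.1. 127.
   server min protocol = SMB2_10
   client max protocol = SMB3
   client min protocol = SMB2_10

[public]
   path = /srv/samba/public
   writable = yes
'

# Print the value of one parameter from [global] of the smb.conf on stdin.
# Section and key matching is case-insensitive; comment lines (# or ;) are
# skipped; as in Samba, the last definition wins. Prints nothing if unset.
smb_global_value() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ {
            in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/)
            next
        }
        in_global && index($0, "=") {
            key = $0; sub(/=.*/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=/, "", val)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                found = val
            }
        }
        END { print found }'
}

# 0 if "hosts allow" names specific hosts/networks. Samba refuses every
# address that is not listed once hosts allow is set, so a non-empty list
# that is not a bare ALL is a restriction on its own.
hosts_restricted() {
    allow=$(printf '%s\n' "$1" | smb_global_value "hosts allow" | tr 'a-z' 'A-Z')
    [ -n "$allow" ] && [ "$allow" != "ALL" ]
}

# 0 if smbd will refuse SMB1 dialects. Unset means the default, which in the
# Samba releases of this era (before 4.11) still accepted SMB1.
smb1_disabled() {
    minp=$(printf '%s\n' "$1" | smb_global_value "server min protocol" | tr 'a-z' 'A-Z')
    case "$minp" in
        SMB2|SMB2_*|SMB3|SMB3_*) return 0 ;;
        *) return 1 ;;   # unset, NT1, LANMAN1/2, CORE, COREPLUS
    esac
}

# Report both checks; returns 0 only when both pass.
audit_smb_conf() {
    rc=0
    if hosts_restricted "$1"; then
        echo "OK   hosts allow limits clients to: $(printf '%s\n' "$1" | smb_global_value 'hosts allow')"
    else
        echo "WARN no hosts allow: shares reachable from any address"; rc=1
    fi
    if smb1_disabled "$1"; then
        echo "OK   SMB1 refused (server min protocol)"
    else
        echo "WARN SMB1 still accepted: set server min protocol = SMB2_10"; rc=1
    fi
    return $rc
}

echo "--- weak config ---";     audit_smb_conf "$WEAK_CONF" || echo "needs attention"
echo "--- hardened config ---"; audit_smb_conf "$HARDENED_CONF" || echo "needs attention"
# On a real host:  audit_smb_conf "$(cat /etc/samba/smb.conf)"
```

The parser only reads [global]; per-share hosts allow entries are possible in Samba but the article’s advice is to restrict at the global level, which is what a reviewer would want enforced before looking at individual shares.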
Update, update, update
Remember, WannaCry attacks a vulnerability in the Windows implementation of the SMB protocol, not the protocol itself. Because of this, the Linux implementation of the SMB protocol is immune to the attack. That applies only to this particular strain of the malware. Who’s to say a new version of the attack won’t be found in the wild that affects Linux systems? To that end, you must make sure you are keeping all of your systems up to date, be they Windows, Linux, or Mac. Keeping your servers and clients as up to date as possible will go a long way toward preventing you from getting caught by a vulnerability. Yes, it might be a hassle, but succumbing to the likes of WannaCry is far more problematic than an update or upgrade.
Do everything you can
This isn’t a perfect solution, and it’s only a matter of time before a piece of malicious code takes down SMBv3 as well. Even so, you must be diligent and do everything in your power to prevent such an attack. With just a bit of work, you can help secure your Samba shares from falling prey to the likes of SambaCry.