[silentcreek]

Hi everybody,

first off, I'm new to ArchLinux(ARM) and to setting up servers in general. I got a Pogoplug v3 device and installed ArchLinuchARM on it following the installation guide provided on this website. I like to use the device with a usb harddrive attached as a file server for backups. I only want local access from within my network, no "cloud" functions whatsoever.

So, after the basic installation of ArchLinuxARM I set up Samba with this smb.conf file:
$this->bbcode_second_pass_code('', '[global]
workgroup = WORKGROUP
server string = ArchNAS
security = user
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log file = /var/log/samba/$m.log
max log size = 50
dns proxy = no
disable netbios = yes
hosts deny = 0.0.0.0/0
hosts allow = 192.168.2.0/24
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072

[EXTERNALDRIVE]
path = media/EXTERNALDRIVE/
read only = no
public = no
writeable = yes')

I added a user account to samba and I can logon with it's credentials from my desktop and laptop computer just fine.
Is there anything missing or wrong with my smb.conf file that can cause security issues?
EDIT: Access should be granted only with username and password!

Furthermore, I set up a simple firewall using ufw. The default is deny from everywhere. Then I added two rules so ufw status gives me this:
$this->bbcode_second_pass_code('', '
Status: active

To Action From
__ ______ ____
Anywhere ALLOW 192.168.2.0/24
SSH LIMIT Anywhere
')

Is it safe to say that nobody outside from my network can access my fileserver with this configuration or am I missing something? Of course, I'm aware that there is no absolute saftey except pulling the plug. I just like to know if I should take more measures to secure my fileserver.

Thanks,

Timo

[WarheadsSE]

Unless this device has 137/445 forwarded to it from outside, it won't be visible as samba. I don't see a rule for anything but SSH.

[silentcreek]

Thanks for you reply. Actually my Samba share works just fine (excet for the NETBIOS function which I disabled). And as far as I unterstood the tutorial, my ufw rules should mean this:
By default: deny from all (this you can't see in the status of ufw that I posted)
Allow any traffic (not only SSH) from a client with an ip in the range of 192.168.2.0/24
Limit SSH traffic (which leads to denying requests if an IP has tries to initiate 6 or more connetions within 30s) from all

The commands used to set up the rules were these:
$this->bbcode_second_pass_code('', '# ufw default deny
# ufw allow from 192.168.2.0/24
# ufw limit SSH')

Or did you mean something else?

Timo

[silentcreek]

Oh, and as for the visibility: I directly initiate the connection by accessing $this->bbcode_second_pass_code('', 'net use \\191.168.2.xx\externaldrive
*with 192.168.2.xx being the ip address of my fileserver') from my Windows computer. I don't need the server to show up under networks in Windows Explorer, etc.

[silentcreek]

Oh, now I think I might have misunderstood you.

Did you mean port forwarding from my router? I did not set up any port forwarding on my router since I don't need or want any access from outside. The basic router firewall is active and I didn't change anything there.

[WarheadsSE]

Then I think you are good.

[silentcreek]

Ok, thanks. Semms like setting up Arch and samba was easier than I thought.