


Re: Not Strictly Linux - How To Do SMB2/SMB3 Efficiently With FreeBSD & Derivatives

From "25B.Z969" <25B.Z969@noda.net>
Newsgroups comp.os.linux.misc
Subject Re: Not Strictly Linux - How To Do SMB2/SMB3 Efficiently With FreeBSD & Derivatives
Date 2022-08-25 01:41 -0400
Organization Aioe.org NNTP Server
Message-ID <te721g$1uu4$1@gioia.aioe.org>
References <Yi2dnVr7RNd5wJn-nZ2dnZfqnPrNnZ2d@earthlink.com> <te287l$2v73v$1@dont-email.me>



On 8/23/22 5:56 AM, The Natural Philosopher wrote:
> On 23/08/2022 05:57, 25B.Z969 wrote:
>> I'd like to build a very secure 'server' based on
>> FreeBSD or perhaps the even more anal OpenBSD  ..
>> and one requirement is to back up several existing
>> NAS systems and float a small DB to assist in
>> searching about 40tb worth of files dating back
>> into the mid 80s - by name/date/type and to some
>> extent content. This is a LOT of stuff and the
>> newer stuff changes quite a bit, quite often, as
>> people move big folders around on the source units.
>> Slow/insecure is NOT an option. SMB1 is OUT. GVFS
>> is OUT.
>>
>> I'm left with hardening Debian, or maybe the Oracle
>> "unbreakable" Linux - but as it's a RH deriv I wonder
>> if it's now all alpha packages since IBM bought out
>> RH, just like Centos. (oh, and that HORRIBLE Gnome
>> desktop & accessory pack - GAK !!!).
>>
>> Any words of wisdom here ???
> 
> Well it all depends.
> 
> Do you want to have the fun and satisfaction of making BSD work by 
> porting later SAMBA code? or is it simply easier to use what is already 
> tried and tested - Linux - and patch round whatever you consider to be 
> its deficiencies?

   I'd *like* BSD to do what I want it to do. But apparently
   it won't without making a major mess.

> When it comes to security, it's never the complicated attack vector that
> gets exploited, unless you have the CIA against you. It's the simple 
> thing like breaking into your office and snapping all the root passwords 
> pinned up on the wall.

   LARGELY true - unless you're a BIG target like a bank
   or fed/defense.

   I keep the master PWs pinned in my brain. In a recent job they
   are kept in a file ON PAPER, in the document safe (in a public
   corridor so nobody could not SEE you in there).

   The file has a mis-leading label and a page from a monthly
   expense report on top. Scratch-out the old lines and fill in
   the next lines with the master PWs for THIS year/month.

   Only The Boss and one IT person know where to look. Physical
   access to the premises and a key to the document safe and to
   KNOW what to look for are all required. THIS is the level
   of paranoia I'm seeing now - and it's driven not so much by
   facts as "perception" driven by news reports and professional
   paranoids (who want you to store it all on THEIR "cloud" which
   they SWEAR is super-duper-secure) ....

   What's next ... the old-fashioned wax seal you have to
   break ?

   This place was NOT a bank, NOT the CIA or DoD. They are
   a NOTHING Target. Yet ...

   BSDs, esp OpenBSD, ARE a bit more secure than Linux. Part of
   that is because they are, um, "less developed" ... Lini love
   to incorporate lots of modern user-friendly features but each
   one theoretically multiplies the vulnerability level. A seriously
   cropped-down Debian or RH is probably as secure as any BSD in
   the ways that count.

   BUT - now we get into "perceptions" ... and certain employers
   heard, somewhere, that BSDs were "more secure" by nature (even
   though in some ways, including that mentioned in the title,
   they aren't), and want to get brownie points by insisting BSDs
   be used in the latest project. Hey, they're signing the
   paychecks, so ..........

> 
> My security mostly consists of backing up what I can't bear to lose, and 
> accepting that the rest is vulnerable to online hacking, and yet, in 11 
> years of RATware and script kiddies knocking on the (open) SSH, SMTP 
> and POP doors, they have never divined the way I organise user names and 
> SUDO security.


   Disk-space is CHEAP these days - losing the IMPORTANT stuff
   is NOT cheap. Multiple and multi-layered backups are the only
   way to go. DO pre-encrypt ANYTHING going to "the cloud" though.
   I trust those people less than the local street-corner
   crackhead .......


> Most of the attempts expect root to be a ssh user. Or user@maildomain to 
> be a pop or smtp login name.

   Oh yea ... I see the hackbots going after THAT stuff
   all the time. 'root' should NEVER be an SSH user or
   mail-server name !

> They are not. 95% security by that very simple means.

   Yep. Also, if possible, edit sshd_config and cut way
   back on the number of tolerated login tries/connections.

> In short I am not an easy target, and they give up.

   Almost ALL of this is done by bots these days. They
   target thousands, millions. Their masters require
   only a tiny percentage of idiot users/IT and they'll
   make their money. Almost none are interested in
   'hard' targets, just those 'soft' targets. Sheer
   volume makes it profitable. The movie hacker who
   spends weeks/months outsmarting ONE system barely
   exists anymore.

> They say  - academics, who are fond of talking out of their anal 
> orifices - that security by obscurity doesn't work.
> 
> It does.

   Agreed. It's now because of the BOTS. They won't waste
   time searching/analyzing 65534 ports for every possible
   service. Always redirect your common external traffic to
   obscure ports. For fun, try something like zenmap and
   have it do the "intensive search" on a remote target.
   Even with gigabit networking that probe can take like
   half an hour. This is NOT time-efficient. The bots
   will look for RDP on the default RDP port, VNC on the
   default VNC port, MS-SQL on the default MS-SQL port
   and a few others. No response, they MOVE ON to the
   next potential victim.

   However the OTHER, human-factor, approaches like the
   poisoned link and "Click Me Now For Big Saving" tricks
   CAN be more useful. The latest plague seems to be
   fake invoices - and some of them LOOK real good (but
   most are so crappy/vague/weird that even the secretarial
   pool can spot 'em). Today's basically boiled-down to
   "Hi ! Please send me your credit-card number." - and
   I bet a thousand targets DID just that ..........

   Ugly is skin deep - but STUPID is to the bone.

   Always make a short-ish e-mail EXPLAINING why the
   mystery mail was "weird" and evil. Half a page max.
   Send it to those who do the most online biz for
   the company. A gentle education. Was a company
   address subtly mis-spelled, ended with an odd
   domain ? Does a link for a 'local' outfit really
   go to Russia ? Does the billing co actually even
   DO what it supposedly wants you to pay for ?

   I keep a Kali VM for interrogating mystery e-mails.
   If it gets destroyed, just make another one ....

> If the key is not under the flowerpot by the front door, but tucked up 
> on a shelf in the woodshed, thieves won't find it, because they will 
> give up and go and look under next door's flower pot instead.
> 
> I got burgled once. Did they pick the expensive door lock? No. They 
> walked round the back and jemmied a (locked) window open.

   Yep, a $19.95 pry-bar from Home Depot will open most ANY
   door ... the $29.95 sledge/wedge will take apart brick walls
   in 30 seconds.

   However an alarm system within CAN be useful. I'd
   suggest multiple Really-High-Decibel alarm sounders
   within - loud enough to HURT and prevent thought ...

   Nobody pays attention to external alarm sounders
   anymore and the cops will FINE you for fake alarms.

   'Security' is mostly an illusion, a game. The perps
   want it to be an EASY game, or they'll go elsewhere.

   But the pointy-haired bosses don't know that.

   If you want to know the latest insanity, read 'Dilbert'.
   Last year the pointy-haired bosses wanted blockchain
   for EVERYTHING because they'd read something about it
   in a managerial-trends blog ......

   And sometimes you just have to bullshit them with
   long technical-sounding buzzwords .........
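
Added example, not part of the original post: a small audit of sshd_config text for the two SSH points made above (no root login over SSH, fewer tolerated login tries/connections). The function names, the thresholds and both sample configs are assumptions constructed for illustration; the defaults are OpenSSH's built-in values.

```python
# Added example; function names and thresholds are illustrative assumptions.
# OpenSSH built-in defaults, applied when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "maxstartups": "10:30:100",
}

def effective_settings(config_text):
    """Global settings as sshd reads them: the first value per keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            break  # everything after Match is a conditional override
        if keyword in DEFAULTS and keyword not in seen and args:
            seen[keyword] = args[0]
    return {**DEFAULTS, **seen}

def audit(config_text, max_tries=3, max_unauth=5):
    """Return findings for root login, auth tries and unauthenticated connections."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"].lower() != "no":
        findings.append(f"PermitRootLogin={s['permitrootlogin']} (want no)")
    if int(s["maxauthtries"]) > max_tries:
        findings.append(f"MaxAuthTries={s['maxauthtries']} (want <= {max_tries})")
    # MaxStartups is "start:rate:full" or one number; 'start' unauthenticated connections are accepted before sshd refuses some.
    start = int(s["maxstartups"].split(":")[0])
    if start > max_unauth:
        findings.append(f"MaxStartups start={start} (want <= {max_unauth})")
    return findings

# Constructed sample inputs, not taken from the post.
WEAK = """# constructed
Port 2222
PermitRootLogin yes
maxauthtries=6
PermitRootLogin no
Match Address 192.0.2.0/24
    MaxAuthTries 2
"""
HARDENED = "PermitRootLogin no\nMaxAuthTries 3\nMaxStartups 3:50:10\n"
if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```

In the weak sample the later `PermitRootLogin no` has no effect because sshd keeps the first value it reads, which is the kind of mistake a quick visual check of the file tends to miss.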
