Hi Centos community,
i have a requirement of installing CentOs7 for SFTP service to be published on internet.
for achieving SFTP HA - there was a recommendation from my colleague to mount CIFS/SMB share on CentOs7 server which will be on Internet.
from security perspective is it OK to mount to CIFS/SMB share on CentOs which is on internet ?
Is Mounting SMB/CIFS share secure on SFTP server hosted on Internet
Re: Is Mounting SMB/CIFS share secure on SFTP server hosted on Internet
I dislike "on internet" ... everything either is or is not connected. Although, type of connection can differ.
It seems that you describe three machines:
* Storage server S that shares a volume with SMB/CIFS protocol
* Storage server F that shares a volume with SFTP protocol. The F does access volume of S as SMB/CIFS client
* Client C that will access F with SFTP
The "SFTP" does usually mean "SSH file transfer protocol". The client C will connect to F with SSH.
The F dictates who can be C. F's config sets how easy it is to break in through the SSH that is exposed to "the internet".
The security of the SMB/CIFS connection depends on the network between S and F.
Whether someone can inject a man in the middle between them.
The F, being only a client, is probably smaller target than the S.
It seems that you describe three machines:
* Storage server S that shares a volume with SMB/CIFS protocol
* Storage server F that shares a volume with SFTP protocol. The F does access volume of S as SMB/CIFS client
* Client C that will access F with SFTP
The "SFTP" does usually mean "SSH file transfer protocol". The client C will connect to F with SSH.
The F dictates who can be C. F's config sets how easy it is to break in through the SSH that is exposed to "the internet".
The security of the SMB/CIFS connection depends on the network between S and F.
Whether someone can inject a man in the middle between them.
The F, being only a client, is probably smaller target than the S.
Re: Is Mounting SMB/CIFS share secure on SFTP server hosted on Internet
Hi @Jlehtone, appreciate your prompt response.
Let me give more clarity.
I have installed 2 CentOs VM on DMZ nutanix (hypervisor). And SFTP service (openssh ) is running on both the servers. Keepalived (floating IP) is used for HA & this floating ip is mapped with public IP.
For SFTP data disk I m not using local vmdk storage . I intend to use local NW share to be mounted on both DMZ VM via SMB/CIFS. So that in case one server is down - sftp data will still be accessible from another server.
My query from security perspective is that - is it ok to mount CIFS/SMB share of internal Local Lan windows box on CentOS DMZ VM which is exposed on internet?
If NO, what are the possible vulnerabilities that can be exploited ?
The idea of mapping the local lan NW shared drive onto DMZ sftp server is that - this local lan NW shared drive is mapped to end points VDI. So when users logs into VDI machine , they can access their sftp files from NW shared path instead logging into SFTP
Kazim
Let me give more clarity.
I have installed 2 CentOs VM on DMZ nutanix (hypervisor). And SFTP service (openssh ) is running on both the servers. Keepalived (floating IP) is used for HA & this floating ip is mapped with public IP.
For SFTP data disk I m not using local vmdk storage . I intend to use local NW share to be mounted on both DMZ VM via SMB/CIFS. So that in case one server is down - sftp data will still be accessible from another server.
My query from security perspective is that - is it ok to mount CIFS/SMB share of internal Local Lan windows box on CentOS DMZ VM which is exposed on internet?
If NO, what are the possible vulnerabilities that can be exploited ?
The idea of mapping the local lan NW shared drive onto DMZ sftp server is that - this local lan NW shared drive is mapped to end points VDI. So when users logs into VDI machine , they can access their sftp files from NW shared path instead logging into SFTP
Kazim
Re: Is Mounting SMB/CIFS share secure on SFTP server hosted on Internet
SMBv3 and above is generally a lot better from a security perspective than all previous generations.
From a security perspective I would urge you to think about what happens if the SFTP is compromised, what's the fall out? Let's say that the intruder gains shell level access and can read or reverse the credentials for the CIFS mount, what happens then? Can those credentials be used to get to another node and so on? Can you constrain such a scenario? As an thought, think about SELinux, it is really useful in this kind of scenario.
As another thought, what happens if your CIFS mount goes away? It's supposed to be HA, it may be that's a design limitation, it's up to you.
From a security perspective I would urge you to think about what happens if the SFTP is compromised, what's the fall out? Let's say that the intruder gains shell level access and can read or reverse the credentials for the CIFS mount, what happens then? Can those credentials be used to get to another node and so on? Can you constrain such a scenario? As an thought, think about SELinux, it is really useful in this kind of scenario.
As another thought, what happens if your CIFS mount goes away? It's supposed to be HA, it may be that's a design limitation, it's up to you.