Securing Samba

[Donboy]

I have Samba up and running fine, however I want to be sure my server is very secure. When I run...

netstat -tanup | grep LISTEN

I see that it's listening on all interfaces (0.0.0.0).

However, in the smb.conf file, I have...

hosts allow = 192.168.0. 127.

So to my understanding, this should effectively stop any connections from those other than my LAN. Is this secure enough? From what I've been reading, I believe that it would be safer to have the service NOT listening to anything other than 192.168.0 instead of 0.0.0.0.

So my question is... is what I have safe enough? Do I need to change something so that it's not listening on 0.0.0.0 or will the "hosts allow" directive take care of everything? If I need to change it, can somebody explain what I need to change so it will only listen for connections from my LAN?

Thanks in advance.

 

[onepair]

You can also tell it which IP to listen on .

interfaces = 192.168.1.2
bind interfaces only = yes

 

[Donboy]

Hmmm... it doesn't seem to be working. I've got...

interfaces = 192.168.0.100
bind interfaces only = yes

And when I restart samba, I can't connect from 192.168.0.100. I get some error in Windows when I try to connect to the mapped drives, but as soon as I go back and comment out those lines again and restart Samba, I can connect again.

Any advice? Must be some bonehead thing I'm doing wrong.

 

[winxpert]

These are my security settings, they go on the global

[global]
...
hosts allow= 192.168.1.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
valid users = @smbusers
interfaces = eth* lo
...