Focus on Microsoft
Shared drives through a firewall Mar 22 2007 02:01AM
aeheald gmail com (4 replies)
Re: Shared drives through a firewall Apr 17 2007 08:53AM
Nicolas RUFF (nicolas ruff gmail com) (1 replies)
RE: Shared drives through a firewall Apr 17 2007 01:40PM
Jim Harrison (Jim isatools org)
RE: Shared drives through a firewall Mar 22 2007 01:54PM
mcclenbw oneonta edu
Re: Shared drives through a firewall Mar 22 2007 01:44PM
Mailing Sécurité Focus (mailingsecurite maisonlaprise com)
RE: Shared drives through a firewall Mar 22 2007 01:41PM
Jim Harrison (Jim isatools org) (1 replies)
Re: Shared drives through a firewall Mar 22 2007 05:14PM
James (njan) Eaton-Lee (james mailing gmail com) (1 replies)
RE: Shared drives through a firewall Mar 22 2007 07:15PM
mcclenbw oneonta edu (1 replies)
Re: Shared drives through a firewall Mar 22 2007 08:14PM
James (njan) Eaton-Lee (james mailing gmail com)
mcclenbw (at) oneonta (dot) edu wrote:
> True, SSH and WebDAV are better options, but that's changing the topic.
> I'm guessing since it's an "untrusted server" that someone else is
> administering it. So using a different protocol probably isn't an
> option.

Maybe.. sometimes the best solution to an awkward problem is to rewrite
the problem. The OP did ask for "ammunition", too - an easy, securer
alternative way of transferring files certainly seems like
anti-SMB-over-the-internet ammunition to me! :)

I've had success in rewriting the problem such that I could deploy
WebDAV on a number of occasions in the past where SMB or FTP were being
considered for file transfer.

It sells quite well in this respect based on the fact that it has great
client support (better than SCP/SFTP) and in both the Linux and Windows
worlds very rarely requires any extra software for anyone who already
has any web infrastructure in place. At worst, the extra software is an
Apache module..

> As far as being less likely to draw attention from attackers than
> opening up SMB ports, the key here is to only open SMB ports to allow
> communication between the server and client. Don't just open SMB ports
> to the world because you need to communicate with one IP address on the
> other side of your firewall. That's as silly as opening all ports on a
> server, just because you need one open.

Agreed - but in most scenarios, opening up SMB, even to quasi-trusted
partners or clients over a WAN isn't ideal either way; too many holes
that go too deep for my liking, and they're holes that (unlike
HTTP(S)/WebDAV) generally can't be partially mitigated with
application-layer filtering.

The addition of IP / IP Range filtering makes this scenario less awful,
but not unawful, imo. :)

- James.

--
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

"The universe is run by the complex interweaving of three
elements: Energy, matter, and enlightened self-interest." - G'Kar

https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
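
The source-restriction point debated in this message, as an added example that is not part of the original post: a small audit that lists which allow rules admit SMB/NetBIOS ports and how broad each source is. The rule tuple format, rule names and addresses are constructed for illustration; the port numbers are the well-known assignments.

```python
import ipaddress

# Well-known ports for NetBIOS name/datagram/session services and SMB over TCP.
SMB_PORTS = (137, 138, 139, 445)

# Constructed sample ruleset (not from the thread): name, action, source, (low, high) port.
RULES = [
    ("partner-smb", "allow", "203.0.113.10/32", (445, 445)),
    ("branch-netbios", "allow", "198.51.100.0/24", (137, 139)),
    ("legacy-any", "allow", "0.0.0.0/0", (1, 65535)),
    ("v6-smb", "allow", "::/0", (445, 445)),
    ("web", "allow", "0.0.0.0/0", (443, 443)),
    ("drop-smb", "deny", "0.0.0.0/0", (445, 445)),
]

def classify_source(cidr):
    """Grade how broad a source is: one host, a range, or the whole internet."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "world"
    return "host" if net.num_addresses == 1 else "range"

def audit_smb_exposure(rules):
    """List allow rules that admit any SMB/NetBIOS port, with source breadth.

    Rule ordering and protocol (TCP vs UDP) are not modelled; each rule is judged alone.
    """
    findings = []
    for name, action, source, (low, high) in rules:
        if action != "allow":
            continue
        ports = [p for p in SMB_PORTS if low <= p <= high]
        if ports:
            findings.append((name, classify_source(source), ports))
    return findings

if __name__ == "__main__":
    for name, breadth, ports in audit_smb_exposure(RULES):
        print(f"{breadth:5} {name:15} exposes {ports}")
```

An "any port" rule such as `legacy-any` is reported alongside the explicit SMB rules, since it opens the same ports without naming them.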
Copyright 2010, SecurityFocus