Enforce SMBLoris attack protection in default Samba configuration

See https://access.redhat.com/security/vulnerabilities/smbloris for details. There is no recommended value but for IPA DC we can limit with 1000 concurrent connections from unrelated clients. Related: https://pagure.io/freeipa/issue/6951 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-01-11 00:31:56 -06:00 · 2019-04-24 15:03:04 +03:00 · 2019-04-24 15:03:04 +03:00 · b2c5691e73
commit b2c5691e73
parent 4ba888694b
2 changed files with 20 additions and 0 deletions
--- a/install/share/smb.conf.template
+++ b/install/share/smb.conf.template
@ -32,3 +32,4 @@ idmap config * : backend = tdb
 idmap config * : range =  0 - 0
 idmap config $NETBIOS_NAME : backend = sss
 idmap config $NETBIOS_NAME : range = $IPA_LOCAL_RANGE
+max smbd processes = 1000
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -335,6 +335,25 @@ def upgrade_adtrust_config():
    except ipautil.CalledProcessError as e:
        logger.warning("Error updating Samba registry: %s", e)

+    logger.info("[Update 'max smbd processes' in Samba configuration "
+                "to prevent unlimited SMBLoris attack amplification]")
+
+    args = [paths.NET, "conf", "getparm", "global", "max smbd processes"]
+
+    try:
+        ipautil.run(args)
+    except ipautil.CalledProcessError as e:
+        if e.returncode == 255:
+            # 'max smbd processes' does not exist
+            args = [paths.NET, "conf", "setparm", "global",
+                    "max smbd processes", "1000"]
+            try:
+                ipautil.run(args)
+            except ipautil.CalledProcessError as e:
+                logger.warning("Error updating Samba registry: %s", e)
+        else:
+            logger.warning("Error updating Samba registry: %s", e)
+

 def ca_configure_profiles_acl(ca):
    logger.info('[Authorizing RA Agent to modify profiles]')