# besides updating, config, and firewall, what else can I do to secure Samba?



## Swapjim (Dec 13, 2015)

I've installed Samba 4.2 (the net/samba42 package) and I keep it up to date.

I only allow LAN hosts in the smb4.conf:


```
[global]
hosts allow = 127.0.0.1 localhost 10.0.0.0/24
hosts deny = 0.0.0.0/0
```
and I've opened the Samba ports only to LAN.

I trust all LAN clients not to crack my server and there is a username and password feature so that a friend that connects on the LAN (rare but happens) with his laptop will not accidentally see personal stuff.

Is there anything else I can do?


----------



## Swapjim (Dec 25, 2015)

Nothing?! So I'm good?


----------



## tingo (Dec 25, 2015)

Well, you can always run a scan for open ports / services from an (trusted) online service outside of your network to see if you find anything else that you think should be secured / turned off.
AFAICT, you have done the right things; exposing services only to you local network, only allowing access from machines on your local network, and requiring authentication for accessing services.


----------



## Swapjim (Dec 30, 2015)

Well, nice to hear! I'm always anxious about what I can do to make things even better.

An nmap scan on my external IP from the FreeBSD machine itself will not cut it, eh?

I think I can get my computer scanned with nmap from an external (on WAN) machine I can trust.

Thank you!


----------

