Secure Remote Samba Access: SSH Tunneling vs Port Forwarding for Linux Admins



Forwarding Samba ports (TCP 139/445) directly to the internet is like leaving your front door unlocked in a bad neighborhood. SMB has a notorious vulnerability history (EternalBlue, the SMBv1 exploit WannaCry used to spread in 2017, is the best-known case). Even a current, fully patched Samba exposes its whole authentication surface when those ports are public: every account can be password-guessed from anywhere, and the next implementation bug is remotely reachable the day it is found.

An SSH tunnel wraps the SMB session in SSH's encryption and, more importantly, requires SSH authentication before a client can reach port 445 at all. Here's how to set it up properly:


# Local port forwarding example (client-side).
# -N: run no remote command; -f: go to the background once authenticated.
# Port 4450 is bound on the client's loopback only (the default), so other
# hosts on your LAN cannot use the tunnel.
ssh -L 4450:localhost:445 username@samba-server.example.com -N -f

# Then mount through the tunnel. mount.cifs takes the port as an option
# (//host:port/share is not valid), and a credentials file with mode 0600
# keeps the password out of the command line and out of ps output.
sudo mount -t cifs //localhost/sharename /mnt/remote -o port=4450,credentials=/etc/smb-credentials

For production environments, harden your SSH setup:


# /etc/ssh/sshd_config on server
# A non-default port only cuts scanner noise; the real controls are the lines below it.
Port 2222
PermitRootLogin no
# Keys only (PubkeyAuthentication is on by default)
PasswordAuthentication no
AllowUsers samba_admin
# The tunnel account may forward only to the local Samba port, nothing else
PermitOpen localhost:445
AllowAgentForwarding no

Pair this with key-based authentication (mandatory once PasswordAuthentication is off) and fail2ban or ufw's rate limiting on the SSH port to slow credential guessing. Reload sshd after editing, and keep an existing session open until you have confirmed that a fresh login still works.

When many users or machines need the share, a VPN scales better than one SSH tunnel per user:

  • WireGuard VPN (in the mainline kernel since 5.6) for high performance
  • OpenVPN with TLS certificate authentication
  • Tailscale for zero-config mesh networking

If the tunneled mount fails with "Connection refused", smbd is usually not listening on the loopback address the tunnel forwards to. Bind it there explicitly, which also stops it answering on the public interface at all:


# /etc/samba/smb.conf, [global] section: listen on loopback only
interfaces = lo
bind interfaces only = yes
# The tunnel forwards only 445, so do not offer NetBIOS-over-TCP (139) either
smb ports = 445
# then: sudo systemctl restart smbd && ss -ltnp | grep smbd   (expect 127.0.0.1:445 only)
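A check to go with this: confirm on the server that smbd really listens on loopback only. The following is an added example, not code from the original page. It parses `ss -ltn` output and reports any listener on 139 or 445 whose address is not loopback; the sample output embedded for the demo is constructed, not a real capture.

```bash
#!/usr/bin/env bash
# Audit listening TCP sockets for SMB ports reachable from beyond loopback.
# Added example, not code from the original page.
set -eu

# Read `ss -ltn` output (header optional) on stdin; print the local
# address:port of every listener on 139/445 whose address is not loopback.
# Output is empty when the server is correctly bound to lo only.
exposed_smb_listeners() {
  awk '
    $1 == "State" { next }                       # column header line
    {
      addr = $4                                  # "Local Address:Port" column
      n = split(addr, parts, ":")
      port = parts[n]                            # text after the last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (port != "139" && port != "445") next
      if (host == "127.0.0.1" || host ~ /^127\./ || host == "[::1]") next
      print addr                                 # 0.0.0.0, *, [::] or a real IP: exposed
    }'
}

# Live check on this machine; exit status 1 when something is exposed.
audit_smb_exposure() {
  exposed=$(ss -ltn | exposed_smb_listeners)
  if [ -n "$exposed" ]; then
    printf 'SMB reachable off-host on:\n%s\n' "$exposed" >&2
    return 1
  fi
  echo "SMB ports bound to loopback only"
}

# Constructed sample in ss format (not a real capture): one correct
# listener, a NetBIOS port on all IPv4 addresses, and 445 on all IPv6.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     127.0.0.1:445     0.0.0.0:*
LISTEN 0      50     0.0.0.0:139       0.0.0.0:*
LISTEN 0      128    [::]:22           [::]:*
LISTEN 0      50     [::]:445          [::]:*
LISTEN 0      50     [::1]:139         [::]:*'

# Runs the parser over the sample; expected output: 0.0.0.0:139 and [::]:445
demo() { printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_smb_listeners; }
```

Run `audit_smb_exposure` after the smb.conf change and again after any Samba upgrade; the two lines `demo` prints are exactly the misconfigurations the `interfaces`/`bind interfaces only` settings above remove.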

Permission errors after a successful mount are usually an identity mismatch: the SSH key authenticates the tunnel account (samba_admin above), but the share is accessed as the Samba user named in the mount options, who needs a Samba password (smbpasswd -a), must be allowed by the share's valid users / read only settings, and must have filesystem permissions on the exported directory.


Exposing Samba (SMB/CIFS) ports directly to the internet (TCP 139/445) is strongly discouraged because it means:

  • Every Samba account can be password-guessed from anywhere, and SMB implementations have a long CVE history, so any new bug is reachable remotely
  • Legacy protocol weaknesses such as NTLMv1 authentication remain exploitable wherever old clients or settings still allow them
  • Worms spread this way (WannaCry in 2017)

An encrypted SSH tunnel is the professional approach. Here's how it works: ssh binds a port on the client and relays anything sent to it, inside the SSH session, to port 445 on the server's own loopback, so SMB never crosses the network in the clear and the server never needs a public SMB port:


# Basic SSH tunnel for Samba
ssh -L 1445:localhost:445 user@your-server.com

Then mount using localhost port 1445:


# prompts for the Samba password of user xxx; port= selects the tunnel's local end
sudo mount -t cifs //localhost/sharename /mnt/point -o port=1445,username=xxx

For a tunnel that is reusable and notices a dead connection, define it in ~/.ssh/config:


# ~/.ssh/config
Host samba-tunnel
    HostName your-server.com
    User remoteuser
    # local 1445 -> port 445 on the server's loopback
    LocalForward 1445 127.0.0.1:445
    # probe every 60 s; give up after 3 missed replies so a dead tunnel exits
    ServerAliveInterval 60
    ServerAliveCountMax 3
    # fail instead of silently running a session without the forward
    ExitOnForwardFailure yes
# start it with: ssh -N -f samba-tunnel
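The tunnel-and-mount procedure above (and the port-4450 variant earlier on the page) as one script. This is an added example, not code from the original page: it refuses a credentials file that other users can read, brings the tunnel up with ExitOnForwardFailure so a failed bind is a hard error rather than a silent no-op, mounts through it, and tears both down again via an ssh control socket. The host, user, share, port, mount point and credentials path are placeholder assumptions; override them in the environment.

```bash
#!/usr/bin/env bash
# smb-tunnel.sh: bring up the SSH tunnel, mount the share through it, and tear
# both down again. Added example, not code from the original page. All values
# below are placeholders (assumptions); override them in the environment.
set -eu

SSH_TARGET="${SSH_TARGET:-remoteuser@your-server.com}"
SSH_PORT="${SSH_PORT:-22}"
LOCAL_PORT="${LOCAL_PORT:-1445}"                 # local end of the tunnel
SHARE="${SHARE:-sharename}"
MOUNT_POINT="${MOUNT_POINT:-/mnt/point}"
CRED_FILE="${CRED_FILE:-/etc/smb-credentials}"   # two lines: username=... / password=...
CTL_SOCK="${CTL_SOCK:-${XDG_RUNTIME_DIR:-/tmp}/smb-tunnel.ctl}"  # ssh control socket

# Refuse a credentials file that anyone but its owner can read: mount.cifs only
# warns about this, and the password would otherwise be readable by every
# local user. Returns 0 for an existing regular file with mode 0600 (GNU stat).
check_cred_file() {
  [ -f "$1" ] || { echo "credentials file $1 missing" >&2; return 1; }
  mode=$(stat -c %a "$1")
  [ "$mode" = 600 ] || { echo "$1 has mode $mode; fix with: chmod 600 $1" >&2; return 1; }
}

tunnel_up() {
  check_cred_file "$CRED_FILE"
  # -f -N: go to the background after authenticating, run no remote command.
  # ExitOnForwardFailure=yes: if 127.0.0.1:LOCAL_PORT cannot be bound, ssh
  # exits non-zero instead of leaving you with a session and no tunnel, so
  # a zero exit status really means the forward is in place.
  # -M -S: create a control socket so tunnel_down stops exactly this process.
  ssh -f -N -M -S "$CTL_SOCK" -p "$SSH_PORT" \
      -o ExitOnForwardFailure=yes \
      -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
      -L "127.0.0.1:${LOCAL_PORT}:127.0.0.1:445" \
      "$SSH_TARGET"
  # mount.cifs takes the port as an option; //host:port/share is not valid.
  if ! sudo mount -t cifs "//127.0.0.1/${SHARE}" "$MOUNT_POINT" \
        -o "port=${LOCAL_PORT},credentials=${CRED_FILE},uid=$(id -u),gid=$(id -g)"; then
    echo "mount failed; closing the tunnel again" >&2
    ssh -S "$CTL_SOCK" -O exit "$SSH_TARGET"
    return 1
  fi
  echo "//127.0.0.1/${SHARE} mounted on ${MOUNT_POINT} through the tunnel"
}

tunnel_down() {
  sudo umount "$MOUNT_POINT" || true       # may already be unmounted
  ssh -S "$CTL_SOCK" -O exit "$SSH_TARGET" # stopping the master closes the forward
}

case "${1:-}" in
  up)   tunnel_up ;;
  down) tunnel_down ;;
  "")   ;;                                 # no arguments: just define the functions
  *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

Usage: `./smb-tunnel.sh up` then `./smb-tunnel.sh down`. If you keep the `Host samba-tunnel` alias from the config block above, the `ssh` call can shrink to `ssh -f -N -M -S "$CTL_SOCK" samba-tunnel`; the explicit flags are spelled out here so the script stands on its own.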

When many users need the share, a VPN scales better than per-user tunnels:

  • WireGuard VPN setup
  • OpenVPN with TLS authentication
  • Tailscale mesh network

To mount at boot, create a systemd mount unit. The file name must encode the mount path (/mnt/smb becomes mnt-smb.mount), and because the share is reached through the tunnel, the unit must be ordered after whatever service keeps that tunnel up; network-online.target alone only guarantees the network, not the forwarded port:


# /etc/systemd/system/mnt-smb.mount
[Unit]
Description=Samba Mount
Requires=network-online.target
After=network-online.target
# Add Requires=/After= lines for the service that runs the SSH tunnel

[Mount]
# the tunnel's local end; port= must match the LocalForward above
What=//127.0.0.1/share
Where=/mnt/smb
Type=cifs
# credentials file: "username=..." and "password=..." lines, root-owned, mode 0600;
# uid/gid present the files as local user 1000
Options=port=1445,credentials=/etc/smb-credentials,uid=1000,gid=1000

[Install]
WantedBy=multi-user.target
# then: sudo systemctl daemon-reload && sudo systemctl enable --now mnt-smb.mount
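The tunnel dependency made concrete, as an added example rather than the page's own configuration: a supervised systemd service for the tunnel and a drop-in that binds the mount unit above to it. The unit name smb-tunnel.service, the system user smbtunnel, and the samba-tunnel ssh alias (the `Host samba-tunnel` block from earlier, expected in that user's ~/.ssh/config) are assumptions. The functions write the files into a directory you choose so you can inspect them before installing.

```bash
#!/usr/bin/env bash
# Supervise the SSH tunnel with systemd and order the cifs mount after it.
# Added example, not configuration from the original page. Assumed names:
# smb-tunnel.service, system user "smbtunnel", ssh alias "samba-tunnel".
set -eu

# Write the tunnel service into directory $1 (normally /etc/systemd/system).
write_tunnel_service() {
  cat > "$1/smb-tunnel.service" <<'EOF'
[Unit]
Description=SSH tunnel to Samba (127.0.0.1:1445 -> server port 445)
Wants=network-online.target
After=network-online.target

[Service]
# Dedicated unprivileged user; its ~/.ssh/config holds "Host samba-tunnel"
# with LocalForward 1445 127.0.0.1:445 and the key to use.
User=smbtunnel
# -N: no remote command, stays in the foreground so systemd can supervise it.
# ExitOnForwardFailure: a failed bind fails the unit instead of idling.
# StrictHostKeyChecking=yes: only the pre-recorded server key is accepted.
ExecStart=/usr/bin/ssh -N -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3 samba-tunnel
# The unit counts as started only after this returns, i.e. once the local
# port is actually listening, so units ordered After= it can mount at once.
ExecStartPost=/bin/sh -c 'timeout 15 sh -c "until ss -ltn | grep -q 127.0.0.1:1445; do sleep 0.5; done"'
Restart=on-failure
RestartSec=5s
# ssh needs only its key file and a socket; lock the rest down.
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=read-only

[Install]
WantedBy=multi-user.target
EOF
}

# Write a drop-in for mnt-smb.mount into $1 so the mount waits for the tunnel
# and is unmounted again when the tunnel service stops (BindsTo).
write_mount_dropin() {
  mkdir -p "$1/mnt-smb.mount.d"
  cat > "$1/mnt-smb.mount.d/tunnel.conf" <<'EOF'
[Unit]
BindsTo=smb-tunnel.service
After=smb-tunnel.service
EOF
}

# Install for real: write both files and activate them (run as root).
install_units() {
  dest=/etc/systemd/system
  write_tunnel_service "$dest"
  write_mount_dropin "$dest"
  systemctl daemon-reload
  systemctl enable --now smb-tunnel.service mnt-smb.mount
}

if [ "${1:-}" = install ]; then install_units; fi
```

Run `write_tunnel_service /tmp/units` to review the generated files first, then `./script install` as root. With BindsTo in the drop-in, `systemctl stop smb-tunnel.service` also unmounts /mnt/smb instead of leaving a stale mount whose I/O hangs.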

Essential security steps regardless of method:


# On the Samba server:
sudo ufw default deny incoming
sudo ufw limit 22/tcp    # SSH rate limiting (use 2222/tcp if you moved sshd)
sudo ufw deny 139/tcp    # explicit denies, so a later stray "allow" stands out in the rule list
sudo ufw deny 445/tcp
sudo ufw enable
sudo ufw status verbose  # confirm only the SSH port is reachable