我用于QEMU/KVM各种来宾系统的虚拟化,并Samba在主机操作系统和来宾操作系统之间提供交换文件夹(共享文件夹)。
现在我想保护这个Samba提供的共享文件夹免受外部访问。它应该只能由QEMU虚拟来宾访问,而不能由同一网络中的其他第三方人员访问。
我当前的配置/etc/samba/smb.conf如下所示:
[global]
workgroup = WORKGROUP
security = user
map to guest = Bad User
server string = %h server (Samba, Ubuntu)
dns proxy = No
wins support = Yes
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
lanman auth = no
ntlm auth = no
follow symlinks = yes
wide links = yes
load printers = no
disable spoolss = yes
[Shared]
comment = Shared Folder for QEMU
path = /home/myusername/Exchange
public = no
browseable = yes
writeable = yes
read only = no
guest ok = yes
force user = myusername
现在的中心问题是:
您对如何实现这样的安全强化功能有什么建议吗?
非常感谢!
答案1
将您的 samba 绑定到来宾 VM 和主机之间的虚拟接口。编辑 smb配置文件 并添加以下行
bind interfaces only = yes
interfaces = lo br0