Improve security by disabling SMB 1 on Linux clients

Summary — Disable SMB1 on Linux clients

Why this matters

  • SMB 1 (CIFS) is outdated, inefficient, and insecure. Many organizations/ISPs block SMB port 445 because of risks tied to legacy SMB versions.

  • Azure Files does not support SMB 1. Linux kernels starting with 4.18 expose a module parameter to disable legacy SMB dialects; you should disable SMB 1 on Linux clients before using SMB shares in production (see https://aka.ms/stopusingsmb1).

Caution

  • The article references CentOS, which reached end-of-life after June 2024. Plan accordingly: https://docs.azure.cn/en-us/virtual-machines/workloads/centos/centos-end-of-life.

Distribution support

  • The CIFS kernel module (cifs) exposes the disable_legacy_dialects parameter starting in kernel 4.18; some vendors backported it to older supported kernels.

  • Examples from the article (support = can disable SMB1): Ubuntu 18.04+, Debian 10+, Fedora 29+, CentOS 8+, RHEL 8+, openSUSE Leap 15.1+, Tumbleweed, etc. Older releases (Ubuntu 14.04–16.04, Debian 8–9, CentOS 7, RHEL 6–7, various SLE versions) do not support it.

How to check if your system supports the parameter

  • Run: sudo modinfo -p cifs | grep disable_legacy_dialects

  • Expected output explains the parameter and shows a default (n/N/0).

How to disable SMB 1 (high level steps)

  1. Confirm the cifs module is not loaded:

    • lsmod | grep cifs (no output means not loaded)

  2. If SMB shares are mounted, identify and unmount them:

    • mount | grep cifs

    • umount <mount-point> (repeat for each mounted SMB share)

  3. Unload the cifs module:

    • sudo modprobe -r cifs

  4. Load cifs with SMB1 disabled (manual, one-time):

    • sudo modprobe cifs disable_legacy_dialects=Y

  5. Verify the parameter is active:

    • cat /sys/module/cifs/parameters/disable_legacy_dialects

Persistently disable SMB1 on Debian/Ubuntu

  • Add the option to modprobe config (create or append to /etc/modprobe.d/local.conf): echo "options cifs disable_legacy_dialects=Y" | sudo tee -a /etc/modprobe.d/local.conf > /dev/null

  • Then load cifs: sudo modprobe cifs

  • And verify: cat /sys/module/cifs/parameters/disable_legacy_dialects
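
A read-only check that combines the two verification points above, the runtime parameter under /sys and the persistent option in /etc/modprobe.d, written as an added example that is not part of the original article. The function names and the --live flag are assumptions made for illustration; the script scans every *.conf file in the modprobe directory, not only local.conf.

```shell
#!/bin/sh
# Added example: read-only audit of the SMB 1 setting described above.
# Function names and the --live flag are hypothetical, not from the article.

# Print the runtime state of the cifs module under SYSFS_ROOT (normally /sys).
smb1_runtime_state() {
    mod="$1/module/cifs"
    if [ ! -d "$mod" ]; then
        echo "not-loaded"             # cifs not loaded; option applies at next load
    elif [ ! -r "$mod/parameters/disable_legacy_dialects" ]; then
        echo "unsupported"            # loaded, but this kernel lacks the parameter
    else
        case "$(cat "$mod/parameters/disable_legacy_dialects")" in
            Y|y|1) echo "disabled" ;;
            *)     echo "enabled" ;;  # SMB 1 can still be negotiated
        esac
    fi
}

# Succeed if an active (uncommented) options line in MODPROBE_DIR sets the parameter.
smb1_persisted() {
    grep -Eqs '^[[:space:]]*options[[:space:]]+cifs[[:space:]]+(.*[[:space:]])?disable_legacy_dialects=[Yy1]([[:space:]]|$)' \
        "$1"/*.conf
}

# Combine both checks: return 0 only when SMB 1 is off now (or cifs is not
# loaded yet) and the setting will also be applied on the next module load.
smb1_audit() {
    state=$(smb1_runtime_state "$1")
    if smb1_persisted "$2"; then persist="yes"; else persist="no"; fi
    echo "runtime=$state persistent=$persist"
    case "$state" in
        disabled|not-loaded) [ "$persist" = "yes" ] ;;
        *) return 1 ;;
    esac
}

# Audit the live system only when asked to, e.g.: sh smb1_audit.sh --live
if [ "${1:-}" = "--live" ]; then
    smb1_audit /sys /etc/modprobe.d
fi
```

A non-zero exit status means SMB 1 is either still enabled at runtime, unsupported by the loaded module, or not persisted across reloads.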

Next steps / further reading

  • Planning for Azure Files: https://docs.azure.cn/en-us/storage/files/storage-files-planning

  • Use Azure Files with Linux: https://docs.azure.cn/en-us/storage/files/storage-how-to-use-files-linux

  • Troubleshoot SMB on Linux: https://learn.microsoft.com/troubleshoot/azure/azure-storage/files-troubleshoot-linux-smb?toc=/storage/files/toc.json

  • Troubleshoot NFS on Linux: https://learn.microsoft.com/troubleshoot/azure/azure-storage/files-troubleshoot-linux-nfs?toc=/storage/files/toc.json

Last updated: 09/05/2024
