Hardening a Samba server
Disable NetBIOS
Add the following lines to the `[global]` section of `smb.conf`. With NetBIOS disabled, Samba no longer needs `137/udp`, `138/udp` or `139/tcp`; SMB runs directly over `445/tcp`, which is why the firewall profiles further down open only that port. Clients that still depend on NetBIOS name resolution or network browsing must use DNS instead.

```
# Disable NetBIOS
disable netbios = yes
```
Allow minimum SMB3 protocol
Add the following lines to the `[global]` section of `smb.conf`. Note that in current Samba releases `SMB3` is an alias for the newest SMB3 dialect (`SMB3_11`), so clients that only speak SMB 3.0 or 3.0.2 (Windows 8 and 8.1, for example) will be refused; if you must keep them, use `server min protocol = SMB3_00` instead, which still rejects SMB1 and SMB2. If an older client cannot connect, check the smbd log for the protocol negotiation failure before loosening the setting; commenting the line out drops the minimum back to Samba's default (`SMB2_02` since Samba 4.11).

```
# Enforce minimum protocol SMB3
server min protocol = SMB3
```
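The two settings above are easy to get wrong by hand (a second, stale `server min protocol` line lower in `[global]` silently wins, or the line ends up in a share section). The POSIX shell below is an added example, not part of the original notebook: it sets each parameter exactly once in `[global]`, replacing an existing value or appending one, and then asks `testparm` what Samba actually parsed. It also sets `smb ports = 445`, which the notebook itself does not mention; that is an extra belt-and-braces setting so smbd stops listening on 139 even if NetBIOS is disabled. The `smb.conf` it edits in the demo is constructed in a temporary file.

```shell
#!/bin/sh
# Added example, not from the original notebook: set the hardening parameters in the
# [global] section of an smb.conf, idempotently, and show how to verify what Samba
# actually parsed. Assumptions: POSIX awk and mktemp are available; the smb.conf path
# is passed explicitly (the constructed demo below writes one to a temp file).

# set_global_param FILE KEY VALUE
# Replaces KEY if it is already set in [global] (any spacing, any case), otherwise adds it
# at the end of [global]. Lines commented out with '#' or ';' are left alone, so an old
# "; server min protocol = SMB2" comment is neither edited nor mistaken for the setting.
set_global_param() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*\[/ {                               # a section header
            if (in_global && !done) { print key " = " value; done = 1 }
            in_global = (tolower(trim($0)) == "[global]")
            if (in_global) seen_global = 1
            print; next
        }
        in_global && index($0, "=") > 0 {
            k = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            if (k == tolower(key)) { print key " = " value; done = 1; next }
        }
        { print }
        END {
            if (!done) {                            # [global] was last, or missing entirely
                if (!seen_global) print "[global]"
                print key " = " value
            }
        }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# harden_smb_conf FILE: the two settings from this page plus smb ports = 445 (extra, see above).
harden_smb_conf() {
    set_global_param "$1" "disable netbios"     "yes"
    set_global_param "$1" "server min protocol" "SMB3"
    set_global_param "$1" "smb ports"           "445"
}

# show_effective FILE: print the values as Samba derives them (needs the samba package;
# testparm -s lists the non-default parameters without prompting).
show_effective() {
    if ! command -v testparm >/dev/null 2>&1; then
        echo "testparm not installed, skipping live check" >&2
        return 0
    fi
    testparm -s "$1" 2>/dev/null \
        | grep -Ei '^[[:space:]]*(disable netbios|server min protocol|smb ports)' || true
}

# Constructed demo input (not a real server's smb.conf):
demo=$(mktemp)
cat > "$demo" <<'EOF'
[global]
   workgroup = EXAMPLE
   server min protocol = SMB2

[data]
   path = /srv/data
EOF
harden_smb_conf "$demo"
cat "$demo"
show_effective "$demo"
rm -f "$demo"
```

To confirm the minimum is enforced from the client side, `smbclient -L //server -U user -m SMB2` (the `-m` option caps the dialect the client will offer) must now be refused, while a plain `smbclient -L //server -U user` still works.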
Configuring the firewall for the Samba server
Install UFW:
```
apt-get update && apt-get install ufw
```
If you disabled IPv6 when preparing your Debian server for Samba, then disable IPv6 in UFW:
Edit `/etc/default/ufw` and set:
```
IPV6=no
```
This assumes a single network card in the server and that Samba (plus SSH) is the only service that must be reachable. Be careful when enabling a host firewall: if you run other services, list their ports first, or you will cut them off.
Check what ports are open and listening on your system (example for a member server; on newer Debian releases `netstat` is no longer installed by default and `ss -ltunp` gives the same view). Port 139 shows up here because the listing was taken with NetBIOS still enabled; after `disable netbios = yes` only 445 should remain.

```
netstat -plaunt | egrep "ntp|chro|bind|named|samba|mbd" | grep -v "ESTABLISHED"
tcp        0      0 0.0.0.0:445     0.0.0.0:*     LISTEN     1174/smbd
tcp        0      0 0.0.0.0:139     0.0.0.0:*     LISTEN     1174/smbd
[...]
```
Notes:
- In my particular case, there's an SMTP service running on port 25. You may need to open that port on the firewall — I don't.
- We always want to keep port 22 open for SSH — don't lock yourself out.
- In my system I use Monit for basic monitoring, so I'll open port `2812/tcp` too.
Create Samba AD DC and Member Server app configurations for UFW
For a DC, create `/etc/ufw/applications.d/samba-ad-dc`. In the `ports=` line, entries are separated by `|`; an entry without `/tcp` or `/udp` opens both protocols, and `49152:65535/tcp` is the dynamic RPC port range the DC needs.

```
[samba-ad-dc]
title=Samba-AD-DC
description=Samba 4 as domain controller
# With NetBIOS enabled, add ports "137/udp|138/udp|139/tcp"
ports=53|88|123/udp|135|389|445/tcp|464|636/tcp|3268/tcp|3269/tcp|49152:65535/tcp
```
For a member server, create `/etc/ufw/applications.d/samba-member`:

```
[samba-member]
title=Samba-Member
description=Samba 4 as Member Server
# With NetBIOS enabled, add ports "137/udp|138/udp|139/tcp"
# On a print server you may want to add CUPS interface port "631/tcp"
ports=445/tcp
```
Check that UFW accepts your profile files (a profile with a syntax error simply does not appear in the list); `ufw app info samba-ad-dc` then shows the ports as UFW parsed them:

```
ufw app list | grep samba
  samba-ad-dc
  samba-member
```
Enabling UFW on the server
This is what works for me. If you have more services running on your server, you will need to add more configuration lines. This is beyond the scope of this article.
The rules open SSH by port number rather than through UFW's application profile, because that profile is called `OpenSSH` on some Debian versions and `SSH` on others. Replace `192.168.0.0/24` with your own LAN; UFW's default policy already denies incoming traffic (check with `ufw status verbose`), so anything not listed here is blocked.

Rules for a domain controller:

```
ufw allow from 192.168.0.0/24 to any port 22 proto tcp
ufw allow from 192.168.0.0/24 to any app samba-ad-dc
ufw enable
```

Rules for a member server:

```
ufw allow from 192.168.0.0/24 to any port 22 proto tcp
ufw allow from 192.168.0.0/24 to any app samba-member
ufw enable
```
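Before `ufw enable`, it is worth checking that everything the host is listening on is either covered by the profile or by an explicit rule. The POSIX shell below is an added example, not part of the original notebook: it parses the `ports=` syntax of a UFW application profile (including `lo:hi` ranges and entries without a protocol, which mean both), turns `ss -Hltun` output into a list of listeners, and reports every listener the profile and any extra entries you pass (such as `22/tcp` for the SSH rule) do not cover. Loopback-only sockets are skipped because UFW accepts traffic on `lo` regardless of your rules. The `ss` output in the demo is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original notebook: compare what the host listens on with
# what a UFW application profile will open, before running `ufw enable`.
# Assumptions: profile files use the ports= syntax shown on this page; live input comes
# from `ss -Hltun` (iproute2); SAMPLE_SS below is constructed, not a real capture.

# profile_ports FILE -> one "port/proto" (or "lo:hi/proto") per line.
# UFW syntax: '|' separates entries; each entry is a comma list of ports or lo:hi ranges
# with an optional /tcp or /udp suffix; no suffix means both protocols.
profile_ports() {
    sed -n 's/^ports=//p' "$1" | tr '|' '\n' | while IFS= read -r entry; do
        case $entry in
            */tcp) protos=tcp;       ports=${entry%/tcp} ;;
            */udp) protos=udp;       ports=${entry%/udp} ;;
            *)     protos='tcp udp'; ports=$entry ;;
        esac
        for p in $(printf '%s\n' "$ports" | tr ',' ' '); do
            for proto in $protos; do printf '%s/%s\n' "$p" "$proto"; done
        done
    done
}

# listeners_from_ss -> "proto port" per line, from `ss -Hltun` on stdin
# (columns: Netid State Recv-Q Send-Q Local:Port Peer:Port). Loopback sockets are skipped.
listeners_from_ss() {
    awk '$5 ~ /^(127\.|\[::1\]:)/ { next }
         { n = split($5, f, ":"); print $1, f[n] }' | sort -u
}

# uncovered PROFILE [EXTRA...] < listener-lines
# Prints each listener that neither the profile nor an EXTRA entry (e.g. 22/tcp) covers.
uncovered() {
    profile=$1; shift
    allow="$(profile_ports "$profile" | tr '\n' ' ') $*"
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        function covered(proto, port,   i, k, pp, r) {
            k = port "/" proto
            if (k in ok) return 1
            for (i = 1; i <= n; i++) {               # range entries like 49152:65535/tcp
                split(a[i], pp, "/")
                if (pp[2] != proto || index(pp[1], ":") == 0) continue
                split(pp[1], r, ":")
                if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
            }
            return 0
        }
        NF == 2 && !covered($1, $2) { print $1 "/" $2 " is listening but not covered" }'
}

# Constructed sample of `ss -Hltun` output on a member server (not a real capture):
SAMPLE_SS='tcp   LISTEN 0      50           0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      50              [::]:445           [::]:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100        127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:2812       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*'

demo=$(mktemp)
printf '[samba-member]\ntitle=Samba-Member\ndescription=Samba 4 as Member Server\nports=445/tcp\n' > "$demo"
# Live use: ss -Hltun | listeners_from_ss | uncovered /etc/ufw/applications.d/samba-member 22/tcp
printf '%s\n' "$SAMPLE_SS" | listeners_from_ss | uncovered "$demo" 22/tcp
rm -f "$demo"
```

With the sample above the report lists `tcp/2812` (Monit) and `udp/123` (NTP) as listening but unreachable once the firewall is up; the loopback-only SMTP listener on 25 is not reported, and port 22 is accounted for by the extra `22/tcp` entry.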
Delete UFW entries
Let's see your rules numbered first:
```
ufw status numbered
```
Choose the rule number (`x`) you need to remove, and then:
```
ufw delete x
```
How to check your firewall logs
This is only an example — there are many more powerful tools for the job. We will use `fwlogwatch`.
Install fwlogwatch:
```
apt-get update && apt-get install fwlogwatch
```
Configure fwlogwatch to your liking — edit `/etc/fwlogwatch/fwlogwatch.config` and change:
```
#verbose = no
verbose = yes
#resolve_hosts = no
resolve_services = yes
src_ip = on
dst_ip = on
protocol = on
#src_port = off
dst_port = on
tcp_opts = on
```
Check your logs on a daily basis with:
```
journalctl --since=yesterday -k -p4 -b -0 | /usr/sbin/fwlogwatch - -c /etc/fwlogwatch/fwlogwatch.config -m10
```
This command will analyze all firewall logs since yesterday on the current boot.
Or create a cron job. Use the full path to `fwlogwatch` here: cron's default `PATH` does not include `/usr/sbin`, so the bare command name would fail silently at 07:00.

```
# Check firewall logs
0 7 * * * journalctl --since=yesterday -k -p4 -b -0 | /usr/sbin/fwlogwatch - -c /etc/fwlogwatch/fwlogwatch.config -m10
```
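If you want to see what fwlogwatch is doing, or need a quick answer without installing it, the POSIX shell below is an added example, not part of the original notebook: it reads `[UFW BLOCK]` kernel log lines, parses the `KEY=VALUE` fields netfilter writes, counts blocked packets per source address and destination port, and drops anything seen fewer than `MIN` times, the same idea as fwlogwatch's `-m`. Lines without a `DPT` (ICMP) and unrelated kernel messages are ignored. The log lines in the demo are constructed, not a real capture, and the example assumes UFW logging is on (`ufw logging on`), since otherwise no such lines are written.

```shell
#!/bin/sh
# Added example, not from the original notebook: a small stand-in for fwlogwatch that
# summarises UFW block lines from the kernel log by source and destination port.
# Assumption: lines are in the default UFW/netfilter format
# "[UFW BLOCK] IN=... SRC=... DST=... PROTO=... SPT=... DPT=..."; SAMPLE_LOG is constructed.

# ufw_summary [MIN] < log-lines  ->  "COUNT SRC proto/DPT" per line, most frequent first,
# omitting combinations seen fewer than MIN times (default 1).
ufw_summary() {
    min=${1:-1}
    awk -v min="$min" '
        /\[UFW BLOCK\]/ {
            split("", kv)                            # clear the per-line KEY=VALUE map
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq > 1) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
            if (!("SRC" in kv) || !("DPT" in kv)) next   # ICMP and friends have no port
            proto = tolower(kv["PROTO"])
            count[kv["SRC"] " " proto "/" kv["DPT"]]++
        }
        END { for (k in count) if (count[k] >= min) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample (not a real capture): a LAN host probing NetBIOS ports after they were
# closed, one SSH probe from outside the LAN, one ping, and one unrelated kernel line.
SAMPLE_LOG='Mar  3 06:12:01 fs01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.168.0.77 DST=192.168.0.10 LEN=60 TTL=64 ID=1001 DF PROTO=TCP SPT=51234 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 06:12:02 fs01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.168.0.77 DST=192.168.0.10 LEN=60 TTL=64 ID=1002 DF PROTO=TCP SPT=51235 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 06:12:03 fs01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.168.0.77 DST=192.168.0.10 LEN=60 TTL=64 ID=1003 DF PROTO=TCP SPT=51236 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 06:12:04 fs01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.168.0.77 DST=192.168.0.255 LEN=78 TTL=64 ID=1004 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 06:12:05 fs01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.168.0.77 DST=192.168.0.255 LEN=78 TTL=64 ID=1005 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 06:13:10 fs01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=10.0.0.5 DST=192.168.0.10 LEN=60 TTL=52 ID=7 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 06:13:11 fs01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=10.0.0.5 DST=192.168.0.10 LEN=84 TTL=52 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 06:14:00 fs01 kernel: eth0: link is up, 1000 Mbps full duplex'

# Live use, same shape as the fwlogwatch pipeline on this page:
#   journalctl --since=yesterday -k -p4 -b -0 | ufw_summary 10
printf '%s\n' "$SAMPLE_LOG" | ufw_summary 2
```

On the sample the threshold of 2 leaves two lines, `3 192.168.0.77 tcp/139` and `2 192.168.0.77 udp/137`: a machine on the LAN still trying NetBIOS against the server, which is exactly the kind of client the NetBIOS section above warns you about. The single SSH probe from `10.0.0.5` only appears when the threshold is 1.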
Caponato's Samba notebook.
