Hardening a Samba server
Disable NetBIOS
Add the following line to the [global] section of smb.conf
# Disable Netbios disable netbios = yes
Allow minimum SMB3 protocol
Add the following line to the [global] section of smb.conf - If you experience problems with older clients not being able to connect, comment out this one.
# Enforce minimum protolo SMB3 server min protocol = SMB3
Configuring the firewall for the Samba server
Install UFW
apt-get update && apt-get install ufw
If you disabled IPv6 when when you prepared your Debian server for Samba, then disable IPv6 in UFW:
Edit /etc/dafault/ufw, and set
IPV6=no
We assume there is only one network card in the server. Please be careful enabling the firewall on a system . I assume we only need Samba. If you need more services check your requirements first !
Check what ports are open and listening in your system (example for a member server):
netstat -plaunt | egrep "ntp|chro|bind|named|samba|?mbd"| grep -v "ESTABLISHED" tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1174/smbd tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1174/smbd [...]
- In my particular case, there's SMTP service running port 25. You may need to open that port on the firewall. I don't.
- We always want to keep 22 open for SSH - don't get ourselves locked out.
- In my system I use monit for basic monitorig, so I'll open port 2812/tcp too.
Create Samba AD DC and Member Server app configurations for UFW:
For an DC create /etc/ufw/applications.d/samba-ad-dc
The ports line can specify multiple ports, with /udp or /tcp, to limit the protocol, otherwise it defaults to both. For port ranges use “:”
[samba-ad-dc] title=Samba-AD-DC description=Samba 4 as domain controller # With netbios enabled, add ports "137/udp|138/udp|139/tcp" ports=53|88|123/udp|135/tcp|389|445/tcp|464|636/tcp|3268/tcp|3269/tcp|49152:65535/tcp
For a Member Server, create /etc/ufw/applications.d/samba-member
[samba-member] title=Samba-Member description=Samba 4 as Member Server # With netbios enabled, add port "137/udp|138/udp|139/tcp" # On a Print Server you may want to add CUPS interface port "631/tcp" ports=445/tcp
Check your config files are valid:
ufw app list | grep samba samba-ad-dc samba-member
Enabling UFW on the server
This is what works for me. If you have more services running on your server, you will need to add more configuration lines. This is beyond the scope of this article.
- Rules for a Domain Controller
# Allow "SSH" instead of "OpenSSH" ufw allow from 192.168.0.0/24 to any 22 proto tcp ufw allow from 192.168.0.0/24 to any app samba-ad-dc ufw enable
- Rules for a Member Server
# Some versions of Debian call the following app "SSH" instead of "OpenSSH" ufw allow from 192.168.0.0/24 to any 22 proto tcp ufw allow from 192.168.0.0/24 to any app samba-member ufw enable
Delete ufw entries
Let's see your rules numbered first:
ufw status numbered
Choose the rule number (x) you need to remove, and then:
ufw delete x
How to check your firewall logs
This is only an example, there are many much more powerful tools for the job. We will use fwlogwatch.
- Install fwlogwatch
apt-get update && apt-get install fwlogwatch
- Configure fwlogwatch to your liking, edit /etc/fwlogwatch/fwlogwatch.config and change:
#verbose = no verbose = yes #resolve_hosts = no resolve_services = yes src_ip = on dst_ip = on protocol = on #src_port = off dst_port = on tcp_opts = on
- Check your logs on a daily basis with:
journalctl --since=yesterday -k -p4 -b -0 | /usr/sbin/fwlogwatch - -c /etc/fwlogwatch/fwlogwatch.config -m10
This script will analyze all firewall logs since yesterday on the current boot.
- Or create a cron job:
# Check Firewall logs 0 7 * * * journalctl --since=yesterday -k -p4 -b -0 | fwlogwatch - -c /etc/fwlogwatch/fwlogwatch.config -m10
Caponato's Samba notebook. Start here or else Main menu