
Hardening a Samba server

Disable NetBIOS

Add the following line to the [global] section of smb.conf:

# Disable Netbios
disable netbios = yes

Allow minimum SMB3 protocol

Add the following line to the [global] section of smb.conf. If you experience problems with older clients not being able to connect, comment out this line.

# Enforce minimum protocol SMB3
server min protocol = SMB3

Configuring the firewall for the Samba server

Install UFW

apt-get update && apt-get install ufw

If you disabled IPv6 when you prepared your Debian server for Samba, then disable IPv6 in UFW as well:

Edit /etc/default/ufw, and set

IPV6=no

We assume there is only one network card in the server, and that only Samba is needed. Be careful when enabling the firewall on a system: if you need more services, check your requirements first!

Check what ports are open and listening in your system (example for a member server):

netstat -plaunt | egrep "ntp|chro|bind|named|samba|?mbd"| grep -v "ESTABLISHED"
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1174/smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1174/smbd

[...]
  • In my particular case, there's an SMTP service running on port 25. You may need to open that port on the firewall. I don't.
  • We always want to keep 22 open for SSH, so we don't get ourselves locked out.
  • In my system I use monit for basic monitoring, so I'll open port 2812/tcp too.

Create Samba AD DC and Member Server app configurations for UFW:

For a DC, create /etc/ufw/applications.d/samba-ad-dc

The ports line can specify multiple ports separated by "|", each with an optional /udp or /tcp suffix to limit the protocol; without a suffix both protocols are allowed. For port ranges use ":".

[samba-ad-dc]
title=Samba-AD-DC
description=Samba 4 as domain controller
# With netbios enabled, add ports "137/udp|138/udp|139/tcp"
ports=53|88|123/udp|135/tcp|389|445/tcp|464|636/tcp|3268/tcp|3269/tcp|49152:65535/tcp

For a Member Server, create /etc/ufw/applications.d/samba-member

[samba-member]
title=Samba-Member
description=Samba 4 as Member Server
# With netbios enabled, add ports "137/udp|138/udp|139/tcp"
# On a Print Server you may want to add CUPS interface port "631/tcp"
ports=445/tcp

Check that your profile files are valid:

ufw app list | grep samba
samba-ad-dc
samba-member
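An added cross-check (example code, not from this page or from UFW itself): it parses a ports= line using the rules described above, pulls the listening sockets out of netstat -plaunt output, and lists anything listening that neither the profile nor the separate port-22 rule allows. The profile text and the netstat lines are constructed samples; the smbd lines mirror the page, the sshd and nmbd lines are added.

```python
import re

# Constructed UFW application profile, in the format of the page's samba-ad-dc file.
PROFILE = """[samba-ad-dc]
title=Samba-AD-DC
description=Samba 4 as domain controller
ports=53|88|123/udp|135/tcp|389|445/tcp|464|636/tcp|3268/tcp|3269/tcp|49152:65535/tcp
"""

# Constructed 'netstat -plaunt' lines: smbd as on the page, plus sshd and nmbd (added).
NETSTAT = """tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1174/smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1174/smbd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      700/sshd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1180/nmbd
"""

def parse_ports(spec):
    """Expand a UFW 'ports=' value into (low, high, proto) tuples: '|' separates
    items, 'a:b' is an inclusive range, '/tcp' or '/udp' limits the protocol,
    and an item without a suffix allows both."""
    rules = []
    for item in spec.strip().split("|"):
        port, _, proto = item.partition("/")
        low, _, high = port.partition(":")
        low, high = int(low), int(high or low)
        if not 1 <= low <= high <= 65535 or proto not in ("", "tcp", "udp"):
            raise ValueError(f"bad port spec: {item!r}")
        rules.extend((low, high, p) for p in ([proto] if proto else ["tcp", "udp"]))
    return rules

def listening_sockets(netstat_text):
    """Return {(port, proto)} for listening TCP sockets and all UDP sockets."""
    sockets = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0][:3] not in ("tcp", "udp") or (
                f[0].startswith("tcp") and "LISTEN" not in f):
            continue  # header line, non-socket line, or a TCP connection that is not listening
        sockets.add((int(f[3].rsplit(":", 1)[1]), f[0][:3]))
    return sockets

def unexpected_listeners(netstat_text, profile_text, extra=((22, 22, "tcp"),)):
    """Sockets permitted neither by the profile nor by 'extra' (default: the page's
    'ufw allow ... 22 proto tcp'): a missing rule, or a service to stop, as with
    137/udp and 139/tcp still open after 'disable netbios = yes'."""
    ports_line = re.search(r"^ports=(.+)$", profile_text, re.M).group(1)
    allowed = parse_ports(ports_line) + list(extra)
    return sorted(s for s in listening_sockets(netstat_text)
                  if not any(lo <= s[0] <= hi and s[1] == p for lo, hi, p in allowed))
```

On the sample data the check reports 137/udp and 139/tcp, the NetBIOS sockets that should disappear once "disable netbios = yes" is in effect and smbd/nmbd are restarted.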

Enabling UFW on the server

This is what works for me. If you have more services running on your server, you will need to add more configuration lines. This is beyond the scope of this article.

  • Rules for a Domain Controller

# Some versions of Debian call the SSH app "SSH" instead of "OpenSSH", so allow the port directly
ufw allow from 192.168.0.0/24 to any port 22 proto tcp
ufw allow from 192.168.0.0/24 to any app samba-ad-dc
ufw enable

  • Rules for a Member Server

# Some versions of Debian call the SSH app "SSH" instead of "OpenSSH", so allow the port directly
ufw allow from 192.168.0.0/24 to any port 22 proto tcp
ufw allow from 192.168.0.0/24 to any app samba-member
ufw enable

Delete ufw entries

Let's see your rules numbered first:

ufw status numbered

Choose the rule number (x) you need to remove, and then:

ufw delete x

How to check your firewall logs

This is only an example; there are many more powerful tools for the job. We will use fwlogwatch.

  • Install fwlogwatch
apt-get update && apt-get install fwlogwatch
  • Configure fwlogwatch to your liking: edit /etc/fwlogwatch/fwlogwatch.config and change:
#verbose = no
verbose = yes

#resolve_hosts = no
resolve_services = yes

src_ip = on
dst_ip = on
protocol = on
#src_port = off
dst_port = on
tcp_opts = on
  • Check your logs on a daily basis with:
journalctl --since=yesterday -k -p4 -b -0 | /usr/sbin/fwlogwatch - -c /etc/fwlogwatch/fwlogwatch.config -m10

This pipeline analyzes all firewall (kernel) log messages since yesterday on the current boot.

  • Or create a cron job:
# Check Firewall logs
0 7 * * * journalctl --since=yesterday -k -p4 -b -0 | fwlogwatch - -c /etc/fwlogwatch/fwlogwatch.config -m10


samba/hardening-samba.txt · Last modified: 2024/03/14 12:25 by caponato