[Samba] Samba and firewalling

L.P.H. van Belle belle at bazuin.nl
Wed Dec 5 07:35:46 UTC 2018


Hi, well, at least you made an attempt.. 

No, there is no crypto miner running in the office here. 
And yes, I know I can set the logging to low to make it disappear, but I would like to know what exactly happens.

I don't understand why, when I use id username, I see these firewall lines.
And id does work, even with these log lines. 

So I'm hoping for a next reply, but thanks Rowland for the attempt :-) 

Greetz, 

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba
> Sent: Tuesday 4 December 2018 17:04
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba and firewalling
> 
> On Tue, 4 Dec 2018 15:53:29 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
> > Hi, 
> >  
> > Just a question, this might be a bug, might not, but for this one I
> > need some help. 
> > Setup: Debian 9. 
> >  
> > Member server Samba 4.9.3
> > AD DC servers Samba 4.8.7 
> >  
> > I'm setting up the member with a very tight firewall, so nothing
> > in/out/routed unless it's defined. I'm using the UFW firewall for it. 
> >  
> > I notice the following in my member's firewall logs, and this only
> > happens when I run: id or getent passwd wbinfo -u (any wbinfo
> > command) no INVALID/BLOCKED in the logs. 
> > And any other thing that's configured, what I'm testing, as I see, no
> > problems at all. Everything works as it should, I'm only not happy with
> > the lines UFW AUDIT INVALID and BLOCK. And I can't stand that I can't
> > figure this out, or at least I'm not sure of. 
> >  
> > IP: .100 is the member 
> > IP: .1 and .2 are DC1 and DC2. 
> > The Log part. 
> > # The request out to DC2. 
> > Dec  4 14:52:05 kernel: [969364.260134] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=419 TOS=0x00 PREC=0x00 TTL=64 ID=19101 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK PSH URGP=0
> > Dec  4 14:52:05 kernel: [969364.260257] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=19102 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK FIN URGP=0
> > ## DC2 gets invalid and blocked.
> > Dec  4 14:52:05 kernel: [969364.260373] [UFW AUDIT INVALID] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
> > Dec  4 14:52:05 kernel: [969364.260386] [UFW BLOCK] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
> > #
> 
> I would be more worried about the port: 45690
> 
> The only trace I could find is:
> 
> AEON
> stratum+tcp://aeon.pool.minergate.com:45690
> 
> The good thing is that your firewall blocked it ;-)
> 
> If you don't want those messages in your logs, my understanding is
> that replacing this:
> 
> ufw logging medium
> 
> with this:
> 
> ufw logging low
> 
> will stop them.
> 
> Rowland
> 
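
Added example, not part of the original thread: a small parser for the UFW kernel lines quoted above that groups them by TCP connection and reports inbound RST packets flagged after this host had already sent FIN on the same connection, together with which side owned each port. The function names are hypothetical, and the ephemeral port range is an assumption (the Linux default net.ipv4.ip_local_port_range).

```python
import re

# The four kernel lines quoted in the thread, re-joined one entry per line.
LOG = """\
Dec  4 14:52:05 kernel: [969364.260134] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=419 TOS=0x00 PREC=0x00 TTL=64 ID=19101 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK PSH URGP=0
Dec  4 14:52:05 kernel: [969364.260257] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=19102 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK FIN URGP=0
Dec  4 14:52:05 kernel: [969364.260373] [UFW AUDIT INVALID] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
Dec  4 14:52:05 kernel: [969364.260386] [UFW BLOCK] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
"""

ENTRY = re.compile(r"\[\s*(?P<ts>\d+\.\d+)\] \[(?P<tag>UFW [A-Z ]+)\] (?P<body>.*)")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
# Assumption: the member uses the Linux default net.ipv4.ip_local_port_range.
EPHEMERAL = range(32768, 61000)


def parse(line):
    """Return one UFW TCP log entry as a dict, or None for any other line."""
    m = ENTRY.search(line)
    if not m:
        return None
    tokens = m["body"].split()
    kv = dict(t.split("=", 1) for t in tokens if "=" in t)
    if kv.get("PROTO") != "TCP":
        return None
    outbound = bool(kv.get("OUT"))  # OUT=<iface> is filled on packets this host sends
    src, dst = (kv["SRC"], int(kv["SPT"])), (kv["DST"], int(kv["DPT"]))
    local, remote = (src, dst) if outbound else (dst, src)
    return {"tag": m["tag"], "outbound": outbound, "flow": (local, remote),
            "flags": TCP_FLAGS.intersection(tokens)}


def rst_after_local_fin(text):
    """Map each flow to the tags of inbound RSTs flagged after this host sent FIN."""
    fin_sent, hits = set(), {}
    for ev in filter(None, map(parse, text.splitlines())):
        if ev["outbound"] and "FIN" in ev["flags"]:
            fin_sent.add(ev["flow"])
        elif (not ev["outbound"] and "RST" in ev["flags"]
              and ev["tag"] != "UFW AUDIT" and ev["flow"] in fin_sent):
            hits.setdefault(ev["flow"], []).append(ev["tag"])
    return hits


def summarize(text):
    """One record per flagged flow, noting whether the local port is ephemeral."""
    return [{"local": local, "remote": remote, "tags": tags,
             "local_port_ephemeral": local[1] in EPHEMERAL}
            for (local, remote), tags in rst_after_local_fin(text).items()]
```

Calling `summarize(LOG)` yields a single flow with local endpoint 192.168.0.100:45690 and remote endpoint 192.168.0.2:389.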



