[Samba] Samba and firewalling
L.P.H. van Belle
belle at bazuin.nl
Wed Dec 5 07:35:46 UTC 2018
Hi, well, at least you made an attempt.
No, there is no crypto miner running in the office here.
And yes, I know I can set the logging to low to make it disappear, but I would like to know what exactly happens.
I don't understand why, when I use id username, I see these firewall lines.
And id does work, even with these log lines.
So I'm hoping for a next reply, but thanks Rowland for the attempt :-)
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 4 December 2018 17:04
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba and firewalling
>
> On Tue, 4 Dec 2018 15:53:29 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai,
> >
> > Just a question, this might be a bug, might not, but for this one I
> > need some help.
> > Setup: Debian 9.
> >
> > Member server samba 4.9.3
> > AD DC servers samba 4.8.7
> >
> > I'm setting up the member with a very tight firewall, so nothing
> > in/out/routed unless it's defined. I'm using UFW firewall for it.
> >
> > I notice the following in my member's firewall logs, and this only
> > happens when I run : id or getent passwd wbinfo -u ( any wbinfo
> > command ) no INVALID/BLOCKED in the logs.
> > And any other thing that's configured, what I'm testing, as I see, no
> > problems at all. Everything works as it should, I'm only not happy with
> > the lines UFW AUDIT INVALID and BLOCK. And I can't stand that I can't
> > figure this out, or at least I'm not sure of.
> >
> > IP : .100 is the member
> > IP: .1 and .2 are DC1 and DC2.
> >
> > The Log part.
> > # The request out to DC2.
> > Dec 4 14:52:05 kernel: [969364.260134] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=419 TOS=0x00 PREC=0x00 TTL=64 ID=19101 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK PSH URGP=0
> > Dec 4 14:52:05 kernel: [969364.260257] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=19102 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK FIN URGP=0
> > ## DC2 gets invalid and blocked.
> > Dec 4 14:52:05 kernel: [969364.260373] [UFW AUDIT INVALID] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
> > Dec 4 14:52:05 kernel: [969364.260386] [UFW BLOCK] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
> > #
>
> I would be more worried about the port: 45690
>
> The only trace I could find is:
>
> AEON
> stratum+tcp://aeon.pool.minergate.com:45690
>
> The good thing is that your firewall blocked it ;-)
>
> If you don't want those messages in your logs, my understanding is that
> replacing this:
>
> ufw logging medium
>
> with this:
>
> ufw logging low
>
> will stop them.
>
> Rowland
>
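
An added example, not part of the original thread: a small Python triage of UFW kernel log lines that pairs each inbound INVALID/BLOCK entry with outbound packets logged on the same TCP 4-tuple. The sample input is constructed from the four lines quoted above, trimmed to the fields the parser reads; the names `parse` and `triage` are illustrative.

```python
import re

# Constructed sample: the four kernel lines from the thread, trimmed to the
# fields this parser reads (interfaces, addresses, ports, TCP flags).
SAMPLE = """\
[UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK PSH URGP=0
[UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK FIN URGP=0
[UFW AUDIT INVALID] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
[UFW BLOCK] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
"""

LINE = re.compile(r"\[(UFW [A-Z ]+)\] IN=(\S*) OUT=(\S*) (.*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse(line):
    """Return (tag, in_if, out_if, key=value fields, TCP flags) or None."""
    m = LINE.search(line)
    if not m:
        return None
    tag, in_if, out_if, rest = m.groups()
    tokens = rest.split()
    kv = dict(t.split("=", 1) for t in tokens if "=" in t)
    return tag, in_if, out_if, kv, TCP_FLAGS & set(tokens)

def triage(log_text):
    """Label each inbound INVALID/BLOCK line by its relation to logged outbound flows."""
    outbound = {}  # (local ip, local port, remote ip, remote port) -> flags sent
    results = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[3].get("PROTO") != "TCP":
            continue
        tag, in_if, out_if, kv, flags = rec
        if out_if and not in_if:  # packet originated on this host
            key = (kv["SRC"], kv["SPT"], kv["DST"], kv["DPT"])
            outbound.setdefault(key, set()).update(flags)
        elif tag in ("UFW BLOCK", "UFW AUDIT INVALID"):
            sent = outbound.get((kv["DST"], kv["DPT"], kv["SRC"], kv["SPT"]))
            if sent is None:
                verdict = "no matching outbound flow in this log"
            elif "FIN" in sent and "RST" in flags:
                verdict = "RST from peer after local FIN on same flow"
            else:
                verdict = "reverse direction of a local outbound flow"
            results.append((tag, f'{kv["SRC"]}:{kv["SPT"]}', verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

On the quoted lines it labels both the INVALID and the BLOCK entry as an RST from 192.168.0.2:389 arriving after the member's own FIN on the flow it opened from source port 45690 to port 389.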