[Samba] Samba and firewalling
L.P.H. van Belle
belle at bazuin.nl
Fri Dec 14 10:51:46 UTC 2018
Hai,
An update on this, a reply to myself in the hope someone knows or is able to verify the findings below.
I've changed my rule sets a bit and I've tracked down the following.
I notice a pattern. This is a repeat of 1x per hour, exactly 1 hour (+/- 1-2 seconds).
SRC = an AD DC.
DST = the member.
[UFW AUDIT INVALID] IN=eno1 OUT= SRC=192.168.x.1 DST=192.168.x.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=34298 WINDOW=0 RES=0x00 RST URGP=0
[UFW BLOCK] IN=eno1 OUT= SRC=192.168.x.1 DST=192.168.x.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=34298 WINDOW=0 RES=0x00 RST URGP=0
And this is once every hour and can be any DC.
I needed to change the dynamic port ranges due to some other software I'm running also.
# IN to member server
ufw allow in proto tcp from 192.168.x.1 port 389,1024:65535 to any port 1024:65535
ufw allow in proto tcp from 192.168.x.2 port 389,1024:65535 to any port 1024:65535
# Out to DC1
ufw allow out proto udp from any port 1024:65535 to 192.168.x.1 port 137,138
ufw allow out proto tcp from any port 1024:65535 to 192.168.x.1 port 135,139,445,636,3268,3269
ufw allow out proto udp from any port 53,1024:65535 to 192.168.x.1 port 53,88,123,389,464,1024:65535
ufw allow out proto tcp from any port 53,1024:65535 to 192.168.x.1 port 53,88,123,389,464,1024:65535
# Out to DC2
ufw allow out proto udp from any port 1024:65535 to 192.168.x.2 port 137,138
ufw allow out proto tcp from any port 1024:65535 to 192.168.x.2 port 135,139,445,636,3268,3269
ufw allow out proto udp from any port 53,1024:65535 to 192.168.x.2 port 53,88,123,389,464,1024:65535
ufw allow out proto tcp from any port 53,1024:65535 to 192.168.x.2 port 53,88,123,389,464,1024:65535
# In to Member, Allow fileshare access.
ufw allow in on eno1 proto tcp from 192.168.x.0/24 to any port 139,445
#ufw allow in on eno1 proto udp from 192.168.x.0/24 to any port 137,138
So in my opinion, it might be a normal thing here; I've noticed 2 things if you use ufw as firewall.
Iptables and conntracking and the changing requests to/from the DCs are giving the: [UFW AUDIT INVALID] and [UFW BLOCK]
If you don't use the authentication of samba for a while, and you run: id username.
You see the same block and a full set of new requests to/from AD, without UFW blocking things.
Which makes me think it's a normal thing.
Any suggestions or opinions on this, or can someone verify this assumption?
I've tested this with iptables (1.6.0+snapshot20161117-6) and (1.8.2-2) and ufw 0.35-4 and 0.35-6.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Wednesday 5 December 2018 8:36
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba and firewalling
>
> Hai, well, at least you made an attempt..
>
> No, there is no crypto miner running in the office here.
> And yes, I know I can set the logging to low to make it
> disappear, but I would like to know what exactly happens.
>
> I don't understand why, when I use id username, I see these
> firewall lines.
> And id does work, even with these log lines.
>
> So I'm hoping for a next reply, but thanks Rowland for the attempt :-)
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland Penny via samba
> > Sent: Tuesday 4 December 2018 17:04
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Samba and firewalling
> >
> > On Tue, 4 Dec 2018 15:53:29 +0100
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> >
> > > Hai,
> > >
> > > Just a question, this might be a bug, might not, but for this one I
> > > need some help.
> > > Setup: Debian 9.
> > >
> > > Member server samba 4.9.3
> > > AD DC servers samba 4.8.7
> > >
> > > I'm setting up the member with a very tight firewall, so nothing
> > > in/out/routed unless it's defined. I'm using the UFW firewall for it.
> > >
> > > I notice the following in my member's firewall logs, and this only
> > > happens when I run: id or getent passwd or wbinfo -u (any wbinfo
> > > command); no INVALID/BLOCKED in the logs.
> > > And anything else that's configured, which I'm testing, as far as
> > > I see, no problems at all. Everything works as it should; I'm only not
> > > happy with the lines UFW AUDIT INVALID and BLOCK. And I can't stand
> > > that I can't figure this out, or at least I'm not sure of it.
> > >
> > > IP: .100 is the member
> > > IP: .1 and .2 are DC1 and DC2.
> > >
> > > The log part.
> > > # The request out to DC2.
> > > Dec 4 14:52:05 kernel: [969364.260134] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=419 TOS=0x00 PREC=0x00 TTL=64 ID=19101 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK PSH URGP=0
> > > Dec 4 14:52:05 kernel: [969364.260257] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=19102 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK FIN URGP=0
> > > ## DC2 gets invalid and blocked.
> > > Dec 4 14:52:05 kernel: [969364.260373] [UFW AUDIT INVALID] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
> > > Dec 4 14:52:05 kernel: [969364.260386] [UFW BLOCK] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
> > > #
> >
> > I would be more worried about the port: 45690
> >
> > The only trace I could find is:
> >
> > AEON
> > stratum+tcp://aeon.pool.minergate.com:45690
> >
> > The good thing is that your firewall blocked it ;-)
> >
> > If you don't want those messages in your logs, my understanding is that
> > replacing this:
> >
> > ufw logging medium
> >
> > with this:
> >
> > ufw logging low
> >
> > will stop them.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
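As an added example (not code from the thread or from the Samba/ufw projects), a small Python checker for the pattern Louis describes: it parses the UFW kernel log lines and labels a [UFW BLOCK] as a late RST on a connection the member itself just closed when an outbound FIN on the same 4-tuple was logged shortly before, so such lines can be separated from blocks that have no such explanation. The sample log is constructed from the values quoted in the thread; the extra RST on port 51000 and the two-second window are assumptions for the demonstration.

```python
import re

# Constructed sample log (values from the thread; the last line is an assumed
# extra RST with no preceding FIN, added for comparison).
SAMPLE_LOG = """\
Dec 4 14:52:05 kernel: [969364.260134] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=419 TOS=0x00 PREC=0x00 TTL=64 ID=19101 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK PSH URGP=0
Dec 4 14:52:05 kernel: [969364.260257] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=19102 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK FIN URGP=0
Dec 4 14:52:05 kernel: [969364.260373] [UFW AUDIT INVALID] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
Dec 4 14:52:05 kernel: [969364.260386] [UFW BLOCK] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
Dec 4 15:10:00 kernel: [970439.000000] [UFW BLOCK] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=51000 WINDOW=0 RES=0x00 RST URGP=0
"""

LINE_RE = re.compile(r"\[(?P<ts>\d+\.\d+)\] \[UFW (?P<tag>[A-Z ]+)\] (?P<rest>.*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse(line):
    """One UFW kernel log line -> dict of KEY=VALUE fields, kernel timestamp, TCP flags."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = {"ts": float(m["ts"]), "tag": m["tag"].strip(), "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            ev[key] = val
        elif tok in TCP_FLAGS:
            ev["flags"].add(tok)
    return ev


def classify_blocks(log_text, window=2.0):
    """For every [UFW BLOCK] line return (src, spt, dpt, verdict): verdict is
    'late-rst-after-fin' when it is a TCP RST on a 4-tuple that the member
    itself closed with a FIN within `window` seconds before, else 'unexplained'."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    out = []
    for ev in events:
        if ev["tag"] != "BLOCK" or ev.get("PROTO") != "TCP":
            continue
        # The same connection as seen from the member's side (our src/sport -> DC dst/dport).
        reverse = (ev["DST"], ev["DPT"], ev["SRC"], ev["SPT"])
        closed_by_us = any(
            p["tag"] == "AUDIT" and "FIN" in p["flags"]
            and (p["SRC"], p["SPT"], p["DST"], p["DPT"]) == reverse
            and 0 <= ev["ts"] - p["ts"] <= window
            for p in events)
        verdict = "late-rst-after-fin" if "RST" in ev["flags"] and closed_by_us else "unexplained"
        out.append((ev["SRC"], ev["SPT"], ev["DPT"], verdict))
    return out
```

Run it over a real journal or /var/log/ufw.log extract with the AUDIT lines present (ufw logging medium or higher), since the outbound FIN is what lets the RST be matched.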