I recently tried adding a firewall to my Samba 4 server using the port
information I found on the wiki. Below is a dump of the resulting rules.

root at dc01:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -p gre -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
-A INPUT -i lo -j ACCEPT

As you can see, I try to prevent brute-force attacks on SSH, but accept
data, both TCP and UDP, on the ports specified by the wiki article.
However, when this firewall is on my AD DC server, logins take eons,
everything is SLOW on workstations, and sometimes authentications just
plain fail. Why?

-- 
Lead IT/IS Specialist
Reach Technology FP, Inc

On 28/12/15 15:33, Ryan Ashley wrote:
> I recently tried adding a firewall to my Samba 4 server using the port
> information I found on the wiki. Below is a dump of the resulting rules.
>
> root at dc01:~# iptables -S
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT ACCEPT
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
> --name BLOCKED --rsource
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent
> --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
> -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j
> REJECT --reject-with tcp-reset
> -A INPUT -p gre -j ACCEPT
> -A INPUT -p esp -j ACCEPT
> -A INPUT -p ah -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m multiport --dports
> 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m multiport --dports
> 53,67,88,123,137,138,389,464 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
>
> As you can see, I try to prevent brute-force attacks on SSH, but
> accept data, both TCP and UDP on the ports specified by the wiki
> article.

I would check the ports again, if I were you, you need port 389 tcp as
well as udp. Also whilst not being a firewall expert, doesn't having
port 22 mentioned at the end of the file take precedence over the
earlier line?

Rowland

On 28.12.2015 at 17:12, Rowland penny wrote:
> On 28/12/15 15:33, Ryan Ashley wrote:
>> I recently tried adding a firewall to my Samba 4 server using the port
>> information I found on the wiki. Below is a dump of the resulting rules.
>> [...]
>> As you can see, I try to prevent brute-force attacks on SSH, but
>> accept data, both TCP and UDP on the ports specified by the wiki
>> article.
>
> I would check the ports again, if I were you, you need port 389 tcp as
> well as udp. Also whilst not being a firewall expert, doesn't having
> port 22 mentioned at the end of the file take precedence over the
> earlier line?

iptables works from top to bottom; the first rule which hits is a final
decision. The earlier lines are a conditional DROP after more than 4 hits
within 600 seconds for a specific IP. The ACCEPT at the bottom is needed
because otherwise 22 would be closed altogether, but it never hits for
the IPs that hit the rate control at the beginning.

On 12/28/2015 10:33 AM, Ryan Ashley wrote:
> I recently tried adding a firewall to my Samba 4 server using the port
> information I found on the wiki. Below is a dump of the resulting rules.
> [...]
> -A INPUT -p tcp -m state --state NEW -m multiport --dports
> 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m multiport --dports
> 53,67,88,123,137,138,389,464 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
>
> As you can see, I try to prevent brute-force attacks on SSH, but
> accept data, both TCP and UDP on the ports specified by the wiki
> article. However, when this firewall is on my AD DC server, logins
> take eons, everything is SLOW on workstations, and sometimes
> authentications just plain fail. Why?

I assume this is for a DC. If so are you using functional level 2008?
You need to open ports 49152 through 65535 if you are. Level 2003 used
1025 through 5000.

-- 
-James

Hai,

I'm missing a few things.

And maybe the time server port to open? Are your DCs time servers also?
These are the ports I've set.

TCP, what I'm having:
22,42,53,88,135,139,389,445,464,636,3268,3269,1024:5000,49612:65535

How you did:
22,53,88,135,139,445,464,636,1024:5000,3268,3269
You're missing 42, 389 and the range 49612:65535.

UDP, what I'm having:
53,67,68,88,123,137,138,389,464

How you did:
53,67,88,123,137,138,389,464
You're missing 68 (but I don't know if you need it).

If you're not familiar with iptables, I advise you to install ufw, for
example. I have a nice "base" set of rules, if you need some examples.
ufw isn't that hard and is easy to extend. And a handy thing: integrating
iptables + GeoIP is really easy, and handy for SSH access/blocks. I only
allow SSH access on my server from the Netherlands with a rule like:

-A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 22 -m comment --comment 'SSH%20Geoip' -j DROP

If you want some extra info on that, just mail me, no problem.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of James
> Sent: Monday 28 December 2015 17:27
> To: samba at lists.samba.org
> Subject: Re: [Samba] Firewall trouble?
>
> On 12/28/2015 10:33 AM, Ryan Ashley wrote:
> > I recently tried adding a firewall to my Samba 4 server using the port
> > information I found on the wiki. Below is a dump of the resulting rules.
> > [...]
> > As you can see, I try to prevent brute-force attacks on SSH, but
> > accept data, both TCP and UDP on the ports specified by the wiki
> > article. However, when this firewall is on my AD DC server, logins
> > take eons, everything is SLOW on workstations, and sometimes
> > authentications just plain fail. Why?
>
> I assume this is for a DC. If so are you using functional level 2008?
> You need to open ports 49152 through 65535 if you are. Level 2003 used
> 1025 through 5000.
>
> --
> -James

No, iptables will first hit the line:

-p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource

This line adds the IP to the "BLOCKED" list and increments the attempts
to connect by one. The next line checks to see if there are four or more
attempts to connect in under ten minutes. If so, drop the connection. If
not, continue processing the rules. The rule allowing it later is only
reached by somebody who has not tried to repeatedly log in to SSH.

Yes, I now see I forgot 389 TCP. I will add it and give it a shot. Thank
you for pointing that out.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 12/28/2015 11:12 AM, Rowland penny wrote:
> On 28/12/15 15:33, Ryan Ashley wrote:
>> I recently tried adding a firewall to my Samba 4 server using
>> the port information I found on the wiki. Below is a dump of the
>> resulting rules.
>> [...]
>> As you can see, I try to prevent brute-force attacks on SSH, but
>> accept data, both TCP and UDP on the ports specified by the wiki
>> article.
>
> I would check the ports again, if I were you, you need port 389
> tcp as well as udp. Also whilst not being a firewall expert,
> doesn't having port 22 mentioned at the end of the file take
> precedence over the earlier line?
>
> Rowland

James, I am at 2008 R2 level. What you just told me is not mentioned on
the wiki and could very well be my problem. I am first going to open 389
TCP and, should that not solve it, allow the ports you specified, but
only from the LAN.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 12/28/2015 11:27 AM, James wrote:
> On 12/28/2015 10:33 AM, Ryan Ashley wrote:
>> I recently tried adding a firewall to my Samba 4 server using the port
>> information I found on the wiki. Below is a dump of the resulting rules.
>> [...]
>> As you can see, I try to prevent brute-force attacks on SSH, but
>> accept data, both TCP and UDP on the ports specified by the wiki
>> article. However, when this firewall is on my AD DC server, logins
>> take eons, everything is SLOW on workstations, and sometimes
>> authentications just plain fail. Why?
>
> I assume this is for a DC. If so are you using functional level 2008?
> You need to open ports 49152 through 65535 if you are. Level 2003 used
> 1025 through 5000.

Louis, I love iptables and while I am NOT a pro, I know it fairly well.
You should see the magic I have running on our VPN server and SIP
server! Still, you mention TCP 42 and UDP 68. What are these two ports
for? The range you mentioned I was just told about in another response.
The only range listed on the wiki is apparently for 2003. Do I still
need 1024-5000 on the 2008 R2 level?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 12/29/2015 03:58 AM, L.P.H. van Belle wrote:
> Hai,
>
> I'm missing a few things.
>
> And maybe the time server port to open? Are your DCs time servers also?
> These are the ports I've set.
>
> TCP, what I'm having:
> 22,42,53,88,135,139,389,445,464,636,3268,3269,1024:5000,49612:65535
>
> How you did:
> 22,53,88,135,139,445,464,636,1024:5000,3268,3269
> You're missing 42, 389 and the range 49612:65535.
>
> UDP, what I'm having:
> 53,67,68,88,123,137,138,389,464
>
> How you did:
> 53,67,88,123,137,138,389,464
> You're missing 68 (but I don't know if you need it).
> [...]

I just looked up 42 and 68. I do not use WINS or BOOTP. I am removing
range 1024-5000 and replacing it with 49612-65535 now. I already allowed
389 TCP.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 12/29/2015 03:58 AM, L.P.H. van Belle wrote:
> Hai,
>
> I'm missing a few things.
>
> And maybe the time server port to open? Are your DCs time servers also?
> These are the ports I've set.
>
> TCP, what I'm having:
> 22,42,53,88,135,139,389,445,464,636,3268,3269,1024:5000,49612:65535
>
> How you did:
> 22,53,88,135,139,445,464,636,1024:5000,3268,3269
> You're missing 42, 389 and the range 49612:65535.
>
> UDP, what I'm having:
> 53,67,68,88,123,137,138,389,464
>
> How you did:
> 53,67,88,123,137,138,389,464
> You're missing 68 (but I don't know if you need it).
> [...]

Alright, I have set up the new rules and am waiting to see if I have any
issues. If I do, I will keep working on it. I also read the article
below, which mentions exactly what I was told about 2008 and newer using
different ports.

https://support.microsoft.com/en-us/kb/929851

Here is the new configuration:

root at dc01:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -s 10.0.0.0/22 -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,389,445,464,636,3268,3269,49152:65535 -j ACCEPT
-A INPUT -s 10.0.0.0/22 -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
-A INPUT -i lo -j ACCEPT

As you can see, I only allow access from my LAN now, thus further
securing the server. VPN users get a LAN address so they will work with
this setup also.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 12/29/2015 03:58 AM, L.P.H. van Belle wrote:
> Hai,
>
> I'm missing a few things.
>
> And maybe the time server port to open? Are your DCs time servers also?
> These are the ports I've set.
>
> TCP, what I'm having:
> 22,42,53,88,135,139,389,445,464,636,3268,3269,1024:5000,49612:65535
>
> How you did:
> 22,53,88,135,139,445,464,636,1024:5000,3268,3269
> You're missing 42, 389 and the range 49612:65535.
>
> UDP, what I'm having:
> 53,67,68,88,123,137,138,389,464
>
> How you did:
> 53,67,88,123,137,138,389,464
> You're missing 68 (but I don't know if you need it).
> [...]

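Two points in this thread can be checked without touching a live firewall: Rowland's question of whether the later port-22 ACCEPT overrides the earlier `-m recent` DROP, and why the original port list left AD logons crawling until 389/tcp and the 2008 R2 dynamic RPC range were opened. The simulator below is an added example, not code from the thread or from Samba; it models the posted INPUT chain for NEW packets only, with constructed source addresses, and assumes xt_recent's default ring of 20 timestamps per address.

```python
"""First-match simulator for the INPUT chain posted in this thread.

Added example, not code from the thread.  It models only what the
discussion turns on: top-to-bottom evaluation, the `-m recent --set` /
`--update --seconds 600 --hitcount 4` pair on port 22, the multiport
ACCEPT lists, and the -s 10.0.0.0/22 restriction of the final ruleset.
Only NEW packets are modelled; RELATED,ESTABLISHED traffic is accepted
by the first rule of the chain anyway.
"""
import ipaddress
from collections import defaultdict

# Port lists as posted.  At the 2008 R2 functional level the dynamic RPC
# range moves from 1024:5000 to 49152:65535 (KB 929851, cited above).
ORIGINAL_TCP = {22, 53, 88, 135, 139, 445, 464, 636, 3268, 3269, *range(1024, 5001)}
FIXED_TCP = {22, 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, *range(49152, 65536)}
UDP_PORTS = {53, 67, 88, 123, 137, 138, 389, 464}

SSH_SECONDS, SSH_HITCOUNT = 600, 4   # --seconds 600 --hitcount 4
RECENT_MAX_STAMPS = 20               # assumed xt_recent default ip_pkt_list_tot


class InputChain:
    def __init__(self, tcp_ports, lan=None):
        self.tcp_ports = tcp_ports
        self.lan = ipaddress.ip_network(lan) if lan else None   # -s 10.0.0.0/22
        self.blocked = defaultdict(list)  # --name BLOCKED --rsource: src -> stamps

    def _stamp(self, src, now):
        stamps = self.blocked[src]
        stamps.append(now)
        del stamps[:-RECENT_MAX_STAMPS]   # xt_recent keeps a bounded ring

    def verdict(self, proto, src, dport, now):
        """Return 'ACCEPT' or 'DROP' for one NEW packet, following rule order."""
        if proto == "tcp" and dport == 22:
            # Rule 1: -m recent --set has no -j, so it only records the hit
            # and evaluation continues with the next rule.
            self._stamp(src, now)
            # Rule 2: -m recent --update --seconds 600 --hitcount 4 -j DROP.
            # xt_recent counts stamps strictly younger than --seconds.
            hits = sum(1 for t in self.blocked[src] if now - t < SSH_SECONDS)
            if hits >= SSH_HITCOUNT:
                self._stamp(src, now)   # --update refreshes the entry on match
                return "DROP"
        # The multiport rules are the only place port 22 is accepted, so a
        # source dropped above never reaches them: rule order wins.
        if self.lan is None or ipaddress.ip_address(src) in self.lan:
            if proto == "tcp" and dport in self.tcp_ports:
                return "ACCEPT"
            if proto == "udp" and dport in UDP_PORTS:
                return "ACCEPT"
        return "DROP"   # -P INPUT DROP


def ssh_verdicts(times, src="203.0.113.9"):
    """Verdicts for successive NEW SSH connections from one constructed source."""
    chain = InputChain(ORIGINAL_TCP)
    return [chain.verdict("tcp", src, 22, t) for t in times]


def dc_client_verdicts(tcp_ports, lan, src="10.0.1.5"):
    """What an AD client sees: LDAP on 389/tcp and an RPC endpoint above 49152."""
    chain = InputChain(tcp_ports, lan)
    return {
        "ldap_tcp": chain.verdict("tcp", src, 389, 0),
        "rpc_dynamic": chain.verdict("tcp", src, 49200, 0),
    }


if __name__ == "__main__":
    # Rowland's question: the 4th NEW connection inside 600 s is dropped
    # before the ACCEPT further down is ever consulted.
    print(ssh_verdicts((0, 10, 20, 30, 40)))
    # A source that keeps retrying keeps refreshing its entry and stays out;
    # one that waits out the window gets back in.
    print(ssh_verdicts((0, 100, 200, 300, 400, 500, 600, 700)))
    print(ssh_verdicts((0, 10, 20, 30, 700)))
    # Why logons crawled: 389/tcp and the 2008 R2 RPC range were not open.
    print(dc_client_verdicts(ORIGINAL_TCP, None))
    print(dc_client_verdicts(FIXED_TCP, "10.0.0.0/22"))
    print(dc_client_verdicts(FIXED_TCP, "10.0.0.0/22", src="203.0.113.9"))
```

Note that because `--update` re-stamps on every dropped attempt, a client that retries inside the window extends its own block indefinitely; the 600 s clock only runs out once it stops connecting.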