Samba AD DC Port Usage: Difference between revisions
Revision as of 14:30, 27 August 2015
Introduction
If you need to secure your Samba installation with a firewall, you will need to know what ports and protocols are used. This page supplies an overview.
Identify which ports and interfaces Samba is listening on
You can use "netstat" to identify which ports and IPs Samba and related daemons are listening on:
# netstat -tulpn | egrep "samba|smbd|nmbd|winbind"
The following is a snippet of an example output:
tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 43270/smbd
tcp 0 0 10.0.0.1:139 0.0.0.0:* LISTEN 43270/smbd
tcp 0 0 10.0.0.1:88 0.0.0.0:* LISTEN 43273/samba
tcp 0 0 127.0.0.1:88 0.0.0.0:* LISTEN 43273/samba
tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 43270/smbd
tcp 0 0 10.0.0.1:445 0.0.0.0:* LISTEN 43270/smbd
.....
The above example shows that the services are listening on localhost (127.0.0.1) and on the interface with IP 10.0.0.1, on each of the listed ports (139, 88, 445, ...).
Port usage when Samba runs as an Active Directory Domain Controller
Service | Port | Protocol |
---|---|---|
DNS | 53 | tcp/udp |
Kerberos | 88 | tcp/udp |
End Point Mapper (DCE/RPC Locator Service) | 135 | tcp |
NetBIOS Name Service | 137 | udp |
NetBIOS Datagram | 138 | udp |
NetBIOS Session | 139 | tcp |
LDAP | 389 | tcp/udp |
SMB over TCP | 445 | tcp |
Kerberos kpasswd | 464 | tcp/udp |
LDAPS (only if "tls enabled = yes") | 636 | tcp |
Dynamic RPC Ports* | 1024-5000 | tcp |
Global Catalog | 3268 | tcp |
Global Catalog SSL (only if "tls enabled = yes") | 3269 | tcp |
Multicast DNS | 5353 | tcp/udp |
* Samba, like Windows, supports dynamic RPC services. The range starts at 1024. If a port in the range is already occupied for some reason, a different port is used (Samba literally walks up from 1024 until it finds a free one).
Remember, there can be other ports as well: these are related to your Samba installation but are not provided by Samba itself, e.g. an NTP server run for time synchronisation.
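As an added example (not from the Samba wiki), the following shell function turns the table above into an nftables ruleset that admits the AD DC ports only from an internal subnet; the table name samba_adc, the subnet argument and the "yes"/"no" TLS switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset from the Samba AD DC port table.
# $1 = internal subnet allowed to reach the DC (assumed, e.g. 10.0.0.0/24)
# $2 = "yes" if "tls enabled = yes" in smb.conf, so LDAPS 636 and GC-SSL 3269
#      must be open too; anything else leaves them closed.
samba_adc_nft_rules() {
    subnet="$1"
    tls="${2:-no}"
    # TCP: DNS, Kerberos, EPM, NetBIOS session, LDAP, SMB, kpasswd, GC, mDNS,
    # plus the dynamic RPC range 1024-5000 from the table.
    tcp_ports="53, 88, 135, 139, 389, 445, 464, 3268, 5353, 1024-5000"
    # UDP: DNS, Kerberos, NetBIOS name/datagram, LDAP, kpasswd, mDNS
    udp_ports="53, 88, 137, 138, 389, 464, 5353"
    if [ "$tls" = "yes" ]; then
        tcp_ports="$tcp_ports, 636, 3269"
    fi
    cat <<EOF
table inet samba_adc {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # management access (e.g. SSH) must be added here before loading
        ip saddr $subnet tcp dport { $tcp_ports } accept
        ip saddr $subnet udp dport { $udp_ports } accept
    }
}
EOF
}

# Stand-alone run: print the ruleset for a constructed internal subnet.
# Load with: samba_adc_nft_rules 10.0.0.0/24 > samba.nft && nft -f samba.nft
samba_adc_nft_rules 10.0.0.0/24
```

The generated chain has "policy drop", so review it against every other service on the host before loading it.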
Prevent Samba from listening on all interfaces
Sometimes you don't want Samba to listen on all interfaces of your host. For example, if the host is directly connected to the internet, you definitely will not want to provide your shares to the rest of the world. If you limit Samba to listen only on the internal NIC(s), you don't need a firewall to prevent access from the outside.
Add the following to the "[global]" section of your smb.conf to bind Samba to eth0 and loopback:
bind interfaces only = yes
interfaces = lo eth0
The "interfaces" parameter supports several ways of restricting the listening interfaces; see the smb.conf manpage for more details.
After the changes, restart Samba.
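To verify the binding after the restart, here is an added example (not from the Samba wiki): a shell function that reads "netstat -tulpn" output and lists every Samba-related socket bound to an address outside an allow list, such as the wildcard 0.0.0.0. The netstat output it is run on is constructed for the example, and the allow list corresponds to "interfaces = lo eth0" with eth0 assumed to carry 10.0.0.1.

```shell
#!/bin/sh
# Added example: audit which local addresses Samba-related daemons listen on.
# Usage: netstat -tulpn | samba_unexpected_listeners "127.0.0.1 10.0.0.1"
# Prints proto, local address and PID/program of every smbd/samba/nmbd/winbindd
# socket whose local IP is not in the space-separated allow list given as $1,
# and returns 1 if any such socket exists (0 when all listeners are allowed).
samba_unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Field 4 is the local address in both tcp and udp rows of netstat -tulpn;
        # the PID/program column is always the last field.
        $NF ~ /\/(samba|smbd|nmbd|winbindd?)$/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)      # strip the port; "0.0.0.0" and "::" remain
            if (!(addr in ok)) { bad++; print $1, $4, $NF }
        }
        END { exit (bad > 0) }'
}

# Constructed sample in "netstat -tulpn" format (not real output): 88/tcp is
# bound to the wildcard and 445/tcp to an external address 192.0.2.10.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      43270/smbd
tcp        0      0 10.0.0.1:139            0.0.0.0:*               LISTEN      43270/smbd
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      43273/samba
tcp        0      0 192.0.2.10:445          0.0.0.0:*               LISTEN      43270/smbd
udp        0      0 10.0.0.1:137            0.0.0.0:*                           43271/nmbd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1200/sshd'

# Stand-alone run with the allow list for "interfaces = lo eth0" (eth0 = 10.0.0.1);
# the two offending sockets are printed and the warning follows.
printf '%s\n' "$SAMPLE_NETSTAT" | samba_unexpected_listeners "127.0.0.1 10.0.0.1" \
    || echo "Samba is listening outside the allowed interfaces"
```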