Making Samba listen only on specific interfaces

Recently I looked at the Samba logs and gasped :). The directory held around 100,000 files, one for every host that had been hammering on my Samba (the Samba server faces the internet). This had to be limited somehow by closing the port to the outside. So we tell Samba which interface to listen on (by default it listens on every available interface except the loopback).

bind interfaces only = yes
interfaces = rl0
socket address = 10.0.3.33

Note that after setting these parameters Samba must be restarted (run restart, not reload), since the daemons have to stop listening on the other interfaces.

Below is the man page reference for each parameter, just in case, so you know what to write.

bind interfaces only (G)

This global parameter allows the Samba admin to limit what
interfaces on a machine will serve SMB requests. It affects file
service smbd(8) and name service nmbd(8) in slightly different
ways.

For name service it causes nmbd to bind to ports 137 and 138 on the
interfaces listed in the interfaces parameter. nmbd also binds to
the "all addresses" interface (0.0.0.0) on ports 137 and 138 for
the purposes of reading broadcast messages. If this option is not
set then nmbd will service name requests on all of these sockets.
If bind interfaces only is set then nmbd will check the source
address of any packets coming in on the broadcast sockets and
discard any that don't match the broadcast addresses of the
interfaces in the interfaces parameter list. As unicast packets are
received on the other sockets it allows nmbd to refuse to serve
names to machines that send packets that arrive through any
interfaces not listed in the interfaces list. IP source address
spoofing does defeat this simple check, however, so it must not be
used seriously as a security feature for nmbd.

For file service it causes smbd(8) to bind only to the interface
list given in the interfaces parameter. This restricts the networks
that smbd will serve to packets coming in those interfaces. Note
that you should not use this parameter for machines that are
serving PPP or other intermittent or non-broadcast network
interfaces as it will not cope with non-permanent interfaces.

If bind interfaces only is set then unless the network address
127.0.0.1 is added to the interfaces parameter list smbpasswd(8)
and swat(8) may not work as expected due to the reasons covered
below.

To change a user's SMB password, smbpasswd by default connects
to the localhost (127.0.0.1) address as an SMB client to issue the
password change request. If bind interfaces only is set then, unless
the network address 127.0.0.1 is added to the interfaces parameter
list, smbpasswd will fail to connect in its default mode. smbpasswd
can be forced to use the primary IP interface of the local host by
using its smbpasswd(8) -r remote machine parameter, with remote
machine set to the IP name of the primary interface of the local
host.

The swat status page tries to connect with smbd and nmbd at the
address 127.0.0.1 to determine if they are running. Not adding
127.0.0.1 will cause smbd and nmbd to always show "not running"
even if they really are. This can prevent swat from
starting/stopping/restarting smbd and nmbd.

Default: bind interfaces only = no

interfaces (G)

This option allows you to override the default network interfaces
list that Samba will use for browsing, name registration and other
NBT traffic. By default Samba will query the kernel for the list of
all active interfaces and use any interfaces except 127.0.0.1 that
are broadcast capable.

The option takes a list of interface strings. Each string can be in
any of the following forms:

o   a network interface name (such as eth0). This may include
shell-like wildcards so eth* will match any interface starting
with the substring "eth"

o   an IP address. In this case the netmask is determined from the
list of interfaces obtained from the kernel

o   an IP/mask pair.

o   a broadcast/mask pair.

The "mask" parameters can either be a bit length (such as 24 for a
class C network) or a full netmask in dotted decimal form.

The "IP" parameters above can either be a full dotted decimal IP
address or a hostname which will be looked up via the OS's normal
hostname resolution mechanisms.

By default Samba enables all active interfaces that are broadcast
capable except the loopback adaptor (IP address 127.0.0.1).

The example below configures three network interfaces corresponding
to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
The netmasks of the latter two interfaces would be set to
255.255.255.0.

Default: interfaces =

Example: interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0

socket address (G)

This option allows you to control what address Samba will listen
for connections on. This is used to support multiple virtual
interfaces on the one server, each with a different configuration.

Setting this option should never be necessary on usual Samba
servers running only one nmbd.

By default Samba will accept connections on any address.

Default: socket address =

Example: socket address = 192.168.2.20
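As an added example (not from the original post or from the Samba project), here is a small Python lint that checks the three settings shown at the top of the post against the man page text above: it parses the [global] section, classifies each interfaces entry into the four forms the man page lists, and warns when bind interfaces only is on but 127.0.0.1 is missing, which is the smbpasswd/swat failure mode described above. The smb.conf fragment is constructed for the demo, and the broadcast/mask detection is my own heuristic.

```python
import ipaddress

# Constructed smb.conf fragment for the demo; not the original post's server config.
SAMPLE_SMB_CONF = """
[global]
   bind interfaces only = yes
   interfaces = rl0 10.0.3.33/24 192.168.2.255/255.255.255.0
   socket address = 10.0.3.33
"""

def parse_global(text):
    """Return the [global] section as a dict with lower-cased keys."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def classify_interface(token):
    """Map one 'interfaces' entry to the forms listed in smb.conf(5)."""
    if "/" in token:
        addr, mask = token.split("/", 1)
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            return "invalid"
        # Heuristic (my assumption): address equal to the subnet broadcast -> broadcast/mask
        return "broadcast/mask" if ipaddress.ip_address(addr) == net.broadcast_address else "ip/mask"
    try:
        ipaddress.ip_address(token)
        return "ip"
    except ValueError:
        return "name"  # device name, possibly with shell-like wildcards (eth*)

def lint(text):
    """Return findings about the interface-binding settings of a config."""
    g, findings = parse_global(text), []
    if g.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
        return ["bind interfaces only is off: smbd and nmbd listen on all interfaces"]
    tokens = g.get("interfaces", "").split()
    if not tokens:
        findings.append("bind interfaces only = yes but the interfaces list is empty")
    findings += [f"invalid interfaces entry: {t}" for t in tokens if classify_interface(t) == "invalid"]
    if not any(t in ("lo", "lo0") or t.startswith("127.") for t in tokens):
        findings.append("127.0.0.1 is not in interfaces: smbpasswd and swat may fail")
    return findings
```

Running lint(SAMPLE_SMB_CONF) reports only the missing loopback entry; adding lo or 127.0.0.1 to the interfaces line clears it.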
