I don't need any broadcasting/autodiscovery; everything is deterministic and strictly configured in my networks. I drop trash Samba broadcasts at the firewall anyway, so can't I just disable them to keep my network traffic clean?
-
1. You will get better answers if you indicate your OS and version, and the Samba version as well. 2. Does Samba generate enough broadcast traffic that it actually causes anything bad to happen? In other words, why are you worried about this? – mfinni Jun 29 '10 at 02:05
-
There is no problem, but I'd like only meaningful traffic to take place, just for tidiness. The OS is Ubuntu 10.04 Server x64; Samba is the standard one from the repo. – Ivan Jun 29 '10 at 04:49
5 Answers
In Debian at least, you could use the option `disable netbios = yes` in your smb.conf file. I think this is a better option than editing the init scripts. This way you will not have to edit the init scripts every time they get overwritten by upgrades.

-
I can confirm that this is the best option on Ubuntu 14.04 too - the `/etc/init/nmbd.conf` file checks to see if `disable netbios = yes` is found in `/etc/samba/smb.conf` and does not launch nmbd. – Adam Kerz May 26 '15 at 03:34
Kill nmbd
Edit your rc/init scripts that launch smbd and nmbd so they don't run nmbd. nmbd is the automatic discovery component of Samba. Disabling it will cut down on the traffic.

For me, on Debian 10, even after adding `disable netbios = yes` to `/etc/init/nmbd.conf` in a `[global]` section, `sudo netstat -an | grep 137` and `sudo netstat -an | grep 138` still showed `nmbd` was running and using those ports.
I had to do this to disable `nmbd`:
sudo systemctl stop nmbd
sudo systemctl disable nmbd
sudo systemctl mask nmbd

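An added example, not code from any of the answers above, that scripts the two checks this thread keeps coming back to: whether an smb.conf really carries `disable netbios = yes` in its `[global]` section (the condition the Ubuntu upstart job looks for before starting nmbd), and whether anything is still bound to the NetBIOS ports (the `netstat -an | grep 137` check, done with `ss` since netstat is deprecated). The config path and the sample inputs in the test are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks (1) whether an smb.conf really
# sets 'disable netbios = yes' in [global], which is what the Ubuntu upstart job
# for nmbd looks for, and (2) whether anything is still bound to the NetBIOS
# ports. Paths and sample inputs are assumptions.

# Print "yes" if 'disable netbios' is enabled in the [global] section of the
# smb.conf given as $1, else "no". Samba treats the option as global-only,
# ignores case and surrounding whitespace, and the last setting wins, so the
# parser does the same; comment lines (# or ;) and other sections are skipped.
smb_netbios_disabled() {
    awk '
        /^[[:space:]]*[#;]/ { next }                    # comment line
        /^[[:space:]]*\[/ {                             # section header
            sec = tolower($0); gsub(/\[|\]|[[:space:]]/, "", sec); next
        }
        sec == "global" && /=/ {
            key = tolower($0); sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            val = tolower($0); sub(/^[^=]*=/, "", val); gsub(/[[:space:]]/, "", val)
            if (key == "disablenetbios")
                found = (val == "yes" || val == "true" || val == "1")
        }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# List sockets bound to the NetBIOS ports (UDP 137/138, TCP 139); empty output
# means nmbd, or anything else, is no longer listening. Uses ss rather than the
# deprecated netstat; -H drops the header so the output is easy to check.
netbios_listeners() {
    ss -Hlnup '( sport = :137 or sport = :138 )'
    ss -Hlntp '( sport = :139 )'
}

# Usage (path assumed): smb_netbios_disabled /etc/samba/smb.conf; netbios_listeners
```

On a host where Samba is installed, `testparm -s --parameter-name='disable netbios' /etc/samba/smb.conf` is the authoritative check, since it runs Samba's own parser; the awk function only reproduces the rules that matter here (global-only, case- and whitespace-insensitive, comments and other sections ignored), so a `disable netbios = yes` dropped into a share section counts as not set, which is also how nmbd would see it.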
Just using `disable netbios = yes` in your config file won't stop nmbd from running from the init.d script. You need to manually comment out the nmbd options from the script after killing nmbd, because nmbd will start again after restarting the Samba services or a reboot.
You can check whether NetBIOS is no longer running by using the following command:
netstat -an | grep 137 (or 138)
This will show whether there are active listeners on your system using port numbers 137 (NetBIOS name) and 138 (NetBIOS datagram).
I've actually done some iptables rules about NetBIOS instead of disabling it.
(But of course you can disable it by adding `disable netbios = yes` to the `smb.conf` file in the `[global]` section.)
I was running a dedicated server, but they actually continuously told me there were NetBIOS attacks, so I made a VPN for my clients.
(If you are running a server through a router you don't need to set up a VPN, but if you are using remote connections over TCP/IP for network sharing, I really advise you to set one up.)
So here is my solution (replace the IP range with yours, like 192.168.0.0/24, depending on your router's IP assignments):
First, reject all connections to the NetBIOS ports through iptables:
iptables -A INPUT -p udp -m udp --dport 137 -j REJECT
iptables -A INPUT -p udp -m udp --dport 138 -j REJECT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j REJECT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j REJECT
This is blocking:
- UDP port 137 for NetBIOS Name Service
- UDP port 138 for NetBIOS Datagram services
- TCP port 139 for NetBIOS Session services
- TCP port 445 for NetBIOS Microsoft Discovery Service
Second, allow all local (or VPN) clients to access the NetBIOS ports through iptables:
iptables -A INPUT -p udp -m udp -s 10.8.0.0/24 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 10.8.0.0/24 --dport 138 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 10.8.0.0/24 --dport 139 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 10.8.0.0/24 --dport 445 -j ACCEPT
According to this config, that will accept connections from all IPs from 10.8.0.1 through 10.8.0.254.
You might find more info for IP routing there: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation
I hope that helps.


-
The order of `iptables` rules is important: if the any-address REJECT rules are placed before more specific ACCEPT rules, the ACCEPT rules will be ineffective. The first matching rule wins. – telcoM Sep 25 '19 at 11:18
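An added example, not the answer's own commands, that emits the NetBIOS/SMB rule set from the answer above in iptables-save format with the trusted-source ACCEPT rules placed ahead of the catch-all REJECT rules, so the first match wins as the comment immediately above points out. It also includes a small check that fails on the original ordering. The trusted range 10.8.0.0/24, the chain name `SMB_IN`, and the use of `-m conntrack` in place of the deprecated `-m state` are assumptions; nothing is applied until the output is handed to `iptables-restore`.

```shell
#!/bin/sh
# Added example, not the answer's own commands. Emits the NetBIOS/SMB ruleset
# from the answer above in iptables-save format with the trusted-source ACCEPT
# rules ahead of the catch-all REJECT rules, so the first match wins as the
# comment on that answer points out. The trusted range 10.8.0.0/24 and the
# chain name SMB_IN are assumptions. Nothing is applied until the output is
# handed to iptables-restore.

# Cheap sanity check on the trusted range: 0 if $1 looks like a.b.c.d/nn.
# (Not a full validator; it rejects letters, spaces and malformed separators.)
valid_cidr() {
    case "$1" in
        *[!0-9./]* | */*/* | *//* | *..* | *./* | /* | */) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ruleset for the trusted range $1. Order inside SMB_IN is the point:
# ACCEPT from the trusted range first, REJECT for everyone else last.
netbios_ruleset() {
    trusted=$1
    valid_cidr "$trusted" || { echo "netbios_ruleset: bad CIDR '$trusted'" >&2; return 1; }
    cat <<EOF
*filter
:SMB_IN - [0:0]
# Only NetBIOS/SMB traffic is diverted into the dedicated chain
-A INPUT -p udp -m multiport --dports 137,138 -j SMB_IN
-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 139,445 -j SMB_IN
# Trusted LAN/VPN sources: must come before the REJECT rules below
-A SMB_IN -s $trusted -p udp -m multiport --dports 137,138 -j ACCEPT
-A SMB_IN -s $trusted -p tcp -m multiport --dports 139,445 -j ACCEPT
# Everyone else: port-unreachable for UDP, RST for TCP
-A SMB_IN -p udp -j REJECT --reject-with icmp-port-unreachable
-A SMB_IN -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Read a ruleset on stdin and return 0 only if no ACCEPT in SMB_IN comes after
# a REJECT, i.e. the ordering mistake the comment describes is absent.
accepts_before_rejects() {
    awk '/^-A SMB_IN / && /-j REJECT/ { seen_reject = 1 }
         /^-A SMB_IN / && /-j ACCEPT/ && seen_reject { bad = 1 }
         END { exit (bad ? 1 : 0) }'
}

# Usage: netbios_ruleset 10.8.0.0/24 | accepts_before_rejects && \
#        netbios_ruleset 10.8.0.0/24 | iptables-restore --test
```

Keeping the SMB rules in their own chain means the INPUT chain only needs the two jump rules, and the order question is confined to a chain you fully control; `iptables-restore --test` parses the output without committing it, and `iptables-restore -n` loads it without flushing the rest of the filter table. Review the output before loading it on a remote host.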