I don't need any broadcasting/autodiscovery; everything is deterministic and strictly configured in my nets. I drop trash SAMBA broadcasts with the firewall anyway, so can't I just disable them to keep my network traffic clean?
In Debian at least, you could use the option 'disable netbios = yes' in your smb.conf file. I think this is a better option than editing the init scripts. This way you will not have to edit the init scripts every time they get overwritten by upgrades.
Kill nmbd
Edit your rc/init scripts that launch smbd and nmbd so they don't run nmbd. nmbd is the automatic discovery component of Samba. Disabling it will cut down on the traffic.
http://www.samba.org/samba/docs/man/manpages-3/nmbd.8.html
Just using
disable netbios = yes
in your config file won't stop nmbd from running from the init.d script. You need to manually comment out the nmbd options from the script after killing nmbd, because nmbd will start again after restarting the Samba services or a reboot. You can check if NetBIOS isn't running any more by using the following command:
netstat -an | grep 137 (or 138)
This will show if there are listeners active on your system using port numbers 137 (NetBIOS name) and 138 (NetBIOS datagram).
For me, on Debian 10, even after adding disable netbios = yes to /etc/init/nmbd.conf in a [global] section, sudo netstat -an | grep 137 and sudo netstat -an | grep 138 still showed nmbd was running and using those ports. I had to do this to disable nmbd:
I've actually done some iptables rules about NetBIOS instead of disabling it.
(But of course you can disable it by adding disable netbios = yes to the smb.conf file in the [global] section.)
I was running a dedicated server, but they actually continuously told me there were NetBIOS attacks, so I made a VPN for my clients.
(If you are running a server through a router you don't need to set up a VPN, but if you are using remote connections over TCP/IP for network sharing, I really advise you to do one.)
So here is my solution (replace the IP range with yours, like 192.168.0.0/24, depending on your router's IP assignments):
First reject all connections used by netbios ports through iptables:
This is blocking:
Second you'll accept all local (or VPN) clients to access netbios ports through iptables:
According to this config, that will accept connections from all IPs from 10.8.0.1 through 10.8.0.254.
You might find more info for IP routing there: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation
I hope that helps.
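Added here as a worked example of the approach in this answer and of the netstat check from the earlier one; it is not the answerer's own rule set. It assumes the four NetBIOS/SMB ports listed in the script, a trusted range of 10.8.0.0/24 as in the answer, and a constructed netstat listing rather than output from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers: one emits iptables rules
# that allow NetBIOS/SMB only from a trusted range (the VPN subnet idea above),
# one finds NetBIOS listeners in netstat output by exact port, which a loose
# "grep 137" does not (it also matches port 1370 or an address like 192.168.1.37).

# NetBIOS name service 137/udp, datagram 138/udp, session 139/tcp, direct SMB 445/tcp.
NETBIOS_UDP="137 138"
NETBIOS_TCP="139 445"

# netbios_rules TRUSTED_CIDR: print the rules; review, then apply as root
# (e.g. netbios_rules 10.8.0.0/24 | sudo sh). The ACCEPT is appended before the
# DROP on purpose: iptables evaluates INPUT top-down, so an ACCEPT appended after
# a DROP for the same port would never be reached.
netbios_rules() {
    cidr="$1"
    for p in $NETBIOS_UDP; do
        echo "iptables -A INPUT -p udp --dport $p -s $cidr -j ACCEPT"
        echo "iptables -A INPUT -p udp --dport $p -j DROP"
    done
    for p in $NETBIOS_TCP; do
        echo "iptables -A INPUT -p tcp --dport $p -s $cidr -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
    done
}

# netbios_listeners: read `netstat -an` lines on stdin and print proto:port for
# every UDP socket or TCP LISTEN socket bound to one of the ports above.
# The port is the text after the last ':' of the local address (field 4).
netbios_listeners() {
    awk '$1 ~ /^udp6?$/ || ($1 ~ /^tcp6?$/ && $6 == "LISTEN") {
             n = split($4, a, ":"); port = a[n]
             if (port == 137 || port == 138 || port == 139 || port == 445)
                 print $1 ":" port
         }'
}

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1370            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.37:22         192.168.1.5:51370       ESTABLISHED
tcp6       0      0 :::445                  :::*                    LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 192.168.1.37:138        0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*'

printf '%s\n' "$SAMPLE_NETSTAT" | netbios_listeners   # tcp:139 tcp6:445 udp:137 udp:138
```

On a live host, pipe `netstat -an` (or the output of the answer's grep) into netbios_listeners instead of the sample; an empty result means nothing is bound to those ports.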