суббота, 20 октября 2012 г.

Samba на Debian


cat /etc/samba/smb.conf
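# /etc/samba/smb.conf - Samba on Debian, anonymous (guest-only) file server.
# Samba treats a line as a comment only when it BEGINS with '#' or ';'.
# Text after a value is part of the value (an inline comment after
# "workgroup = ..." would become part of the workgroup name), so every
# comment in this file is on its own line.
[global]

    # Restricts SMB to the interfaces named in "interfaces = ...". No such
    # list is given, so Samba still binds every broadcast-capable interface.
    # Add e.g. "interfaces = lo eth0" (example value) if the restriction is intended.
    bind interfaces only = yes
    # Name of the workgroup this server belongs to.
    workgroup = WORKGROUP
    netbios name = server2
    # %h is Samba's substitution for the server's DNS host name.
    server string = %h
    # Share-level security: clients are not authenticated per user; together
    # with "guest only" on the shares every client acts as the guest account.
    # NOTE(review): this mode is deprecated and removed in later Samba
    # releases; "security = user" with "map to guest = Bad User" is the
    # replacement.
    security = SHARE
    # Accepts accounts whose password is empty. Not needed for a guest-only
    # server; consider "null passwords = No".
    null passwords = Yes
    # "public" further down is a synonym of "guest ok".
    guest ok = Yes
    browseable = Yes
    # Unix account every guest session runs as; it owns all files created
    # through the writable shares.
    guest account = nobody
    public = yes
    # Never take part in browser / domain-master elections on this network.
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    usershare allow guests = yes

# Public share: everyone may read and write.
[pub]
    path = /srv/smb/pub/
    browseable = Yes
    # Every connection is treated as guest, even if credentials are sent.
    guest only = Yes
    # "writable" is the inverse synonym of "read only"; both agree here.
    read only = no
    writable = yes
    # Permission bits allowed on newly created files. "directory mask" is not
    # set, so directories get Samba's default (0755).
    create mask = 0644

# Archive, read only: everyone may read, nobody may write through this share.
[Archive]
    path = /srv/smb/archive/
    browseable = Yes
    guest only = Yes
    read only = Yes
    writable = No
    create mask = 0644

# Archive, read/write, hidden: the same directory as [Archive], but writable
# and not listed in the share browse list, so clients must give the full name:
#   Linux:   smb://server/archive_rw/
#   Windows: \\server\archive_rw\
# NOTE(review): "browseable = No" only hides the name; it is not access
# control. Any guest who knows or guesses the share name can modify the
# archive, so the read-only [Archive] share does not actually protect the data.
[Archive_rw]
    path = /srv/smb/archive/
    browseable = No
    guest only = Yes
    read only = no
    writable = yes
    create mask = 0644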



http://sc0rp1us.blogspot.com/2012/01/samba-debian.html

вторник, 16 октября 2012 г.

squidview

  • l — Enter — генерация отчёта; здесь же можно задать дополнительные параметры отчёта
  • T — начинается учёт статистики по объёму скачанного
  • O — просмотр, кто что скачивал, с разбивкой по пользователям (после T)

вторник, 2 октября 2012 г.

iptables features

Drops a new connection from an IP that opened another new connection less than 15 seconds earlier:
# Per-source rate limit for new connections to port 22 (netfilter "recent" list,
# keyed by source address).
# Rule 1: a source already seen within the last 15 s has its entry refreshed and is dropped.
# Rule 2: any other source is recorded in the list and accepted.
# The DROP rule must come before the --set rule.
iptables --append INPUT --in-interface eth0 --protocol tcp --destination-port 22 \
    --match state --state NEW --match recent --update --seconds 15 --jump DROP
iptables --append INPUT --in-interface eth0 --protocol tcp --destination-port 22 \
    --match state --state NEW --match recent --set --jump ACCEPT

Same, but with counting of attempts: 
# Same idea with an attempt counter: every new connection to port 22 is recorded
# in the "SSH" list (rule 1); a source that reaches 5 new connections within
# 60 s is dropped (rule 2). --rttl additionally requires the packet TTL to match
# the TTL recorded by the --set rule, which limits the effect of spoofed entries.
iptables --append INPUT --protocol tcp --destination-port 22 --match state --state NEW \
    --match recent --set --name SSH
iptables --append INPUT --protocol tcp --destination-port 22 --match state --state NEW \
    --match recent --update --seconds 60 --hitcount 5 --rttl --name SSH --jump DROP

Block Well-Known TCP Attacks

Blocking portscan

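# Attempt to block portscans.
# Anyone who tried to portscan us is locked out for an entire day.
# NOTE(review): "portscan" here means any TCP packet to port 139 (see the --set
# rules below), so every legitimate NetBIOS/SMB client is locked out as well;
# do not use this on a host that itself serves SMB. The list is keyed by source
# address, so packets with a forged source can put third-party addresses on
# it; adding --rttl to the --rcheck rules limits that, and xt_recent keeps at
# most ip_list_tot (default 100) entries per list.
iptables -A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list.
iptables -A INPUT   -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list and log the attempt.
# The LOG rules are rate limited so a flood of hits cannot fill the log;
# --set on the following DROP rule still records every packet.
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Portscan:"
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP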


Spoofed/Invalid packets

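# Reject spoofed packets.
# These addresses are reserved for LANs, link-local and loopback, so on a
# WAN-only server they can only arrive spoofed; drop them.
# 192.168.0.0/16 is the third RFC 1918 block and is not listed; add it if no
# LAN on 192.168/16 talks to this host:
# iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
# Loopback addresses are legitimate on "lo" only. Without the interface test
# this rule drops all local loopback traffic unless an earlier
# "-i lo -j ACCEPT" rule exists.
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# Multicast and reserved addresses.
# NOTE(review): dropping -d 224.0.0.0/4 also discards IGMP/mDNS/SSDP addressed
# to this host, and dropping -s 0.0.0.0/8 discards DHCP discover packets if
# this host runs a DHCP server; keep that in mind on a LAN-connected machine.
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
# Reserved "class E" space is 240.0.0.0/4 (a /5 would cover only 240-247).
iptables -A INPUT -s 240.0.0.0/4 -j DROP
iptables -A INPUT -d 240.0.0.0/4 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
# 239.255.255.0/24 lies inside 224.0.0.0/4 and is already dropped above; kept for clarity.
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

# Drop all packets that conntrack cannot classify.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP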

Block Smurf attacks

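# Stop smurf attacks (and other ICMP abuse).
# A smurf attack relies on hosts answering ICMP echo requests sent to a
# broadcast address; the kernel-side fix is
#   sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# The rules below additionally drop ICMP that this host has no reason to answer.
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
# ICMP errors that belong to an existing connection (destination-unreachable,
# time-exceeded, ...) are tracked as RELATED. They must survive the catch-all
# drop below, otherwise path-MTU discovery breaks and connections that need
# fragmentation hang.
iptables -A INPUT -p icmp -m state --state RELATED -j ACCEPT
# Everything else, including echo-request (the host will not answer ping).
iptables -A INPUT -p icmp -m icmp -j DROP

# Limit the rate of incoming TCP RST packets (RST flooding; not a smurf attack).
# "-m limit ... -j ACCEPT" only accepts the packets within the limit; the
# excess falls through to the rest of the chain, so an explicit DROP is
# needed for the limit to have any effect.
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP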


Optimize netfilter's Performance Using ipset

If you write a lot of similar rules that differ only in IP address, port, or both, consider using ipset to improve netfilter's performance.
For example:
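# A long per-address allow list, the form that ipset replaces.
# The chain is given explicitly: a rule without "-A <chain>" is not a valid command.
iptables -A INPUT -s 192.168.1.11 -j ACCEPT
iptables -A INPUT -s 192.168.1.27 -j ACCEPT
iptables -A INPUT -s 192.168.1.44 -j ACCEPT
# ... hundreds of similar rules ...
iptables -A INPUT -s 192.168.251.177 -j ACCEPT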
This means that a packet with the source address of 192.168.251.177 must first traverse hundreds of rules before it can get its verdict of ACCEPT.
Of course, experienced sysadmins will split the rules by subnet. But that still means hundreds of rules.
ipset to the rescue!
First, define an IP Set of ipmap type:
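# Create a bitmap set that can hold any address in 192.168.0.0/16.
# This is the ipset 6.x syntax, matching the "--match-set" form of the
# iptables rule used later; the legacy ipset 4 form was
#   ipset -N Allowed_Hosts ipmap --network 192.168.0.0/16
ipset create Allowed_Hosts bitmap:ip range 192.168.0.0/16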
Then, populate it with the addresses:
# Add every address in $LIST_OF_ALLOWED_IP (whitespace-separated) to the set.
for ip in $LIST_OF_ALLOWED_IP
do
    ipset -A Allowed_Hosts "$ip"
done
Finally, replace the hundreds of iptables rules above with one rule:
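# One rule matches the source address against the whole set.
# The chain is given explicitly: a rule without "-A <chain>" is not a valid
# command. "--match-set" is the ipset 6.x option name; ipset 4 used "--set".
iptables -A INPUT -m set --match-set Allowed_Hosts src -j ACCEPT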



http://serverfault.com/questions/245711/iptables-tips-tricks