I've got a problem with my debian server. Probably there is some vulnerable script at my web-serser, which is running from www-data user. I also have samba with winbind installed, and samba is joined to windows domain.
So, probably this vulnerable script allows hacker to bruteforce out domain controller through winbind unix domain socket.
Actually I have lots of such lines at netstat -a output:
unix 3 [ ] STREAM CONNECTED 509027 /var/run/samba/winbindd_privileged/pipe
And our DC logs contain lots of recorded authentication attems from root or guest accounts.
How can I restrict my apaches access to winbind? I had an idea to use some kind of firewall for IPC sockets. Is it possible?