Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Did I just give my box away to the world with Samba?

  1. #1
    Senior Member
    Join Date
    Feb 2002
    Posts
    170

    Did I just give my box away to the world with Samba?

    Hiya,

    I know absolutely nothing of Samba. What I do know is that I have three boxes at home and I run windows on two of them so I installed samba on my debian box acting as a router for my home network.
    I thought that I'd fiddle around with it some time when I have time and see If I could get it to work.

    Yesterday it just so happened that I did a netstat -aN on the debian box and I had a bunch of lines with IP's I didn't recognize. None of them were internal IP's and they were all marked as closed. Judging by the port numbers which I convienintly have forgotten they weren't to my webserver also running on the box so I thought I'd remove samba which I did and all the IP's dissapeard.

    Did samba open my box up in some way or is there another reason why there seemed to have been several external computers connected to my box?

    Any help appreciated,
    Mankan

    \"The purpose of abstraction is not to be vague, but to create a new semantic level in which one can be absolutely precise.\"
    - Edsger Dijkstra

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    170
    I poked around a bit and found stuff like this in my /var/log/smb:

    [2002/04/02 00:03:06, 1] smbd/server.c:main(641)
    smbd version 2.0.8 started.
    Copyright Andrew Tridgell 1992-1998
    [2002/04/02 00:03:06, 0] printing/pcap.c:pcap_printer_fn(366)
    Unable to open printcap file /etc/printcap for read!
    [2002/04/02 00:03:06, 1] smbd/files.c:file_init(216)
    file_init: Information only: requested 10000 open files, 1014 are available.
    [2002/04/02 00:03:06, 1] smbd/password.c:pass_check_smb(492)
    Couldn't find user '4-dogs p.m.' in UNIX password database.
    [2002/04/02 00:03:06, 1] smbd/reply.c:reply_sesssetup_and_X(927)
    Rejecting user '4-dogs p.m.': authentication failed

    I'm pretty sure it isn't supposed to look this way. There are a bunch of usernames, each having its own entry like this. None of the user names matches the users of my box.

    Who is trying what and what can I do to prevent them or raise my security?

    Attached is the rest of my smb-log file. I'd appreciate it deeply If someone could take the time to help me out and explain this to me as it is rather scary.

    Thanks,
    Mankan

    \"The purpose of abstraction is not to be vague, but to create a new semantic level in which one can be absolutely precise.\"
    - Edsger Dijkstra

  3. #3
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    Umm, samba is an awsome program, but I wouldn't install it on a router. Thats like turning on file sharing on a windows box with a dedicated connection.... Not a good idea.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

  4. #4
    Senior Member
    Join Date
    Feb 2002
    Posts
    170
    Oh, ok. *lame*. I had no idea .

    But what is showing in the logs are actual hack attempts?
    Mankan

    \"The purpose of abstraction is not to be vague, but to create a new semantic level in which one can be absolutely precise.\"
    - Edsger Dijkstra

  5. #5
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Samba is the devil... bad, bad samba...
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  6. #6
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    Wow, reading that will give you a headache, and nauseated also. It does apear that people were attempting to "hack" your box. Not very well though. Most of them saw that a password was required, and they left. What would be really fun is to match up the times with your router logs and check their ip addys. You already have the login name for many of them....now all you need is a password

    Wait, I didn't just say that did I?
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

  7. #7
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Maybe you need to close some ports on your firewall???
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  8. #8
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    [2002/04/02 00:03:06, 1] smbd/server.c:main(641)
    smbd version 2.0.8 started.
    Copyright Andrew Tridgell 1992-1998
    Connection made to your machine
    [2002/04/02 00:03:06, 0] printing/pcap.ccap_printer_fn(366)
    Unable to open printcap file /etc/printcap for read!
    You enabled printing, but don't have a printer on that machine.....
    [2002/04/02 00:03:06, 1] smbd/files.c:file_init(216)
    file_init: Information only: requested 10000 open files, 1014 are available.
    Standard request to see what is shared....(clicking on a computer in Network Neighborhood)
    [2002/04/02 00:03:06, 1] smbd/password.cass_check_smb(492)
    Couldn't find user '4-dogs p.m.' in UNIX password database.
    Looking up username/password.. Can't find...
    [2002/04/02 00:03:06, 1] smbd/reply.c:reply_sesssetup_and_X(927)
    Rejecting user '4-dogs p.m.': authentication failed
    Sending rejection to user...failed username/password.

    Fortunately, you didn't turn on a guest account, or that last line would have been different...
    From what I saw, no one gained access to your system, but I wasn't going to take the time to read all of the log file... You have enought security for 99% of the script kiddies out there, but there is still that 1%, and the people that actually know what they are doing. Then again, the people that REALLY know what they are doing, you are not going to keep out any way....if they really want to get in.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

  9. #9
    Greetings,
    Have you considered looking into adjusting your firewall rules on the router? You could allow only requests from your LAN as far as SMB access is concerned. Also, if you get a rash on your backside from dealing w/ Netfilter & IPTables, you could look into a dumb router-firewall box, Linksys makes a 1 port router that goes for $80 - $100 ( I have one and its a very nice).
    LS
    \"Politics is the control of wealth and power...We are being conditioned to condemn politics as petty and boring, thus allowing those in power to stay in power...you are either part of the problem or part of the solution; which side are you on?\" - C.O.C.

  10. #10
    Junior Member
    Join Date
    Nov 2001
    Posts
    3
    You can also specify the networkadapter samba has to bind to.
    It defaults to all adapters listening on 0.0.0.0:137 and 0.0.0.0:138 and the actual ip addresses
    adding the followin to your smb.conf file
    interfaces = 192.168.12.2/24 (bind only to this interface ip)
    hosts allow = 192.168.1. 127. (allow only connections from 192.168.1.x and 127.x.x.x)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •