# serious security issue!

## mlsfit138

I've been running samba for a couple of weeks (well at least I got my print share working) but I just checked my /var/log/samba/ directory and I found some disturbing stuff.  There is a list of computers that have accessed the server, and most of them are not on my network!  Someone please tell me if I'm interpreting this wrong.

 *Quote:*   

> ls -a
> 
> .   log.50163099sp  log.desktop  log.home-71833cad8d  log.mark-u3jdqjaw9d  log.audra         log.rampeiras  log.smbd       log.talentoaa
> ...

 

My guess is that all of those names are names of computers that have at least attempted to connect to my gentoo box via samba somehow.  There are only two computers on my network!  The name "ramonahouse" has something to do w/ my business, but I have no idea why it would end up in my gentoo box.  Makes me think that someone who knows me is trying to hack me (or has succeeded).

I'm stopping samba now!

----------

## mlsfit138

By the way, all of those logs are full of errors, which makes me think they didn't get in (I'm sure if they were skillful enough to get in they would have erased the logs), but still, it's pretty scary.

----------

## ekoontz

Hi mlsfit,

In my /etc/samba/smb.conf I have:

```
hosts allow = 192.168.0. 127.
```

This will keep anyone outside my LAN out of samba. I still have tons of lines in /var/log/messages like:

```
Dec  3 22:55:53 hiro-tan smbd[27522]:   Denied connection from  (61.247.230.149)
```

but you know, I kind of enjoy seeing who's trying to get in  :Smile: 

----------

## mlsfit138

here are the contents of ramonahouse.log (not on my network but suspiciously familiar)

 *Quote:*   

> [2003/11/22 21:06:34, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
> 
>   unable to open passdb database.
> 
> [2003/11/22 21:06:34, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
> ...

 

and this is from gustavo.log (also not on my network)

 *Quote:*   

> [2003/11/29 02:35:28, 0] printing/print_cups.c:cups_printername_ok(388)
> 
>   Unable to get printer status for c - client-error-not-found
> 
> [2003/11/29 02:35:28, 0] smbd/service.c:make_connection(252)
> ...

 

----------

## mlsfit138

 *ekoontz wrote:*   

> Hi mlsfit,
> 
> In my /etc/samba/smb.conf I have :
> 
> ```
> ...

 

you made me feel a lot better... for a minute, but then I remembered that ramonahouse is an important name for me.  So either someone who knows me tried to break in (unlikely because I highly doubt anyone I know has ever heard of samba) or some sloppy hacker has at least partially compromised my system.

Last edited by mlsfit138 on Thu Dec 04, 2003 9:33 am; edited 1 time in total

----------

## mlsfit138

your host allow line has two partial addresses:

192.168.0.

127.

Does that mean that any computer with an IP that starts w/ 192.168.0 or 127. will have access?  Every address on my LAN starts with 192.168.1, so if I used that partial address, it should work for me, right?

----------

## Boris27

 *mlsfit138 wrote:*   

> your host allow line has two partial addresses:
> 
> 192.168.0.
> 
> 127.
> ...

 

Yep. You should use 192.168.1. if you use that. I do.
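The prefix matching behind ekoontz's `hosts allow` line and the 192.168.1. question above, as an added illustration (this is not code from the thread or from Samba itself): a small Python checker that applies Samba-style `hosts allow` entries to a client address and runs the same check over "Denied connection" log lines, so you can see whether a given list would admit your own LAN. It handles the trailing-dot prefix form, the network/netmask form (and, as the helper's own convenience, network/bits) and `EXCEPT`; hostname entries are an assumption left unresolved, and the second log line in the sample is constructed.

```python
"""Samba-style `hosts allow` matching (added example, not from the thread).

Samba evaluates `hosts allow` in the style of tcp_wrappers: an entry ending
in "." is a dotted-decimal prefix ("192.168.0." matches any address that
starts with that text), an entry containing "/" is network/netmask, and
anything else is a single address.  "EXCEPT" introduces exclusions.
Hostname entries are not resolved here (assumption for brevity).
"""
import ipaddress
import re

EXCEPT_RE = re.compile(r"\s+EXCEPT\s+", re.IGNORECASE)
# Matches the smbd message quoted in the thread, e.g.
#   "... smbd[27522]:   Denied connection from  (61.247.230.149)"
DENIED_RE = re.compile(r"Denied connection from\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")


def _entry_matches(entry: str, addr: ipaddress.IPv4Address) -> bool:
    """True if one hosts-allow entry covers addr."""
    if entry.endswith("."):
        # Prefix form.  The trailing dot is what makes it a prefix; it also
        # stops "192.168.1." from matching 192.168.10.x.
        return str(addr).startswith(entry)
    if "/" in entry:
        # IPv4Network accepts both "a.b.c.d/bits" and "a.b.c.d/netmask".
        return addr in ipaddress.IPv4Network(entry, strict=False)
    try:
        return addr == ipaddress.IPv4Address(entry)
    except ipaddress.AddressValueError:
        return False  # hostname entry: not resolved in this example


def host_allowed(hosts_allow: str, client_ip: str) -> bool:
    """Decide whether client_ip passes the given hosts allow string."""
    addr = ipaddress.IPv4Address(client_ip)
    parts = EXCEPT_RE.split(hosts_allow.strip(), maxsplit=1)
    allowed = parts[0].split()
    excluded = parts[1].split() if len(parts) > 1 else []
    if any(_entry_matches(e, addr) for e in excluded):
        return False
    return any(_entry_matches(e, addr) for e in allowed)


def audit_denied(log_lines, hosts_allow: str) -> dict:
    """Map each source address found in 'Denied connection' lines to whether
    hosts_allow would admit it.  A LAN address mapping to False means the
    allow list is cutting off your own network."""
    result = {}
    for line in log_lines:
        m = DENIED_RE.search(line)
        if m:
            result[m.group(1)] = host_allowed(hosts_allow, m.group(1))
    return result


# Constructed sample: the first line is the one quoted in the thread, the
# second is an invented entry for a LAN client on 192.168.1.x.
SAMPLE_LOG = [
    "Dec  3 22:55:53 hiro-tan smbd[27522]:   Denied connection from  (61.247.230.149)",
    "Dec  3 23:01:10 hiro-tan smbd[27522]:   Denied connection from  (192.168.1.7)",
]

if __name__ == "__main__":
    for allow in ("192.168.0. 127.", "192.168.1. 127."):
        print(f"hosts allow = {allow!r}: {audit_denied(SAMPLE_LOG, allow)}")
```

Run as a script it shows that ekoontz's list rejects the 192.168.1.7 client while `192.168.1. 127.` admits it and still rejects the outside address; the outside address is rejected by every list shown.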

----------

## fleed

You could also set up iptables to block the smb ports so you won't even get that in your samba logs + the crackers won't know if you have smb on or not.

----------

## mlsfit138

supposing that some inexperienced hacker did manage to get into my computer, where else would I find evidence of this?  I'm a little paranoid now, because whoever was trying to access samba seemed to know a little bit about me (once again ramonahouse is a significant name for me, it's actually the name of one of the sober living homes that I operate).  

For some reason I can't have netfilter and 3D support at the same time.  Maybe the new kernel would allow this, but in the meantime, I'm blocking all incoming connection requests via my hardware router!

----------

## fleed

Could there be any way in which ramonahouse is associated with your ip address? Do you use that name in a forum, for example? Do you have a website for it on your pc? Have you tried googling it together with your ip address to see what comes up? Have a look at the ip address where the request from ramonahouse came from so you see if there's a match somewhere. 

Oh, BTW, what's a sober living home?

----------

## UberLord

 *mlsfit138 wrote:*   

>  but in the mean time, I'm blocking all incoming connection requests via my hardware router!

 

One has to ask - why are you forwarding SMB ports from the router to your server?

----------

## jesterspet

Ports 139 & 445 are your samba ports.

Unfortunately these are also currently widely attacked ports by viruses.  

I am inclined to believe that the activity you are seeing is not intentional, but from some poor windows user that has (yet another) virus.

In hindsight (it is always 20/20) an IDS and file integrity checker would most likely have provided you with enough information to ascertain the true nature of the connection.

But from the information you have provided, I would have to say viral activity, [personal_rant] and quit emitting SMB traffic onto the internet [/personal_rant].

Where is that blink tag when you need it  :Question: 

----------

## mlsfit138

 *UberLord wrote:*   

>  *mlsfit138 wrote:*    but in the mean time, I'm blocking all incoming connection requests via my hardware router! 
> 
> One has to ask - why are you forwarding SMB ports from the router to your server?

 

Well, I didn't think that I was forwarding ports to the server (except for a couple that I need open).  When I was attempting to get freenet running as a permanent node, I completely demilitarized that box a couple of times thinking that my chances of being attacked were pretty slim; maybe it was at those times that the attacks occurred.

the port scanner at grc.com says that all of my ports are now stealthed except for port 0.   I can't seem to get my router to drop connections to that port for some reason.  I hope that isn't much of a security risk...

----------

## mlsfit138

 *fleed wrote:*   

> Could there be any way in which ramonahouse is associated with your ip address? Do you use that name in a forum, for example? Do you have a website for it on your pc? Have you tried googling it together with your ip address to see what comes up? Have a look at the ip address where the request from ramonahouse came from so you see if there's a match somewhere. 
> 
> Oh, BTW, what's a sober living home?

 

On my windows box, there are some documents that have to do with the ramona house.  That's the only thing I can come up with.  

A sober living house is kind of like a halfway house.  It's mostly people with drug problems, and parolees.  It provides a structured environment for people that are getting out of prison, or trying to straighten their lives out.  It's my family's business, which I want out of badly!  Some of these people don't belong on the streets.

jesterspet:  

Maybe I should look into an IDS.  I always thought that they were for servers, and computers that have a high risk of being attacked.  

I've always thought that the fact that I don't run windows would provide a great deal of protection because 99% of the attacks out there are directed at windows platforms.  When that blaster worm was going around, I could watch my firewall report attacks every three or four seconds.  It was ridiculous.

----------

## jesterspet

 *mlsfit138 wrote:*   

> I've always thought that the fact that I don't run windows would provide a great deal of protection because 99% of the attacks out there are directed at windows platforms.

 

While the attacks are only successful against windows platforms, they still attempt to run against every OS.  Viruses don't discriminate in their choosing of their attempted next victim.

The important thing to remember is that while your computer was not compromised during this incident, you have learned that you need to take steps so that future incidents that may not be so benign can be better researched & identified and hopefully prevented.

----------

## sschlueter

 *ekoontz wrote:*   

> In my /etc/samba/smb.conf I have:
> 
> ```
> ...

 

Even better:

```
interfaces = 127.0.0.1 192.168.0.1
bind interfaces only = yes
```

----------

## NeighborhoodGullwings

I'm inclined to go with jesterspet on this one. Most likely it is some virused windows boxen on the net that are attacking you, as samba really is no different from windows filesharing to them. I wouldn't worry too much about it, but blocking access would be helpful.

----------

## mlsfit138

 *sschlueter wrote:*   

>  *ekoontz wrote:*   
> 
> In my /etc/samba/smb.conf I have :
> 
> ```
> ...

 

what is the difference?  are you only allowing one host other than localhost to access the server?

----------

## sschlueter

 *mlsfit138 wrote:*   

> what is the difference?  are you only allowing one host other than localhost to access the server?

 

Mmh, do you know the concept of binding to a specific address? 

A listening port can be set up in such a way that it listens on "all addresses" or can be set up that it listens only on specific addresses. 

The difference becomes apparent if the host has multiple ip addresses. If the service is listening on "all addresses", you can connect to the service using any ip address the system has. But if the service is listening only to specific addresses, you can only talk to the service if you connect to an ip address the service is listening on.

And if the service is only listening on private ip addresses, it cannot be connected from the internet.

The interface binding thing is more secure than the hosts allow thing because with the latter solution an attacker can still talk to the service.

You can use "netstat -tulpn" to check the listening ports.

This is a service that listens on "all addresses".

```
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2041/sshd
```

This is a service that listens on specific address only:

```
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      30572/smbd
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN      30572/smbd
```
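The `netstat -tulpn` check described above, turned into a repeatable audit as an added example (this is not code from the thread): a Python parser for `netstat -tulpn` output that classifies each listening socket by its bound address, so wildcard (0.0.0.0) listeners and sockets bound to a non-private address stand out. Only the bound address is inspected; it tells you on which of the host's addresses the service accepts connections, not which source addresses may reach it, which is what the firewall or `hosts allow` controls. The sshd and two smbd lines in the sample are the ones shown in the post; the 203.0.113.7 line (a documentation address) and the nmbd line are constructed.

```python
"""Classify listeners in `netstat -tulpn` output by bound address.

Added example, not from the thread.  A socket on 0.0.0.0 accepts on every
interface; one on 127.x is reachable only from the host itself; one on an
RFC 1918 address is reachable from whatever network that address sits on.
None of this restricts *source* addresses: that is a firewall's job.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
WILDCARDS = {"0.0.0.0", "::", "*"}


class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    program: str  # "PID/name" column, or "-" when netstat was not run as root


def parse_netstat(output: str) -> List[Listener]:
    """Extract listening sockets from `netstat -tulpn` text.

    tcp lines carry a State column (LISTEN); udp lines have no State, so the
    program column is always taken from the end of the line.
    """
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner and column-header lines
        proto, local = fields[0], fields[3]
        if proto.startswith("tcp") and fields[5] != "LISTEN":
            continue
        address, _, port = local.rpartition(":")  # also splits ":::22" into "::" and "22"
        listeners.append(Listener(proto, address, int(port), fields[-1]))
    return listeners


def exposure(listener: Listener) -> str:
    """Where the bound address makes the socket reachable from."""
    if listener.address in WILDCARDS:
        return "all-interfaces"
    try:
        ip = ipaddress.IPv4Address(listener.address)
    except ipaddress.AddressValueError:
        return "ipv6-or-unknown"
    if ip in LOOPBACK:
        return "loopback-only"
    if any(ip in net for net in RFC1918):
        return "private-lan"
    return "non-private"


def report(output: str) -> List[Tuple[str, int, str]]:
    """(program, port, exposure) for every listener found in output."""
    return [(lis.program, lis.port, exposure(lis)) for lis in parse_netstat(output)]


# Constructed sample.  The sshd and two smbd lines are the ones shown in the
# thread; the 203.0.113.7 line (a documentation address) and the nmbd line
# are invented to exercise the remaining branches.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2041/sshd
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      30572/smbd
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN      30572/smbd
tcp        0      0 203.0.113.7:445         0.0.0.0:*               LISTEN      30572/smbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           30573/nmbd
"""

if __name__ == "__main__":
    for program, port, where in report(SAMPLE_NETSTAT):
        print(f"{program:12} port {port:<5} {where}")
```

On a real host, feed it `netstat -tulpn` output captured as root so the program column is populated; anything reported as `all-interfaces` or `non-private` for smbd or nmbd is worth a second look at `interfaces` and `bind interfaces only`.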

----------

## Suicidal

I get attacks like that on my exchange server web logs all the time, a lot of them coming from as far away as Taiwan and India; I have taken a few down by deleting their boot.ini. 

Viri like blast and nimda will be around for at least 15 more years. I would concentrate more on iptables rules and less on smb.conf as it really doesn't matter what is in smb.conf if your iptables rules are correctly set up.

Even Microsoft is going this way: in XP SP2 they are implementing a stateful firewall that will only allow computers on the local subnet to connect with the computer.

----------

## Mnemia

BTW,

You mentioned something about 3D support not working at the same time as iptables.  I would recommend you stop using the Gentoo kernels if you are using them, and see what happens. The vanilla kernel seems a lot less likely to break in ways like that in my experience.  I stopped using the gentoo-sources kernel because of repeated iptables breakage.

And iptables is VERY important if you want to have a secure setup...

----------

## mlsfit138

 *Suicidal wrote:*   

> I get attacks like that on my exchange server web logs all the time, a lot of them coming from as far away as Taiwan and India; I have taken a few down by deleting their boot.ini. 
> 
> Viri like blast and nimda will be around for at least 15 more years. I would concentrate more on iptables rules and less on smb.conf as it really doesn't matter what is in smb.conf if your iptables rules are correctly set up.
> 
> Even Microsoft is going this way: in XP SP2 they are implementing a stateful firewall that will only allow computers on the local subnet to connect with the computer.

 

what makes you say 15 years? 

Mnemia:  I'll look into that.  I wonder if ck-sources have similar problems... also, I've been messing around with 2.6.  I can't get everything working correctly, but that may solve that problem eventually.

----------

## Suicidal

 *Quote:*   

> what makes you say 15 years? 

 

Because I will give windows XP at least that long until almost no one on this planet uses it, since by default it sets up the computer with blank passwords and that is just begging nimda and/or msblast to ow3n your box. Most users are totally ignorant of simple issues such as password protection and I doubt it will get much better with time. 

The average user will get smarter but there will always be some n00b without a clue allowing these viri to stay alive.

 *Quote:*   

> I would concentrate more on iptables rules and less on SMB.conf as it really doesnt matter what is in smb.conf if your iptables rules are correctly set up.

 

I must have been tired when I wrote that. What I meant was: layer the security. First concentrate on the firewall in your gateway/router, then concentrate on iptables, then the ACL in smb.conf.

The more layers of security you have the more likely they will give up and look elsewhere.

----------

## i3839

To prevent any confusion: What sschlueter said is a bit wrong.

Binding to a specific interface means that the application only listens for data on that interface. An interface is something totally different than an address, although each interface has an address. eth0, ppp0 and lo are interfaces. Binding to a specific interface only makes sense if the host is also the router (there are more exotic configurations possible of course), because then one interface can be considered trusted (e.g. eth0, the network card connected to the LAN for instance), and one as untrusted (e.g. ppp0, an internet modem). 

If the host is just a pc on LAN, then every connection will come through the same interface anyway. Binding restricts the listening interface/address, but doesn't restrict the source address of the connections. That's what firewalls are for. Or the "hosts allow" setting. But mlsfit138's host isn't also the router, and letting samba bind to all the interfaces the host has doesn't make anything more secure. So doing it ekoontz's way is much smarter.

 *sschlueter wrote:*   

> Mmh, do you know the concept of binding to a specific address? 
> 
> A listening port can be set up in such a way that it listens on "all addresses" or can be set up that it listens only on specific addresses. 
> ...

 

----------

## ekoontz

 *Quote:*   

> If the host is just a pc on LAN, then every connection will come through the same interface anyway.

 

I quite agree; in my case, I have a single ethernet interface. Binding only one interface does nothing to restrict who connects. I think perhaps sschlueter was thinking of hosts with two network interfaces; one connected to the Internet and one to a LAN, in which case it would make sense to bind to only one interface.

----------

