# smbd[PID]:   Denied connection from IP

## felixo

Hello gentoo forum. I am having some serious packet loss problems. I need some advice in terms of security.

I started getting my packet loss problem when I upgraded to udev and kernel 2.6.10. I also did an emerge world, which upgraded many things including samba, sshd and rp-pppoe. My internet connection is PPPoE with rp-pppoe. At first I thought it could have been a combination of the above, so I fiddled with the kernel/my modules etc. Eventually I was able to connect (at first I was having a "device does not exist" error) but I was having about 50% packet loss!

I did not test the connection on another computer, which is very stupid on my part, but I do not know of any pppoe software that runs on windows 2000.

Anyways, I then did an emerge -C on udev, and went back to my old 2.6.4 kernel, using devfs. Please note this is after many hours of frustration.

Once connected with 2.6.4 and devfs, the same packet loss persisted.

Checking logs shows this, many of these:

```
smbd[PID]: [2005/01/31 11:01:32, 0] lib/access.c:check_access(328)
smbd[PID]:   Denied connection from IP
```

My router is also acting as my samba box, which is also not a good idea. The scary thing is that the IPs are numerous (samba log dir has access attempts/denials from thousands of IPs).

Well I guess my question is: could this be the reason why I am having such great packet loss?

If I do a samba stop, the packet loss still persists, so the smbd denials cannot be the cause. But I wonder if someone is trying to compromise my machine; perhaps they are using other means to contact it. How do I check who is trying to contact me? With tcpdump?

I don't know how to fix this packet loss!

----------

## felixo

Since I am using pppoe, I get a new IP every time I reconnect, so how are these other machines getting my IP so fast in order to contact me? The smbd denials occur within minutes of my dsl connection initiation.

----------

## Need4Speed

wow weird, I was just going to ask about all these smbd errors in my logs too:

```
Jan 30 21:03:46 linux smbd[25600]: [2005/01/30 21:03:46, 0] lib/util_sock.c:get_peer_addr(1000)
Jan 30 21:03:46 linux smbd[25600]:   getpeername failed. Error was Transport endpoint is not connected
Jan 30 21:03:46 linux smbd[25600]: [2005/01/30 21:03:46, 0] lib/access.c:check_access(328)
Jan 30 21:03:46 linux smbd[25600]: [2005/01/30 21:03:46, 0] lib/util_sock.c:get_peer_addr(1000)
Jan 30 21:03:46 linux smbd[25600]:   getpeername failed. Error was Transport endpoint is not connected
Jan 30 21:03:46 linux smbd[25600]:   Denied connection from  (0.0.0.0)
Jan 30 21:03:46 linux smbd[25600]: [2005/01/30 21:03:46, 0] lib/util_sock.c:get_peer_addr(1000)
Jan 30 21:03:46 linux smbd[25600]:   getpeername failed. Error was Transport endpoint is not connected
Jan 30 21:03:46 linux smbd[25600]:   Connection denied from 0.0.0.0
Jan 30 21:03:46 linux smbd[25600]: [2005/01/30 21:03:46, 0] lib/util_sock.c:write_socket_data(430)
Jan 30 21:03:46 linux smbd[25600]:   write_socket_data: write failure. Error = Connection reset by peer
Jan 30 21:03:46 linux smbd[25600]: [2005/01/30 21:03:46, 0] lib/util_sock.c:write_socket(455)
Jan 30 21:03:46 linux smbd[25600]:   write_socket: Error writing 5 bytes to socket 5: ERRNO = Connection reset by peer
```

I've been getting them for a while, it seems that we have the same problem... What I don't understand is why the ip address is listed as 0.0.0.0. Are your errors like that too?

----------

## felixo

No, mine have IP addresses; they seem to be zombie boxes. There is a TON of them within hours of clearing. I am not getting the same denied message as you; mine says connection denied.

"getpeername failed. Error was Transport endpoint is not connected " I do not have that. I am worried :(.

Anyways I had so many that rm * could not remove them all.

----------

## CriminalMastermind

*felixo wrote:*

> My router is also acting as my samba box, which is also not a good idea. The scary thing is that the IPs are numerous (samba log dir has access attempts/denials from thousands of IPs).

i'd be much more concerned about this than 50% packet loss at the moment.  it sounds like 100% packet loss would be much better on this box.

are you running a firewall on this box?

if you are, it sounds like there is a serious problem with it.  i would look into that right away.  you can scan your ports and see what is open at grc (look for the shields up test).

if you aren't running a firewall i'd get one up asap.

this is probably a good place to start.  i'd load the page in your web browser...  then unplug the cable to the internet while you work on it if you don't have a firewall.  i haven't read it, but i'm sure it's very good.

hope that helps

----------

## felixo

I am already running a firewall with iptables, but I will check out what you said :D

Also, I AM concerned about the box, but every incoming connection is denied, also there are numerous brute force sshd logins that are denied.

I worry why someone is trying so hard to get in??

----------

## CriminalMastermind

*felixo wrote:*

> I am already running a firewall with iptables, but I will check out what you said

i'd see what the shields up test from grc has to say about your firewall.

*felixo wrote:*

> Also, I AM concerned about the box, but every incoming connection is denied, also there are numerous brute force sshd logins that are denied.

if every incoming connection was denied using iptables, then you would see nothing in your samba error log, or you wouldn't see any failed login attempts in sshd.

when packets are blocked with iptables, they are filtered at the kernel level.  so nothing would reach your smbd or sshd programs.  packets would be dropped before that.

*felixo wrote:*

> I worry why someone is trying so hard to get in??

probably just automated tools/zombie boxes blindly trying exploits and username/password combos.  they probably aren't putting much effort into it.

----------
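An added example, not code from either poster, that ties the two points together: felixo's question about how to see who is contacting the box, and CriminalMastermind's point that anything logged by `lib/access.c:check_access` has already got past iptables, since smbd only logs a denial for a TCP connection that completed. It summarises the "Denied connection" lines in the quoted log format; the log sample is constructed, and the per-client log file naming is an assumption about the smb.conf in use.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise smbd "Denied connection"
# lines so you can see which hosts actually reached smbd and how often.
# A denial logged by lib/access.c:check_access means the TCP connection
# completed, i.e. the packet was not dropped by iptables before samba saw it.

# Constructed sample in the log format quoted in the thread (both wordings,
# plus a 0.0.0.0 entry from a peer that disconnected before getpeername ran).
SAMPLE_LOG='Jan 31 11:01:32 linux smbd[2231]: [2005/01/31 11:01:32, 0] lib/access.c:check_access(328)
Jan 31 11:01:32 linux smbd[2231]:   Denied connection from  (192.0.2.10)
Jan 31 11:01:40 linux smbd[2235]: [2005/01/31 11:01:40, 0] lib/access.c:check_access(328)
Jan 31 11:01:40 linux smbd[2235]:   Denied connection from  (198.51.100.7)
Jan 31 11:02:05 linux smbd[2240]: [2005/01/31 11:02:05, 0] lib/access.c:check_access(328)
Jan 31 11:02:05 linux smbd[2240]:   Denied connection from  (192.0.2.10)
Jan 31 11:02:06 linux smbd[2241]:   Denied connection from  (0.0.0.0)
Jan 31 11:02:09 linux smbd[2242]:   Connection denied from 203.0.113.5'

# Read log text on stdin, print one source IPv4 per denial line.
# 0.0.0.0 is dropped: it is a failed getpeername(), not a real host.
denied_ips() {
    grep -E 'Denied connection from|Connection denied from' \
        | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | grep -v '^0\.0\.0\.0$'
}

# Denials per source address, busiest first ("count ip" per line).
denials_by_ip() {
    denied_ips | sort | uniq -c | sort -rn
}

# Number of distinct hosts that completed a TCP connection to smbd.
distinct_sources() {
    denied_ips | sort -u | wc -l | tr -d ' '
}

# Busiest single source, or "none" if nothing was denied.
top_source() {
    top=$(denials_by_ip | head -n 1 | awk '{print $2}')
    printf '%s\n' "${top:-none}"
}

# Demo on the constructed sample. On a real box feed the samba log directory
# instead, e.g.  cat /var/log/samba/log.* | denials_by_ip
# (assumption: with "log file = .../log.%m" in smb.conf samba writes one file
# per client, which is why that directory can fill with thousands of files).
printf '%s\n' "$SAMPLE_LOG" | denials_by_ip
echo "distinct sources: $(printf '%s\n' "$SAMPLE_LOG" | distinct_sources)"
```

Any address that shows up here reached smbd over the PPPoE link, so the fix is a rule that drops inbound 137-139/445 on the ppp interface rather than anything in samba itself.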

## felixo

I am in the process of building another box (I posted about it in here) specifically to route the connection now. Unfortunately I need to be able to ssh in to my box, but for all other connections, you are right, I should have been using iptables to block it off.

I am a newbie :D

----------

