Gentoo Forums
Networking & Security
serious security issue!

mlsfit138
Guru
Joined: 20 Sep 2003
Posts: 406
Location: Washington

PostPosted: Thu Dec 04, 2003 8:39 am    Post subject: serious security issue!

I've been running samba for a couple of weeks (well at least I got my print share working) but I just checked my /var/log/samba/ directory and I found some disturbing stuff. There is a list of computers that have accessed the server, and most of them are not on my network! Someone please tell me if I'm interpreting this wrong.
Quote:

ls -a
. log.50163099sp log.desktop log.home-71833cad8d log.mark-u3jdqjaw9d log.audra log.rampeiras log.smbd log.talentoaa
.. log.alevrius_ log.gustavo log.localhost log.momerdadd log.ramonahouse log.shitbanda log.system138
bash-2.05b$


My guess is that all of those names are names of computers that have at least attempted to connect to my gentoo box via samba somehow. There are only two computers on my network! The name "ramonahouse" has something to do w/ my business, but I have no idea why it would end up in my gentoo box. Makes me think that someone who knows me is trying to hack me (or has succeeded.)

I'm stopping samba now!

mlsfit138
Guru
Joined: 20 Sep 2003
Posts: 406
Location: Washington

PostPosted: Thu Dec 04, 2003 8:41 am

By the way, all of those logs are full of errors, which makes me think they didn't get in (I'm sure if they were skillful enough to get in they would have erased the logs), but still, it's pretty scary.

ekoontz
n00b
Joined: 18 Apr 2002
Posts: 67
Location: San Francisco, California

PostPosted: Thu Dec 04, 2003 9:21 am

Hi mlsfit,

In my /etc/samba/smb.conf I have:
Code:

hosts allow = 192.168.0. 127.


This will keep anyone outside my LAN out of samba. I still have tons of lines in /var/log/messages like:
Code:

Dec  3 22:55:53 hiro-tan smbd[27522]:   Denied connection from  (61.247.230.149)


but you know, I kind of enjoy seeing who's trying to get in :)
_________________
In Soviet Gentoo, portage emerges -u!

mlsfit138
Guru
Joined: 20 Sep 2003
Posts: 406
Location: Washington

PostPosted: Thu Dec 04, 2003 9:23 am

Here are the contents of ramonahouse.log (not on my network, but suspiciously familiar):
Quote:
[2003/11/22 21:06:34, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
unable to open passdb database.
[2003/11/22 21:06:34, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
unable to open passdb database.
[2003/11/22 21:07:34, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
unable to open passdb database.
[2003/11/22 21:07:34, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
unable to open passdb database.
[2003/11/22 21:07:45, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
unable to open passdb database.
[2003/11/22 21:07:45, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
unable to open passdb database.
[2003/11/22 21:07:48, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
unable to open passdb database.
[2003/11/22 21:07:48, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
unable to open passdb database.


And this is from gustavo.log (also not on my network):
Quote:
[2003/11/29 02:35:28, 0] printing/print_cups.c:cups_printername_ok(388)
Unable to get printer status for c - client-error-not-found
[2003/11/29 02:35:28, 0] smbd/service.c:make_connection(252)
gustavo (213.16.154.64) couldn't find service c
[2003/11/30 04:38:51, 0] printing/print_cups.c:cups_printername_ok(388)
Unable to get printer status for c - client-error-not-found
[2003/11/30 04:38:51, 0] smbd/service.c:make_connection(252)
gustavo (218.162.20.183) couldn't find service c
[2003/11/30 05:03:07, 0] printing/print_cups.c:cups_printername_ok(388)
Unable to get printer status for c - client-error-not-found
[2003/11/30 05:03:07, 0] smbd/service.c:make_connection(252)
gustavo (24.24.40.223) couldn't find service c
[2003/12/01 02:34:51, 0] printing/print_cups.c:cups_printername_ok(388)
Unable to get printer status for c - client-error-not-found
[2003/12/01 02:34:51, 0] smbd/service.c:make_connection(252)
gustavo (202.57.106.11) couldn't find service c
[2003/12/01 02:41:46, 0] printing/print_cups.c:cups_printername_ok(388)
Unable to get printer status for c - client-error-not-found
[2003/12/01 02:41:46, 0] smbd/service.c:make_connection(252)
gustavo (220.66.8.176) couldn't find service c
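An added example, not from this thread: a small parser for Samba 3 style log lines like the ones quoted above, grouping source addresses by the client name they announced. The same name arriving from many unrelated addresses is what makes a worm more plausible than one person. The sample embeds the gustavo lines from this post plus one constructed LAN client, and the 192.168.1.0/24 LAN is assumed from mlsfit138's later post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the log.gustavo lines quoted in this thread, plus one
# made-up line for a client on the LAN so the report has something to contrast.
SAMPLE_LOG = """\
[2003/11/29 02:35:28, 0] printing/print_cups.c:cups_printername_ok(388)
Unable to get printer status for c - client-error-not-found
[2003/11/29 02:35:28, 0] smbd/service.c:make_connection(252)
gustavo (213.16.154.64) couldn't find service c
[2003/11/30 04:38:51, 0] smbd/service.c:make_connection(252)
gustavo (218.162.20.183) couldn't find service c
[2003/11/30 05:03:07, 0] smbd/service.c:make_connection(252)
gustavo (24.24.40.223) couldn't find service c
[2003/12/01 02:34:51, 0] smbd/service.c:make_connection(252)
gustavo (202.57.106.11) couldn't find service c
[2003/12/01 02:41:46, 0] smbd/service.c:make_connection(252)
gustavo (220.66.8.176) couldn't find service c
[2003/12/01 09:12:03, 0] smbd/service.c:make_connection(252)
desktop (192.168.1.5) couldn't find service c
"""

# Samba 3 writes a header "[date time, level] file:function(line)" and puts the
# message on the following line. Only make_connection messages carry the
# client's NetBIOS name and its source address.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
CONN_RE = re.compile(r"^(?P<name>\S+) \((?P<ip>[\d.]+)\) couldn't find service (?P<svc>\S+)$")


def parse_connections(text):
    """Return (timestamp, client_name, source_ip, service) per make_connection entry."""
    out = []
    pending = None  # timestamp of a make_connection header waiting for its message
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            is_conn = m.group(3).startswith("smbd/service.c:make_connection")
            pending = m.group(1) if is_conn else None
            continue
        if pending:
            m = CONN_RE.match(line)
            if m:
                out.append((pending, m.group("name"), m.group("ip"), m.group("svc")))
            pending = None
    return out


def summarize(conns, lan="192.168.1.0/24"):
    """Group source IPs by announced client name and list those outside the LAN."""
    net = ipaddress.ip_network(lan)
    by_name = defaultdict(set)
    for _, name, ip, _ in conns:
        by_name[name].add(ip)
    report = {}
    for name, ips in by_name.items():
        outside = sorted(ip for ip in ips if ipaddress.ip_address(ip) not in net)
        report[name] = {"distinct_ips": len(ips), "outside_lan": outside}
    return report


if __name__ == "__main__":
    for name, info in summarize(parse_connections(SAMPLE_LOG)).items():
        print(f"{name:10} {info['distinct_ips']} distinct source IPs, "
              f"{len(info['outside_lan'])} outside the LAN")
```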

mlsfit138
Guru
Joined: 20 Sep 2003
Posts: 406
Location: Washington

PostPosted: Thu Dec 04, 2003 9:27 am

ekoontz wrote:
Hi mlsfit,

In my /etc/samba/smb.conf I have:
Code:

hosts allow = 192.168.0. 127.


This will keep anyone outside my LAN out of samba. I still have tons of lines in /var/log/messages like:
Code:

Dec  3 22:55:53 hiro-tan smbd[27522]:   Denied connection from  (61.247.230.149)


but you know, I kind of enjoy seeing who's trying to get in :)


You made me feel a lot better... for a minute, but then I remembered that ramonahouse is an important name for me. So either someone who knows me tried to break in (unlikely, because I highly doubt anyone I know has ever heard of samba) or some sloppy hacker has at least partially compromised my system.


Last edited by mlsfit138 on Thu Dec 04, 2003 9:33 am; edited 1 time in total

mlsfit138
Guru
Joined: 20 Sep 2003
Posts: 406
Location: Washington

PostPosted: Thu Dec 04, 2003 9:32 am

Your host allow line has two partial addresses:

192.168.0.
127.

Does that mean that any computer with an IP that starts w/ 192.168.0 or 127. will have access? Every address on my LAN starts with 192.168.1, so if I used that partial address, it should work for me, right?

Boris27
Guru
Joined: 05 Nov 2003
Posts: 562
Location: Almelo, The Netherlands

PostPosted: Thu Dec 04, 2003 9:56 am

mlsfit138 wrote:
Your host allow line has two partial addresses:

192.168.0.
127.

Does that mean that any computer with an IP that starts w/ 192.168.0 or 127. will have access? Every address on my LAN starts with 192.168.1, so if I used that partial address, it should work for me, right?


Yep. You should use 192.168.1. if you use that. I do.
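An added example, not from the thread: a model of how a Samba `hosts allow` list is matched, so the question above can be checked against concrete addresses. It goes a little beyond the two partial-address tokens quoted here by also handling the `a.b.c.d/bits`, netmask and `EXCEPT` forms the smb.conf man page documents; hostnames, netgroups and `hosts deny` are left out, and an empty list is treated as no restriction.

```python
import ipaddress


def _split_list(value):
    """Split an smb.conf host list into (allowed tokens, tokens after EXCEPT)."""
    tokens = value.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def _matches(token, ip):
    """Match one hosts allow token against a dotted-quad client address."""
    if token == "ALL":
        return True
    if token.endswith("."):
        # Partial address: the trailing dot is what keeps "192.168.1."
        # from also matching 192.168.10.x or 192.168.100.x.
        return ip.startswith(token)
    if "/" in token:
        # "192.168.1.0/24" or "192.168.1.0/255.255.255.0"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(token, strict=False)
    return ip == token  # exact address


def host_allowed(hosts_allow, ip):
    """Return True if `ip` would pass the given `hosts allow` value.

    Simplified model (assumption of this example): IP-based tokens only, no
    hostnames, netgroups or `hosts deny`; an empty list means no restriction.
    """
    allow, excepted = _split_list(hosts_allow)
    if any(_matches(t, ip) for t in excepted):
        return False
    if not allow:
        return True
    return any(_matches(t, ip) for t in allow)


if __name__ == "__main__":
    # ekoontz's line as quoted in the thread, and the 192.168.1. variant
    # Boris27 suggests for mlsfit138's LAN, each against three clients.
    for conf in ("192.168.0. 127.", "192.168.1. 127."):
        for client in ("192.168.1.14", "192.168.0.14", "61.247.230.149"):
            print(f"hosts allow = {conf!r:18} client {client:16} -> "
                  f"{'allowed' if host_allowed(conf, client) else 'denied'}")
```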

fleed
l33t
Joined: 28 Aug 2002
Posts: 756
Location: London

PostPosted: Thu Dec 04, 2003 10:10 am

You could also set up iptables to block the smb ports so you won't even get that in your samba logs + the crackers won't know if you have smb on or not.

mlsfit138
Guru
Joined: 20 Sep 2003
Posts: 406
Location: Washington

PostPosted: Thu Dec 04, 2003 10:29 am

Supposing that some inexperienced hacker did manage to get into my computer, where else would I find evidence of this? I'm a little paranoid now, because whoever was trying to access samba seemed to know a little bit about me (once again, ramonahouse is a significant name for me; it's actually the name of one of the sober living homes that I operate).

For some reason I can't have netfilter and 3D support at the same time. Maybe the new kernel would allow this, but in the meantime, I'm blocking all incoming connection requests via my hardware router!

fleed
l33t
Joined: 28 Aug 2002
Posts: 756
Location: London

PostPosted: Thu Dec 04, 2003 12:36 pm

Could there be any way in which ramonahouse is associated with your ip address? Do you use that name in a forum, for example? Do you have a website for it on your pc? Have you tried googling it together with your ip address to see what comes up? Have a look at the ip address where the request from ramonahouse came from so you see if there's a match somewhere.

Oh, BTW, what's a sober living home?

UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

PostPosted: Thu Dec 04, 2003 4:13 pm

mlsfit138 wrote:
but in the meantime, I'm blocking all incoming connection requests via my hardware router!


One has to ask - why are you forwarding SMB ports from the router to your server?

jesterspet
Apprentice
Joined: 05 Feb 2003
Posts: 215
Location: Atlanta

PostPosted: Fri Dec 05, 2003 2:44 am

Ports 139 & 445 are your samba ports.
Unfortunately these are also currently widely attacked ports by viruses.

I am inclined to believe that the activity you are seeing is not intentional, but from some poor windows user that has (yet another) virus.

In hindsight (it is always 20/20) an IDS and file integrity checker would most likely have provided you with enough information to ascertain the true nature of the connection.

But from the information you have provided, I would have to say viral activity, [personal_rant] and quit emitting SMB traffic onto the internet [/personal_rant].


Where is that blink tag when you need it :?:
_________________
(X) Yes! I am a brain damaged lemur on crack, and would like to buy your software package for $499.95

mlsfit138
Guru
Joined: 20 Sep 2003
Posts: 406
Location: Washington

PostPosted: Fri Dec 05, 2003 8:01 am

UberLord wrote:
mlsfit138 wrote:
but in the meantime, I'm blocking all incoming connection requests via my hardware router!


One has to ask - why are you forwarding SMB ports from the router to your server?


Well, I didn't think that I was forwarding ports to the server (except for a couple that I need open). When I was attempting to get freenet running as a permanent node, I completely demilitarized that box a couple of times, thinking that my chances of being attacked were pretty slim; maybe it was at those times that the attacks occurred.

The port scanner at grc.com says that all of my ports are now stealthed except for port 0. I can't seem to get my router to drop connections to that port for some reason. I hope that isn't much of a security risk...

mlsfit138
Guru
Joined: 20 Sep 2003
Posts: 406
Location: Washington

PostPosted: Fri Dec 05, 2003 8:24 am

fleed wrote:
Could there be any way in which ramonahouse is associated with your ip address? Do you use that name in a forum, for example? Do you have a website for it on your pc? Have you tried googling it together with your ip address to see what comes up? Have a look at the ip address where the request from ramonahouse came from so you see if there's a match somewhere.

Oh, BTW, what's a sober living home?



On my windows box, there are some documents that have to do with the ramona house. That's the only thing I can come up with.

A sober living house is kind of like a halfway house. It's mostly people with drug problems, and parolees. It provides a structured environment for people that are getting out of prison, or trying to straighten their lives out. It's my family's business, which I want out of badly! Some of these people don't belong on the streets.

jesterspet:
Maybe I should look into an IDS. I always thought that they were for servers, and computers that have a high risk of being attacked.

I've always thought that the fact that I don't run windows would provide a great deal of protection because 99% of the attacks out there are directed at windows platforms. When that blaster worm was going around, I could watch my firewall report attacks every three or four seconds. It was ridiculous.

jesterspet
Apprentice
Joined: 05 Feb 2003
Posts: 215
Location: Atlanta

PostPosted: Sat Dec 06, 2003 3:49 am

mlsfit138 wrote:
I've always thought that the fact that I don't run windows would provide a great deal of protection because 99% of the attacks out there are directed at windows platforms.


While the attacks are only successful against windows platforms, they still attempt to run against every OS. Viruses don't discriminate in their choosing of their attempted next victim.

The important thing to remember is that while your computer was not compromised during this incident, you have learned that you need to take steps so that future incidents, which may not be so benign, can be better researched & identified and hopefully prevented.
_________________
(X) Yes! I am a brain damaged lemur on crack, and would like to buy your software package for $499.95

sschlueter
Guru
Joined: 26 Jul 2002
Posts: 578
Location: Dortmund, Germany

PostPosted: Sun Dec 07, 2003 2:08 am

ekoontz wrote:

In my /etc/samba/smb.conf I have:
Code:

hosts allow = 192.168.0. 127.


Even better:
Code:

interfaces = 127.0.0.1 192.168.0.1
bind interfaces only = yes

NeighborhoodGullwings
Apprentice
Joined: 05 Dec 2003
Posts: 159

PostPosted: Sun Dec 07, 2003 4:23 am

I'm inclined to go with jesterspet on this one. Most likely it is some virused windows boxen on the net that are attacking you, as samba really is no different from windows filesharing to them. I wouldn't worry too much about it, but blocking access would be helpful.

mlsfit138
Guru
Joined: 20 Sep 2003
Posts: 406
Location: Washington

PostPosted: Sun Dec 07, 2003 7:01 am

sschlueter wrote:
ekoontz wrote:

In my /etc/samba/smb.conf I have:
Code:

hosts allow = 192.168.0. 127.


Even better:
Code:

interfaces = 127.0.0.1 192.168.0.1
bind interfaces only = yes


What is the difference? Are you only allowing one host other than localhost to access the server?

sschlueter
Guru
Joined: 26 Jul 2002
Posts: 578
Location: Dortmund, Germany

PostPosted: Sun Dec 07, 2003 11:28 am

mlsfit138 wrote:

what is the difference? are you only allowing one host other than localhost to access the server?


Mmh, do you know the concept of binding to a specific address?

A listening port can be set up in such a way that it listens on "all addresses" or can be set up that it listens only on specific addresses.

The difference becomes apparent if the host has multiple ip addresses. If the service is listening on "all addresses", you can connect to the service using any ip address the system has. But if the service is listening only to specific addresses, you can only talk to the service if you connect to an ip address the service is listening on.

And if the service is only listening on private ip addresses, it cannot be connected from the internet.

The interface binding thing is more secure than the hosts allow thing because with the latter solution an attacker can still talk to the service.

You can use "netstat -tulpn" to check the listening ports.

This is a service that listens on "all addresses".
Code:

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2041/sshd


This is a service that listens on specific address only:
Code:

tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      30572/smbd
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN      30572/smbd
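An added example, not from the thread: the `netstat -tulpn` check above turned into a small audit script that lists every socket bound to a wildcard address. The sample output is constructed; the sshd and two smbd lines are the ones quoted in this post, and the rest are made up to show a service that is only partly bound (smbd with 139 on specific addresses but 445 on 0.0.0.0) and an IPv6 wildcard.

```python
import re

# Constructed sample in the layout of `netstat -tulpn` on Linux. The sshd line
# and the two smbd 139 lines are from the post above; the rest are invented.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2041/sshd
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      30572/smbd
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN      30572/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      30572/smbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           30570/nmbd
tcp6       0      0 :::80                   :::*                    LISTEN      1200/apache2
"""

WILDCARDS = {"0.0.0.0", "::"}

# proto, recv-q, send-q, local, foreign, optional LISTEN state, pid/program
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<pid>\d+)/(?P<prog>\S+)"
)


def parse_listeners(text):
    """Turn netstat -tulpn output into a list of {proto, addr, port, pid, prog}."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and column header lines
        addr, port = m.group("local").rsplit(":", 1)  # ":::80" -> ("::", "80")
        rows.append({"proto": m.group("proto"), "addr": addr, "port": int(port),
                     "pid": int(m.group("pid")), "prog": m.group("prog")})
    return rows


def wildcard_listeners(rows):
    """Sockets bound to every address the host has, reachable on any interface."""
    return [r for r in rows if r["addr"] in WILDCARDS]


def exposed_programs(rows):
    """Programs with at least one wildcard socket, even if their other sockets
    are bound to specific addresses (the smbd 139 vs 445 case in the sample)."""
    return {r["prog"] for r in wildcard_listeners(rows)}


if __name__ == "__main__":
    rows = parse_listeners(SAMPLE_NETSTAT)
    for r in wildcard_listeners(rows):
        print(f"{r['proto']:5} {r['addr']}:{r['port']:<5} {r['prog']} (pid {r['pid']})")
    print("programs reachable on all addresses:", sorted(exposed_programs(rows)))
```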

Suicidal
l33t
Joined: 30 Jul 2003
Posts: 959
Location: /dev/null

PostPosted: Sun Dec 21, 2003 10:08 pm    Post subject: I agree most likely viri

I get attacks like that on my exchange server web logs all the time, a lot of them coming from as far away as Taiwan and India; I have taken a few down by deleting their boot.ini.

Viri like blast and nimda will be around for at least 15 more years. I would concentrate more on iptables rules and less on SMB.conf, as it really doesn't matter what is in smb.conf if your iptables rules are correctly set up.

Even Microsoft is going this way; in XP SP2 they are implementing a stateful firewall that will only allow computers on the local subnet to connect with the computer.

Mnemia
Guru
Joined: 17 May 2002
Posts: 476

PostPosted: Mon Dec 22, 2003 2:42 am

BTW,
You mentioned something about 3D support not working at the same time as iptables. I would recommend you stop using the Gentoo kernels if you are using them, and see what happens. The vanilla kernel seems a lot less likely to break in ways like that in my experience. I stopped using the gentoo-sources kernel because of repeated iptables breakage.

And iptables is VERY important if you want to have a secure setup...

mlsfit138
Guru
Joined: 20 Sep 2003
Posts: 406
Location: Washington

PostPosted: Wed Jan 07, 2004 10:21 am    Post subject: Re: I agree most likely viri

Suicidal wrote:
I get attacks like that on my exchange server web logs all the time, a lot of them coming from as far away as Taiwan and India; I have taken a few down by deleting their boot.ini.

Viri like blast and nimda will be around for at least 15 more years. I would concentrate more on iptables rules and less on SMB.conf, as it really doesn't matter what is in smb.conf if your iptables rules are correctly set up.

Even Microsoft is going this way; in XP SP2 they are implementing a stateful firewall that will only allow computers on the local subnet to connect with the computer.


What makes you say 15 years?

Mnemia: I'll look into that. I wonder if ck sources have similar problems... Also, I've been messing around with 2.6. I can't get everything working correctly, but that may solve that problem eventually.
_________________
"Everytime you justify
another good in you dies"

-Converge, The Saddest Day, Petitioning the Empty Sky

Suicidal
l33t
Joined: 30 Jul 2003
Posts: 959
Location: /dev/null

PostPosted: Thu Jan 08, 2004 1:18 am

Quote:
what makes you say 15 years?


Because I will give Windows XP at least that long until almost no one on this planet uses it, since by default it sets up the computer with blank passwords, and that is just begging nimda and/or msblast to ow3n your box. Most users are totally ignorant of simple issues such as password protection, and I doubt it will get much better with time.

The average user will get smarter, but there will always be some n00b without a clue allowing these viri to stay alive.

Quote:
I would concentrate more on iptables rules and less on SMB.conf as it really doesnt matter what is in smb.conf if your iptables rules are correctly set up.


I must have been tired when I wrote that. What I meant was: layer the security. First concentrate on the firewall in your gateway/router, then concentrate on iptables, then on the ACL in smb.conf.

The more layers of security you have the more likely they will give up and look elsewhere.

i3839
n00b
Joined: 16 Mar 2003
Posts: 10

PostPosted: Tue Jan 13, 2004 11:41 pm    Post subject: Interface versus address

To prevent any confusion: What sschlueter said is a bit wrong.

Binding to a specific interface means that the application only listens for data on that interface. An interface is something totally different from an address, although each interface has an address. eth0, ppp0 and lo are interfaces. Binding to a specific interface only makes sense if the host is also the router (there are more exotic configurations possible, of course), because then one interface can be considered trusted (e.g. eth0, the network card connected to the LAN) and one untrusted (e.g. ppp0, an internet modem).

If the host is just a pc on LAN, then every connection will come through the same interface anyway. Binding restricts the listening interface/address, but doesn't restrict the source address of the connections. That's what firewalls are for. Or the "hosts allow" setting. But mlsfit138's host isn't also the router, and letting samba bind to all the interfaces the host has doesn't make anything more secure. So doing it ekoontz's way is much smarter.

sschlueter wrote:


Mmh, do you know the concept of binding to a specific address?

A listening port can be set up in such a way that it listens on "all addresses" or can be set up that it listens only on specific addresses.

The difference becomes apparent if the host has multiple ip addresses. If the service is listening on "all addresses", you can connect to the service using any ip address the system has. But if the service is listening only to specific addresses, you can only talk to the service if you connect to an ip address the service is listening on.

And if the service is only listening on private ip addresses, it cannot be connected from the internet.

The interface binding thing is more secure than the hosts allow thing because with the latter solution an attacker can still talk to the service.

You can use "netstat -tulpn" to check the listening ports.

This is a service that listens on "all addresses".
Code:

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2041/sshd


This is a service that listens on specific address only:
Code:

tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      30572/smbd
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN      30572/smbd
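An added demonstration of i3839's point, not code from the thread: the address a socket is bound to restricts which destination address it answers on, not which source addresses may connect to it. It starts one listener on 0.0.0.0 (like the sshd line quoted above) and one on 127.0.0.1 only (like the smbd line), then connects to each via 127.0.0.1, via 127.0.0.2, and from a client whose own source address is 127.0.0.2. It assumes a Linux host, where every 127.x.y.z address is loopback; on a system without that alias the 127.0.0.2 cases report None instead of a result.

```python
import socket
import threading


def _accept_loop(srv):
    """Accept and immediately close connections until the listener is closed."""
    while True:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            return


def listen_on(bind_addr):
    """Listen on an ephemeral TCP port bound to bind_addr; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, 0))
    srv.listen(5)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    return srv, srv.getsockname()[1]


def try_connect(dest_addr, port, source_addr=None):
    """True if the TCP connect succeeds, False if actively refused, None if the
    attempt could not be made at all (timeout, or no such local address)."""
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    c.settimeout(2)
    try:
        if source_addr is not None:
            c.bind((source_addr, 0))  # choose the client's own source address
        c.connect((dest_addr, port))
        return True
    except ConnectionRefusedError:
        return False
    except OSError:
        return None
    finally:
        c.close()


def demo():
    """Compare a wildcard listener with one bound to 127.0.0.1 only."""
    wild, wport = listen_on("0.0.0.0")    # like sshd on 0.0.0.0:22 above
    spec, sport = listen_on("127.0.0.1")  # like smbd on 127.0.0.1:139 above
    results = {
        "wildcard reached via 127.0.0.1": try_connect("127.0.0.1", wport),
        "wildcard reached via 127.0.0.2": try_connect("127.0.0.2", wport),
        "specific reached via 127.0.0.1": try_connect("127.0.0.1", sport),
        "specific reached via 127.0.0.2": try_connect("127.0.0.2", sport),
        # The bind address says nothing about who may connect: a client whose
        # source address is 127.0.0.2 still reaches the 127.0.0.1-only socket.
        "specific reached from source 127.0.0.2": try_connect("127.0.0.1", sport, "127.0.0.2"),
    }
    wild.close()
    spec.close()
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:40} {outcome}")
```

Restricting who may connect is the job of a packet filter or the `hosts allow` list, which is the layering the rest of the thread arrives at.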

ekoontz
n00b
Joined: 18 Apr 2002
Posts: 67
Location: San Francisco, California

PostPosted: Tue Jan 27, 2004 8:06 am

Quote:
If the host is just a pc on LAN, then every connection will come through the same interface anyway.


I quite agree; in my case, I have a single ethernet interface. Binding only one interface does nothing to restrict who connects. I think perhaps sschlueter was thinking of hosts with two network interfaces; one connected to the Internet and one to a LAN, in which case it would make sense to bind to only one interface.
_________________
In Soviet Gentoo, portage emerges -u!