Gentoo Forums
Networking & Security
Finding the attack source
trickypicky75
n00b
Joined: 02 Apr 2004
Posts: 69
Location: Downingtown, PA
Posted: Fri Jul 08, 2005 1:42 pm    Post subject: Finding the attack source

All. I'm running a Gentoo server, running Samba, set up to authenticate via Active Directory (to allow SSO). For the last few weeks I've been seeing "dictionary" style attempts at logging in, in /var/log/samba3/log.winbindd. Here's an example:

Quote:
[2005/07/04 12:32:35, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'bernard' does not exist
[2005/07/04 12:32:35, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'kent' does not exist
[2005/07/04 12:32:35, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'bobby' does not exist
[2005/07/04 12:32:36, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'laurence' does not exist
[2005/07/04 12:32:36, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'bobby' does not exist
[2005/07/04 12:32:36, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'laurence' does not exist


I've looked in all of my other logs, but I can't find the source of these attacks. I've looked on other machines on my network and haven't been able to find any proof that they have been compromised, or that this is happening to any other machines on my network. I have no clue whether this attack is coming from inside my network, from our other office (connected via VPN), or from outside.

The only new thing I saw, early this morning, was about 30 attempts to log in via SSH. I do have the IP that it came from, and it's outside of my network, so I can block that IP if I want.

So far I've been lucky, none of the "guesses" have been right, but in the last 2 days I'm seeing some more clever behavior, like trying old NetBIOS-style logins (such as IPC$), and now I'm seeing attempted logins as legitimate computer names (MYDC$).

I'm running metalog for logging. I'm not sure what I can adjust to try to at least get an IP of where these attacks are coming from so that I can block it.

Any help is appreciated.

Thanks in advance...
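As an added example (not from the thread), a small Python routine that pairs up the two-line winbindd entries quoted above, counts "does not exist" lookups per minute so a dictionary run stands out, and pulls out guessed names shaped like machine or NetBIOS accounts (the IPC$ and MYDC$ cases the poster mentions). The sample log is constructed from the post's own lines plus two added pairs.

```python
import re
from collections import defaultdict

# Constructed sample: the six winbindd pairs quoted in the post, plus two pairs
# added here to show the IPC$ / MYDC$ style names the poster mentions later.
SAMPLE_LOG = """\
[2005/07/04 12:32:35, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'bernard' does not exist
[2005/07/04 12:32:35, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'kent' does not exist
[2005/07/04 12:32:35, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'bobby' does not exist
[2005/07/04 12:32:36, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'laurence' does not exist
[2005/07/04 12:32:36, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'bobby' does not exist
[2005/07/04 12:32:36, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'laurence' does not exist
[2005/07/04 12:32:37, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'IPC$' does not exist
[2005/07/04 12:32:37, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'MYDC$' does not exist
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}):\d{2}, \d+\] ")  # group 1: minute
USER_RE = re.compile(r"^\s*user '([^']+)' does not exist\s*$")

def parse_unknown_users(text):
    """Return a list of (minute, username) for every 'does not exist' lookup."""
    events, minute = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            minute = h.group(1)  # 'YYYY/MM/DD HH:MM' of the header just seen
            continue
        u = USER_RE.match(line)
        if u and minute is not None:
            events.append((minute, u.group(1)))
            minute = None  # each header carries exactly one message line
    return events

def flag_dictionary_attempts(text, threshold=5):
    """Minutes with >= threshold unknown-user lookups, plus names with a trailing '$'."""
    events = parse_unknown_users(text)
    per_minute = defaultdict(int)
    for minute, _user in events:
        per_minute[minute] += 1
    busy = sorted(m for m, n in per_minute.items() if n >= threshold)
    machine_style = sorted({u for _, u in events if u.endswith("$")})
    return busy, machine_style
```

Run it over the real log.winbindd instead of SAMPLE_LOG to see which minutes the guessing clusters in; the winbindd lines themselves carry no client address, which is why the thread turns to firewall logging for that.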
techjedi
n00b
Joined: 07 Jul 2005
Posts: 6
Location: Connecticut
Posted: Fri Jul 08, 2005 6:00 pm

Unless access is actually required, block access into your network from the outside world to the SSH and SMB ports... well, anything really. If your network is connected up to the Internet without some kind of a firewall, then that would be the first step you should be taking. If there already is a firewall, make sure all the ports are closed off, or perhaps set up some "allow from (list of valid IPs)" and "deny all" type rules. But in all honesty I can't think of any reason that you would need 100% wide open access to SSH and SMB from outside your own network, so cut them off before they get in.

Hope this helps!
Praxxus
Apprentice
Joined: 26 Nov 2002
Posts: 193
Location: Indiana, US
Posted: Fri Jul 08, 2005 6:15 pm    Post subject: Re: Finding the attack source

trickypicky75 wrote:
All. I'm running a Gentoo server, running Samba, set up to authenticate via Active Directory (to allow SSO). For the last few weeks I've been seeing "dictionary" style attempts at logging in, in /var/log/samba3/log.winbindd. Here's an example:

I've looked in all of my other logs, but I can't find the source of these attacks. I've looked on other machines on my network and haven't been able to find any proof that they have been compromised, or that this is happening to any other machines on my network. I have no clue whether this attack is coming from inside my network, from our other office (connected via VPN), or from outside.


Aren't you blocking unnecessary connections using Samba's "hosts allow" config option? Or maybe an iptables firewall? Is it necessary for this machine to have Samba accessible on the public internet? I mean, really necessary?


trickypicky75 wrote:
So far I've been lucky, none of the "guesses" have been right, but in the last 2 days I'm seeing some more clever behavior, like trying old NetBIOS-style logins (such as IPC$), and now I'm seeing attempted logins as legitimate computer names (MYDC$).


Please lock down your Samba server.

If you up the debug output of Samba, will it log the IP addresses making the request? I don't know, I'm just asking to raise that as a possibility.

If nothing else, you could put up a simple iptables ruleset that would log all traffic on the SMB/NETBIOS ports. That would for sure tell you where the traffic is coming from.

BUT FIRST AND FOREMOST you need to restrict access to this server so that the only people that can reach it are the ones that need to use its services. That will likely make these break-in attempts go away.

Oh, and you DO want to block the IP those SSH attempts came from. They were up to no good, and shouldn't be allowed back.
trickypicky75
n00b
Joined: 02 Apr 2004
Posts: 69
Location: Downingtown, PA
Posted: Fri Jul 08, 2005 6:58 pm

I'm sorry, I should have given a little more information. It made me sound like a bit of a "dummyhead".

I am using "hosts allow" and have it restricted to 127., my local subnet, and the subnets of my remote office.

Both offices are firewalled by cisco routers w/ reflexive access lists, with only a few specific openings on each.

I am intending to block that specific IP altogether.

However, I can't limit port 22 to only a few IPs. Myself and a few others use SSH to get into our network from remote locations that do not have static IP addresses (often we tunnel Terminal Services through SSH to manage our Win. servers).

Basically, what I would like to do is beef up logging so that I can get more information about where these attacks are coming from; I'm not exactly sure how to do that. Or come up with some other way that I can identify where this is coming from... Even if I could just shut off Samba forever I would still feel uneasy knowing that someone has gotten through my perimeter and has the ability to attack one of my other machines. Heck, one of my machines could possibly be compromised right now, and I wouldn't be able to figure out which one (especially if it's in our remote office).

I will do a little reading on iptables, unless someone can direct me to some documentation and/or a quick how-to.

Thanks again....
techjedi
n00b
Joined: 07 Jul 2005
Posts: 6
Location: Connecticut
Posted: Fri Jul 08, 2005 7:48 pm

I googled "iptables guide" and came up with the following:
http://www.iptablesrocks.org/

Looked promising... enjoy

PS - I would agree, crank up debugging on Samba, get the IP (or list of IPs) and block them entirely.

And as another tricky little monkey, you could always try setting up some port forwarding, random port numbers to the outside world -> ssh and whatnot on the inside. Won't keep everyone out, but will fool most of the riff-raff.