How to open port 137:139
linux_fed2
2004-09-20, 11:56 PM CDT
hi,
How could I open port 137:139 in my firewall? I am using Fedora Core 2.
thanks!
taylor65
2004-09-21, 05:12 AM CDT
Go to System Settings -> Security Level. At the bottom of the window is a place for entering other ports.
ghenry
2004-09-21, 08:32 AM CDT
Trying to run Samba?
vinu
2004-09-21, 12:34 PM CDT
Do the following as root from a command prompt
/sbin/iptables -A INPUT -p tcp --dport 137:139 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
If you're using multiple NICs, it's advisable to enable them on your internal network only, by specifying the -i <interface> option.
And you can add it to a local start-up script like /etc/rc.local so that it's enabled at every boot.
crackers
2004-09-21, 08:16 PM CDT
I sure as hell hope this computer isn't connected to the Internet... Ports 137:139 are those nasty Netbios ports used by Microsoft networking. Those particular ports get hit real hard all the time, so it may render your connection worthless if it's to the world at large, instead of just locally.
superbnerd
2004-09-21, 08:27 PM CDT
An easier way is to use a decent firewall frontend like Firestarter (http://firestarter.sourceforge.net). To install it, use yum (http://www.fedorafaq.org/#installsoftware): yum install firestarter. It's very intuitive.
Ned
2004-09-28, 08:15 PM CDT
I sure as hell hope this computer isn't connected to the Internet... Ports 137:139 are those nasty Netbios ports used by Microsoft networking. Those particular ports get hit real hard all the time, so it may render your connection worthless if it's to the world at large, instead of just locally.
Absolutely. You must also add a filter that checks the source is ONLY from your internal IP address range, and preferably use MAC filtering to prevent IP spoofing. For example:
iptables -A INPUT -p tcp -s 192.168.0.1 --dport 137:139 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
Otherwise you might as well just leave the door wide open and hang a big sign outside welcoming people in :D
Ned
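The two rule sets above (vinu's interface restriction and Ned's source-address and MAC filter) put together, as an added example that is not code from the thread. It assumes iptables lives at /sbin/iptables as in the thread, that eth1 is the LAN-side NIC and 192.168.0.0/24 the LAN; both values are illustrative. It also handles the two details the thread's one-liners gloss over: NetBIOS name and datagram service (137, 138) are UDP, only the session service (139) is TCP, and anything else aimed at those ports is dropped, with logging rate-limited so the constant background scanning crackers mentions does not flood syslog. The subnet is refused unless it is a private range, which is the check that keeps a typo from opening the ports to the world.

```python
import ipaddress
import re
import shlex
import subprocess

IPTABLES = "/sbin/iptables"   # path used in the thread; assumed correct on the target box

# NetBIOS name service (137) and datagram service (138) are UDP; the session
# service (139) is TCP. A rule that only matches tcp 137:139 misses the first two.
NETBIOS_UDP_PORTS = "137:138"
NETBIOS_TCP_PORT = "139"
NETBIOS_ALL_PORTS = "137:139"

MAC_RE = re.compile(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
IFACE_RE = re.compile(r"[A-Za-z0-9_.:-]{1,15}")


def netbios_rules(iface, subnet, mac=None):
    """Return iptables commands (as argv lists, in order) that accept NetBIOS
    only from `subnet` arriving on `iface` (optionally pinned to one source
    MAC as well) and drop every other packet aimed at ports 137-139."""
    if not IFACE_RE.fullmatch(iface):
        raise ValueError("bad interface name: %r" % iface)
    net = ipaddress.ip_network(subnet, strict=True)  # "192.168.0.1/24" (host bits set) is rejected
    if not net.is_private:
        raise ValueError("refusing to allow NetBIOS from a non-private range: %s" % net)
    src = ["-i", iface, "-s", str(net)]
    if mac is not None:
        if not MAC_RE.fullmatch(mac):
            raise ValueError("bad MAC address: %r" % mac)
        src += ["-m", "mac", "--mac-source", mac]

    rules = [
        # replies to connections this host started keep working
        ["-A", "INPUT", "-m", "state", "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        ["-A", "INPUT", *src, "-p", "udp", "--dport", NETBIOS_UDP_PORTS, "-j", "ACCEPT"],
        ["-A", "INPUT", *src, "-p", "tcp", "--dport", NETBIOS_TCP_PORT,
         "-m", "state", "--state", "NEW", "-j", "ACCEPT"],
    ]
    for proto in ("udp", "tcp"):
        # anything else aimed at 137-139 (e.g. arriving on the Internet-facing NIC)
        # is logged at a trickle and then dropped
        rules.append(["-A", "INPUT", "-p", proto, "--dport", NETBIOS_ALL_PORTS,
                      "-m", "limit", "--limit", "5/min",
                      "-j", "LOG", "--log-prefix", "netbios-drop: "])
        rules.append(["-A", "INPUT", "-p", proto, "--dport", NETBIOS_ALL_PORTS, "-j", "DROP"])
    return [[IPTABLES] + r for r in rules]


def render(rules):
    """Shell-quoted lines, ready to review and paste into /etc/rc.local."""
    return "\n".join(shlex.join(argv) for argv in rules)


def apply_rules(rules, dry_run=True):
    """Run the rules (needs root). With dry_run=True only show what would run."""
    for argv in rules:
        if dry_run:
            print(shlex.join(argv))
        else:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # assumed values: eth1 is the LAN-side NIC and 192.168.0.0/24 the LAN
    apply_rules(netbios_rules("eth1", "192.168.0.0/24"), dry_run=True)
</```

Run it as root with dry_run=False once the printed rules look right; the ESTABLISHED,RELATED rule goes first so that outbound SMB connections from this box still get their replies after the DROP rules are in place.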
Lopov
2004-09-29, 05:55 PM CDT
I sure as hell hope this computer isn't connected to the Internet... Ports 137:139 are those nasty Netbios ports used by Microsoft networking. Those particular ports get hit real hard all the time, so it may render your connection worthless if it's to the world at large, instead of just locally.
Yep, he's right. You never open any of the ports lower than 1000 unless you want a new and state-of-the-art trojan controlling your system.
crackers
2004-09-29, 09:30 PM CDT
Yep he's right, you never open any of the ports lower than 1000 unless you want a new and state of the art trojan controlling your system.
That's not entirely correct, otherwise web servers wouldn't work at all. The "trick" to opening a port below 1024 is that those are controlled by the "root" user (privileged). Typical behavior for using these ports is to be opened by an application, acting as the "root" user, then the application (server) will change to an unprivileged user (e.g. "nobody") that has logins disabled. This prevents someone from tunneling in through the port and immediately acquiring "root" access. And this is why buffer overruns are dangerous - they make it possible to execute inserted code as the unprivileged user and possibly gain a login onto the box, sometimes (depending on how poorly the server's written/set up/run) even as "root."
This, incidentally, is one of the reasons why older Windows OSs were/are so dangerous - the "normal" user always had administrative control of the system. NT and XP have addressed this, somewhat, but there are simply too many holes and shortcuts from those legacy days to be found and eliminated - Windows wasn't built with ANY kind of actual security in mind.
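The bind-as-root-then-drop pattern crackers describes, as an added example that is not code from the thread. It assumes a service account named "nobody" exists with a no-login shell (the names and port 139 are illustrative). The points worth seeing in code are the ones that are easy to get wrong: supplementary groups must be cleared first, setgid() must come before setuid() because setuid() is the call that throws away the right to do the other two, and after the switch the program checks that it really cannot get root back before it touches any client data.

```python
import os
import pwd
import socket


def bind_tcp_port(port):
    """Bind and listen on `port`. Below 1024 this succeeds only while the
    process is still root (or holds CAP_NET_BIND_SERVICE)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    sock.listen(5)
    return sock


def login_disabled(shell):
    """True for the shells conventionally given to service accounts such as
    "nobody", so that the account cannot be used for an interactive login."""
    return os.path.basename(shell) in ("nologin", "false")


def current_ids():
    """(real uid, effective uid, real gid, effective gid) of this process."""
    return (os.getuid(), os.geteuid(), os.getgid(), os.getegid())


def drop_privileges(uid, gid):
    """Permanently become uid/gid. Order matters: supplementary groups, then
    gid, then uid. Returns current_ids() after the switch."""
    was_root = os.geteuid() == 0
    if was_root:
        os.setgroups([])          # only root may edit the group list; clear it first
    os.setgid(gid)                # would fail with EPERM if done after setuid()
    os.setuid(uid)
    if was_root and uid != 0:
        # Verify the drop is irreversible: if a saved uid of 0 were left
        # behind, code running after a buffer overrun could just setuid(0).
        try:
            os.setuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop is reversible; refusing to serve")
    return current_ids()


def start_service(port, user="nobody"):
    """The pattern from the post: open the privileged port as root, then
    switch to an unprivileged account before handling any client data."""
    pw = pwd.getpwnam(user)
    if not login_disabled(pw.pw_shell):
        raise RuntimeError("%s has a login shell (%s); use a real service account" % (user, pw.pw_shell))
    sock = bind_tcp_port(port)                 # still root here
    ids = drop_privileges(pw.pw_uid, pw.pw_gid)
    return sock, ids


if __name__ == "__main__":
    # run as root: binds 139, then everything after this line runs as "nobody"
    sock, ids = start_service(139)
    print("listening on port %d as uid/euid/gid/egid %s" % (sock.getsockname()[1], ids))
```

Run as an ordinary user, bind_tcp_port(139) fails with EACCES, which is the kernel enforcing the "controlled by root" rule the post refers to; drop_privileges() to your own uid/gid is a harmless no-op, which is why the check on reversibility is only made when the process actually started as root.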
Ned
2004-09-29, 10:47 PM CDT
This, incidentally, is one of the reasons why older Windows OSs were/are so dangerous - the "normal" user always had administrative control of the system. NT and XP have addressed this, somewhat,
True, but how many Windows users do you know who don't automatically give their user accounts administrative privileges - only the ones who've used *nix before :D
MS should drum it into users to only use the admin account for admin, but it's funny that I've never ever seen this mentioned even once in all my time using NT4, Win2K and XP.
Ned
AwPhuch
2004-09-30, 02:59 PM CDT
There is a large misconception about attackers on the Internet.
http://images.dshield.org/images/attack_map1.png
Check that out
https://secure.dshield.org/index.php
Brian
AwPhuch
crackers
2004-09-30, 08:31 PM CDT
Lies, damn lies, and statistics. I presume you're talking about "others?" Let's see:
There are 6 specific ports listed in the legend. That means "others" covers 65530 ports. Using eyeballs on the US chart, that means each "other" port (statistically) accounts for about 0.07% of the chart, whereas port 135 (again by eyeball) alone accounts for over 30%.
Isn't it amazing how you can spin numbers to mean pretty much what you want? :D
Ned
2004-10-01, 12:16 AM CDT
Crackers,
I wonder if you have any opinion on the merits of their FightBack scheme and whether you consider it worth participating in?
Link again:
https://secure.dshield.org/index.php
Ned
crackers
2004-10-01, 09:11 PM CDT
Participating in things like this never hurt, as long as you believe it's a valid organization and not someone on a phishing trip.
Me, I'm overly paranoid - I keep my head down, try to stay invisible, and don't share my logs with nobody! ;)
Ned
2004-10-02, 01:47 PM CDT
Thanks Crackers - always interesting to get opinions one wouldn't think of :)
Oh - just wondering where all my hard earned reputation points went. I guess they expire after a while as I've been a bit less active lately or maybe I got a load of negative feedback and they cancelled out :confused:
Ned
superbnerd
2004-10-02, 03:06 PM CDT
Crackers, since you're a :cool: Linux expert, how do you configure Samba to not use NetBIOS? I know MS is trying to move away from NetBIOS. It would be nice if we had just one Samba howto that showed us how to set it up properly and easily.
crackers
2004-10-02, 04:05 PM CDT
SAMBA can only use NetBIOS - anything else M$ uses under the covers is probably covered by all sorts of proprietary copyrights and trademarks and, thanks to the DMCA, probably can't be reverse-engineered.
superbnerd
2004-10-02, 04:44 PM CDT
You're sort of right. There is a way, however, when using Samba in a domain. Use of raw SMB over TCP/IP (no NetBIOS layer) can be done only with Active Directory domains. Samba is not an Active Directory Domain Controller; ergo, it is not possible to run Samba as a domain controller and at the same time NOT use NetBIOS. Where Samba is used as an Active Directory Domain Member Server (DMS) it is possible to configure Samba to not use NetBIOS over TCP/IP. A Samba DMS can integrate fully into an Active Directory domain. Here is The Official Samba-3 HOWTO and Reference Guide (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/).
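The smb.conf settings that implement what superbnerd describes (a Samba 3 domain member server speaking raw SMB over TCP only), as an added example rather than a fragment from the thread or the HOWTO. The workgroup and realm names are assumed; everything else is standard Samba 3 syntax.

```ini
[global]
   ; assumed names for the example domain
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads

   ; raw SMB over TCP only: nmbd is not started and 137/138/139 are not used
   disable netbios = yes
   smb ports = 445
```

With this in place the firewall rules earlier in the thread change accordingly: nothing needs to be open on 137-139 any more, and 445/tcp takes their place, with the same internal-interface and source-address restrictions.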
crackers
2004-10-02, 07:27 PM CDT
Well, to be honest, I haven't had a single Windows machine in operation 'round here in two years, much less AD and I don't run a SAMBA server at work (where we do have AD, which I don't authenticate with anyway), so I wasn't entirely motivated to go looking... ;)
vBulletin® v3.8.1, Copyright ©2000-2009, Jelsoft Enterprises Ltd.