attempts to get into via samba ?
FedoraForum.org - Fedora Support Forums and Community
  1. #1

    attempts to get into via samba ?

    Since my new server has been up and running I've noticed a lot of message logs in /var/logs/samba which seem to be attempts to get into my system via samba. There are a couple of dozen logs each day, most are blank, but some contain stuff like this:

    -----------------------------------------------
    read_data: read failure for 4 bytes to client 0.0.0.0. Error = Connection reset by peer
    getpeername failed. Error was Transport endpoint is not connected
    [2007/09/22 09:00:06, 0] lib/util_sock.c:read_data(534)
    [2007/09/22 09:00:06, 0] lib/util_sock.c:write_data(562)
    read_data: read failure for 4 bytes to client 82.60.179.119. Error = Connection reset by peer
    write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
    [2007/09/22 09:00:06, 0] lib/util_sock.c:send_smb(769)
    Error writing 97 bytes to client. -1. (Connection reset by peer)
    [2007/09/22 09:00:06, 0] lib/util_sock.c:get_peer_addr(1232)
    getpeername failed. Error was Transport endpoint is not connected
    [2007/09/22 09:00:06, 0] lib/util_sock.c:write_data(562)
    write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
    [2007/09/22 09:00:06, 0] lib/util_sock.c:send_smb(769)
    [2007/09/22 09:00:06, 0] lib/util_sock.c:get_peer_addr(1232)
    ----------------------------------------------------------------------------------

    Looking at many of these logs it appears no one has succeeded in getting past samba, but I am no expert.
    Typically when I traceroute the client IPs (such as 82.60.179.119 above) the jumps are long and all over the world map. I don't really understand the traceroute info, but I presume it indicates the kind of twists and turns these F__kheads use to sneak around the net and try break-ins.

    Am I interpreting this correctly? Are scumbags from around the world trying to break into my system? Currently I have nothing on my filesystem set to share to the outside world, and the samba server is set to the default that F7 came with, which I presume is pretty secure. Is there a good Samba security white paper out there somewhere so I can make samba useful and not have these parasites screw up my system?

    Frankly I think death is too good for them.

    Anyone got any great security info to share with me, particularly on samba ?

    pailott
    Old F7 & F11 machines gone.
    1st new machine (1155) w SSD 256 main drive (fast !!)
    Asus Intel Q77 MB - mATX, Intel Core i5-3570K.
    2nd Machine, reused Old F11 guts, new SSD 128. Both running Fed20, one primarily KDE the other Gnome

  2. #2
    Yes, it appears someone is trying to do something with your samba installation. The best tool for protection is to use a firewall. If you are using KDE (I don't know about GNOME), you can go to K Menu > Administration > Firewall and SELinux and in the Firewall Options tab, Trusted services, uncheck samba.

    This will block any external access to samba for now. When you are ready to use it, you can set the rules using iptables.
    Pietro Pesci Feltri

    PowerBook 15" G4 and
    MacBook Pro 17" Intel Core 2 Duo
    Intel I5 Desktop

  3. #3
    I found some info on this.
    http://www.linuxhomenetworking.com/w...roubleshooting
    Using this in /etc/samba/smb.conf

    [global]
    ...
    bind interfaces only = Yes
    hosts deny = ALL
    hosts allow = 192.168.1.0/24 127.
    interfaces = eth0 lo
    ...
    and I restarted samba
    service smb restart

    Will see how this works.
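As an added illustration of how the `hosts allow` / `hosts deny` pair in the smb.conf fragment above is evaluated (this is not code from the thread or from Samba itself): a small Python model of the precedence rules Samba documents for smb.conf, run against the posted [global] fragment, reproduced here as a constructed string with an assumed `workgroup` line. It decides whether a given client address would be admitted or refused. Hostname tokens, EXCEPT clauses and the `bind interfaces only` / `interfaces` settings are not modelled.

```python
"""Model of Samba's `hosts allow` / `hosts deny` decision for an IPv4 client.

Added example (not the thread's or Samba's code). It follows the precedence
documented for smb.conf: with both lists set, a client on `hosts allow` is
admitted, otherwise a client on `hosts deny` is refused, otherwise admitted.
Token forms handled: ALL, a network (192.168.1.0/24 or with a dotted mask),
a dotted prefix ending in '.' (127.), and a single address.
"""
import ipaddress
import re

# Constructed smb.conf [global] fragment mirroring the one posted in the
# thread; the workgroup line is an assumption added for realism.
SMB_CONF = """\
[global]
    workgroup = HOME
    bind interfaces only = Yes
    hosts deny = ALL
    hosts allow = 192.168.1.0/24 127.
    interfaces = eth0 lo
"""


def parse_global(conf: str) -> dict:
    """Return key/value pairs from the [global] section (keys lower-cased)."""
    settings = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings


def token_matches(token: str, addr: ipaddress.IPv4Address) -> bool:
    """Does one hosts allow/deny token cover this address?"""
    if token.upper() == "ALL":
        return True
    if "/" in token:                  # 192.168.1.0/24 or 192.168.1.0/255.255.255.0
        return addr in ipaddress.ip_network(token, strict=False)
    if token.endswith("."):           # leading-octets prefix such as 127.
        return str(addr).startswith(token)
    return str(addr) == token         # single address


def list_matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """True if any whitespace- or comma-separated token in `spec` matches."""
    return any(token_matches(t, addr) for t in spec.replace(",", " ").split())


def allow_access(settings: dict, client_ip: str) -> bool:
    """Samba-style decision: no lists -> allow; allow-only -> must match;
    deny-only -> must not match; both -> allow list wins, then deny list.
    Loopback is admitted unless it is denied and not explicitly allowed."""
    addr = ipaddress.ip_address(client_ip)
    allow = settings.get("hosts allow", "")
    deny = settings.get("hosts deny", "")
    if addr.is_loopback:
        return not (list_matches(deny, addr) and not list_matches(allow, addr))
    if not allow and not deny:
        return True
    if not deny:
        return list_matches(allow, addr)
    if not allow:
        return not list_matches(deny, addr)
    if list_matches(allow, addr):
        return True
    return not list_matches(deny, addr)


if __name__ == "__main__":
    g = parse_global(SMB_CONF)
    for ip in ("192.168.1.42", "127.0.0.1", "82.60.179.119", "72.85.14.7"):
        print(f"{ip:>15}: {'allowed' if allow_access(g, ip) else 'denied'}")
```

With the posted fragment, 192.168.1.42 and 127.0.0.1 are admitted and the two addresses quoted in the thread are refused before any authentication takes place, which is the "Denied connection from (...)" line seen later in the thread. Note that an allow list without a deny list admits only the listed hosts, while a deny list without an allow list admits everything not listed, so `hosts deny = ALL` is the part that turns the allow list into a whitelist.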

  4. #4
    That will work fine too. Only local machines will have access.
    Pietro Pesci Feltri


  5. #5
    Thanks ppesci.

    These people trawling the net for vulnerable systems are scumbags.
    They should track them down and put them in prison !!!

    After my hosts.deny stuff above, here are the log messages now.

    [2007/10/03 14:11:30, 0] lib/access.c:check_access(327)
    Denied connection from (72.85.14.7)

    Every log is the same, so these jerks are shut out !!!

    7 different IP sources trying to get in since I posted the above!

    201.212.167.96
    205.161.15.70
    209.184.221.30
    24.123.210.110
    68.156.20.236
    72.85.14.7
    83.11.127.185

    Who knows, might all be the same guy hiding.
    I tracerouted the 72 one and it ended with
    pool-72-85-14-7.bltmmd.east.verizon.net (72.85.14.7)

    Is there any use trying to email verizon.net to see if they can turn this guy off ?
    He tried many hundreds of times to get in. (Probably a bot !!)

    Is there a denyhosts (the ssh utility) for samba or other services ?

    Fortunately I do not want to run samba on the open network, just the internal one, but ya never know when some Ahole might break into my internal one.

    pailott
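The per-address tally pailott did by hand above, and the denyhosts-style question, as an added Python example (not from the thread and not part of denyhosts or Samba): it parses the two-line Samba log format quoted in the thread, extracts the client address from `Denied connection` and socket-failure messages, discards the 0.0.0.0 placeholders and private/loopback ranges, and lists the sources seen repeatedly. The log lines are constructed for this example, reusing the addresses quoted in the thread.

```python
"""Triage of Samba log lines: which external addresses are being refused,
and how often?

Added example, not from the thread. The sample lines below are constructed
to mirror the formats quoted in the thread: Samba's two-line entries of
`[date time, level] file:function(line)` followed by the message. Only the
source address and the message type are extracted; nothing on the host is
changed.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample; the addresses are the ones the thread quoted plus the
# 0.0.0.0 placeholder Samba logs once getpeername() has already failed.
SAMPLE_LOG = """\
[2007/10/03 14:11:30, 0] lib/access.c:check_access(327)
  Denied connection from (72.85.14.7)
[2007/10/03 14:12:02, 0] lib/access.c:check_access(327)
  Denied connection from (72.85.14.7)
[2007/10/03 15:40:11, 0] lib/access.c:check_access(327)
  Denied connection from (201.212.167.96)
[2007/09/22 09:00:06, 0] lib/util_sock.c:read_data(534)
  read_data: read failure for 4 bytes to client 82.60.179.119. Error = Connection reset by peer
[2007/09/22 09:00:06, 0] lib/util_sock.c:write_data(562)
  write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
[2007/10/03 16:01:55, 0] lib/access.c:check_access(327)
  Denied connection from (192.168.1.23)
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
DENIED = re.compile(r"Denied connection from \((\d+\.\d+\.\d+\.\d+)\)")
SOCKERR = re.compile(r"(?:read|write) failure .*? client (\d+\.\d+\.\d+\.\d+)")


def parse_events(text):
    """Yield (timestamp, kind, ip) for each recognised two-line Samba entry."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        h = HEADER.match(line.strip())
        if not h or i + 1 >= len(lines):
            continue
        msg = lines[i + 1].strip()
        m = DENIED.search(msg)
        if m:
            yield h.group(1), "denied", m.group(1)
            continue
        m = SOCKERR.search(msg)
        if m:
            yield h.group(1), "socket_error", m.group(1)


def external_sources(text):
    """Count events per source, dropping 0.0.0.0 and private/loopback ranges."""
    counts = Counter()
    for _ts, _kind, ip in parse_events(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_unspecified or addr.is_private or addr.is_loopback:
            continue
        counts[ip] += 1
    return counts


def repeat_offenders(text, threshold=2):
    """Sources seen at least `threshold` times: candidates to review for a
    firewall rule or an ISP abuse report, in the spirit of denyhosts."""
    return sorted(ip for ip, n in external_sources(text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in external_sources(SAMPLE_LOG).most_common():
        print(f"{ip:>16}  {n} event(s)")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

Run against a real /var/log/samba directory you would feed each file's contents to `external_sources`; the 0.0.0.0 entries are excluded because they carry no usable source address, and the private-range filter keeps LAN noise out of the tally. The timestamp is kept in each event so the same data can be bucketed by hour if the goal is to spot a single bot hammering the port rather than many distinct scanners.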

  6. #6
    Nobody can enter if you use a 192.168.1.x address because any internet router will discard packets from private addresses. I think Verizon can't do anything, because that address is dynamically assigned. For general protection, use iptables.

    Imagine how many windoze users are cracked every day.
    Pietro Pesci Feltri


  7. #7
    pete_1967 Guest
    Quote Originally Posted by pailott

    Is there any use trying to email verizon.net to see if they can turn this guy off ?
    He tried many hundreds of times to get in. (Probably a bot !!)
    Yes you can by contacting them (check their website for abuse email address) and attach the logs. Whether they are from dynamic or static IP# doesn't matter that much because they have logs showing who was assigned which IP# at certain times.

    Before I got HW firewall I regularly used to report these script kiddies to their ISPs with around 90% success rate.

    Most ISPs take the breach of their acceptable usage policy and terms and conditions very seriously and act promptly against those who breach them.

  8. #8
    I just installed and started denyhosts for my ssh server.
    Lots of break-in attempts in the logs.
    denyhosts has already added several IPs to /etc/hosts.deny.

    I'm on a security binge today.
    S___w these crooks !!
    Let the full power of Linux be unleashed !!!

    Windoz is so sad.....

    Thanks ppesci & pete
