Linux - Security
I've got a Linux box that does all my web-related stuff, i.e. file sharing, internet dial-up (broadband), mail server, Samba, etc.
I've had a couple of weird experiences over the last couple of days, where my server just ditches the internet and requires a reboot. I checked the /var/log folder and found literally hundreds of name.log files, where name can be anything from jack to xxx283838, and a lot of ipnumber.log files. Upon looking inside them, I've found this:
[2004/03/21 05:19:08, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:20:06, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:22:33, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:23:36, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:24:01, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/21 05:29:32, 0] lib/util_sock.c:read_socket_data(342)
read_socket_data: recv failure for 4. Error = Connection reset by peer
And:
[2004/03/18 22:14:20, 1] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(576)
Unknown packet in reply_sesssetup_and_X_spnego
And finally, a huge one consisting mainly of @@@@@@@@@@@ etc.
Please help, does anyone know what's going on?
My system:
Slackware Linux, kernel 2.6.3, Samba 3 (latest), Apache 2 (latest)
I could be wrong, but I think those log files are created by Samba every time a new client tries to connect (then it keeps track of their subsequent activities). It seems like you have Samba enabled on your external IP!
What's the output of this command?
$ netstat -lanF inet
Note: I think it's -F inet on Linux, I can't remember... just -l should get what I'm looking for; then don't paste all the stuff that's UNIX sockets.
The easy way would be to block Samba at the firewall level on the external interface.
iptables -A INPUT -i [external interface] -p tcp --destination-port 135 -j DROP
iptables -A INPUT -i [external interface] -p tcp --destination-port 137 -j DROP
*That's just off the top of my head... someone might want to double-check the syntax.*
Thanks for that, the interfaces = line did the job. No more log files bar my own now. Will let it run for a few hours, and if I've still got problems, I'll post.
Well, back to the drawing board... Still getting those hits to Samba externally.
I've added your suggestion about the interfaces = line and still no joy. I then modified my firewall script with the previous suggestions. Here is my firewall script:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A INPUT -i ppp0 -p udp --destination-port 137 -j DROP
iptables -A INPUT -i ppp0 -p udp --destination-port 138 -j DROP
iptables -A INPUT -i ppp0 -p tcp --destination-port 139 -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
Still getting those log files building up. Any more ideas?
Thanks in advance.
Ade
Edit:
In answer to the previous question: one NIC, local LAN (eth0), one USB broadband modem (ppp0). Two other machines (wireless laptop and my main Windows XP box) share the internet connection and the Samba shared files, as above.
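As an added example (not from the thread, and not Samba's or iptables' own tooling): a small shell script that lists SMB/NetBIOS sockets bound to every address, which is exactly what makes them reachable from ppp0, and then prints the drop rules for all four ports Samba uses. The rules posted above cover 137/138/udp and 139/tcp; Samba 3 also accepts direct-hosted SMB on 445/tcp, so the script includes it. Assumed: ppp0 is the external interface, listener input follows the column layout of `ss -H -lntu`, and the socket listing below is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): find SMB/NetBIOS listeners bound to every address
# (and therefore reachable on ppp0), then print iptables rules that drop them on the
# external interface. Assumptions: ppp0 is the external interface as in the thread; input
# uses the column layout of "ss -H -lntu" (Netid State Recv-Q Send-Q Local:Port Peer:Port).

# Ports Samba uses: NetBIOS name/datagram service (137/138 udp), NetBIOS session
# (139 tcp) and direct-hosted SMB (445 tcp), which Samba 3 also listens on.
SMB_UDP="137 138"
SMB_TCP="139 445"

# smb_exposed: read ss-style listener lines on stdin; print one line per SMB socket bound
# to a wildcard address (0.0.0.0, *, [::]), i.e. not restricted to the LAN address.
smb_exposed() {
    awk -v udp="$SMB_UDP" -v tcp="$SMB_TCP" '
    BEGIN {
        n = split(udp, a, " "); for (i = 1; i <= n; i++) U[a[i]] = 1
        n = split(tcp, b, " "); for (i = 1; i <= n; i++) T[b[i]] = 1
    }
    {
        proto = $1; la = $5
        port = la; sub(/.*:/, "", port)          # text after the last colon
        addr = la; sub(/:[^:]*$/, "", addr)      # text before the last colon
        if ((proto == "udp" && (port in U)) || (proto == "tcp" && (port in T)))
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
                print proto "/" port " bound to " addr
    }'
}

# emit_smb_drop_rules IFACE: print iptables rules dropping inbound SMB/NetBIOS on IFACE.
# --dport is the short form of the --destination-port used in the thread.
emit_smb_drop_rules() {
    ext="$1"
    for p in $SMB_UDP; do
        echo "iptables -A INPUT -i $ext -p udp --dport $p -j DROP"
    done
    for p in $SMB_TCP; do
        echo "iptables -A INPUT -i $ext -p tcp --dport $p -j DROP"
    done
}

# Constructed sample of "ss -H -lntu" output for a box like the one in the thread: smbd on
# 139/445 and nmbd's datagram port bound to all addresses, the name-service port already
# limited to the LAN IP, plus an unrelated sshd listener.
SAMPLE_SS='tcp   LISTEN   0   50   0.0.0.0:139     0.0.0.0:*
tcp   LISTEN   0   50   0.0.0.0:445     0.0.0.0:*
udp   UNCONN   0   0    192.168.7.1:137 0.0.0.0:*
udp   UNCONN   0   0    0.0.0.0:138     0.0.0.0:*
tcp   LISTEN   0   128  0.0.0.0:22      0.0.0.0:*'

# On a live system replace the sample with:  ss -H -lntu | smb_exposed
printf '%s\n' "$SAMPLE_SS" | smb_exposed
emit_smb_drop_rules ppp0
```

Run `ss -H -lntu | smb_exposed` on the box first; every line it prints is a port reachable from the internet until a rule or a bind restriction covers it. Because the rules are appended with -A, they must sit before any general ACCEPT on INPUT or they are never reached. Treat the firewall as belt and braces: it only protects while the rule set is loaded, and a port it forgets (445 in the script posted above) stays open, so keeping smbd and nmbd off ppp0 in smb.conf is the fix that does not depend on the firewall.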
OK, I nailed it... the Samba 3 smb.conf uses a few different parameters from the version 2 smb.conf. Here's the config that finally stopped me broadcasting all over the internet and beyond:
#[global]
netbios name = merlin
workgroup = home
bind interfaces only = true
interfaces = eth0 192.168.7.1
The bind interfaces only and interfaces lines tell Samba 3 to only use the specified device and which IP to broadcast on.
Hope this helps someone else in the future, took a good deal of time to find.
Cheers for the help and ideas,
Ade
Edit:
I should really add, in response to the "you sure your Win box isn't compromised?" question: yes, I'm sure. It's a brand-new installation on my newly put-together P4 3 GHz box, and it's running the latest Norton AntiVirus, Corporate Edition. The problem was definitely Samba-related: by default, it searches for all available connections and broadcasts on them ALL.
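As an added example (not from the thread or from Samba): a shell check that reads an smb.conf and reports whether the two parameters from the fix above actually keep Samba off the external interface. It shows the Samba 3 default (no restriction, so smbd and nmbd bind every address) beside the working [global] section, and a third case where the external interface is itself listed. Assumed: ppp0 is the external interface, the config is read from stdin, and the three configs below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an smb.conf keeps Samba off the
# external interface the way the thread's final [global] settings do. Assumptions: ppp0 is
# the external interface; the config arrives on stdin; only "bind interfaces only" and
# "interfaces" are checked (other exposure controls such as "hosts allow" are out of scope).

# smbconf_restricted IFACE: exit 0 when the global section sets "bind interfaces only" to
# a true value AND has an "interfaces" line that does not name IFACE; otherwise print why
# and exit 1. Samba treats parameters that appear before any [section] header as global,
# so a file whose [global] header is commented out is handled the same way.
smbconf_restricted() {
    awk -v ext="$1" '
    BEGIN { sec = "global" }
    /^[ \t]*[;#]/ { next }                                   # comment line
    /^[ \t]*\[/ { sec = tolower($0); gsub(/[][ \t]/, "", sec); next }
    sec == "global" && /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "bindinterfacesonly") bio = tolower(val)
        if (key == "interfaces") ifaces = val
    }
    END {
        if (bio != "yes" && bio != "true" && bio != "1") {
            print "NOT restricted: bind interfaces only is off (the default), smbd/nmbd bind every address"
            exit 1
        }
        if (ifaces == "") {
            print "NOT restricted: bind interfaces only is set but there is no interfaces line"
            exit 1
        }
        n = split(ifaces, parts, /[ \t,]+/)
        for (i = 1; i <= n; i++)
            if (parts[i] == ext) { print "NOT restricted: interfaces lists " ext; exit 1 }
        print "restricted to: " ifaces
        exit 0
    }'
}

# Constructed configs. WEAK is the Samba 3 default behaviour (no interface restriction);
# FIXED is the thread's working [global] section; LEAKY lists the external interface too.
WEAK='[global]
netbios name = merlin
workgroup = home'

FIXED='[global]
netbios name = merlin
workgroup = home
bind interfaces only = true
interfaces = eth0 192.168.7.1'

LEAKY='[global]
bind interfaces only = yes
interfaces = eth0 ppp0'

for cfg in WEAK FIXED LEAKY; do
    eval "conf=\$$cfg"
    printf '%s: ' "$cfg"
    printf '%s\n' "$conf" | smbconf_restricted ppp0 || true
done
# On a live system:  smbconf_restricted ppp0 < /etc/samba/smb.conf
```

The check is deliberately strict about both settings together: an interfaces line on its own only steers nmbd's broadcasts, and smbd keeps listening on every address until bind interfaces only is also turned on. After changing smb.conf, restart smbd and nmbd and confirm with a listener check that nothing SMB-related is still bound to 0.0.0.0.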
The problem lies with Norton. You should be using Norman Virus Control with personal firewall on your Win box; then only will you be sure that you have not been hacked!
Also, most of the latest viruses cut through Norton with ease, as well as BlackICE Defender. If you have any doubts, go to the www.norman.com site and download a trial version for your Win box.
Do a scan on your machine once you have Norman installed and Norton taken off, and tell us what you find.
Norman runs on Linux as well.
Edit:
I have been, and still am, running a Smoothwall box as a firewall on an old P1 Cyrix 166 with 96 MB RAM, to take care of my firewall and other requirements.
catman_za, I might restrict your enthusiasm a little bit there. Perhaps in your opinion Norman is better than Norton, but no product is perfect, so your statement
Quote:
then only will you be sure that you have not been hacked!
isn't really factual.
Please avoid the appearance of advertising any products. You're welcome to give your experience, but in the world of software there's never a perfect product that fits everyone's needs or is 100% effective at what it's supposed to do.
One might speculate why products like Norton, McAfee, Trend, and Sophos do so well in the commercial market if Norman is so thoroughly superior as you suggest...