Hi all, I finally got my suse 8 box on my windows network, mapped drives etc.

I netstat and saw that port 139 was open and decided to run a securtiy scan at grc.com and this made a connection to port 139 which as I'm sure you'll agree is not a good situation to be in.

My question is how to keep this port closed to everything other than my local network?

My smb.conf has some stuff in there that I don't know what it is or for. I first only specified my internal network in Allow Hosts but this didn't make any difference so removed it...
Here is is:-

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2003/03/08 18:52:57

# Global parameters
[global]
printing = lprng
map to guest = Bad User
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
encrypt passwords = Yes
workgroup = Dreadzone
character set = ISO8859-15
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
netbios name = Pluto
os level = 2
public = yes
default = global

[homes]
comment = Home Directories
read only = No
create mask = 0640
directory mask = 0750
browseable = No

[printers]
comment = All Printers
path = /var/tmp
create mask = 0600
printable = Yes
browseable = No

[downloads]
path = /usr/downloads
comment = This is the root directory for downloads
create mode = 777
writeable = yes
directory mode = 777
public = yes

Could you advise what in this config do I need to do in order to restrict the access to my local network?

In your global, try adding a hosts allow line. Mine says...

hosts allow = 192.168.1. 127.

It should only allow any computers with an IP of 192.168.1.* or 127.*.*.* to connect then. Change the first one to your network IP range, of course.

And check the man smb.conf to see hosts allow and hosts deny options.

Yes see man smb.conf and specifically see the use of these:

interfaces = 10.0.23.1
bind interfaces only = yes

Thats an excerpt from my firewalls smb.conf

Thanks for the advise ranger, I thought it was this to start with and it does restrict access (I believe) but it still leaves the port open to external connections which is a security risk.

m0rl0ck thanks for your help again I was hoping that I could restrict it to one nic but wasn't sure if I could do it in the smb.conf or through iptables. Will read up on it...cheers

that's got it working I added the following to the end of [global]

bind interfaces only = yes
interfaces = 127.0.0.1, 192.168.1.100

man smb.conf says about including the 127.0.0.1 for swat and password validation.

Tezdread
With every solution comes a new problem (mupheys law)


I found this by mistake (you may already know) and thought it could be useful. When you type in a command and move the cursor somewhere over the command, you can use the PgUp & PgDn keys to scroll trough previous command options that you have previously used. It works in the same way as the up & down arrow keys but just for the current command.