* Samba "Leak"
From: David Cary Hart @ 2004-07-07 19:23 UTC
To: netfilter
I cannot figure this out. Our server - running IPTables - has very few
ports open to input and the default is Drop. While a substantial number
of 139 and 445 packets show up in the log as rejected, I am seeing a few
attempts to connect to Samba in the log. These are identified by WAN IPs
so they are not spoofing localhost or a LAN IP.
I also have INVALID and fragmented packets rejected so that path is
closed.
So far, nobody has actually gained access, yet it is disconcerting. Any
ideas how these are getting past the firewall?
--
David Cary Hart
Hart's PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x58A60BB1
* Re: Samba "Leak"
From: Antony Stone @ 2004-07-07 19:35 UTC
To: netfilter
On Wednesday 07 July 2004 8:23 pm, David Cary Hart wrote:
> I cannot figure this out. Our server - running IPTables - has very few
> ports open to input and the default is Drop. While a substantial number
> of 139 and 445 packets show up in the log as rejected, I am seeing a few
> attempts to connect to Samba in the log. These are identified by WAN IPs
> so they are not spoofing localhost or a LAN IP.
>
> I also have INVALID and fragmented packets rejected so that path is
> closed.
>
> So far, nobody has actually gained access, yet it is disconcerting. Any
> ideas how these are getting past the firewall?
So, you have a firewall (routing packets between LAN & Internet), and you also
have netfilter running on Samba server?
You have netfilter LOGging turned on on the server for these packets - do you
also have the same LOGging rules on the firewall (so that you would see if
that's where they were coming from)?
Here are my comments / thoughts:
1. Just because you're seeing WAN addresses doesn't mean they aren't spoofed
(they could be packets from the LAN, but with external source addresses?)
2. Do you have any wireless involved anywhere, as a means for unknown clients
to access the network?
3. A packet sniffer / IDS on the external firewall link + the Samba subnet
(DMZ?) should tell you what is really going on. Maybe a chance to play with
Snort :)
Regards,
Antony.
--
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.
- William Gibson, Neuromancer (1984)
Please reply to the list;
please don't CC me.
* Re: Samba "Leak"
From: David Cary Hart @ 2004-07-07 21:52 UTC
To: netfilter
On Wed, 2004-07-07 at 15:35, Antony Stone wrote:
> On Wednesday 07 July 2004 8:23 pm, David Cary Hart wrote:
>
> Here are my comments / thoughts:
>
> 1. Just because you're seeing WAN addresses doesn't mean they aren't spoofed
> (they could be packets from the LAN, but with external source addresses?)
>
??
> 2. Do you have any wireless involved anywhere, as a means for unknown clients
> to access the network?
>
Yes. Security is through the MAC of the client card. It's hard coded for
our two cards. Encryption is still a challenge for MadWifi. I assumed
that only the MAC of the router is sent out with packets.
> 3. A packet sniffer / IDS on the external firewall link + the Samba subnet
> (DMZ?) should tell you what is really going on. Maybe a chance to play with
> Snort :)
That's the simplest solution. I never could quite get the hang of The
Pig but I suppose that Ethereal should get it done.
>
> Regards,
>
> Antony.
Thanks.
--
David Cary Hart
Hart's PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x58A60BB1
* Re: Samba "Leak"
From: Antony Stone @ 2004-07-07 22:03 UTC
To: netfilter
On Wednesday 07 July 2004 10:52 pm, David Cary Hart wrote:
> On Wed, 2004-07-07 at 15:35, Antony Stone wrote:
> >
> > Here are my comments / thoughts:
> >
> > 1. Just because you're seeing WAN addresses doesn't mean they aren't
> > spoofed (they could be packets from the LAN, but with external source
> > addresses?)
>
> ??
I can't think of a good reason why, but it seems quite possible to me that
some Trojan / malware on an internal machine might generate packets with
false source IPs?
I was just trying to think up an explanation for you seeing packets on your
LAN with public IPs which didn't come through your firewall...
> > 2. Do you have any wireless involved anywhere, as a means for unknown
> > clients to access the network?
>
> Yes. Security is through the MAC of the client card. It's hard coded for
> our two cards. Encryption is still a challenge for MadWifi. I assumed
> that only the MAC of the router is sent out with packets.
Most Access Points are operated as bridges; therefore the MAC addresses will
be the real MAC addresses of the communicating devices - you will never see
the MAC address of the AP on packets unless someone is communicating with it
directly (e.g. SNMP?).
> > 3. A packet sniffer / IDS on the external firewall link + the Samba
> > subnet (DMZ?) should tell you what is really going on. Maybe a chance
> > to play with Snort :)
>
> That's the simplest solution. I never could quite get the hang of The
> Pig but I suppose that Ethereal should get it done.
Yup - ethereal listening on both an external and an internal interface should
do a perfectly good job.
Regards,
Antony.
--
Perfection in design is achieved not when there is nothing left to add, but
rather when there is nothing left to take away.
- Antoine de Saint-Exupery
Please reply to the list;
please don't CC me.
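As an added illustration of Antony's points 1 and 2 (this is not code from the thread, nor from the netfilter project), the script below reads syslog lines produced by the iptables LOG target, flags entries that arrived on the LAN interface yet carry a source address outside the LAN subnet (those did not come through the WAN link, so an internal or wireless host is the likely origin), pulls the sender's MAC address out of the LOG `MAC=` field so a flagged packet can be compared against the wireless cards that are allowed, and counts 139/445 hits per ingress interface so the server's log can be compared with the firewall's. The interface names `eth0`/`eth1`, the subnet `192.168.0.0/24`, and the log lines themselves are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format the iptables LOG target writes to syslog.
# They are not taken from the original poster's logs. Addresses are documentation
# ranges (RFC 5737) and a private LAN range; eth0 is the assumed WAN-facing
# interface and eth1 the assumed LAN interface.
SAMPLE_LOG = """\
Jul  7 20:10:01 srv kernel: DROP-SMB IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:01:02:03:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3421 DPT=445 WINDOW=16384
Jul  7 20:10:05 srv kernel: DROP-SMB IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:40:96:11:22:33:08:00 SRC=198.51.100.9 DST=192.168.0.10 LEN=48 PROTO=TCP SPT=1055 DPT=139
Jul  7 20:10:07 srv kernel: DROP-SMB IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:40:96:44:55:66:08:00 SRC=192.168.0.23 DST=192.168.0.10 LEN=48 PROTO=TCP SPT=1056 DPT=139
Jul  7 20:10:09 srv kernel: DROP-INV IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=3422 DPT=22
"""

# key=value fields the LOG target emits; OUT= may be empty, hence \S* not \S+.
KEY_RE = re.compile(r"\b(IN|OUT|MAC|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_log_line(line):
    """Return a dict of the netfilter LOG fields found in one syslog line,
    or None when the line carries no IN=/SRC= pair (i.e. is not a LOG entry)."""
    fields = dict(KEY_RE.findall(line))
    if "IN" not in fields or "SRC" not in fields:
        return None
    return fields


def source_mac(fields):
    """The MAC= field is dst(6 bytes):src(6 bytes):ethertype(2 bytes), fourteen
    colon-separated octets. Return the source MAC, or None if the field is absent."""
    parts = fields.get("MAC", "").split(":")
    if len(parts) != 14:
        return None
    return ":".join(parts[6:12])


def find_lan_spoofs(lines, lan_iface, lan_net):
    """Entries that came in on lan_iface with a source address outside lan_net.
    Such packets cannot have traversed the WAN link, so they originate inside."""
    net = ipaddress.ip_network(lan_net)
    flagged = []
    for line in lines:
        fields = parse_log_line(line)
        if fields is None or fields["IN"] != lan_iface:
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
        except ValueError:
            continue  # malformed SRC; skip rather than crash on odd syslog lines
        if src not in net:
            flagged.append(fields)
    return flagged


def smb_hits_by_interface(lines):
    """Count TCP 139/445 log entries per ingress interface."""
    counts = Counter()
    for line in lines:
        fields = parse_log_line(line)
        if fields and fields.get("PROTO") == "TCP" and fields.get("DPT") in ("139", "445"):
            counts[fields["IN"]] += 1
    return counts


def main():
    lines = SAMPLE_LOG.splitlines()
    print("SMB hits per interface:", dict(smb_hits_by_interface(lines)))
    for entry in find_lan_spoofs(lines, "eth1", "192.168.0.0/24"):
        print("LAN-side packet with non-LAN source:",
              entry["SRC"], "-> port", entry.get("DPT"),
              "from MAC", source_mac(entry))


if __name__ == "__main__":
    main()
```

Run against real logs by replacing `SAMPLE_LOG` with the output of `grep kernel: /var/log/messages` (or wherever the LOG target lands); a non-empty list from `find_lan_spoofs` on the LAN interface is the evidence Antony describes, and the source MAC tells you whether it matches one of the two permitted wireless cards.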