Re: Samba "Leak"

[Antony Stone <Antony@Soft-Solutions.co.uk>]

On Wednesday 07 July 2004 8:23 pm, David Cary Hart wrote:

> I cannot figure this out. Our server - running IPTables - has very few
> ports open to input and the default is Drop. While a substantial number
> of 139 and 445 packets show up in the log as rejected, I am seeing a few
> attempts to connect to Samba in the log. These are identified by WAN IPs
> so they are not spoofing localhost or a LAN IP.
>
> I also have INVALID and fragmented packets rejected so that path is
> closed.
>
> So far, nobody has actually gained access, yet it is disconcerting. Any
> ideas how these are getting past the firewall?

So, you have a firewall (routing packets between LAN & Internet), and you also 
have netfilter running on Samba server?

You have netfilter LOGging turned on on the server for these packets - do you 
also have the same LOGging rules on the firewall (so that you would see if 
that's where they were coming from)?

Here are my comments / thoughts:

1. Just because you're seeing WAN addresses doesn't mean they aren't spoofed 
(they could be packets from the LAN, but with external source addresses?)

2. Do you have any wireless involved anywhere, as a means for unknown clients 
to access the network?

3. A packet sniffer / IDS on the external firewall link + the Samba subnet 
(DMZ?) should tell you what is really going on.   Maybe a chance to play with 
Snort :)

Regards,

Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

                                                     Please reply to the list;
                                                           please don't CC me.