Re: [CentOS] Security help desperately needed - more info

2008-02-07 Thread Anne Wilson
On Thursday 07 February 2008 10:29, Anne Wilson wrote:
> I need to have the following services from my server:
>
> imap - mostly by lan, but occasionally external
> file and print serve
> samba access - read and write to some directories

<snip>

> I feel to be thrashing helplessly.  I need help to find a sensible strategy
> for sorting this, then setting correct security measures.

Logwatch for yesterday shows the following:

 --------------------- Automount Begin ------------------------

 **Unmatched Entries**
 create_udp_client: hostname lookup failed: No such process: 17 Time(s)
 lookup_mount: exports lookup failed for .directory: 17 Time(s)
 create_tcp_client: hostname lookup failed: No such process: 17 Time(s)

 ---------------------- Automount End -------------------------

 --------------------- Mountd Begin ------------------------

 Exit after catching signal:
    Signal 15: 1 Time(s)

 ---------------------- Mountd End -------------------------

 --------------------- samba Begin ------------------------

 WARNING!!
 Errors when creating subnets:
    No subnets to listen to. Shutting down. : 1 Time(s)

 **Unmatched Entries**
 libsmb/nmblib.c:send_udp(791)  Packet send failed to 192.168.0.255(138) ERRNO=Invalid argument : 1 Time(s)
 libsmb/smb_signing.c:srv_check_incoming_message(737)  srv_check_incoming_message: BAD SIG: seq 2 wanted SMB signature of : 6 Time(s)
 libsmb/smb_signing.c:srv_check_incoming_message(741)  srv_check_incoming_message: BAD SIG: seq 2 got SMB signature of : 6 Time(s)

 ---------------------- samba End -------------------------

I asked the samba mailing list recently about reports similar to the last 
section, but have had no reply.

Anne
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Security help desperately needed - more info

2008-02-07 Thread Milton Calnek



Anne Wilson wrote:
>  --------------------- samba Begin ------------------------
>
>  WARNING!!
>  Errors when creating subnets:
>     No subnets to listen to. Shutting down. : 1 Time(s)

Hmmm... let's see your smb.conf.

--
Milton Calnek BSc, A/Slt(Ret.)
[EMAIL PROTECTED]
306-717-8737


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: [CentOS] Security help desperately needed - more info

2008-02-07 Thread Milton Calnek



Michael Simpson wrote:
> Hi there,
>
> Should the IP address supplied be the actual address for eth0 rather
> than the network address?
>
> ie 192.168.0.1/24 rather than 192.168.0.0/24


I dunno...
what does 192.168.0.1/24 mean?
what does 192.168.0.0/24 mean?

The way I see it, they both mean 192.168.0.0 - 192.168.0.255.

--
Milton Calnek BSc, A/Slt(Ret.)
[EMAIL PROTECTED]
306-717-8737




Re: [CentOS] Security help desperately needed - more info

2008-02-07 Thread Milton Calnek



Anne Wilson wrote:
> On Thursday 07 February 2008 13:53, Milton Calnek wrote:
> > Anne Wilson wrote:
> > >  --------------------- samba Begin ------------------------
> > >
> > >  WARNING!!
> > >  Errors when creating subnets:
> > >     No subnets to listen to. Shutting down. : 1 Time(s)
> >
> > Hmmm... let's see your smb.conf.
>
> [global]
> workgroup = LYDGATE.LAN
> server string = Samba Server Version %v
> interfaces = lo, eth0, 192.168.0.0/24
> map to guest = Bad User
> passdb backend = tdbsam # See comment below
> username map = /etc/samba/smbusers
>
> I normally keep a minimal smb.conf, hand-edited.  My LAN is a simple home one,
> no domain.  This looks as though it was created through a gui - I believe I
> did examine it in kcontrol, so that's probably the reason.  I don't recognise
> the passdb-backend line.  I use smb-passwd and have never had a line like
> that before.  Is it correct?




I think the passdb is fine.  It means that the samba server keeps its
own password file.


I didn't see anything obvious.

Does testparm tell you anything?

What happens when you try to use smbclient?
smbclient //localhost/ANNE -U anne


--
Milton Calnek BSc, A/Slt(Ret.)
[EMAIL PROTECTED]
306-717-8737




Re: [CentOS] Security help desperately needed - more info

2008-02-07 Thread Michael Simpson
On 2/7/08, Anne Wilson [EMAIL PROTECTED] wrote:
> On Thursday 07 February 2008 13:53, Milton Calnek wrote:
> > Anne Wilson wrote:
> > >  --------------------- samba Begin ------------------------
> > >
> > >  WARNING!!
> > >  Errors when creating subnets:
> > >     No subnets to listen to. Shutting down. : 1 Time(s)
> >
> > Hmmm... let's see your smb.conf.
>
> [global]
> workgroup = LYDGATE.LAN
> server string = Samba Server Version %v
> interfaces = lo, eth0, 192.168.0.0/24

Hi there,

Should the IP address supplied be the actual address for eth0 rather
than the network address?

ie 192.168.0.1/24 rather than 192.168.0.0/24

mike


Re: [CentOS] Security help desperately needed - more info

2008-02-07 Thread Anne Wilson
On Thursday 07 February 2008 16:10:24 Michael Simpson wrote:
> On 2/7/08, Anne Wilson [EMAIL PROTECTED] wrote:
> > On Thursday 07 February 2008 15:13, Michael Simpson wrote:
> > > I could be wrong (often am) but it might be worth trying it out to see
> > > if it gets rid of the error pertaining to subnet creation.
> >
> > I took the notation as I set it from a book when I first started using
> > samba - 2001/2?  'Using Samba', I believe.  It has worked without a
> > problem up to now.  I don't think that smb.conf as such is the problem.
> >
> > Anne
>
> i agree
> Life is just one big learning experience.
> After sitting various cisco certs i get a bit hung up about ip addressing.
> Didn't use 0 subnets for years for instance, guess i need to loosen up

<sigh> so after taking an hour out to eat, I come back to the laptop only to
find that samba is once more unavailable.  Back out to the office, and

service  smb status
smbd (pid 2871 2859) is running...
nmbd dead but pid file exists

I've never known samba to be flaky before - it always either worked, or 
didn't.

Anne





Re: [CentOS] Security help desperately needed - more info

2008-02-07 Thread Anne Wilson
On Thursday 07 February 2008 15:13, Michael Simpson wrote:
> I could be wrong (often am) but it might be worth trying it out to see
> if it gets rid of the error pertaining to subnet creation.

I took the notation as I set it from a book when I first started using samba - 
2001/2?  'Using Samba', I believe.  It has worked without a problem up to 
now.  I don't think that smb.conf as such is the problem.

Anne


Re: [CentOS] Security help desperately needed - more info

2008-02-07 Thread Anne Wilson
On Thursday 07 February 2008 14:34, Milton Calnek wrote:
> Anne Wilson wrote:
> > On Thursday 07 February 2008 13:53, Milton Calnek wrote:
> > > Anne Wilson wrote:
> > > >  --------------------- samba Begin ------------------------
> > > >
> > > >  WARNING!!
> > > >  Errors when creating subnets:
> > > >     No subnets to listen to. Shutting down. : 1 Time(s)
> > >
> > > Hmmm... let's see your smb.conf.
> >
> > [global]
> > workgroup = LYDGATE.LAN
> > server string = Samba Server Version %v
> > interfaces = lo, eth0, 192.168.0.0/24
> > map to guest = Bad User
> > passdb backend = tdbsam # See comment below
> > username map = /etc/samba/smbusers
> >
> > I normally keep a minimal smb.conf, hand-edited.  My LAN is a simple home
> > one, no domain.  This looks as though it was created through a gui - I
> > believe I did examine it in kcontrol, so that's probably the reason.  I
> > don't recognise the passdb-backend line.  I use smb-passwd and have never
> > had a line like that before.  Is it correct?
>
> I think the passdb is fine.  It means that the samba server keeps its
> own password file.
>
> I didn't see anything obvious.
>
> Does testparm tell you anything?

Nothing at all.  The above was taken from a testparm output.

> What happens when you try to use smbclient?
> smbclient //localhost/ANNE -U anne

Password:
Domain=[BORG2] OS=[Unix] Server=[Samba 3.0.25b-1.el5_1.4]
smb: \ 

Part way through the morning I rebooted the server and samba has performed 
since then.  I suspect SELinux problems.  I had tried to implement it 
yesterday, then switched it out while troubleshooting.  I forgot that SELinux 
is one thing that really needs a reboot.  I'm going to try to get the 
firewall working satisfactorily first, before tackling SELinux again.

Anne


RE: [CentOS] Security help desperately needed - more info

2008-02-07 Thread Ross S. W. Walker
Michael Simpson wrote:
> On 2/7/08, Anne Wilson [EMAIL PROTECTED] wrote:
> > On Thursday 07 February 2008 13:53, Milton Calnek wrote:
> > > Anne Wilson wrote:
> > > >  --------------------- samba Begin ------------------------
> > > >
> > > >  WARNING!!
> > > >  Errors when creating subnets:
> > > >     No subnets to listen to. Shutting down. : 1 Time(s)
> > >
> > > Hmmm... let's see your smb.conf.
> >
> > [global]
> > workgroup = LYDGATE.LAN
> > server string = Samba Server Version %v
> > interfaces = lo, eth0, 192.168.0.0/24
>
> Hi there,
>
> Should the IP address supplied be the actual address for eth0 rather
> than the network address?
>
> ie 192.168.0.1/24 rather than 192.168.0.0/24

If in doubt RTFM:

interfaces (G)
   This option allows you to override the  default  network  interfaces
   list  that  Samba will use for browsing, name registration and other
   NBT traffic. By default Samba will query the kernel for the list  of
   all  active  interfaces and use any interfaces except 127.0.0.1 that
   are broadcast capable.
More in the man page

Per the man page the interfaces directive seems to only control which
interfaces smb will listen for and respond to name requests.

If you wanted smb to bind to only those interfaces you will need to
combine it with:

bind interfaces only (G)
   This global parameter allows the Samba admin to limit what interfaces
   on a machine will serve SMB requests. It affects file service smbd(8)
   and name service nmbd(8) in a slightly different ways.

   For name service it causes nmbd to bind to ports 137 and 138 on the
   interfaces listed in the interfaces parameter. nmbd also binds to the
   all addresses interface (0.0.0.0) on ports 137 and 138 for the
   purposes of reading broadcast messages. If this option is not set
   then nmbd will service name requests on all of these sockets. If bind
   interfaces only is set then nmbd will check the source address of any
   packets coming in on the broadcast sockets and discard any that don't
   match the broadcast addresses of the interfaces in the interfaces
   parameter list. As unicast packets are received on the other sockets
   it allows nmbd to refuse to serve names to machines that send packets
   that arrive through any interfaces not listed in the interfaces list.
   IP Source address spoofing does defeat this simple check, however, so
   it must not be used seriously as a security feature for nmbd.

   For file service it causes smbd(8) to bind only to the interface list
   given in the interfaces parameter. This restricts the networks that
   smbd will serve to packets coming in those interfaces. Note that you
   should not use this parameter for machines that are serving PPP or
   other intermittent or non-broadcast network interfaces as it will not
   cope with non-permanent interfaces.

   If bind interfaces only is set then unless the network address
   127.0.0.1 is added to the interfaces parameter list smbpasswd(8) and
   swat(8) may not work as expected due to the reasons covered below.

   To change a users SMB password, the smbpasswd by default connects to
   the localhost - 127.0.0.1 address as an SMB client to issue the
   password change request. If bind interfaces only is set then unless
   the network address 127.0.0.1 is added to the interfaces parameter
   list then smbpasswd will fail to connect in it's default mode.
   smbpasswd can be forced to use the primary IP interface of the local
   host by using its smbpasswd(8) -r remote machine parameter, with
   remote machine set to the IP name of the primary interface of the
   local host.

   The swat status page tries to connect with smbd and nmbd at the
   address 127.0.0.1 to determine if they are running. Not adding
   127.0.0.1 will cause smbd and nmbd to always show not running even
   if they really are. This can prevent swat from
   starting/stopping/restarting smbd and nmbd.

   Default: bind interfaces only = no


I would look at the DNS setup to make sure all host names are resolvable,
maybe the /etc/hosts file isn't setup properly. Make sure smb ports are
open inbound and outbound in iptables and the latest selinux profile is
installed.

-Ross

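Added example, not part of the original thread: a small check of the two man-page points quoted above, namely that `interfaces` alone does not restrict what smbd binds to, and that `bind interfaces only` without a loopback entry affects smbpasswd and swat. The function names, the finding codes and the assumption that the loopback device is named `lo` are illustrative; the two "bound" configurations are constructed.

```python
import ipaddress
import re

def load_global(text):
    """Collect [global] parameters; Samba ignores case and spaces in names."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def has_loopback(interfaces):
    """True if the list names an address in 127.0.0.0/8 or the loopback device."""
    for entry in re.split(r"[,\s]+", interfaces.strip()):
        try:
            if ipaddress.ip_address(entry.split("/", 1)[0]).is_loopback:
                return True
        except ValueError:
            # Not an address, so an interface name such as eth0.
            # Assumption: the loopback device is called "lo" (Linux).
            if entry == "lo":
                return True
    return False

def check_binding(text):
    """Return finding codes for the interfaces / bind interfaces only pair."""
    g = load_global(text)
    bind_only = g.get("bindinterfacesonly", "no").lower() in ("yes", "true", "1")
    findings = []
    if "interfaces" in g and not bind_only:
        # Per the man page, smbd binds only to the list when the option is set.
        findings.append("interfaces-without-bind")
    if bind_only and not has_loopback(g.get("interfaces", "")):
        # smbpasswd and swat connect to 127.0.0.1 and may not work as expected.
        findings.append("no-loopback")
    return findings

# [global] lines as posted in the thread (no "bind interfaces only" line).
POSTED = "[global]\n  workgroup = LYDGATE.LAN\n  interfaces = lo, eth0, 192.168.0.0/24\n"
# Constructed variants for comparison.
BOUND_NO_LO = "[global]\n  interfaces = eth0 192.168.0.0/24\n  bind interfaces only = yes\n"
BOUND_WITH_LO = "[global]\n  interfaces = lo eth0\n  Bind Interfaces Only = Yes\n"

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("bound, no lo", BOUND_NO_LO),
                       ("bound, with lo", BOUND_WITH_LO)):
        print(f"{name}: {check_binding(conf) or 'no findings'}")
```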

Re: [CentOS] Security help desperately needed - more info

2008-02-07 Thread Anne Wilson
On Thursday 07 February 2008 13:53, Milton Calnek wrote:
> Anne Wilson wrote:
> >  --------------------- samba Begin ------------------------
> >
> >  WARNING!!
> >  Errors when creating subnets:
> >     No subnets to listen to. Shutting down. : 1 Time(s)
>
> Hmmm... let's see your smb.conf.

[global]
workgroup = LYDGATE.LAN
server string = Samba Server Version %v
interfaces = lo, eth0, 192.168.0.0/24
map to guest = Bad User
passdb backend = tdbsam # See comment below
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
acl compatibility = winnt
server signing = auto
os level = 66
preferred master = No   # needs changing to yes
domain master = No
ldap ssl = no
guest ok = Yes
hosts allow = 127., 192.168.0.
cups options = raw

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[DATA1]
path = /Data1/
read only = No

[DATA2]
path = /Data2
read only = No

[DATA3]
path = /Data3/
valid users = anne, gillian, david
read only = No

[DOWNLOADS]
path = /home/anne/Downloads
read only = No

[LYDGATE DESIGN]
path = /Data1/LydgateDesign/
read only = No

[ANNE]
path = /home/anne/
read only = No
guest ok = No
case sensitive = No
strict locking = No
msdfs proxy = yes

I normally keep a minimal smb.conf, hand-edited.  My LAN is a simple home one, 
no domain.  This looks as though it was created through a gui - I believe I 
did examine it in kcontrol, so that's probably the reason.  I don't recognise 
the passdb-backend line.  I use smb-passwd and have never had a line like 
that before.  Is it correct?

Anne


Re: [CentOS] Security help desperately needed - more info

2008-02-07 Thread mouss

Anne Wilson wrote:
> /etc/hosts is fine.  All possible connections on the lan are correctly
> defined.  dns resolution is via my isp, and again the IP addresses are
> correctly set.  That leaves the security settings, where I believe the
> problem is.  So, let's start with iptables.  I've never worked directly with
> iptables before.  I use shorewall when I set up the older server, a long time
> ago.  /usr/share/doc/iptables... doesn't help.  Does that mean that the man
> pages are the only help?  Googling, I suppose.  Any particular documents
> recommended?
  


do an
# iptables-save > somefile

edit somefile and put the following 4 lines somewhere (before the
lines that reject everything)

-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT

adjust the IP sources (the -s 192.168.0.0/24) as you need. I am assuming
that you have a rule like this:

-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

then
# iptables-restore < somefile

if you're happy with that, then
# iptables-save > /etc/sysconfig/iptables
so that this survives a reboot.
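Added example, not part of the original thread: a check that can be run over the edited `somefile` before `iptables-restore`, confirming that each of the four SMB ACCEPT rules sits before the catch-all reject and is limited by a source address. The function names, status strings and the sample dump are constructed for illustration; the chain name and ports are the ones in the message above.

```python
import shlex

# Ports from the four rules in the message above.
SMB_PORTS = [("udp", "137"), ("udp", "138"), ("tcp", "139"), ("tcp", "445")]

def parse_chain(dump, chain):
    """Return the chain's rules in file order, keeping only the fields checked here."""
    rules = []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A" or tok[1] != chain:
            continue
        rules.append({t: tok[i + 1] for i, t in enumerate(tok[:-1])
                      if t in ("-i", "-p", "-s", "-j", "--dport", "--state")})
    return rules

def audit_smb(dump, chain="RH-Firewall-1-INPUT"):
    """Map each SMB port to ok / open-to-any-source / shadowed / missing."""
    rules = parse_chain(dump, chain)
    # First REJECT/DROP with no interface, protocol, source or port match:
    # the "lines that reject everything". Rules after it are never reached.
    cutoff = next((i for i, r in enumerate(rules)
                   if r.get("-j") in ("REJECT", "DROP") and set(r) == {"-j"}),
                  len(rules))
    report = {}
    for proto, port in SMB_PORTS:
        status = "missing"
        for i, r in enumerate(rules):
            if (r.get("-j"), r.get("-p"), r.get("--dport")) != ("ACCEPT", proto, port):
                continue
            if i > cutoff:
                status = "shadowed"
            else:
                status = "ok" if "-s" in r else "open-to-any-source"
                break
        report[f"{proto}/{port}"] = status
    # The RELATED,ESTABLISHED rule the message assumes is present.
    report["established"] = "ok" if any(
        "ESTABLISHED" in r.get("--state", "") and r.get("-j") == "ACCEPT"
        for r in rules[:cutoff]) else "missing"
    return report

# Constructed iptables-save dump: the 138 rule lacks -s, 445 sits after the REJECT.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for key, status in audit_smb(SAMPLE).items():
        print(f"{key:12} {status}")
```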


Re: [CentOS] Security help desperately needed - more info

2008-02-07 Thread mouss

Milton Calnek wrote:
> Michael Simpson wrote:
> > Hi there,
> >
> > Should the IP address supplied be the actual address for eth0 rather
> > than the network address?
> >
> > ie 192.168.0.1/24 rather than 192.168.0.0/24
>
> I dunno...
> what does 192.168.0.1/24 mean?

this one is not always accepted.

> what does 192.168.0.0/24 mean?

this is the correct one.

> The way I see it, they both mean 192.168.0.0 - 192.168.0.255.

yes, but the first version is not accepted by all software. because no
IP will satisfy

   bin(ip) & 0xff00 = bin(192.168.0.1)

anyway, I have a samba setup with
   interfaces = 192.168.10.0/24
and it works.  so this is not the source of the problem.





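Added example, not part of the original thread: the masked comparison described above, applied to every address in 192.168.0.0/24 using the 32-bit mask for /24, to show why a spec with host bits set matches nothing in software that compares against the address as written, and matches the whole subnet in software that masks the spec first. The function names are illustrative; Python's `ipaddress.ip_network` stands in for a strict parser.

```python
import ipaddress

def split_spec(spec):
    """Split 'a.b.c.d/len' into (address, mask) integers without normalising."""
    addr, length = spec.split("/")
    mask = (0xFFFFFFFF << (32 - int(length))) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)), mask

def naive_match(ip, spec):
    """The test from the message: (ip & mask) == address exactly as written."""
    addr, mask = split_spec(spec)
    return (int(ipaddress.IPv4Address(ip)) & mask) == addr

def normalised_match(ip, spec):
    """Mask the spec's address too, so host bits in the spec are ignored."""
    addr, mask = split_spec(spec)
    return (int(ipaddress.IPv4Address(ip)) & mask) == (addr & mask)

def count_matches(match, spec, hosts):
    """Number of hosts the given matcher accepts for this spec."""
    return sum(1 for h in hosts if match(h, spec))

def strict_accepts(spec):
    """Whether a strict parser (host bits must be zero) accepts the spec."""
    try:
        ipaddress.ip_network(spec)      # strict=True is the default
        return True
    except ValueError:
        return False

# Every address in the thread's LAN, 192.168.0.0 - 192.168.0.255.
LAN = [f"192.168.0.{i}" for i in range(256)]

if __name__ == "__main__":
    for spec in ("192.168.0.0/24", "192.168.0.1/24"):
        print(spec,
              "strict parser accepts:", strict_accepts(spec),
              "| naive matches:", count_matches(naive_match, spec, LAN),
              "| normalised matches:", count_matches(normalised_match, spec, LAN))
```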


Re: [CentOS] Security help desperately needed - more info

2008-02-07 Thread Michael Simpson
On 2/7/08, Milton Calnek [EMAIL PROTECTED] wrote:
> Michael Simpson wrote:
> > Hi there,
> >
> > Should the IP address supplied be the actual address for eth0 rather
> > than the network address?
> >
> > ie 192.168.0.1/24 rather than 192.168.0.0/24
>
> I dunno...
> what does 192.168.0.1/24 mean?
> what does 192.168.0.0/24 mean?
>
> The way I see it, they both mean 192.168.0.0 - 192.168.0.255.


from rfc 919

If the use of all ones in a field of an IP address means
   broadcast, using all zeros could be viewed as meaning
   unspecified.  There is probably no reason for such addresses to
   appear anywhere but as the source address of an ICMP Information
   Request datagram.  However, as a notational convention, we refer to
   networks (as opposed to hosts) by using addresses with zero fields.
   For example, 36.0.0.0 means network number 36 while 36.255.255.255
   means all hosts on network number 36.

iirc smb.conf is expecting the actual ip address of the interface in
the interfaces= field rather than the network address

The /24 is just the CIDR way of expressing the netmask therefore
192.168.0.0/24 to me means 192.168.0.0-255  because the network
address is being used whereas 192.168.0.1/24 means the more specific
host address 192.168.0.1.255.255.255.0

I could be wrong (often am) but it might be worth trying it out to see
if it gets rid of the error pertaining to subnet creation.

mike


Re: [CentOS] Security help desperately needed - more info

2008-02-07 Thread Anne Wilson
On Thursday 07 February 2008 15:14, Ross S. W. Walker wrote:
> I would look at the DNS setup to make sure all host names are resolvable,
> maybe the /etc/hosts file isn't setup properly. Make sure smb ports are
> open inbound and outbound in iptables and the latest selinux profile is
> installed.

/etc/hosts is fine.  All possible connections on the lan are correctly 
defined.  dns resolution is via my isp, and again the IP addresses are 
correctly set.  That leaves the security settings, where I believe the 
problem is.  So, let's start with iptables.  I've never worked directly with 
iptables before.  I use shorewall when I set up the older server, a long time 
ago.  /usr/share/doc/iptables... doesn't help.  Does that mean that the man 
pages are the only help?  Googling, I suppose.  Any particular documents 
recommended?

SELinux can wait until this is sorted.

Anne


Re: [CentOS] Security help desperately needed - more info

2008-02-07 Thread Michael Simpson
On 2/7/08, Anne Wilson [EMAIL PROTECTED] wrote:
> On Thursday 07 February 2008 15:13, Michael Simpson wrote:
> > I could be wrong (often am) but it might be worth trying it out to see
> > if it gets rid of the error pertaining to subnet creation.
>
> I took the notation as I set it from a book when I first started using samba -
> 2001/2?  'Using Samba', I believe.  It has worked without a problem up to
> now.  I don't think that smb.conf as such is the problem.
>
> Anne

i agree
Life is just one big learning experience.
After sitting various cisco certs i get a bit hung up about ip addressing.
Didn't use 0 subnets for years for instance, guess i need to loosen up
:-)

mike