My Samba log files are in /var/log/samba; most Linux systems will put them there also, but that can be changed.
On Fri, 2004-06-11 at 11:15, Reno L wrote:
I agree with almost all of the points here. However, I have a tiny verification to check if I am right on this: a Port is a concept based on the transport layer, say, only TCP and UDP have Ports. IP, as the network layer, doesn't have Ports.
For a Firewall, whether software or hardware, in one word, it is something that always allows whatever is outgoing and denies whatever is incoming by default. As long as you don't open the Port on the firewall, no Port "hole" will show up to the public. That means, if you have something called a Firewall, it should close every port by default unless you open some of them by accident.
Of course, it is possible for some hacker to work really hard to break through some high-end enterprise firewall, but for a home user, nobody will pay them to do so. I never use old mode of Firewall, but I think if a vendor calls something a Firewall, it should close every port by default, hence you don't need to worry about it. Or, just go ahead and buy a new one like the Dlink 604.
BTW, I want to know how and where you read the Samba log file in your Linux box?
Reno
Shawn Grover <[EMAIL PROTECTED]> wrote:
Most of the low-end firewalls only do packet filtering based on the IP Port. If your firewall allows traffic on port 139, then you will likely see attempts to connect to your network. (Port 139 being for NetBIOS names, which MS uses for file/print sharing). These firewalls do not attempt to detect/block virus traffic - if the virus attempts access to your network on a port that the firewall allows through, then you need to rely on a second line of defense (i.e. antivirus software).
The quickest and easiest solution is to ensure your firewall isn't allowing undesired ports in. If you have a typical home network (something like INTERNET ---- Firewall ---- Workstation(s) ), then you can turn off port 139 on your firewall completely. If your network is a little more advanced, and you use multiple firewalls to segment workstations from each other (think of different departments in a larger business), then you might NEED port 139 open. However, there is no reason to ever allow traffic on port 139 to connect to your router from the external interface, if it isn't initiated internally (Basically, block 139 on incoming traffic from the Internet).
All that said, there is a chance your situation isn't this simple. I personally use an old P-166 as my firewall running IPCop. IPCop is smart enough to recognize incoming attacks and block them (if you turn on Intrusion Detection). With regards to DSL, you can plug the DSL line directly into a network card, so you do not need a specific "DSL firewall". Since I've started using IPCop, I have yet to see a single virus get through to my network (knock on wood), and that includes the Blaster storm, the MS SQL Propagation attacks, and the more recent Sasser wave. But part of this might be due to the fact that I'm aware of how viruses can infect a system, and don't do those things (i.e. opening executable email attachments).
HTH
Shawn
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roy Souther
Sent: Friday, June 11, 2004 10:02 AM
To: CLUG General
Subject: [clug-talk] Samba logging virus getting through firewall
I have a cheap NetGear DSL firewall NAT switch at home. It is not very good but I don't have anything fancy going so it does what I need. I have looked for newer firmware for my model of NetGear but I already have the newest firmware for my system.
While trying to tweak my NFS shares I found that there are hundreds of Samba log files from IPs outside of my firewall. These look like a virus is trying to see if I have Win32 systems on my LAN to infect.
I don't follow the Win32 viruses. What virus could this be? Is there any danger to a Samba system? I shut my home Samba down, don't need it there.
Is anyone else having problems with Win32 viruses that just walk right through their firewalls?
Are there DSL firewall boxes that are better than this NetGear junk?
My smoothwall at work seems to be blocking the virus.
I have a copy of the Knoppix STD, I am thinking I should try it and see what is happening.
_______________________________________________
clug-talk mailing list
[EMAIL PROTECTED]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
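
Added example (not part of the original thread): one way to triage the situation Roy describes, by sorting the per-client files in the Samba log directory into internal and external clients. It assumes Samba is writing one log per client named log.<client> (the common `log file = /var/log/samba/log.%m` setting) and that the LAN uses the private ranges listed; the function names and sample file names are constructed for illustration.

```python
import ipaddress
from pathlib import Path

# Assumption: the LAN uses these private/local ranges; adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
DAEMON_LOGS = {"smbd", "nmbd", "winbindd"}  # the daemons' own logs, not clients

def classify(filename):
    """Map one log file name to (kind, client)."""
    if not filename.startswith("log."):
        return ("other", None)
    client = filename[len("log."):]
    if client.endswith(".old"):          # rotated copy of the same client's log
        client = client[:-len(".old")]
    if client in DAEMON_LOGS:
        return ("daemon", client)
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return ("named", client)         # NetBIOS name: origin unknown from name alone
    inside = any(addr in net for net in INTERNAL_NETS)
    return ("internal" if inside else "external", str(addr))

def summarize(filenames):
    """Group unique clients by kind, ignoring daemon and unrelated files."""
    groups = {"external": set(), "internal": set(), "named": set()}
    for name in filenames:
        kind, client = classify(name)
        if kind in groups:
            groups[kind].add(client)
    return {kind: sorted(clients) for kind, clients in groups.items()}

def scan(log_dir="/var/log/samba"):
    """Summarize the files actually present in the Samba log directory."""
    return summarize(p.name for p in Path(log_dir).iterdir() if p.is_file())

# Constructed sample listing (documentation addresses, not real hosts).
SAMPLE = ["log.smbd", "log.nmbd", "log.192.168.0.12", "log.203.0.113.45",
          "log.203.0.113.45.old", "log.198.51.100.7", "log.workstation1", "cores"]

if __name__ == "__main__":
    for kind, clients in summarize(SAMPLE).items():
        print(f"{kind:9} {len(clients):3}  {', '.join(clients)}")
```

Any entry under "external" means an SMB connection reached the Samba host from outside the listed ranges, which is the case for blocking port 139 on the firewall's Internet-facing side.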