(cc'd to some other non-list guys as a critical topic that is not often
discussed and often forgotten about)


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 28 September 2000 11:39 AM
> To: Firewalls Mailinglist
> Subject: Counter Measures for a SMB logon.
> 
> 
> Does anyone have some good counter measures for an SMB attack?
> 
> The IP was listed as 195.128.157.67 with a domain name of VINT.
> 
> And how could they get the login ID's with this approach?
> 
> What program would they be using?
> (This was systematic with a 4 second interval.)
> 
> Alex

Snarfing a domain user/sid list is a piece of cake if you don't have
restrictanonymous=1 in the lanmanserver parameters key.
Even a simple shell or perl script in combination with smbclient would be
able to brute their way into your LAN.
The main question is, how come you're letting SMB into your network????
Crazy stuff I reckon. Unbind the whole netbios swag from your external
interfaces (what? You're using NAT for internal addresses? heheh :))
including the WINS client and DHCP services.

And a firewall won't guarantee security if you leave this stuff gapingly
exposed to an external network, DMZ or no DMZ.


For an example of how vulnerable SMB is when externally published, get
RedButton. A nice, non-intrusive tool designed to show you what the
hAx0rz can see.

regards
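
The pattern reported in the quoted message (logon attempts at a steady 4 second interval from one address) can be picked out of logon failure logs by its cadence. The following is an added example, not part of the original email; the log format, field names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in a hypothetical log format (not from the original email).
SAMPLE_LOG = """\
2000-09-28T11:20:00 LOGON_FAIL src=192.0.2.10 user=administrator
2000-09-28T11:20:04 LOGON_FAIL src=192.0.2.10 user=alex
2000-09-28T11:20:07 LOGON_FAIL src=198.51.100.7 user=jsmith
2000-09-28T11:20:08 LOGON_FAIL src=192.0.2.10 user=backup
2000-09-28T11:20:12 LOGON_FAIL src=192.0.2.10 user=guest
2000-09-28T11:20:16 LOGON_FAIL src=192.0.2.10 user=sqlsvc
2000-09-28T11:26:41 LOGON_FAIL src=198.51.100.7 user=jsmith
2000-09-28T11:26:50 LOGON_OK src=198.51.100.7 user=jsmith
"""

LINE_RE = re.compile(r"^(\S+) LOGON_FAIL src=(\S+) user=(\S+)$")

def find_paced_sources(log_text, min_attempts=5, max_jitter=1.0):
    """Return {src: (attempts, median_gap_seconds, distinct_users)} for sources
    whose failed logons arrive at a near-constant interval."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user = m.groups()
            by_src[src].append((datetime.fromisoformat(ts), user))

    flagged = {}
    for src, events in by_src.items():
        if len(events) < min_attempts:
            continue
        events.sort()
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        # A script on a timer produces gaps that barely deviate from the median;
        # a person mistyping a password does not.
        if all(abs(g - mid) <= max_jitter for g in gaps):
            flagged[src] = (len(events), mid, len({u for _, u in events}))
    return flagged

if __name__ == "__main__":
    for src, (n, gap, users) in find_paced_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} failures, ~{gap:.0f}s apart, {users} distinct accounts")
```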


