On Sat, 2005-04-09 at 06:47 -0600, [EMAIL PROTECTED] wrote:
> I am having a linux box configured with (dhcp-ed) DIAS, and
> squid, sendmail, samba etc, etc. and as usual get an ip in 61.3.118.0 subnet |
> network
>
> What I interpreted is that a group of hosts is trying to access my samba
> service, whereas my samba service is only catered to local
> network (192.168.0.0/24), so is it an attack?
>
> please help....
>
>
> contents of /var/log/messages:
> ============================================================
> Apr 9 17:02:51 server1 smbd[6128]: [2005/04/09 17:02:51, 0]
> lib/access.c:check_access(328)
> Apr 9 17:02:51 server1 smbd[6128]: Denied connection from (61.36.69.230)
> Apr 9 17:02:52 server1 smbd[6131]: [2005/04/09 17:02:52, 0]
> lib/access.c:check_access(328)
> Apr 9 17:02:52 server1 smbd[6131]: Denied connection from (61.36.69.230)
> Apr 9 17:02:54 server1 smbd[6132]: [2005/04/09 17:02:54, 0]
> lib/access.c:check_access(328)
> Apr 9 17:02:54 server1 smbd[6132]: Denied connection from (61.36.69.230)
> Apr 9 17:05:22 server1 smbd[6138]: [2005/04/09 17:05:22, 0]
> lib/access.c:check_access(328)
> Apr 9 17:05:22 server1 smbd[6138]: Denied connection from (61.3.111.41)
> Apr 9 17:07:03 server1 smbd[6166]: [2005/04/09 17:07:03, 0]
> lib/access.c:check_access(328)
> Apr 9 17:07:03 server1 smbd[6166]: Denied connection from (61.3.118.224)
> Apr 9 17:07:51 server1 smbd[6169]: [2005/04/09 17:07:51, 0]
> lib/access.c:check_access(328)
> Apr 9 17:07:51 server1 smbd[6169]: Denied connection from (61.3.111.41)
> Apr 9 17:08:07 server1 smbd[6170]: [2005/04/09 17:08:07, 0]
> lib/access.c:check_access(328)
> Apr 9 17:08:07 server1 smbd[6170]: Denied connection from (61.3.118.224)
> Apr 9 17:08:43 server1 smbd[6173]: [2005/04/09 17:08:43, 0]
> lib/access.c:check_access(328)
> Apr 9 17:08:43 server1 smbd[6173]: Denied connection from (61.3.137.105)
> Apr 9 17:08:57 server1 smbd[6176]: [2005/04/09 17:08:57, 0]
> lib/access.c:check_access(328)
> Apr 9 17:08:57 server1 smbd[6176]: Denied connection from (61.3.123.10)
> Apr 9 17:09:31 server1 smbd[6179]: [2005/04/09 17:09:31, 0]
> lib/access.c:check_access(328)
> Apr 9 17:09:31 server1 smbd[6179]: Denied connection from (61.3.121.146)
> Apr 9 17:10:53 server1 login(pam_unix)[4855]: session opened for user root
> by LOGIN(uid=0)
> Apr 9 17:10:53 server1 -- root[4855]: ROOT LOGIN ON tty2
> Apr 9 17:15:01 server1 smbd[6248]: [2005/04/09 17:15:01, 0]
> lib/access.c:check_access(328)
> Apr 9 17:15:01 server1 smbd[6248]: Denied connection from (61.3.118.224)
> Apr 9 17:16:28 server1 smb: smbd shutdown succeeded
> Apr 9 17:16:28 server1 nmbd[4831]: [2005/04/09 17:16:28, 0]
> nmbd/nmbd.c:terminate(54)
> Apr 9 17:16:28 server1 nmbd[4831]: Got SIGTERM: going down...
> Apr 9 17:16:28 server1 smb: nmbd shutdown succeeded

It certainly looks like someone is trying to break in. However I don't think there is adequate security on the box. IPtables should be blocking these accesses, not Samba. Is the server shutdown, logged near the bottom, a planned shutdown?

I suggest you configure IPtables properly to stop services from being exposed to the outside world. Locking down ppp0 should do the trick.

--
Soumyadip Modak
Mobile : 94330 65971
[EMAIL PROTECTED]
[EMAIL PROTECTED]
http://soumyadip.blogspot.com
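
Added example, not part of the original thread: a short Python script that groups the smbd "Denied connection" lines from the quoted log by source address and flags the sources outside the local network. It assumes the LAN is 192.168.0.0/24 as stated in the post; the function names are illustrative.

```python
import ipaddress
import re

LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")  # local network named in the post

# The syslog line smbd writes when check_access() refuses a client.
DENIED = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+smbd\[\d+\]:\s+"
                    r"Denied connection from \((?P<ip>[^)]+)\)")

# Lines excerpted from the log in the post (check_access lines left out).
SAMPLE_LOG = """\
Apr 9 17:02:51 server1 smbd[6128]: Denied connection from (61.36.69.230)
Apr 9 17:02:52 server1 smbd[6131]: Denied connection from (61.36.69.230)
Apr 9 17:02:54 server1 smbd[6132]: Denied connection from (61.36.69.230)
Apr 9 17:05:22 server1 smbd[6138]: Denied connection from (61.3.111.41)
Apr 9 17:07:03 server1 smbd[6166]: Denied connection from (61.3.118.224)
Apr 9 17:07:51 server1 smbd[6169]: Denied connection from (61.3.111.41)
Apr 9 17:10:53 server1 login(pam_unix)[4855]: session opened for user root by LOGIN(uid=0)
Apr 9 17:15:01 server1 smbd[6248]: Denied connection from (61.3.118.224)
"""

def summarize_denials(log_text, local_net=LOCAL_NET):
    """Return {ip: {"count", "first", "last", "external"}} for smbd denials."""
    hits = {}
    for line in log_text.splitlines():
        m = DENIED.match(line.strip())
        if not m:
            continue  # not a denial (e.g. the root login line)
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # field did not hold a parsable address
        e = hits.setdefault(str(addr), {"count": 0, "first": m.group("ts"),
                                        "external": addr not in local_net})
        e["count"] += 1
        e["last"] = m.group("ts")
    return hits

def external_sources(summary):
    """(ip, count) for sources outside the local network, busiest first."""
    ext = [(ip, e["count"]) for ip, e in summary.items() if e["external"]]
    return sorted(ext, key=lambda p: (-p[1], p[0]))

if __name__ == "__main__":
    for ip, n in external_sources(summarize_denials(SAMPLE_LOG)):
        print(f"{ip:15} {n} denied connection(s) from outside {LOCAL_NET}")
```

Any external source in the output means port traffic for Samba is reaching smbd from the WAN side and is being refused only by Samba's own access check, which is the exposure the reply says the firewall should close.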
