Sorry Soumya and list admin - I just forgot to sign my last message to the list
on this thread -- Pinaki.
From: Soumyadip Modak <[EMAIL PROTECTED]>
Reply-To: [email protected]
To: [email protected]
Subject: Re: [ilug-cal] /var/log/messages
Date: Sun, 10 Apr 2005 08:42:21 +0530
On Sat, 2005-04-09 at 06:47 -0600, [EMAIL PROTECTED] wrote:
> I have a Linux box configured with (dhcp-ed) DIAS, and
> squid, sendmail, samba etc., etc., and as usual it gets an IP in the 61.3.118.0 subnet |
> network.
>
> What I interpreted is that a group of hosts is trying to access my samba
> service, whereas my samba service is only catered to the local
> network (192.168.0.0/24), so is it an attack?
>
> Please help....
>
>
> contents of /var/log/messages:
> ============================================================
> Apr 9 17:02:51 server1 smbd[6128]: [2005/04/09 17:02:51, 0]
> lib/access.c:check_access(328)
> Apr 9 17:02:51 server1 smbd[6128]: Denied connection from (61.36.69.230)
> Apr 9 17:02:52 server1 smbd[6131]: [2005/04/09 17:02:52, 0]
> lib/access.c:check_access(328)
> Apr 9 17:02:52 server1 smbd[6131]: Denied connection from (61.36.69.230)
> Apr 9 17:02:54 server1 smbd[6132]: [2005/04/09 17:02:54, 0]
> lib/access.c:check_access(328)
> Apr 9 17:02:54 server1 smbd[6132]: Denied connection from (61.36.69.230)
> Apr 9 17:05:22 server1 smbd[6138]: [2005/04/09 17:05:22, 0]
> lib/access.c:check_access(328)
> Apr 9 17:05:22 server1 smbd[6138]: Denied connection from (61.3.111.41)
> Apr 9 17:07:03 server1 smbd[6166]: [2005/04/09 17:07:03, 0]
> lib/access.c:check_access(328)
> Apr 9 17:07:03 server1 smbd[6166]: Denied connection from (61.3.118.224)
> Apr 9 17:07:51 server1 smbd[6169]: [2005/04/09 17:07:51, 0]
> lib/access.c:check_access(328)
> Apr 9 17:07:51 server1 smbd[6169]: Denied connection from (61.3.111.41)
> Apr 9 17:08:07 server1 smbd[6170]: [2005/04/09 17:08:07, 0]
> lib/access.c:check_access(328)
> Apr 9 17:08:07 server1 smbd[6170]: Denied connection from (61.3.118.224)
> Apr 9 17:08:43 server1 smbd[6173]: [2005/04/09 17:08:43, 0]
> lib/access.c:check_access(328)
> Apr 9 17:08:43 server1 smbd[6173]: Denied connection from (61.3.137.105)
> Apr 9 17:08:57 server1 smbd[6176]: [2005/04/09 17:08:57, 0]
> lib/access.c:check_access(328)
> Apr 9 17:08:57 server1 smbd[6176]: Denied connection from (61.3.123.10)
> Apr 9 17:09:31 server1 smbd[6179]: [2005/04/09 17:09:31, 0]
> lib/access.c:check_access(328)
> Apr 9 17:09:31 server1 smbd[6179]: Denied connection from (61.3.121.146)
> Apr 9 17:10:53 server1 login(pam_unix)[4855]: session opened for user root by LOGIN(uid=0)
> Apr 9 17:10:53 server1 -- root[4855]: ROOT LOGIN ON tty2
> Apr 9 17:15:01 server1 smbd[6248]: [2005/04/09 17:15:01, 0]
> lib/access.c:check_access(328)
> Apr 9 17:15:01 server1 smbd[6248]: Denied connection from (61.3.118.224)
> Apr 9 17:16:28 server1 smb: smbd shutdown succeeded
> Apr 9 17:16:28 server1 nmbd[4831]: [2005/04/09 17:16:28, 0]
> nmbd/nmbd.c:terminate(54)
> Apr 9 17:16:28 server1 nmbd[4831]: Got SIGTERM: going down...
> Apr 9 17:16:28 server1 smb: nmbd shutdown succeeded
It certainly looks like someone is trying to break in. However, I don't think there is adequate security on the box. IPtables should be blocking these accesses, not Samba. Is the server shutdown, logged near the bottom, a planned shutdown?

I suggest you configure IPtables properly to stop services from being exposed to the outside world. Locking down ppp0 should do the trick.

--
Soumyadip Modak
Mobile : 94330 65971
[EMAIL PROTECTED] [EMAIL PROTECTED]
http://soumyadip.blogspot.com
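To turn the quoted /var/log/messages excerpt into a quick triage, here is an added example (not from the thread or from Samba) that parses the smbd "Denied connection" lines and splits the sources by whether they fall inside the 192.168.0.0/24 LAN from the question. The sample lines are copied from the excerpt above; the 192.168.0.77 line is constructed to exercise the LAN branch.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Lines copied from the /var/log/messages excerpt quoted in the thread,
# plus one constructed LAN-sourced line (192.168.0.77) for illustration.
SAMPLE_LOG = """\
Apr 9 17:02:51 server1 smbd[6128]: [2005/04/09 17:02:51, 0]
Apr 9 17:02:51 server1 smbd[6128]: Denied connection from (61.36.69.230)
Apr 9 17:05:22 server1 smbd[6138]: Denied connection from (61.3.111.41)
Apr 9 17:07:03 server1 smbd[6166]: Denied connection from (61.3.118.224)
Apr 9 17:08:07 server1 smbd[6170]: Denied connection from (61.3.118.224)
Apr 9 17:08:43 server1 smbd[6173]: Denied connection from (61.3.137.105)
Apr 9 17:10:53 server1 login(pam_unix)[4855]: session opened for user root by LOGIN(uid=0)
Apr 9 17:15:01 server1 smbd[6248]: Denied connection from (61.3.118.224)
Apr 9 17:20:00 server1 smbd[6300]: Denied connection from (192.168.0.77)
"""

# Networks that are legitimately allowed to reach Samba (the LAN in the question).
ALLOWED = [ip_network("192.168.0.0/24")]

DENIED_RE = re.compile(r"smbd\[(\d+)\]: Denied connection from \(([\d.]+)\)")

def parse_denied(log_text):
    """Return (pid, source_ip) for every smbd 'Denied connection' line."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            hits.append((int(m.group(1)), m.group(2)))
    return hits

def is_allowed(ip):
    """True if the source address belongs to one of the allowed networks."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED)

def summarize(log_text):
    """Count denied attempts per source, split into LAN vs external.
    Any external source reaching smbd at all shows the host firewall is
    not filtering the outside interface; Samba's own check is the last line."""
    counts = Counter(ip for _, ip in parse_denied(log_text))
    external = {ip: n for ip, n in counts.items() if not is_allowed(ip)}
    lan = {ip: n for ip, n in counts.items() if is_allowed(ip)}
    return {"external": external, "lan": lan}

if __name__ == "__main__":
    for kind, sources in summarize(SAMPLE_LOG).items():
        for ip, n in sorted(sources.items(), key=lambda kv: -kv[1]):
            print(f"{kind:8s} {ip:16s} {n} denied")
```

A non-empty "external" bucket is exactly the condition the reply above describes: those packets should have been dropped by iptables on ppp0 before smbd ever saw them.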
-- To unsubscribe, send mail to [EMAIL PROTECTED] with the body "unsubscribe ilug-cal" and an empty subject line. FAQ: http://www.ilug-cal.org/node.php?id=3
