On Wed, 2003-12-17 at 06:57, Jonas Carlsson wrote:
> I run samba 2.2.8a on my openbsd 3.4 box, installed from a package.
> All I need is the ability to mount disks from winxp boxes so I only run
> smbd, at 139/tcp.
> I tried scanning the box with nessus, and it came up with some results
> that got me curious.
> Since I don't know very much about the smb protocol I thought I should
> ask here.

The nessus text is a little alarming - given that none of the
information disclosed to your internal LAN is really that interesting...

> Have searched the archives but found only old posts, concerning older
> versions.
>
> What's a NULL session? What are domain and host SID?
> Nessus also suggests I'd limit the access to the $IPC share.

The 'securing samba' section of the howto collection includes
information on the IPC$ share.

> How can I limit this info disclosure?

You should only be running samba onto trusted networks that often need
this information, but you can restrict it a little, in some situations.

> 127.0.0.1|netbios-ssn (139/tcp)|10397|INFO|Here is the browse list of
> the remote host :
> HOSTNAME -
> This is potentially dangerous as this may help the attack of a potential
> hacker by giving him extra targets to check for
> Solution : filter incoming traffic to this port
> Risk factor : Low
>
> 127.0.0.1|netbios-ssn (139/tcp)|10395|INFO|Here is the list of the SMB
> shares of this host :
> myshare -
> IPC$ -
> ADMIN$ -
> This is potentially dangerous as this may help the attack of a potential
> hacker. Solution : filter incoming traffic to this port
> Risk factor : Medium
>
> 127.0.0.1|netbios-ssn (139/tcp)|10400|INFO|
> The remote registry can be accessed remotely using the login / password
> combination used
> for the SMB tests. Having the registry accessible to the world is not a
> good thing as it gives
> extra knowledge to a hacker.
> Solution : Apply service pack 3 if not done already,
> and set the key
> HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
> to restrict what can be browsed by non administrators.
> In addition to this, you should consider filtering incoming packets to
> this port.
> Risk factor : Low

We don't actually expose a remote registry - we expose something that
looks like it for the purpose of running various services. If you were
to follow the advice on an MS box, you would probably break things.

> 127.0.0.1|netbios-ssn (139/tcp)|10859|INFO|The host SID can be obtained
> remotely. Its value is :
> HOSTNAME : 4-55-654367899-87557843444-56789446
> An attacker can use it to obtain the list of the local users of this host
> Solution : filter the ports 137 to 139 and 445
> Risk factor : Low
>
> 127.0.0.1|netbios-ssn (139/tcp)|10398|INFO|The domain SID can be
> obtained remotely. Its value is :
> WORKGROUP : 45-0-0-0-0
> An attacker can use it to obtain the list of the local users of this host
> Solution : filter the ports 137 to 139 and 445
> Risk factor : Low
>
> 127.0.0.1|netbios-ssn (139/tcp)|10394|REPORT|
> . It was possible to log into the remote host using a NULL session.
> The concept of a NULL session is to provide a null username and
> a null password, which grants the user the 'guest' access
> To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
> Q246261 (Windows 2000).
> Note that this won't completely disable null sessions, but will prevent
> them from
> connecting to IPC$.

This is matched by the 'restrict anonymous' parameter in Samba 3.0.

> Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html.
> All the smb tests will be done as ''/'whatever' in domain

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
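
Added example, not part of the original message: an smb.conf fragment showing the kind of restriction the reply refers to (host-based limits on IPC$, and 'restrict anonymous' for Samba 3.0). The 192.0.2.0/24 subnet and the interface name fxp0 are placeholder assumptions; replace them with the trusted LAN and the real interface.

```ini
# Constructed smb.conf fragment for illustration only.

[global]
    # Accept connections only from the trusted LAN and localhost.
    # 192.0.2.0/24 is a placeholder subnet (assumption).
    hosts allow = 192.0.2.0/24 127.0.0.1
    hosts deny = 0.0.0.0/0

    # Listen only on the internal interface and loopback.
    # fxp0 is a placeholder interface name (assumption).
    interfaces = fxp0 lo0
    bind interfaces only = yes

    # Samba 3.0 parameter named in the reply; it limits what an
    # anonymous (NULL session) connection can query. A value of 2
    # is the strictest setting and can break clients that depend
    # on anonymous browsing, so test before deploying.
    restrict anonymous = 2

[IPC$]
    # Per-share override: only these hosts may connect to IPC$,
    # which is where the share list and SID queries are served.
    hosts allow = 192.0.2.0/24 127.0.0.1
    hosts deny = 0.0.0.0/0
```

Running testparm after editing confirms the file parses, and rerunning the scan from a host outside the allowed range shows whether the findings above still appear.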
