Just backing up what David said... for example, in /etc/samba/smb.conf:

[global]
    # listen only on loopback and the LAN; "bind interfaces only" is what makes
    # smbd honour this list instead of binding to every address on the box
    interfaces = 127.0.0.0/255.0.0.0 192.168.0.0/255.255.255.0
    bind interfaces only = yes

Also, block ports 137, 138, 139 and 445, UDP and TCP, with the firewall, e.g.:

# drop NetBIOS (137-139) and SMB-over-TCP (445) arriving on the public interface
iptables -A INPUT -i ppp0 -p udp --dport 137:139 -j DROP
iptables -A INPUT -i ppp0 -p udp --dport 445 -j DROP
iptables -A INPUT -i ppp0 -p tcp --dport 137:139 -j DROP
iptables -A INPUT -i ppp0 -p tcp --dport 445 -j DROP

assuming your public interface is ppp0.
You could also -j LOG, but as you've already discovered there are thousands 
of attempts on these ports, so you'd just be migrating from /var/log/samba 
to /var/log/messages or something like that. I.e. not worth logging.
Also, as David said, there are worms, but there's also stray broadcast traffic 
if you're on something like cable internet. I did an ARP listing on one 
client's firewall and got about 60 hosts that weren't theirs!

Oh, and if by chance you really need to use SMB/CIFS over the internet,
tunnel it instead. That's a whole other topic. The other way is to allow
specific hosts through your firewall, but since there's broadcast traffic
(possibly from the other end) people can snoop stuff quite easily.

On Mon, 15 Dec 2003, Nick Croft wrote:

> Evening list,
> 
> I've been extra preoccupied for the last couple of months. 
> 
> Today I took the time to look around and noticed a huge number of /var/log/samba 
> messages, all of the form:
> 
>       [2003/12/15 21:51:00, 1] smbd/service.c:make_connection(766)
>               make_connections: refusing to connect with no session setup
> 
> Among the thousands of logs - each for a separate source address, some have
> made over a thousand attempts to connect.
> 
> First of all, my password on the gateway wasn't good enough, I've fixed that
> (I think), and the attempts have stopped. I'll admit I have been a bit slack
> wrt the root password.
> 
> I don't want to insert an iptables INPUT rule for each of these addresses.
> Since these attempts are logged in /var/log/samba, is there a way of blocking
> attempted samba connections?
> 
> I would have thought that the stateful rules would have knocked this
> category out without even getting as far as a samba log.
> 
> Any help on a rule here would be much appreciated.
> 
> Nick
> 

-- 
---<GRiP>---
Electronic Hobbyist, Former Arcadia BBS nut, Occasional nudist, 
Linux Guru, SLUG/AUUG/Linux Australia member, Sydney Flashmobber,
BMX rider, Walker, Raver & rave music lover, Big kid that refuses
to grow up. I'd make a good family pet, take me home today!
        Do people actually read these things?
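An added example, not part of GRiP's or Nick's posts: a small POSIX shell script that does the triage Nick describes before the firewall rules go in, i.e. walks a Samba log directory laid out with `log file = /var/log/samba/log.%m` (one file per client, which is the assumed reason there is "a log per source address"), counts how many times each client tripped the "refusing to connect with no session setup" refusal, and lists the worst offenders and the total. The log contents and client names below are constructed to match the format quoted in the thread, not taken from a real system, and the script builds them in a temporary directory so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the original thread): count Samba "no session setup"
# refusals per client log file and rank the offenders.
# Assumes the per-client layout "log file = /var/log/samba/log.%m".
# All sample log contents below are constructed for the example.

set -eu

# Constructed sample directory: two remote clients hammering the server,
# one LAN workstation with a normal connection.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/log.203.0.113.7" <<'EOF'
[2003/12/15 21:51:00, 1] smbd/service.c:make_connection(766)
  make_connections: refusing to connect with no session setup
[2003/12/15 21:51:02, 1] smbd/service.c:make_connection(766)
  make_connections: refusing to connect with no session setup
[2003/12/15 21:51:05, 1] smbd/service.c:make_connection(766)
  make_connections: refusing to connect with no session setup
EOF

cat > "$SAMPLE_DIR/log.198.51.100.23" <<'EOF'
[2003/12/15 22:01:00, 1] smbd/service.c:make_connection(766)
  make_connections: refusing to connect with no session setup
[2003/12/15 22:01:09, 1] smbd/service.c:make_connection(766)
  make_connections: refusing to connect with no session setup
EOF

cat > "$SAMPLE_DIR/log.workstation1" <<'EOF'
[2003/12/15 09:00:00, 1] smbd/service.c:make_connection(766)
  make_connection: connection from workstation1 to share allowed
EOF

# refusal_counts DIR: print "<count> <client>" for every log.* file with at
# least one refusal, highest count first. The client is whatever Samba put
# after "log." (an IP address or a NetBIOS name, depending on name resolution).
refusal_counts() {
    dir=$1
    for f in "$dir"/log.*; do
        [ -f "$f" ] || continue
        # grep -c exits 1 on zero matches but still prints "0"; keep going.
        n=$(grep -c 'refusing to connect with no session setup' "$f" || true)
        [ "$n" -gt 0 ] && printf '%s %s\n' "$n" "${f##*/log.}"
    done | sort -rn
}

# total_refusals DIR: refusals summed over all clients.
total_refusals() {
    refusal_counts "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# top_offender DIR: client with the most refusals (first line of the ranking).
top_offender() {
    refusal_counts "$1" | awk 'NR == 1 { print $2 }'
}

refusal_counts "$SAMPLE_DIR"
echo "total refusals: $(total_refusals "$SAMPLE_DIR")"
echo "top offender:   $(top_offender "$SAMPLE_DIR")"
```

Pointed at a real `/var/log/samba` instead of `$SAMPLE_DIR`, the ranking tells you whether the noise is a handful of persistent hosts or the background scanning GRiP describes; either way the fix is the same port-level DROP on the public interface rather than one rule per address, and once those rules are in place the per-client log files should simply stop growing.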


-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
