[Lancaster] interesting security discovery
Andy Baxter
andy at earthsong.free-online.co.uk
Mon May 26 19:06:01 2003
Just to let you all know that if you're running samba (windows file sharing
server) on your linux machines, make sure it's properly configured to refuse
connections from the wider internet.

Out of curiosity, I downloaded a packet sniffer called ethereal the other
night to see what was going in and out of my ppp connection, and discovered
that about every five or ten minutes, various different machines across the
internet are trying to connect to mine and get a list of samba shares
available on my machine, using the netbios nameserver protocol at first, then
when they get the name, trying to open a samba connection. I looked up the
host ips, and they are all of the sort:

pc4-cbly1-3-cust75.glfd.cable.ntl.com
host62-197.discord.birch.net

(these are two real examples from the other night)

i.e. most likely people on dial-up connections to big service providers. So
either there are a lot of amateur hackers out there, or else a lot of people
have already had their machines infected by internet worm type viruses which
are trying to replicate themselves. I had quite a few connections from a host
called alevrius_ (various ips) which when I looked it up seemed to be
associated with a worm. Also 'gustavo', for which the first google result
turned up a cracker page in Brazil...

For me, the point is I'd never thought that a home user like me had to worry
too much about security - I thought you had to be a big organisation of some
sort to get targeted in this way. Also it's kind of interesting to know that
under the clean surface you normally see when using the internet - web
browsers, ftp clients etc, there is all this hidden traffic going on.

Don't want to make people paranoid though - if it is a windows worm program
that's being spread, it won't run in linux anyhow. For the time being, I've
just stopped running samba on boot-up, and installed some firewall software,
which I now have to work out how to configure...

The thing that still puzzles me is how anybody actually knew my ip to connect
to in the first place - there is an option in the 'host' command to get all
the host names in a particular domain, but when I tried this on the freeserve
modem server, it refused the connection.

If you want to try this out yourself, install ethereal, run it as root,
capture about 30mins to an hour of ppp traffic, then type 'nbns' in the
filter window at the bottom of the screen and press 'Apply' and see what
comes up.

If I get to the point that I'm confident about how to set up security and I'm
feeling brave, maybe I'll try opening the samba port and faking a windows C
drive and see what they're trying to do...
andy.
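As an added example (not part of Andy's post), here is a small Python decoder for the NBNS traffic the 'nbns' filter above shows: it parses NetBIOS name-service queries (UDP port 137, RFC 1002), undoes the 32-character "first-level" name encoding, and tallies which source addresses are asking for what. The packet builder, the documentation-range source addresses and the host name ANDYBOX are constructed sample data, not a real capture.

```python
import struct
from collections import Counter

QTYPE_NB, QTYPE_NBSTAT = 0x0020, 0x0021   # RFC 1002 name query / node-status ("*") query

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1002 4.1): 15 name bytes + suffix, each byte split into two nibbles written as 'A'+nibble."""
    raw = (b"*" + b"\x00" * 14 if name == "*" else name.upper().encode("ascii").ljust(15, b" ")) + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_netbios_name(encoded: bytes) -> tuple:
    """Reverse of encode_netbios_name; returns (name, suffix). Expects exactly 32 encoded bytes."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]

def parse_nbns_query(payload: bytes):
    """Parse a UDP/137 payload; returns the question as a dict, or None for responses and malformed packets."""
    if len(payload) < 50:                     # 12-byte header + 1+32+1 name field + qtype + qclass
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1 or payload[12] != 32 or payload[45] != 0:
        return None                           # response bit set, not one question, or bad name label
    name, suffix = decode_netbios_name(payload[13:45])
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    return {"txid": txid, "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass}

def build_nbns_query(txid: int, name: str, suffix: int, qtype: int) -> bytes:
    """Assemble a query payload; used here only to construct sample data."""
    header = struct.pack("!6H", txid, 0x0110, 1, 0, 0, 0)   # flags: opcode query, RD, broadcast
    return header + b"\x20" + encode_netbios_name(name, suffix) + b"\x00" + struct.pack("!HH", qtype, 1)

def summarise_probes(packets):
    """packets: iterable of (src_ip, udp_payload). Returns {src_ip: Counter of query kinds seen}."""
    seen = {}
    for src, payload in packets:
        q = parse_nbns_query(payload)
        if q is None:
            continue
        kind = "node-status" if q["qtype"] == QTYPE_NBSTAT else "name-query"
        seen.setdefault(src, Counter())[f"{kind}:{q['name']}<{q['suffix']:02X}>"] += 1
    return seen

# Constructed sample traffic (documentation addresses, not real hosts): two wildcard node-status
# probes from one source, a name query for a file-server name from another, and a response to ignore.
SAMPLE_PACKETS = [
    ("203.0.113.7", build_nbns_query(0x1234, "*", 0x00, QTYPE_NBSTAT)),
    ("203.0.113.7", build_nbns_query(0x1235, "*", 0x00, QTYPE_NBSTAT)),
    ("198.51.100.9", build_nbns_query(0x0042, "ANDYBOX", 0x20, QTYPE_NB)),
    ("198.51.100.9", struct.pack("!6H", 0x0042, 0x8580, 0, 1, 0, 0)),
]
```

Running `summarise_probes(SAMPLE_PACKETS)` gives one entry per source address; the `"*"` node-status probes are the share/name enumeration the post describes, and a `<20>` suffix marks a query for the file-server service name.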