HPE Community
Operating System - HP-UX
1837970 Members
2649 Online
110124 Solutions
New Discussion

Samba Denial of Service Attack

 
SOLVED
Go to solution
Steven E. Protter
Exalted Contributor

‎05-14-2004 04:52 AM

‎05-14-2004 04:52 AM

Samba Denial of Service Attack

I just encountered a most inventive DOS attack on an HP-9000 and two linux servers.

Basically it went like this:

There were samba authentication attempts, which all failed, but generated little log files.

ipaddress.log in the directory on /var where samba stores its logs.

Honestly, I wasn't aware that samba kept logs like this, but I never bothered to look before.

There were hundreds of thousands of attempts, each creating log files. Several of the attempts managed to create rather huge log files.

So /var filled up and the systems stop accepting mail, which is how it came to my attention.

Actions taken thus far:
1) Blocked Port 137,138,139(netbios) and 901(swat) on the firewall, public Internet NIC card.

2)Analyzed the log files.

Questions:

1) Has anyone seen this before?
2) What additional security measures do I need to take? I have no need to provide samba services outside my private network.
3) General suggestions.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
10 REPLIES 10
Lee Hundley
Valued Contributor

‎05-14-2004 05:16 AM

‎05-14-2004 05:16 AM

Solution

Re: Samba Denial of Service Attack

This is usually caused by windows worms attempting to infect open SMB shares. Best things you can do are:

1) Add 'hosts deny' and 'hosts allow' declerations to smb.conf like so

hosts deny = ALL
hosts allow = 127.0.0.1 192.168.0. 172.16.

That would deny all requests UNLESS they came from the loopback the Class C 192.168.0.xxx subnet, or the Class B 172.16.xxx.xxx subnet.

2) Use 'listen on' decleration to bind samba to a specific ip:

listen on = 192.168.0.42

3) Keep your new firewall rules in place...just in case :)

HTH
It is my firm belief that it is a mistake to hold any firm beliefs
Reply
Geoff Wild
Honored Contributor

‎05-14-2004 05:25 AM

‎05-14-2004 05:25 AM

Re: Samba Denial of Service Attack

Havn't seen it, but add this to smb.conf to help stop var filling up:

log file = /var/opt/samba/log.%m
max log size = 10000

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎05-14-2004 05:34 AM

‎05-14-2004 05:34 AM

Re: Samba Denial of Service Attack

Lee, it did work.

Now I'm getting connection denied logs.

I guess the only alternative is to write a cron job to sweep the log directory on a regular basis.

The worm managed to eat 2.4 Gigabytes of disk space VERY,VERY fast.

I'm giving You a bunny because you earned it.

But this thread is OPEN!

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎05-14-2004 05:59 AM

‎05-14-2004 05:59 AM

Re: Samba Denial of Service Attack

The logs all say connection denied(328) or connection denied(883)

lib/access.c:check_access(328)
or
smdb/process.c:process_smb(883)

I'm assuming these numbers are not ports I can block.

Is there a firewall port I can block to stop this activity?

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Lee Hundley
Valued Contributor

‎05-14-2004 06:15 AM

‎05-14-2004 06:15 AM

Re: Samba Denial of Service Attack

I believe you're right, those are probably error codes, not port numbers. It seems you've already got the appropriate ports blocked at your firewall per your earlier post.

If you're still getting those errors, look towards infected machines on your network that still have access to the samba server. Maybe cron a job every hour that greps for the error phrase, pipes it through 'wc -l', and then emails you the results. Maybe it will trail off with the new access rules?
It is my firm belief that it is a mistake to hold any firm beliefs
0 Kudos
Reply
G. Vrijhoeven
Honored Contributor

‎05-14-2004 06:16 AM

‎05-14-2004 06:16 AM

Re: Samba Denial of Service Attack

SEP,

I found a link to a site that can provide you with more info on the subject.

http://security.wayne.edu/default/modules.php?name=News&file=article&sid=84

Have a nice weekend,

Gideon
Reply
Steven E. Protter
Exalted Contributor

‎05-14-2004 08:12 AM

‎05-14-2004 08:12 AM

Re: Samba Denial of Service Attack

Good stuff.

I think the worm is shut off by closing the samba port, port 445

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Darren Prior
Honored Contributor

‎05-16-2004 10:49 PM

‎05-16-2004 10:49 PM

Re: Samba Denial of Service Attack

Hi SEP,

If the attack comes from multiple clients and you have Samba configured for one log file per client, you could end up with many log files - and the log file size limits become less important. You could consider changing the log file dir to something less important, perhaps a separate filesystem...

regards,

Darren.
Calm down. It's only ones and zeros...
Reply
Steven E. Protter
Exalted Contributor

‎05-17-2004 02:47 AM

‎05-17-2004 02:47 AM

Re: Samba Denial of Service Attack

The attack was coming from multiple clients.

It was all coming from port 445. I opened that port in hopes of doing samba mounts from outside my systems with my laptop as I travelled.

Very, bad idea. I'm working on VPN instead.

Once I shut port 445 i was okay.

ipfilters on hpux works nicely when you say block all traffic except what I authorize.

When I did that setting on the Linux boxes, iptables performance went down the tubes.

Apparently its more efficient to manually bloc the ports and leave the input setting set to ACCEPT.

That makes no sense.

This issue is resolved. Unless someone has come comments on my iptables problem which is better suited for a Linux thread.

Thanks.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎05-17-2004 02:48 AM

‎05-17-2004 02:48 AM

Re: Samba Denial of Service Attack

Right on point Darren. I had 100,000 log files, new of which were bigger than 10kb

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.