[ubuntu-uk] Warning to all users of Samba

paul morgan-roach roachy at roachy.net
Tue Apr 20 20:22:02 BST 2010


> On 20/04/10 19:14, Daniel Case wrote:
>
> > Never, ever leave Samba open without due care and attention. All too
> > often I see people telling others to install Samba without warning them
> > of the possible implications; many people
> > are quite lazy, and instead of setting everything up, will just check
> > the "Allow guest access" button.
> > What I wasn't aware of is the fact that it broadcasts on port 139, went
> > straight through my router's firewall and allowed everyone on the
> > internet to access my entire home folder.

I'd add to this that correct firewall configuration is rarely applied in the majority of cases. Many domestic routers tout the ability to "firewall" traffic but in actual fact are just glorified routers with NAT. A full firewall allows the securing of outbound traffic as well, and a default deny policy should always be used. That way, if anything on the internal network breaches these rules then it can be noticed and investigated accordingly. In some cases it is possible and acceptable to log accepted traffic as well.

Windows boxes will also broadcast on 137 and 445.

In your case I'm not sure how this broadcast traffic has actually hit the internet and exposed a vulnerability. The purpose of subnetting means that broadcast traffic only goes to machines within the same subnet. For example, a broadcast packet (sent to 192.168.1.255) on the network 192.168.1.0/24 could not technically hit 192.168.2.1 even if it was connected to the same physical switch.

I'd suggest that the problem is probably that the machine was within a DMZ or connected directly (bridged or via a modem) to allow a compromise to take place.

P  
--
Sent from my Nokia N900
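As an added example, not from either poster, here is the kind of host firewall the reply argues for: a default-deny policy in every direction that admits the SMB/NetBIOS ports mentioned in the thread (137, 139, 445, plus 138/udp for the NetBIOS datagram service) only from the LAN subnet, and logs whatever the default policy is about to drop so it can be investigated. It assumes the LAN is 192.168.1.0/24 on interface eth0 (the subnet from the reply) and a Linux host with iptables; by default it only prints the rules, and applying them needs root.

```shell
#!/bin/sh
# Added example: default-deny iptables policy for a Samba host on a home LAN.
# Assumptions: LAN 192.168.1.0/24 on eth0, IPv4 only, iptables available.
LAN=${LAN:-192.168.1.0/24}
LAN_IF=${LAN_IF:-eth0}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the rules, 0 = apply them (requires root)

# ipt: print or apply one iptables command, depending on DRY_RUN
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

samba_firewall() {
    # Start clean, then deny by default in every direction, outbound included.
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Allow the remainder of connections that were already accepted or initiated.
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SMB/NetBIOS only from the LAN subnet, only on the LAN interface.
    for p in 137 138; do
        ipt -A INPUT -i "$LAN_IF" -s "$LAN" -p udp --dport "$p" -j ACCEPT
    done
    for p in 139 445; do
        ipt -A INPUT -i "$LAN_IF" -s "$LAN" -p tcp --dport "$p" -j ACCEPT
    done
    # Outbound: allow only what this host needs (DNS, HTTP/HTTPS, NTP here).
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    ipt -A OUTPUT -p udp --dport 123 -j ACCEPT
    # Log (rate-limited) what the DROP policy will discard, so an internal
    # machine talking SMB to the internet shows up in the kernel log.
    ipt -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
}

samba_firewall
```

Run with `DRY_RUN=0` as root to apply; the logged drops appear in the kernel log with the `FW-IN-DROP:` / `FW-OUT-DROP:` prefixes.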
