Hello,
in the last few days I found some entries in nmb.log on one of my servers:
process_node_status_request: status request for name *<00> from IP 195.232.44.190 on subnet REMOTE_BROADCAST_SUBNET - name not found.
(repeated many times)
The host on this IP is not exactly in my domain :-)
# nslookup
Default Name Server: localhost
Address: 127.0.0.1
> set type=PTR
> 195.232.44.190
Name Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
190.44.232.195.in-addr.arpa name = md24-190.mun.compuserve.com
Authoritative answers can be found from:
44.232.195.IN-ADDR.ARPA nameserver = ns1.compuserve.co.uk
44.232.195.IN-ADDR.ARPA nameserver = ns1.compuserve.de
ns1.compuserve.co.uk internet address = 195.232.1.4
ns1.compuserve.de internet address = 195.232.32.4
> exit
#
And now my questions:
- Can I consider this an attack? I found exactly the same host accessing
pages from our http server (which is also the samba server) at the same time.
- I mask the access to our samba servers with our subnet data. This should
protect the data in my nmbd against such queries, shouldn't it? I have tried
with smbclient from some other subnet and couldn't receive any answer.
Best regards,
Lutz Jaenicke
--
Lutz Jaenicke Lutz.Jaenicke@iee.TU-Berlin.DE
TU Berlin iee.TU-Berlin.DE/personen/jaenicke
Institut fuer Elektrische Energietechnik Tel. +49 30 314-24552
Einsteinufer 11, D-10587 Berlin Fax. +49 30 314-21133
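
An added example, not part of the original message: one way to pull node status requests of the kind quoted above out of nmb.log and count those that come from outside the local networks. LOCAL_NETS, the sample lines and the function name are assumptions made for illustration; only the 195.232.44.190 message text is taken from the post.

```python
import ipaddress
import re
from collections import Counter

# Matches the nmbd message quoted in the post; the queried name there is *<00>.
STATUS_RE = re.compile(
    r"process_node_status_request: status request for name (?P<name>\S+) "
    r"from IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) on subnet (?P<subnet>\S+)"
)

# Assumption: the networks whose hosts may legitimately query this nmbd.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def external_status_requests(lines, local_nets=LOCAL_NETS):
    """Count status requests per (source IP, queried name) from outside local_nets."""
    hits = Counter()
    for line in lines:
        m = STATUS_RE.search(line)
        if not m:
            continue  # not a node status request
        try:
            src = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # damaged line, e.g. an octet above 255
        if not any(src in net for net in local_nets):
            hits[(str(src), m.group("name"))] += 1
    return hits


# Constructed sample: the message from the post three times, one request from
# a constructed local host, one damaged line and one unrelated line.
_MSG = "process_node_status_request: status request for name *<00> from IP "
SAMPLE_LOG = [
    _MSG + "195.232.44.190 on subnet REMOTE_BROADCAST_SUBNET - name not found.",
    _MSG + "192.0.2.17 on subnet REMOTE_BROADCAST_SUBNET - name not found.",
    _MSG + "195.232.44.190 on subnet REMOTE_BROADCAST_SUBNET - name not found.",
    _MSG + "999.1.1.1 on subnet REMOTE_BROADCAST_SUBNET - name not found.",
    "some unrelated nmbd message",
    _MSG + "195.232.44.190 on subnet REMOTE_BROADCAST_SUBNET - name not found.",
]

if __name__ == "__main__":
    for (ip, name), n in external_status_requests(SAMPLE_LOG).most_common():
        print(f"{ip} sent {n} status request(s) for {name}")
```

Comparing the flagged addresses and their timestamps with the HTTP server's access log shows whether the same source was active on both services at the same time.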