samba - Feb 2000 - Netbios port 139

On http://grc.com/default.htm
I've found some bad news on the above service.
It's true that if your windows network expose shared resources AND it is
connect to Internet it can be bombed
by hacker's attacks ?
If yes, how to prevent it thru Linux-Samba ?

On Thu, Feb 10, 2000 at 03:09:24AM +1100, Diego Cimarosa
wrote:
> On http://grc.com/default.htm
> I've found some bad news on the above service.
> It's true that if your windows network expose shared resources AND it
is
> connect to Internet it can be bombed
> by hacker's attacks ?
> If yes, how to prevent it thru Linux-Samba ?
	Very simply...  Put a Linux firewall between you and the big bad
internet and block all inbound and outbound traffic UDP and TCP for
ports from 135-139 and thrown 445 in for good measure.  You can run
Samba on that box if you like and let the firewall protect it or configure
it to only bind to the inside interface.  You can configure the box to be
a NAT (Masquerading) box if you are short on IP addresses and want to
map a bunch of system out to the outside.

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

On Thu, 10 Feb 2000 03:09:48 +1100, hai scritto:
>On http://grc.com/default.htm
>I've found some bad news on the above service.
>It's true that if your windows network expose shared resources AND it is
>connect to Internet it can be bombed
>by hacker's attacks ?
>If yes, how to prevent it thru Linux-Samba ?
If your samba box is on the same server which connects to the internet
then these are examples to block inbound SYN netbios packets.

kernel 2.0.x
# NetBIOS
$ipfwadm -I -a reject -S $any -D $masq_ip/32 137:139 -W $masq_dev -y -P
tcp -o
$ipfwadm -I -a reject -S $any -D $masq_ip/32 137:139 -W $masq_dev -y -P
udp -o

kernel 2.2.x
# NetBIOS
$ipchains -A input -s $any -d $any 137:139 -i $masq_dev -p TCP -l -j
REJECT
$ipchains -A input -s $any -d $any 137:139 -i $masq_dev -p UDP -l -j
REJECT

grc.com will report your netbios ports as  "stealth".

-- 
giulioo@pobox.com