Robert M. Martel
2005-Jan-10 17:33 UTC
[Samba] Security scan causing load on PDC to skyrocket
Greetings,

This is not a problem with Samba as I see it but I am hoping that others on the list have some ideas for working around the issue.

Our central computer services group scans all the campus networks using Nessus and some custom rules to look for security problems. What I am seeing within my college is my Samba PDC getting beat-up when the scans go through. They scan a block of PCs at the same time looking for accounts w/o passwords. I see the load average skyrocket from a nice, normal 1.x to 49 and above. The smblogs show many lines like the following:

...
[2005/01/10 12:19:10, 2] auth/auth.c:check_ntlm_password(312) check_ntlm_password: Authentication for user [Guest] -> [Guest] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/10 12:19:11, 2] auth/auth.c:check_ntlm_password(312) check_ntlm_password: Authentication for user [Guest] -> [Guest] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/10 12:19:13, 2] auth/auth.c:check_ntlm_password(312) check_ntlm_password: Authentication for user [Guest] -> [Guest] FAILED with error NT_STATUS_NO_SUCH_USER
...

I have Samba 3.10 on a Sun 420R running Solaris 9 as my PDC. At this time the password back end on the PDC is plain old text smbpasswd file as we've not had a chance to move it to something more sophisticated - and we should because that has grown huge - which I am sure doesn't help this situation.

Short of getting the central people to back off of their testing - which they don't want to do for obvious reasons - does anyone have thoughts on what I can do on my Samba server to prevent this scanning from turning into a denial of service attack?

Thanks

Bob Martel

--
***********************************************************************
Bob Martel, System Administrator
Levin College of Urban Affairs
Cleveland State University
(216) 687-2214
bob@urban.csuohio.edu

I met someone who looks a lot like you
She does the things you do
But she is an IBM
-Jeff Lynne
***********************************************************************
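
One way to measure the failure bursts described in the post from the smbd log, as an added example that is not part of the original message: it parses the `check_ntlm_password` failure lines quoted above and reports the time spans in which failures cluster, plus a count per account and status. The sample log, the `alice` account, the 60-second window and the threshold of 5 are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# smbd writes a header line and an indented message line; \s+ also accepts
# the run-together form in which the lines appear in the post.
FAIL_RE = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\]\s+\S+:check_ntlm_password\(\d+\)\s+"
    r"check_ntlm_password:\s+Authentication for user \[([^\]]*)\] -> \[[^\]]*\] "
    r"FAILED with error (\w+)")

def parse_failures(text):
    """Return [(datetime, user, nt_status)] for every failed NTLM auth."""
    return [(datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), user, status)
            for ts, user, status in FAIL_RE.findall(text)]

def find_bursts(events, window_s=60, threshold=5):
    """Return [(first, last, count)] for runs where at least `threshold`
    failures fall within any `window_s`-second sliding window."""
    times = sorted(e[0] for e in events)
    spans, lo = [], 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        if hi - lo + 1 >= threshold:
            if spans and lo <= spans[-1][1]:
                spans[-1][1] = hi          # overlaps previous run: extend it
            else:
                spans.append([lo, hi])
    return [(times[a], times[b], b - a + 1) for a, b in spans]

def failures_by_account(events):
    """Count failures per (user, nt_status) pair."""
    return Counter((user, status) for _, user, status in events)

def _entry(ts, user, status):  # builds one constructed two-line log entry
    return (f"[{ts}, 2] auth/auth.c:check_ntlm_password(312)\n"
            f"  check_ntlm_password:  Authentication for user [{user}] -> "
            f"[{user}] FAILED with error {status}\n")

# Constructed sample: 12 Guest failures in 12 seconds, then one unrelated failure.
SAMPLE_LOG = "".join(_entry(f"2005/01/10 12:19:{s:02d}", "Guest", "NT_STATUS_NO_SUCH_USER")
                     for s in range(10, 22))
SAMPLE_LOG += _entry("2005/01/10 14:02:07", "alice", "NT_STATUS_WRONG_PASSWORD")

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    for first, last, count in find_bursts(events):
        print(f"burst: {count} failures between {first} and {last}")
    print(failures_by_account(events).most_common(3))
```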