Don't know if this belongs on this list or not...

Those of you who have to manage Samba servers
remotely and have therefore set rules to allow port
901 from the internet may want to reconsider this
as there appears to be a _Significant_ increase in
port 901 hits of late.

Internet storm center shows a significant rise
as well:
http://www.dshield.org/port_report.php?port=901

I've seen dozens per hour on the few sites I have
set up this way, and I have therefore started
blocking swat everywhere.

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386

"John S. Andersen" <JAndersen@screenio.com> wrote ..
> Don't know if this belongs on this list or not...
>
> Those of you who have to manage Samba servers
> remotely and have therefore set rules to allow port
> 901 from the internet may want to reconsider this
> as there appears to be a _Significant_ increase in
> port 901 hits of late.
>
> Internet storm center shows a significant rise
> as well:
> http://www.dshield.org/port_report.php?port=901
>
> I've seen dozens per hour on the few sites I have
> set up this way, and I have therefore started
> blocking swat everywhere.

Hello John, I can concur that the /etc/services/swat or port 901 is definitely seeing more hits than normal. I would like to use SAMBA but attacks like these render SAMBA a non-option. Thanks for the warning and the link, David.

> "John S. Andersen" <JAndersen@screenio.com> wrote ..
> > Don't know if this belongs on this list or not...
> >
> > Those of you who have to manage Samba servers
> > remotely and have therefore set rules to allow port
> > 901 from the internet may want to reconsider this
> > as there appears to be a _Significant_ increase in
> > port 901 hits of late.
> >
> > Internet storm center shows a significant rise
> > as well:
> > http://www.dshield.org/port_report.php?port=901
> >
> > I've seen dozens per hour on the few sites I have
> > set up this way, and I have therefore started
> > blocking swat everywhere.

You could limit the allowed access from the internet to a couple of IP addresses, by stating the source address in shorewall... The last example in the current rules file shows the syntax required. I configure mine like that out of habit.

Jerry Vonau

On Sat, 2004-01-10 at 01:24, David W. Brown wrote:
> Hello John, I can concur that the /etc/services/swat or port 901 is
> definitely seeing more hits than normal. I would like to use SAMBA but
> attacks like these render SAMBA a non-option. Thanks for the warning and
> the link, David.

IMHO, admin access such as SWAT, or other things (phpmyadmin, webmin, etc) should never be carte blanche open to the Internet. If they are being run over SSL AND require authentication, there can be some allowance, but not in any other case. Additionally, if you don't need to use SWAT but can just edit the configs by hand, you don't have this problem.

--
David T Hollis <dhollis@davehollis.com>

> IMHO, admin access such as SWAT, or other things (phpmyadmin, webmin,
> etc) should never be carte blanche open to the Internet. If they are
> being run over SSL AND require authentication, there can be some
> allowance, but not in any other case. Additionally, if you don't need
> to use SWAT but can just edit the configs by hand, you don't have this
> problem.

I suggest using webmin in ssl mode to access swat remotely if you really need to. That way webmin will act as a proxy between you and swat. Of course webmin can break too :)

Simon
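
The source-address restriction suggested earlier in the thread, shown beside the open rule it replaces. This is an added example, not part of any poster's message: the two addresses are constructed (documentation ranges), and `fw` is assumed to be the firewall zone name.

```conf
# /etc/shorewall/rules -- added example; addresses are constructed
# (RFC 5737 documentation ranges) and "fw" is assumed to be the
# firewall zone name configured in shorewall.conf.
#
#ACTION     SOURCE                          DEST   PROTO   DEST PORT(S)

# Weak: SWAT (tcp/901) reachable from every host in the net zone.
#ACCEPT     net                             fw     tcp     901

# Restricted: only the two listed admin addresses may reach SWAT.
ACCEPT      net:192.0.2.10,198.51.100.7     fw     tcp     901

# Everything else aimed at 901 is dropped and logged, so the scan
# volume stays visible in the firewall log. Rules are matched in
# order, so this must come after the ACCEPT above.
DROP:info   net                             fw     tcp     901
```

Run `shorewall check` before restarting the firewall to confirm the rules file parses.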