5 Replies Latest reply: Nov 8, 2011 2:12 AM by VincensoXFIN
VincensoXFIN Level 1 Level 1 (40 points)

Hello!

Lately I have been experiencing some strange spam in my SMB logs. Here is an example:

/SourceCache/samba/samba-235.7/samba/source/auth/auth.c:check_ntlm_password(319)

  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER

It's repetitive and it seems to be coming from Windows clients I don't even have on my system; here is a longer part.

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/smbd/reply.c:reply_special(332)

  netbios connect: name1=SIBELIUSOPISTO  name2=MCRVERKA      

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/smbd/reply.c:reply_special(339)

  netbios connect: local=sibeliusopisto remote=mcrverka, name type = 0

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/smbd/sesssetup.c:setup_new_vc_session(1273)

  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/lib/module.c:do_smb_load_module(64)

  Module '/usr/lib/samba/auth/odsam.dylib' loaded

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/smbd/sesssetup.c:setup_new_vc_session(1273)

  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/auth/auth.c:check_ntlm_password(319)

  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER

I happen to know that MCRVERKA is a Windows server (I think) run by another company in the same building, and in the same network. My server is running in two network subnets, 172.17.6 and 172.17.144, and these are coming from the 144 network, which is a common network for all companies in the building. There are many other computers doing the same spam to my computer too, some are even Macs from my own network and other Macs from other companies.

Any idea what is causing this, and how could I resolve this and end the endless spam?


Mac Pro, Mac OS X (10.6.7), Server
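The log excerpt above is at Samba debug level 2: each bracketed header line (timestamp, level, pid, source location) is followed by an indented message line, and the pid ties a "netbios connect" line to the "check_ntlm_password" failure that the same smbd process reports a moment later. The following script, an added example that is not part of the thread, parses that layout, attributes every failed authentication to the NetBIOS name the same pid last reported connecting, and counts failures per remote name, separating the anonymous "[] -> []" probes the poster is seeing from real users with wrong passwords. The sample log is constructed to mirror the quoted lines; the name "examplepc1", the user "payroll" and the later timestamps are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the level-2 Samba log lines quoted in the post.
# Names other than the poster's own (sibeliusopisto, mcrverka) are made up.
SAMPLE_LOG = """\
[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/smbd/reply.c:reply_special(339)
  netbios connect: local=sibeliusopisto remote=mcrverka, name type = 0
[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/smbd/sesssetup.c:setup_new_vc_session(1273)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2011/11/07 16:19:31, 2, pid=10831] /SourceCache/samba/samba-235.7/samba/source/smbd/reply.c:reply_special(339)
  netbios connect: local=sibeliusopisto remote=examplepc1, name type = 0
[2011/11/07 16:19:31, 2, pid=10831] /SourceCache/samba/samba-235.7/samba/source/auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [payroll] -> [payroll] FAILED with error NT_STATUS_WRONG_PASSWORD
[2011/11/07 16:20:02, 2, pid=10840] /SourceCache/samba/samba-235.7/samba/source/smbd/reply.c:reply_special(339)
  netbios connect: local=sibeliusopisto remote=mcrverka, name type = 0
[2011/11/07 16:20:02, 2, pid=10840] /SourceCache/samba/samba-235.7/samba/source/auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# Header line: "[YYYY/MM/DD HH:MM:SS, level, pid=N] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+), pid=(\d+)\]")
# Message lines of interest (indented, so HEADER never matches them).
CONNECT = re.compile(r"netbios connect: local=(\S+) remote=(\S+),")
AUTH_FAIL = re.compile(r"Authentication for user \[(.*?)\] -> \[(.*?)\] FAILED with error (\S+)")


def parse_samba_log(text):
    """Return failed-authentication events, each attributed to the NetBIOS
    name that the same smbd process (pid) last reported connecting."""
    events = []
    current = None       # header fields for the message line that follows
    remote_by_pid = {}   # pid -> last NetBIOS name seen connecting
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"time": m.group(1), "pid": m.group(3)}
            continue
        if current is None:  # message line with no preceding header; skip
            continue
        m = CONNECT.search(line)
        if m:
            remote_by_pid[current["pid"]] = m.group(2)
            continue
        m = AUTH_FAIL.search(line)
        if m:
            events.append({
                "time": current["time"],
                "pid": current["pid"],
                "remote": remote_by_pid.get(current["pid"], "unknown"),
                "user": m.group(1),      # empty string for the "[] -> []" case
                "error": m.group(3),     # NT status name, e.g. NT_STATUS_NO_SUCH_USER
            })
    return events


def summarize(events):
    """Count failures per remote name, keyed by (user, NT status). An empty
    user field is reported as 'anonymous' so unauthenticated probes stand out
    from real users mistyping a password."""
    summary = defaultdict(Counter)
    for ev in events:
        user = ev["user"] or "anonymous"
        summary[ev["remote"]][(user, ev["error"])] += 1
    return {remote: dict(c) for remote, c in summary.items()}


def noisiest_remotes(events, min_failures=2):
    """Remote names with at least min_failures anonymous failures, noisiest first."""
    counts = Counter(ev["remote"] for ev in events if not ev["user"])
    return [(name, n) for name, n in counts.most_common() if n >= min_failures]


if __name__ == "__main__":
    evs = parse_samba_log(SAMPLE_LOG)
    for remote, counts in summarize(evs).items():
        print(remote, counts)
    print("anonymous probers:", noisiest_remotes(evs))
```

Run against a real log.smbd, the per-name table shows whether the noise is a handful of hosts retrying an anonymous (null-session) connection, as in the poster's excerpt, or many distinct users failing with NT_STATUS_WRONG_PASSWORD, which would be a different problem. Attribution by pid is only as good as the log order, so a "netbios connect" line that was truncated or logged at another level leaves the failure marked "unknown" rather than silently assigned to the wrong host.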
  • 1. Re: Strange spam on SMB Access the logs
    Esther Mofet Level 1 Level 1 (130 points)

    "...another company in the same building, and in same network..."

    Well, there's your problem: people who don't have any business looking at your file server are, naturally, looking at it because they can see it.

    Why in the world are you running a single network shared between different companies?

  • 2. Re: Strange spam on SMB Access the logs
    MrHoffman Level 6 Level 6 (12,455 points)

    Not the answer to your question...  But that log would scare me. 

    Not because of the netbios chatter, but because your file system is apparently accessible to remote servers.

    Is there a particular reason why your file system is accessible to remote systems? 

    Exposing your server's file system to untrusted networks is generally considered a Bad Idea, as (and ignoring this Windows netbios log-file chatter) there are and will be attacks, and there have been file system vulnerabilities in the past.  

    A more typical installation uses a gateway-firewall box, and uses server-based or (less desirably) pass-through VPN access to connect to resources on your local network including CIFS/SMB.

  • 3. Re: Strange spam on SMB Access the logs
    VincensoXFIN Level 1 Level 1 (40 points)

    OK, let's get into detail and clear up a few things. First, I am not running the whole network in this building.

    My server is working in two subnets because :

    172.17.6 - This is our Institutes main network for all our computers, only we use this network.

    172.17.144 - This is a closed network, but it is shared with all companies and other institutes in this building. We use this because of the location of our management department. We cannot operate in the 172.17.6 network here, because we share a common printer & copier with another institute. We own it, but I cannot put it on the 6 network, or I would deny them the use of it, and they are paying rent for it. We have about 7 computers in this network, 2 PCs and 5 Macs.

    I am trying to get rid of the PCs, and we only have 3 PCs total in the institute, but we are using Windows-based payroll management programs, and can't change to Mac-based ones yet. Still, I wouldn't want to even use SMB, but I have to, to give the PCs access to our shared files. I have disabled all guest access.

    So, any comments? How could I resolve this? I understood that the machines are trying to look into my server, but why are they even doing that? Is it automatic? I am only using SMB to share files to a few Windows clients.

    I might add, the server is not accessible remotely from anywhere other than these two networks.

  • 4. Re: Strange spam on SMB Access the logs
    MrHoffman Level 6 Level 6 (12,455 points)

    Are those seven computers on the 172.17.144.0/24 "open" network, or on the 172.17.6.0/24 "private" network?

    Is the chatter from the 172.17.6.0/24 "open" network?

    Locate a server-grade firewall-router at 172.17.144.whatever (in place of your Mac), and make that the sole connection into the 172.17.6.0/24 network.  Move the Mac entirely onto the 172.17.6.0/24 "private" network.  (Better: work with whoever is managing the existing router that's probably between these networks.)

    If your seven computers are on the 172.17.144.0/24 network, now configure those seven systems with VPN access or firewall rules, and permit access through the firewall.  (Or work with whoever is managing the connection between 172.17.144.0/24 and 172.17.6.0/24.)

  • 5. Re: Strange spam on SMB Access the logs
    VincensoXFIN Level 1 Level 1 (40 points)

    The seven clients are in the 172.17.144 network. The rest are in the 172.17.6 network, with the server. The chatter seems to come from both networks, some connecting to 172.17.6.90 and some to 172.17.144.160; both are my server's addresses.

    I still don't understand this, because this problem has just appeared. I look through the logs on a weekly basis and the server has been running for over a year now, and this has not happened. But now, suddenly, it seems like all the computers from the "company" that is managing this building/facility are bombing my server with requests to access my SMB shares. It's frustrating because I don't have management access to any routers. I can physically plug in connections and I think I know what comes and goes from/to where, but I have no authority to access them. I think I need to find someone who does.

    I don't see why even Macs are bombing my SMB.