5 Replies Latest reply: Nov 8, 2011 2:12 AM by VincensoXFIN
VincensoXFIN Level 1 (40 points)

Hello !


Lately I have been experiencing some strange spam in my SMB logs. Here is an example:



  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER



It's repetitive and it seems to be coming from Windows clients I don't even have on my system. Here is a longer part:


[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/smbd/reply.c:reply_special(332)

  netbios connect: name1=SIBELIUSOPISTO  name2=MCRVERKA      

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/smbd/reply.c:reply_special(339)

  netbios connect: local=sibeliusopisto remote=mcrverka, name type = 0

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/smbd/sesssetup.c:setup_new_vc_session(1273)

  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/lib/module.c:do_smb_load_module(64)

  Module '/usr/lib/samba/auth/odsam.dylib' loaded

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/smbd/sesssetup.c:setup_new_vc_session(1273)

  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.

[2011/11/07 16:19:19, 2, pid=10825] /SourceCache/samba/samba-235.7/samba/source/auth/auth.c:check_ntlm_password(319)

  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER


I happen to know that MCRVERKA is a Windows server (I think) run by another company in the same building, and in the same network. My server is running in two network subnets, 172.17.6 and 172.17.144, and these are coming from the 144 network, which is a common network for all companies in the building. There are many other computers too doing the same spam to my computer; some are even Macs from my own network and other Macs from other companies.


Any idea what is causing this, and how could I resolve this and end the endless spam?

Mac Pro, Mac OS X (10.6.7), Server
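
To see which machines account for the failures in a log like the excerpt above, the `netbios connect` and `check_ntlm_password` entries can be paired by smbd pid and tallied per remote NetBIOS name. This is an added example, not part of any post in the thread; it assumes one smbd child process per client connection, and the sample log is constructed (shortened source paths, made-up host `examplemac`).

```python
import re
from collections import Counter

# Constructed sample in the two-line layout of the excerpt (header line, then
# indented message). Source paths are shortened; "examplemac" is made up.
SAMPLE_LOG = """\
[2011/11/07 16:19:19, 2, pid=10825] smbd/reply.c:reply_special(339)
  netbios connect: local=sibeliusopisto remote=mcrverka, name type = 0
[2011/11/07 16:19:19, 2, pid=10825] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2011/11/07 16:19:21, 2, pid=10830] smbd/reply.c:reply_special(339)
  netbios connect: local=sibeliusopisto remote=examplemac, name type = 0
[2011/11/07 16:19:21, 2, pid=10830] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2011/11/07 16:19:40, 2, pid=10825] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2011/11/07 16:20:02, 2, pid=10841] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"^\[[^\]]*pid=(\d+)\]")
CONNECT = re.compile(r"netbios connect: local=\S+ remote=(\S+?),")
FAILED = re.compile(r"Authentication for user \[(.*?)\] -> \[.*?\] FAILED with error (\S+)")

def failed_auth_by_client(log_text):
    """Count failed logons per (remote NetBIOS name, user, status)."""
    remote_by_pid = {}   # assumption: one smbd child (pid) per client connection
    failures = Counter()
    pid = None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            pid = header.group(1)   # the message on the next line belongs to this pid
            continue
        connect = CONNECT.search(line)
        if connect:
            remote_by_pid[pid] = connect.group(1).lower()
            continue
        failed = FAILED.search(line)
        if failed:
            # No "netbios connect" logged for this pid: the name cannot be recovered.
            client = remote_by_pid.get(pid, "<unknown>")
            failures[(client, failed.group(1) or "<empty>", failed.group(2))] += 1
    return failures

if __name__ == "__main__":
    for (client, user, status), n in failed_auth_by_client(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {client:<12} user={user:<8} {status}")
```
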
  • Esther Mofet Level 1 (130 points)

    "...another company in the same building, and in same network..."


    Well, there's your problem: people who don't have any business looking at your file server are, naturally, looking at it because they can see it.


    Why in the world are you running a single network shared between different companies?

  • MrHoffman Level 6 (14,827 points)

    Not the answer to your question...  But that log would scare me. 


    Not because of the netbios chatter, but because your file system is apparently accessible to remote servers.


    Is there a particular reason why your file system is accessible to remote systems? 


    Exposing your server's file system to untrusted networks is generally considered a Bad Idea, as (and ignoring this Windows netbios log-file chatter) there are and will be attacks, and there have been file system vulnerabilities in the past.  


    A more typical installation uses a gateway-firewall box, and uses server-based or (less desirably) pass-through VPN access to connect to resources on your local network including CIFS/SMB.

  • VincensoXFIN Level 1 (40 points)

    OK, let's get into detail and clear up a few things. First, I am not running the whole network in this building.


    My server is working in two subnets because:


    172.17.6 - This is our Institute's main network for all our computers; only we use this network.

    172.17.144 - This is a closed network, but it is shared among all companies and other institutes in this building. We use this because of the location of our management department. We cannot operate in the 172.17.6 network here, because we share a common printer & copier with another institute. We own it, but I cannot set it to the 6 network, or I would deny them the use of it, and they are paying rent for it. We have about 7 computers in this network, 2 PCs and 5 Macs.


    I am trying to get rid of the PCs, and we only have 3 PCs total in the institute, but we are using Windows-based payroll management programs, and can't change to Mac-based ones yet. Still, I wouldn't want to even use SMB, but I have to, to give the PCs access to our shared files. I have disabled all guest access.


    So, any comments? How could I resolve this? I understood that the machines are trying to look into my server, but why are they even doing that? Is it automatic? I am only using SMB to share files to a few Windows clients.


    I might add, the server is not accessible remotely from anywhere other than these two networks.

  • MrHoffman Level 6 (14,827 points)

    Are those seven computers on the "open" network, or on the "private" network?


    Is the chatter from the "open" network?


    Locate a server-grade firewall-router at 172.17.144.whatever (in place of your Mac), and make that the sole connection into network.  Move the Mac entirely onto the "private" network.  (Better: work with whomever is managing the existing router that's probably between these networks.)


    If your seven computers are on the network, now configure those seven systems with VPN access or firewall rules, and permit access through the firewall.  (Or work with whomever is managing the connection between and

  • VincensoXFIN Level 1 (40 points)

    The seven clients are in the 172.17.144 network. The rest are in the 172.17.6 network, with the server. The chatter seems to come from both networks, some connecting to and some, both are my server's addresses.


    I still don't understand this, because this problem has just appeared. I look through the logs on a weekly basis and the server has been running for over a year now, and this has not happened. But now, suddenly it seems like all the computers from the "company" that is managing this building/facility are bombing my server with requests to access my SMB shares. It's frustrating because I don't have management access to any routers. I can physically plug in connections and I think I know what comes and goes from/to where, but I have no authority to access them. I think I need to find someone who does.


    I don't see why even Macs are bombing my SMB?