[newbie] Netbios-ssn connections?

2004-11-11 Thread Eric Scott
Yo;
Once again, another question to be applied on my Mandrake 9.2 server box,
which you're probably starting to become friends with.  I leave KDE System
Guard open at times on my SuSE box monitoring the Mandrake server remotely.
I've noticed that a TCP connection opens occasionally, connected to from
hosts all around the world (China, UK, u-name-it) to a netbios-ssn socket.
What's happening here? What's netbios-ssn?  All I'm running is a website for
a local business at the moment... I can't imagine why peeps from China and
the UK would want to access this server... are these crackers? Do I have a
clue what I'm talking about?
  Thanx,
 ES
-- 
Registered Linux user #366862

This message was sent from a Microsoft-Free 750MHz Athlon system running SuSE 
Linux 9.1 (Kernel 2.6.5), multi-booted with RedHat 8.0 (Kernel 2.4.18; can't 
get Fedora to work!) and Debian 3.0 (Kernel 2.2.20).

Failure is not an option with Microsoft; it's bundled with the software!

A Linux Only area  Happy bug hunting M$ clan, The time is here to FORGET 
that M$ Corp ever existed the world does not NEED M$ Corp the world has NO USE 
for M$ Corp  it is time to END M$ Corp
-snipped from the signature of Peter Nikolic


Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com



Re: [newbie] Netbios-ssn connections?

2004-11-11 Thread Derek Jennings
On Thursday 11 November 2004 17:59, Eric Scott wrote:
> Yo;
>   Once again, another question to be applied on my Mandrake 9.2 server box,
> which you're probably starting to become friends with.  I leave KDE System
> Guard open at times on my SuSE box monitoring the Mandrake server remotely.
> I've noticed that a TCP connection opens occasionally, connected to from
> hosts all around the world (China, UK, u-name-it) to a netbios-ssn
> socket. What's happening here? What's netbios-ssn?  All I'm running is a
> website for a local business at the moment... I can't imagine why peeps
> from China and the UK would want to access this server... are these
> crackers? Do I have a clue what I'm talking about?
>   Thanx,
>  ES

It means that you are running Samba, and are either not running a firewall, or 
have opened the firewall to Samba (by default it will be closed). 
netbios-ssn is port 139. It means that people all over the world can see your 
Samba shares, and if they can guess your password they can look at them too.
The good news is that most of these people will be innocent Windows users who 
have no idea they are scanning the Internet with 'Network Neighborhood'. But 
some of them may not be very nice...

If you go to http://scan.sygatetech.com/ you can check which other ports are 
open.

derek

-- 
www.jennings.homelinux.net
http://twiki.mdklinuxfaq.org
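
To see on the server itself what the reply above describes (Samba answering on port 139 on every interface, and who is connected to it), the kernel's socket table can be read directly. This is an added example, not code from the thread; the sample table is constructed with documentation-range addresses, a little-endian (x86) host is assumed, and port 445 is included because Samba can also listen there.

```python
import socket
import struct

LISTEN, ESTABLISHED = "0A", "01"          # TCP state codes used in /proc/net/tcp
SMB_PORTS = {139: "netbios-ssn", 445: "microsoft-ds"}

# Constructed sample in /proc/net/tcp layout (documentation-range addresses).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1302
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1403
   3: 0A0200C0:008B 057100CB:C350 01 00000000:00000000 00:00000000 00000000     0        0 1504
"""


def decode_endpoint(field):
    """Turn '0100007F:0277' into ('127.0.0.1', 631); assumes a little-endian host."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def rows(text):
    """Yield (local, remote, state) for every socket line, skipping the header."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:
            yield decode_endpoint(fields[1]), decode_endpoint(fields[2]), fields[3]


def wildcard_smb_listeners(text):
    """Samba ports listening on 0.0.0.0, i.e. reachable on every interface."""
    return [(port, SMB_PORTS[port]) for (addr, port), _, state in rows(text)
            if state == LISTEN and addr == "0.0.0.0" and port in SMB_PORTS]


def smb_peers(text):
    """Remote addresses with an established session to a local Samba port."""
    return [remote[0] for local, remote, state in rows(text)
            if state == ESTABLISHED and local[1] in SMB_PORTS]


if __name__ == "__main__":
    print("listening on all interfaces:", wildcard_smb_listeners(SAMPLE))
    print("connected peers:", smb_peers(SAMPLE))
```

On a live Linux host, pass the contents of `/proc/net/tcp` instead of `SAMPLE`.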





Re: [newbie] Netbios-ssn connections?

2004-11-11 Thread Kaj Haulrich
On Thursday 11 November 2004 23:10, Derek Jennings wrote:

<large snip>
> If you go to http://scan.sygatetech.com/ you can check which
> other ports are open.
</large snip>

Derek, on a related note : when doing so from my box - which isn't a 
server - the scan invariably warns me that my ports 80 (http) and 
port 113 (ident) are closed, but not blocked.  In shorewall I've 
disabled all services. The same result shows when trying 
http://www.grc.com

Question : how to block ports in shorewall and what is the downside 
of blocking those ports ?

TIA
Kaj Haulrich.
-- 
*sent from a 100% Microsoft-free workstation*
 * http://haulrich.net *
*Running Linux (Mandrake 10.1) - kernel 2.6.8*





Re: [newbie] Netbios-ssn connections?

2004-11-11 Thread mikkel
> Yo;
>   Once again, another question to be applied on my Mandrake 9.2 server box,
> which you're probably starting to become friends with.  I leave KDE System
> Guard open at times on my SuSE box monitoring the Mandrake server remotely.
> I've noticed that a TCP connection opens occasionally, connected to from
> hosts all around the world (China, UK, u-name-it) to a netbios-ssn socket.
> What's happening here? What's netbios-ssn?  All I'm running is a website for
> a local business at the moment... I can't imagine why peeps from China and
> the UK would want to access this server... are these crackers? Do I have a
> clue what I'm talking about?
>   Thanx,
>  ES

First thing - it doesn't sound like you are running a firewall on that
box.  You should be running one on ANY machine connected to the Internet. 
You can open a hole in the firewall for the web server, and still block
everything else.

Now, as for what you are seeing, it is someone looking to see what Windows
file sharing shares your box has.  They are looking for Windows machines
that have file/print sharing enabled, and no firewall.  If this were a
Windows machine, they could then access those files, and possibly write
new files to the system.  It depends on how file sharing is set up.  The
same thing can also be done to a Linux box running Samba.  (You can set
other protections in Samba, that you can not in Windows file sharing, but
that is beside the point...)  Windows boxes that can be accessed this way
are a tempting target because chances are they don't have the latest
security updates, and because the owner of the box doesn't know security. 
A Linux box with these ports open is also a target, because the ports
should not be open on a properly secured box.

Do us all a favor, and check out Shorewall, or another firewall setup
program.  Shorewall is included with 9.2, and is not that hard to set
up...

Mikkel






Re: [newbie] Netbios-ssn connections?

2004-11-11 Thread Derek Jennings
On Thursday 11 November 2004 22:37, Kaj Haulrich wrote:
> On Thursday 11 November 2004 23:10, Derek Jennings wrote:
>
> <large snip>
>
>> If you go to http://scan.sygatetech.com/ you can check which
>> other ports are open.
>
> </large snip>
>
> Derek, on a related note : when doing so from my box - which isn't a
> server - the scan invariably warns me that my ports 80 (http) and
> port 113 (ident) are closed, but not blocked.  In shorewall I've
> disabled all services. The same result shows when trying
> http://www.grc.com
>
> Question : how to block ports in shorewall and what is the downside
> of blocking those ports ?
>
> TIA
> Kaj Haulrich.

It is likely that your ISP is blocking those ports and giving the 'closed' 
response before the packet gets as far as your computer. ISPs do that when 
they do not want their clients running web servers. 
It is also possible for these online test sites to get totally confused about 
which IP address you originate from and test the wrong device.
So do not get too alarmed.

As for how to block ports in shorewall: Shorewall's default behaviour is to 
drop all packets from the internet. You have to make a conscious decision to 
allow packets through. The Mandrake Control Centre GUI is pretty useless at 
configuring shorewall. There is a webmin module which is very good, but 
personally I edit the files by hand. The main file is /etc/shorewall/rules .
The text files are full of example configurations and are real easy to 
understand.

BTW: The big mistake people often make with shorewall is to forget that 
shorewall assumes it could be attacked by someone on the local network as 
well as from the internet. Shorewall's default behaviour is to block packets 
from the local network to the firewall server (while letting packets through 
from the local network to the internet). So if you want to run a service such 
as Samba or CUPS on the same computer which is running the firewall, then you 
must open up Samba or CUPS to the local network, and NOT to the internet as 
the original poster seems to have done.  This is where the Mandrake GUI falls 
down badly. It is unable to select which interface a service is opened to.

derek


-- 
www.jennings.homelinux.net
http://twiki.mdklinuxfaq.org
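
The mistake described in the reply above (Samba or CUPS opened to the internet rather than only to the local network) can be checked mechanically against the rules file. This is an added example, not code from the thread or from the Shorewall project; the rules are constructed, the zone names `net`, `loc` and `fw` are assumed, and the check goes slightly beyond the post by also flagging rules whose source is `all`.

```python
# Services the post says belong on the local network only: Samba and CUPS.
LAN_ONLY = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
            "microsoft-ds": 445, "ipp": 631}

# Constructed rules in the column layout of /etc/shorewall/rules.
# Zone names net (internet), loc (LAN) and fw (firewall itself) are assumed.
SAMPLE_RULES = """\
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     fw    tcp    80
ACCEPT   net     fw    tcp    137:139,445
ACCEPT   loc     fw    tcp    139,445
ACCEPT   loc     fw    udp    137:138
ACCEPT   all     fw    tcp    ipp
DROP     net     fw    tcp    113
"""


def expand_ports(spec):
    """Expand a port column such as '137:139,445' or 'ipp' into a set of ints."""
    ports = set()
    for item in spec.split(","):
        if item in LAN_ONLY:
            ports.add(LAN_ONLY[item])
        elif ":" in item:                      # Shorewall writes ranges as low:high
            low, high = item.split(":", 1)
            ports.update(range(int(low or 0), int(high or 65535) + 1))
        elif item.isdigit():
            ports.add(int(item))
    return ports


def internet_exposed(rules_text, internet_zone="net", fw_zones=("fw", "$FW")):
    """Return (line number, source zone, ports) for ACCEPT rules that open a
    LAN-only service on the firewall host to the internet zone or to 'all'."""
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0].split(":")[0] != "ACCEPT":
            continue
        source, dest = fields[1].split(":")[0], fields[2].split(":")[0]
        if source in (internet_zone, "all") and dest in fw_zones:
            hit = sorted(expand_ports(fields[4]) & set(LAN_ONLY.values()))
            if hit:
                findings.append((lineno, source, hit))
    return findings


if __name__ == "__main__":
    for finding in internet_exposed(SAMPLE_RULES):
        print(finding)
```

In the sample, the `loc` rules are the form the reply recommends; only the `net` and `all` rules are reported.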

