Re: [Samba] Results of nessus scan
On Wed, 2003-12-17 at 06:57, Jonas Carlsson wrote:
> I run samba 2.2.8a on my openbsd 3.4 box, installed from a package.
> All I need is the ability to mount disks from winxp boxes so I only run
> smbd, at 139/tcp.
> I tried scanning the box with nessus, and it came up with some results
> that got me curious.
> Since I don't know very much about the smb protocol I thought I should
> ask here.

The nessus text is a little alarming - given that none of the
information disclosed to your internal LAN is really that interesting...

> Have searched the archives but found only old posts, concerning older
> versions.
>
> What's a NULL session? What are domain and host SID?
> Nessus also suggests I'd limit the access to the $IPC share.

The 'securing samba' section of the howto collection includes
information on the IPC$ share.

> How can I limit this info disclosure?

You should only be running samba onto trusted networks that often need
this information, but you can restrict it a little, in some situations.

> 127.0.0.1|netbios-ssn (139/tcp)|10397|INFO|Here is the browse list of
> the remote host :
> HOSTNAME -
> This is potentially dangerous as this may help the attack of a potential
> hacker by giving him extra targets to check for
> Solution : filter incoming traffic to this port
> Risk factor : Low
>
> 127.0.0.1|netbios-ssn (139/tcp)|10395|INFO|Here is the list of the SMB
> shares of this host :
> myshare -
> IPC$ -
> ADMIN$ -
> This is potentially dangerous as this may help the attack of a potential
> hacker. Solution : filter incoming traffic to this port
> Risk factor : Medium
>
> 127.0.0.1|netbios-ssn (139/tcp)|10400|INFO|
> The remote registry can be accessed remotely using the login / password
> combination used for the SMB tests. Having the registry accessible to
> the world is not a good thing as it gives extra knowledge to a hacker.
> Solution : Apply service pack 3 if not done already, and set the key
> HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
> to restrict what can be browsed by non administrators.
> In addition to this, you should consider filtering incoming packets to
> this port.
> Risk factor : Low

We don't actually expose a remote registry - we expose something that
looks like it for the purpose of running various services.  If you were
to follow the advice on an MS box, you would probably break things.

> 127.0.0.1|netbios-ssn (139/tcp)|10859|INFO|The host SID can be obtained
> remotely. Its value is :
> HOSTNAME : 4-55-654367899-87557843444-56789446
> An attacker can use it to obtain the list of the local users of this host
> Solution : filter the ports 137 to 139 and 445
> Risk factor : Low
>
> 127.0.0.1|netbios-ssn (139/tcp)|10398|INFO|The domain SID can be
> obtained remotely. Its value is :
> WORKGROUP : 45-0-0-0-0
> An attacker can use it to obtain the list of the local users of this host
> Solution : filter the ports 137 to 139 and 445
> Risk factor : Low
>
> 127.0.0.1|netbios-ssn (139/tcp)|10394|REPORT|
> . It was possible to log into the remote host using a NULL session.
> The concept of a NULL session is to provide a null username and
> a null password, which grants the user the 'guest' access
> To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
> Q246261 (Windows 2000).
> Note that this won't completely disable null sessions, but will prevent
> them from connecting to IPC$.

This is matched by the 'restrict anonymous' parameter in Samba 3.0.

> Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html.
> All the smb tests will be done as ''/'whatever' in domain

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Results of nessus scan
On Wed, 2003-12-17 at 13:40, Jonas Carlsson wrote:
> James R. Trater wrote:
> > Try setting:
> > guestaccount = NULL
> > and
> > restrict anonymous = yes
> > in your smb.conf
> > I had the same problem, and this solved it for me.
>
> Just for the records; it really did the trick.
> Nessus reports nothing now!

Also for the record, we strongly recommend against this.  Instead, run
Samba 3.0 and set 'guest account = nobody', if nobody is a valid user,
and set 'restrict anonymous = 2' if you are not running a PDC, and not
performing any browsing services.

'restrict anonymous' had no security benefit in Samba 2.2, but may have
fooled the scanner.

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
RE: [Samba] Results of nessus scan
On Wed, 2003-12-17 at 08:31, James R. Trater wrote:
> Try setting:
>
> guestaccount = NULL

DO NOT do this.  We need the guest account anyway.  This simply states
that the guest account (and you need the space in that) is 'NULL', i.e.
that literal string.  Set it to a real, unprivileged user.

> and
> restrict anonymous = yes

If you want a non-PDC, non-browsing machine, you can set 'restrict
anonymous = 2' in Samba 3.0.  In Samba 2.2, this did an unrelated
(useless) thing.

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
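The two replies from Andrew Bartlett above boil down to two smb.conf checks: 'guest account' must name a real unprivileged user rather than the literal string NULL, and 'restrict anonymous' must be the integer 2 on a Samba 3.0 server that is neither a PDC nor a browse master (and is of no use on 2.2). The following is an added example, not code from this thread or from the Samba project: a small Python checker that parses the [global] section of an smb.conf text and reports exactly those problems. The two sample configs are constructed for the example (the first mirrors what James Trater suggested, the second follows Andrew's advice), and the checker's parsing rules are its own assumptions: it treats lines beginning with '#' or ';' as comments and matches parameter names ignoring case and whitespace, so both 'guestaccount' and 'guest account' are examined.

```python
"""Audit the [global] section of an smb.conf for the two settings discussed
in this thread: 'guest account' and 'restrict anonymous'.

Added example for illustration; not Samba project code.  The sample configs
below are constructed, and the checker's parsing rules are assumptions
(it ignores case and whitespace in parameter names, so 'guestaccount' and
'guest account' are both examined)."""

import re


def _norm(name: str) -> str:
    """Normalise a parameter name: drop whitespace, lowercase."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(conf: str) -> dict:
    """Return the parameters of the [global] section as a dict.

    Lines starting with '#' or ';' are comments; share sections are
    skipped because both parameters checked here are global-only."""
    params = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[_norm(key)] = value.strip()
    return params


def audit(conf: str, pdc_or_browsing: bool = False) -> list:
    """Return a list of findings; an empty list means nothing to report.

    pdc_or_browsing: True if this server is a PDC or provides browsing,
    in which case 'restrict anonymous = 2' would break those services
    (the caveat given in the thread)."""
    g = parse_global(conf)
    findings = []

    guest = g.get("guestaccount")
    if guest is not None and guest.upper() == "NULL":
        findings.append(
            "guest account is the literal string 'NULL'; "
            "set it to a real unprivileged user such as nobody")

    ra = g.get("restrictanonymous")
    if ra is None:
        findings.append(
            "restrict anonymous is not set; anonymous (null) sessions "
            "can connect to IPC$")
    elif not ra.isdigit():
        findings.append(
            f"restrict anonymous = {ra!r} is not an integer; "
            "Samba 3.0 expects 0, 1 or 2")
    elif int(ra) == 2 and pdc_or_browsing:
        findings.append(
            "restrict anonymous = 2 on a PDC or browsing server will "
            "break those services")
    elif int(ra) < 2 and not pdc_or_browsing:
        findings.append(
            "restrict anonymous < 2 on a non-PDC, non-browsing server; "
            "2 would refuse anonymous IPC$ connections")
    return findings


# Constructed sample: the settings James Trater suggested and Jonas applied.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   guestaccount = NULL
   restrict anonymous = yes

[myshare]
   path = /srv/myshare
   read only = no
"""

# Constructed sample following the advice in the thread, for a Samba 3.0
# server that is neither a PDC nor a browse master ('nobody' is assumed
# to be a valid local user).
HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   guest account = nobody
   restrict anonymous = 2

[myshare]
   path = /srv/myshare
   read only = no
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['no findings']}")
```

Run it against a real smb.conf with `audit(open("/etc/samba/smb.conf").read())`; pass `pdc_or_browsing=True` for a PDC or browse master so the checker warns about 'restrict anonymous = 2' instead of recommending it. The checker only reads the file; confirm the result on the live server by validating the file with testparm and then attempting an anonymous connection to IPC$ from another host.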
RE: [Samba] Results of nessus scan
James R. Trater wrote:
> Try setting:
> guestaccount = NULL
> and
> restrict anonymous = yes
> in your smb.conf
> I had the same problem, and this solved it for me.

Just for the records; it really did the trick.
Nessus reports nothing now!
RE: [Samba] Results of nessus scan
Try setting:

guestaccount = NULL
and
restrict anonymous = yes

in your smb.conf

I had the same problem, and this solved it for me.
[Samba] Results of nessus scan
I run samba 2.2.8a on my openbsd 3.4 box, installed from a package.
All I need is the ability to mount disks from winxp boxes so I only run
smbd, at 139/tcp.
I tried scanning the box with nessus, and it came up with some results
that got me curious.
Since I don't know very much about the smb protocol I thought I should
ask here.
Have searched the archives but found only old posts, concerning older
versions.

What's a NULL session? What are domain and host SID?
Nessus also suggests I'd limit the access to the $IPC share.
How can I limit this info disclosure?

127.0.0.1|netbios-ssn (139/tcp)|10397|INFO|Here is the browse list of
the remote host :
HOSTNAME -
This is potentially dangerous as this may help the attack of a potential
hacker by giving him extra targets to check for
Solution : filter incoming traffic to this port
Risk factor : Low

127.0.0.1|netbios-ssn (139/tcp)|10395|INFO|Here is the list of the SMB
shares of this host :
myshare -
IPC$ -
ADMIN$ -
This is potentially dangerous as this may help the attack of a potential
hacker. Solution : filter incoming traffic to this port
Risk factor : Medium

127.0.0.1|netbios-ssn (139/tcp)|10400|INFO|
The remote registry can be accessed remotely using the login / password
combination used for the SMB tests. Having the registry accessible to
the world is not a good thing as it gives extra knowledge to a hacker.
Solution : Apply service pack 3 if not done already, and set the key
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
to restrict what can be browsed by non administrators.
In addition to this, you should consider filtering incoming packets to
this port.
Risk factor : Low

127.0.0.1|netbios-ssn (139/tcp)|10859|INFO|The host SID can be obtained
remotely. Its value is :
HOSTNAME : 4-55-654367899-87557843444-56789446
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

127.0.0.1|netbios-ssn (139/tcp)|10398|INFO|The domain SID can be
obtained remotely. Its value is :
WORKGROUP : 45-0-0-0-0
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

127.0.0.1|netbios-ssn (139/tcp)|10394|REPORT|
. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access
To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will prevent
them from connecting to IPC$.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html.
All the smb tests will be done as ''/'whatever' in domain