
Re: OT: port scan



Lo, on Wednesday, November 29, brian moore did write:

> On Tue, Nov 28, 2000 at 05:38:12PM -0600, Richard Cobbe wrote:
> > 
> > Well, they can be.  Connections to TCP ports 137, 138, and 139 are part of
> > Windows file- and printer-sharing.  I don't know all that much about how
> > SMB works, but I'm fairly sure there are broadcasts to these ports
> > involved, primarily in setting up the Network Neighborhood.
> 
> Yes, and there are even worms for Windows that go probing looking for
> open SMB shares to write themselves into.
> 
> > So, if you happen to be on a network (like, say, a cable modem local loop)
> > with some Windows PCs that have file/print sharing turned on, these may not
> > represent a security problem.  (Well, for *you*, anyway.)
> 
> Or if you happen to be on a network 'near' (typically within a dozen
> /24's or so) of someone with one of the above worms running....

This doesn't surprise me in the least.  However:

1) I don't think there's really any way to distinguish one of these worms
   from a legit SMB broadcast, at least not with the level of detail that
   ipchains logging gives you.  (I'm not even sure that a packet
   sniffer/protocol analyzer like ethereal would allow you to distinguish
   between the two, but then I don't know anything about the details of the
   SMB protocol.)

2) This could only affect a Linux user if they've got samba installed and
   running on their machine.  Since they would have to have some sort of
   ipchains firewalling stuff to get the logs in the first place, then
   blocking SMB traffic to/from the outside world is trivial.  (This is why
   I claimed that such probes were not necessarily a security problem for a
   Linux machine---Windows machines are another story altogether.)

I can't think of any legitimate reason to allow SMB traffic to/from the
outside world.  VPNs are fine, but that's different.

Richard
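As an added example (not part of the original thread), here is a small Python triage script that sorts ipchains log hits on ports 137, 138 and 139 into local broadcasts, local unicast packets and packets arriving from outside the local netblock. The log lines are constructed and follow the ipchains kernel "Packet log:" format; the local netblock and the classification labels are my own assumptions. It can only separate traffic by addresses, not tell a worm from a legitimate client, which is exactly the limitation point 1 above describes.

```python
import ipaddress
import re

# Constructed sample lines in the ipchains kernel log format:
# "Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ..."
SAMPLE_LOG = """\
Packet log: input DENY eth0 PROTO=17 192.168.1.5:138 192.168.1.255:138 L=229 S=0x00 I=35328 F=0x0000 T=128 (#3)
Packet log: input DENY eth0 PROTO=17 192.168.1.7:137 192.168.1.255:137 L=78 S=0x00 I=2211 F=0x0000 T=128 (#3)
Packet log: input DENY eth0 PROTO=6 203.0.113.44:3421 192.168.1.5:139 L=48 S=0x00 I=5120 F=0x4000 T=112 (#4)
Packet log: input DENY eth0 PROTO=6 203.0.113.44:3422 192.168.1.9:139 L=48 S=0x00 I=5121 F=0x4000 T=112 (#4)
Packet log: input DENY eth0 PROTO=6 198.51.100.2:1034 192.168.1.5:22 L=48 S=0x00 I=9 F=0x4000 T=51 (#6)
"""

SMB_PORTS = {137, 138, 139}  # NetBIOS name/datagram service and SMB session port
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def classify(line, local_cidr="192.168.1.0/24"):
    """Label an SMB-port hit as 'local-broadcast', 'local-unicast' or 'external-probe'.

    Returns None for lines that do not parse or do not target ports 137-139.
    The label is based purely on addresses; payload is not available in ipchains logs.
    """
    m = LINE_RE.search(line)
    if not m or int(m["dport"]) not in SMB_PORTS:
        return None
    local_net = ipaddress.ip_network(local_cidr)
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    if src in local_net:
        return "local-broadcast" if dst == local_net.broadcast_address else "local-unicast"
    return "external-probe"


def summarize(log_text, local_cidr="192.168.1.0/24"):
    """Count SMB-port hits per label and list the outside sources that touched SMB ports."""
    counts = {}
    external_sources = set()
    for line in log_text.splitlines():
        kind = classify(line, local_cidr)
        if kind is None:
            continue
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "external-probe":
            external_sources.add(LINE_RE.search(line)["src"])
    return counts, sorted(external_sources)
```

Anything in the "external-probe" bucket is traffic the post argues has no legitimate reason to reach the box from outside and is the candidate for an outright block rule.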
