
Re: is it rational to close the 139 port



On Sun, Jul 22, 2012 at 4:35 PM, Joe <joe@jretrading.com> wrote:
> On Sun, 22 Jul 2012 15:59:29 +0800
> lina <lina.lastname@gmail.com> wrote:
>
>> On Sun, Jul 22, 2012 at 3:49 PM, Andrei POPESCU
>> <andreimpopescu@gmail.com> wrote:
>> > On Du, 22 iul 12, 15:41:16, lina wrote:
>> >>
>> >> Thanks, I don't have a basic understanding of samba,
>> >> will read something about it.
>> >> Just a short quick question: is it necessary to keep it?
>> >
>> > Only you can tell since we don't know what you use/need.
>> I felt a bit silly to ask, and a bit annoyed with myself for knowing
>> so little.
>> There seems to be no need to share files with the outside.
>> I have rejected all inbound towards ports 139 and 445.
>>
>
> These ports should never be open to the Net, or any potentially hostile
> computers, as there is a great deal of activity by bots looking for open
> Windows shares.
>
> If this machine is part of a network which shares files using the
> Windows SMB protocol, and this machine hosts shares, then the ports
> need to be open to the other network machines. If it's a standalone
> computer, or doesn't host any shares, you don't need samba running at
> all, or even installed. If you need to access SMB shares on other
> machines, the client programs to do this do not need the main samba
> program to be installed.
>
> You should probably be working towards rejecting all incoming packets,
> and only explicitly permitting what you need. That way, you don't need
> to worry about samba ports or what the portmapper does, etc.
>
> If you can, run nmap from another network computer to see what ports are
> actually available, since netstat doesn't take iptables filtering into

Checked, now only 22 and 80 are open, with 443 closed.
Another thing is that nmap can scan my MAC address correctly.
Is it bad? (I guess I will feel comfortable if the MAC address is hidden.)

> account, and can worry you needlessly. If you have a standalone
> computer, Shields Up!! on the site http://grc.com will show ports open
> to the Internet, but it can do only very limited tests compared with
> nmap, and you must ignore all the dire warnings on the site, intended
> to panic Windows users into doing something to protect themselves.
>
> If for reasons above, you do need to run samba and allow access, the
> samba configuration allows you to specify IP addresses which have
> access. The configuration file is a bit of a beast, but the samba web
> administration tool (SWAT) takes away some of the pain. Iptables will
> also do this, of course, but as always, belt *and* braces... it is
> always embarrassing to discover that last time you were debugging a
> networking problem, you temporarily turned off iptables and forgot to
> re-enable it.
Samba has been purged. There are really HUGE things to learn.

Thanks again,

Best regards,
>
> --
> Joe
>
>
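
Added example, not part of the original thread: a small cross-check illustrating the point quoted above that netstat lists listeners without taking iptables filtering into account. The listener list and the iptables-save ruleset are constructed samples, and the rule model is a simplifying assumption: it reads only the filter INPUT chain with single-port `--dport` matches and ignores negation, port ranges, multiport and user-defined chains.

```python
import shlex

# Constructed sample: TCP ports that netstat would report as listening locally.
LISTENING = [22, 80, 139, 445, 631]

# Constructed sample in iptables-save format: default-deny INPUT chain.
RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j REJECT --reject-with tcp-reset
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def parse_input_chain(text):
    """Return (policy, rules); each rule is an {option: value} dict."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if line.startswith(":INPUT"):
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            opts = tok[2:]
            rules.append({o: v for o, v in zip(opts, opts[1:]) if o.startswith("-")})
    return policy, rules

def verdict(port, policy, rules):
    """Fate of a NEW TCP connection to `port` from an arbitrary remote host."""
    for r in rules:
        if "-i" in r or "-s" in r:        # interface- or source-restricted rule
            continue
        if "NEW" not in r.get("--ctstate", "NEW"):
            continue                      # matches only already-tracked flows
        if r.get("-p", "tcp") not in ("tcp", "all") or r.get("--dport", str(port)) != str(port):
            continue
        if r.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return r["-j"]                # first terminating match wins
    return policy                         # nothing matched: chain policy applies

def exposed(listening, ruleset):
    """Listening ports that an unrestricted remote host can actually reach."""
    policy, rules = parse_input_chain(ruleset)
    return [p for p in listening if verdict(p, policy, rules) == "ACCEPT"]

if __name__ == "__main__":
    print("listening:", LISTENING, "reachable from any host:", exposed(LISTENING, RULESET))
```

A scan from another machine, as suggested in the thread, remains the authoritative check; this only shows why the two views differ.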

