> On 20/04/10 19:14, Daniel Case wrote:
>
> > Never, ever leave Samba open without due care and attention. All too
> > often I see people telling others to install Samba without warning them
> > of the possible implications. Many people
> > are quite lazy and, instead of setting everything up, will just check
> > the "Allow guest access" button.
> > What I wasn't aware of is the fact that it broadcasts on Port 139, went
> > straight through my router's firewall and allowed everyone on the
> > internet to access my entire home folder.
I'd add to this that correct firewall configuration is rarely applied in the
majority of cases. Many domestic routers tout the ability to "firewall" traffic
but in actual fact are just glorified routers with NAT. A full firewall allows
the securing of outbound traffic as well, and a default deny policy should
always be used. That way, if anything on the internal network breaches these
rules then it can be noticed and investigated accordingly. In some cases it is
possible and acceptable to log accepted traffic as well.

Windows boxes will also broadcast on 137 and 445.

In your case I'm not sure how this broadcast traffic has actually hit the
internet and exposed a vulnerability. The purpose of subnetting means that
broadcast traffic only goes to machines within the same subnet. For example, a
broadcast packet (sent to 192.168.1.255) on the network 192.168.1.0/24 could
not technically hit 192.168.2.1 even if it was connected to the same physical
switch.

I'd suggest that the problem is probably that the machine was within a DMZ or
connected directly (bridged or via a modem) to allow a compromise to take place.
P
--
Sent from my Nokia N900
--
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.ubuntu.com/UKTeam/
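
A check for the exposure discussed in this thread, as an added example that is not part of the original messages: it parses `ss -H -tuln` output and reports listeners on ports 137, 139 and 445 that are bound to every interface or to a public address rather than to a LAN address. The sample output is constructed and the function names are hypothetical.

```python
import ipaddress

# Ports named in the thread: NetBIOS name service, NetBIOS session, SMB over TCP.
SMB_PORTS = {137, 139, 445}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS = """\
udp UNCONN 0 0 0.0.0.0:137 0.0.0.0:*
udp UNCONN 0 0 192.168.1.10:137 0.0.0.0:*
tcp LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
tcp LISTEN 0 50 192.168.1.10%eth0:445 0.0.0.0:*
tcp LISTEN 0 50 [::]:445 [::]:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def split_local(field):
    """Split ss's 'Local Address:Port' column into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    return addr, int(port)

def scope(addr):
    """Classify the bind address: 'all', 'loopback', 'private' or 'public'."""
    if addr == "*":
        return "all"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 or :: means every interface
        return "all"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"

def smb_listeners(ss_output):
    """Return (proto, addr, port, scope) for every SMB/NetBIOS listener."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[4].rpartition(":")[2].isdigit():
            continue  # header, blank or malformed line
        addr, port = split_local(cols[4])
        if port in SMB_PORTS:
            found.append((cols[0], addr, port, scope(addr)))
    return found

def exposed(ss_output):
    """Listeners reachable on every interface or on a public address."""
    return [l for l in smb_listeners(ss_output) if l[3] in ("all", "public")]
```

On a host with a directly connected or bridged WAN interface, any entry returned by `exposed()` is one that only a firewall rule stands in front of.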