Security :: Unknown Entries In Samba Log
Nov 9, 2010
I have been getting the following in the samba section of the log watch report for the past few days. But don't know what it means.
[Code]....
and more. What does it mean? Does it mean any attempt to hack or is it some kind of status update? If this is not a threat and can be suppressed, how can I do this?
View 2 Replies
Feb 1, 2011
I have a (headless) Debian (Linux debian 2.6.26-2-486) system running on an old Pentium machine in our home network. I use it as a Samba share, among other things. I recently noticed some Samba log files whose origin I cannot explain. In /var/log/samba there are a couple of files like this one: /var/log/samba/log.istvan (Note: there is no machine named 'istvan' in my local network)
Code:
[2011/01/04 21:15:34, 1] smbd/service.c:make_connection_snum(1198)
istvan (::ffff:78.92.155.185) connect to service boeken initially as user nobody
[code]...
View 9 Replies
Jul 17, 2010
I want to use samba for file sharing like on a Windows home network. Actually they are all Linux machines but nfs is too complicated. On my host machine I installed samba and system-config-samba. I created a new share for /home, check marked writable and visible and put access to everybody. For preferences-->server settings--> security the "authentication mode" is set to user, encrypt passwords is no, and guest account is no guest account. Under preferences-->samba users I added myself as a user with the same windows user name as my Linux user name and the same password.
My client is a VirtualBox Fedora (used for testing purposes, but actual clients will be real computers on my home network). I entered the address smb://192.168.1.184. When asked for the user name and password I put my regular user name and password, since that was what I set in samba users. However, the password dialog keeps coming up and won't let me into my own computer. If I quit it says something like access is denied. How can I get my home network back? I liked this feature when my home computers ran XP, but I switched them to Fedora 12.
View 2 Replies
Mar 29, 2010
I got some entries in my auth log that I am puzzled by. What could be the cause? I was not using my machine at the time of the logging.
Code:
View 8 Replies
Jan 5, 2010
Like many (most?) home users, until now I've had my regular userid in sudoers as "ALL = (ALL) ALL". It occurs to me that, even though my machine has no open ports, this is probably not a good idea - just in case my firewall suddenly burns down. So, if my thinking is right on this, I'm wondering if there is a generally approved list of Cmnd_Alias entries? At this point, I've decided to only add entries as I use them, and to try to honestly appraise my need to do the entry as sudo, vs opening a virtual console as root. My root password is non-trivial.
View 3 Replies
May 23, 2011
CentOS 5.6 Server patched to latest, multiple name-based Apache virtual hosts, SELinux OFF. Everything was working fine until the other day. I've been making quite a lot of changes so it may well be something I've done, but I can't find out what! Last night I got the following in my logwatch:
Requests with error response codes
404 Not Found
/admin/phpmyadmin/scripts/setup.php: 1 Time(s)
/admin/pma/scripts/setup.php: 1 Time(s)
/admin/scripts/setup.php: 1 Time(s)
/db/scripts/setup.php: 1 Time(s)
/dbadmin/scripts/setup.php: 1 Time(s)
[Code]...
The problem is that NONE of my logs, secure, httpd, messages, NONE of them, show any trace of these hacking attempts. They used to show up in secure and apache error logs, but no longer.
View 2 Replies
Mar 30, 2011
I was just looking around and did a tail on my syslog and some strange entries came up:
[Code].....
I'm a Verizon customer in Maryland, USA running Linux at my home and I don't understand why named is looking at servers in France and Saudi Arabia. Am I just being paranoid?
View 6 Replies
Jun 30, 2010
I am running RedHat 9.0 on VMware on Windows XP. I have bridged the network card eth0 such that I can ping the host machine 192.168.45.67 and the Windows XP machines on my LAN.
I managed to set up the samba server on this Redhat 9.0, and I can see the netbios name on my Windows XP: Rhl machines. Now I want to reach the Windows machines via smbclient, but I get an IP address that is not on my network - 192.168.24.1. I did not set this IP address.
This is the message I get when I run smbclient so that I can reach the Windows machine when I am on Redhat:
# smbclient //machine name/name of user on windows machine
added interface ip=192.168.45.90 bcast=192.168.45.255 nmask=255.255.255.0
Got a positive name query response from 192.168.45.21 (192.168.24.1 192.168.249.1 192.168.45.21
error connecting to 192.168.24.1:139 (Network unreachable)
Error connecting to 192.168.24.1 (Network is unreachable)
Connection to machine name failed
#
My question is: where does the 192.168.24.1 IP address come from? Where must I look in order to remove it (in Linux or Windows XP)?
View 2 Replies
Jun 29, 2009
I run lastb every now and again to see who is trying to p0wn my box, and it dates back to November 08. How do I clear these entries so I can get a more up-to-date view? Or if you know a way I can do a 'more' or something so the IPs are not flying by, that would be cool too!
View 2 Replies
Oct 11, 2010
I've noticed on a couple of occasions that e-mail address auto-complete drop down lists have e-mail addresses in that I have never entered (!!) They all seem to be for people with the surname fenton at either gmail or hotmail. Is it likely that I have been hacked?
View 3 Replies
May 19, 2011
Anyone, I would like to ask if it is possible to change the entries of a file's inode table?
For example
Code...
I was wondering if I can change the entries in this inode table.
For example, I want to change the "Modify" entry? I want it to reflect the day 2009-05-19, for example.
Can I do it?
View 13 Replies
Feb 16, 2011
My Linux server which is running my company website has been hacked. Today I saw a number of clients (customers) with some fun character entries in my database, and access denied for real clients. Please assist; I am running Ubuntu Linux 9 and I don't know where to start troubleshooting this. Let me confess that I am still on the learning curve on Linux.
View 8 Replies
Sep 30, 2010
I'm on Debian Lenny. I've shared a folder in the GNOME GUI, then went to Win 7. I see my machine, SERVDEB01. When I click on it, I get the login popup. The workgroup set in samba is FILE-SHARING, so I log in with the following: FILE-SHARING\myuser and the password, and that's when I get the unknown username or bad password thing.
I had a look at /etc/samba/smb.conf: security = user is uncommented, and the shared folder appears at the end of the config file. In despair, I've also created an identical user on Win 7 and the Linux box. I've been into the Local Security Policies of Windows 7 and set NTLM to LM and NTLM (instead of NTLMv2). Here's my smb.conf in case it's needed.
[Code]....
View 4 Replies
Feb 25, 2009
How can I track IPsec module's operations? Can I find such a log file or entries in Linux?
View 1 Replies
Mar 19, 2010
I've got a samba share on a Linux server, connecting to it with a Windows 2k3 server via Tools > Map Network Drive. The goal is to be able to use Windows to change the security of the samba share. The good news is it works! The bad news is it's not QUITE perfect:
The share is called /company. I started with the following to give everyone access to everything, set the owner of the share to administrator (my domain admin on the Windows domain), and set the group owner to domain users (the group that everyone on the domain is part of):
Code:
chmod -R 777 /company
chown -R administrator /company
chgrp -R "domain users" /company
I then mapped the drive as a regular user and, of course, can access/modify/delete/rename/create anything I want. Then I picked a folder to lock down. Let's call it /company/myFolder. I did this on the Windows server by mapping the drive as administrator (the owner), right click > Properties > Security tab > Advanced > highlight "domain users" and "everyone" and click Edit > clear all (i.e. remove all access). Go back to Linux and
[Code]..
The only issue that remains is that I am able to rename/delete "myFolder" as a regular user. I thought this was coming from the "acl map full control = true" parameter in smb.conf, but I changed it to false and verified the change and it still happens. If I remove group and world write access to /company, I am no longer allowed to rename/delete myFolder, but then I can't create a new folder. If I add group write access back in I can create files but can also rename/delete folders within /company that have --- specified for group access. Any ideas what I need to tweak to make this right?
View 1 Replies
Mar 12, 2011
I started up my computer and suddenly I saw that there was a new user account. I didn't create it and no one else uses my computer (let alone has access to user account creation). It was called dtc. It didn't seem to have any privileges, and the only file in its home folder was called Examples. Should I worry that I might have some kind of malware? I deleted the user and the folder (and it came back after a while). Its main group is dtcgrp. The user ID is 1004.
View 2 Replies
Jul 18, 2010
I wouldn't call myself paranoid, but I do try to keep reasonably secure on my home network (WPA encryption, router firewall, etc.). I also occasionally use nmap to make sure I don't see any unknown computers logged into my network. The problem is I have five computers that all use DHCP on the network and they are not all up all of the time. At most, there are two to three online at any one time.
So, my question is: Do any of the IP addresses remain in the router's database for a computer that has gone offline (shutdown)?
The reason for my question is that today I ran nmap on my home network and noted an IP address that was not currently up on the network. It is, however, an address that is frequently assigned to one of the computers when it is online, but that address was not up at the time I ran nmap. Just trying to make sure my network is not being used by some nearby computer.
View 5 Replies
Jun 1, 2009
I just discovered that my server is sending a huge amount of data out at about 1 Mbps. My immediate thought was the Deluge BitTorrent client; however, it is supposedly not running (and a check confirmed its total active torrents was set to 0). I turned off the network and went into Firestarter to set the outbound traffic to restrictive, turned on the network again, and no more data was sent. A look in Firestarter / Events showed a long list of random ports being used (see further down). How can I identify what program is sending all the data?
In Firestarter it doesn't really say much more than the port. Not sure if it is some misconfigured program or a malware/virus. I just got my ADSL connected a few days ago, and before that I used mobile broadband (3G), as I had just relocated. During the period I used the 3G, the server might have been without a firewall for a few days, and it was also at this time I discovered an increase in network traffic (but I didn't really pay much attention at that time). I am running Fedora 10.
List of events from firestarter, my server is 192.168.1.100:
Time:Jun 1 16:48:12 Direction: Outbound In: Out:eth1 Port:39435 Source:192.168.1.100 Destination:58.208.xxx.56 Length:129 TOS:0x00 Protocol:UDP Service:Unknown
Time:Jun 1 16:48:12 Direction: Outbound In: Out:eth1 Port:6990 Source:192.168.1.100 Destination:112.94.xxx.212 Length:129 TOS:0x00 Protocol:UDP Service:Unknown
Time:Jun 1 16:48:12 Direction: Outbound In: Out:eth1 Port:2973 Source:192.168.1.100 Destination:118.93.42.xxx Length:129 TOS:0x00 Protocol:UDP Service:Svnetworks .....
View 2 Replies
Jun 10, 2011
Failed login attempts are logged to syslog with the user id or login id set to UNKNOWN_USER or UNSET. Anybody know if this is configurable? I would rather it just pass the actual id that the user used. Doesn't matter if it exists or not; I just want to know if someone is guessing at user names and what those user names are.
View 1 Replies
Oct 13, 2010
I have been working on Red Hat Linux for the last six months and learning it step by step, like configuring an FTP server, NFS, DNS and then an email server. I want to learn the squid server, but technically, before going into it, what do you suggest: should I first learn to configure Linux as a router or firewall machine, or do IP masquerading on a server? Because all these things are directly or indirectly involved in squid. So guide me, because before starting squid I may need to understand Linux iptables, how to add entries in it, how to delete entries. I think you understand the point I want to ask for guidance on.
View 4 Replies
Jan 2, 2010
This is a transcript I get emailed at least once every day, usually about 3 to 10 a day recently.
Transcript of session follows.
SMTP server: errors from unknown[ip address]
<boring stuff snipped>
In: RCPT TO: <server@my domain>
Out: 550 5.1.1 <server@my domain>: Recipient address rejected: User unknown in local recipient table
Session aborted, reason: lost connection
Now I cannot seem to find anything via Google, as when I put "server@" anywhere in the string, I just get web hosting or other kroomst. The emails usually come from legit places, usually hotels. Does this mean they are sending bad emails, i.e. they have a Trojan/worm, or is this a live hack attempt? I believe the latter, as I might get up to 3 domains from the one IP address, which is always NOT associated with the listed domain. Not causing me any issues, except I have been getting a lot recently.
View 4 Replies
May 5, 2010
I tried posting this before and I'm not sure what happened, but I don't think it worked, so if it did please forgive the double post. I am very, very new to CentOS and Linux in general. I just want to set up a test web server that more closely mirrors our actual web server that is hosted by Rackspace. I've installed CentOS and tried to set up Apache, PHP and MySQL from a guide on the web using yum. When I go to localhost in the web browser I'm able to see the default Apache page. However, when I create a PHP page it's just blank. When I look at the Apache error logs I get this: PHP Warning: Unknown: failed to open stream: Permission denied in Unknown on line 0
I've been searching a lot on the internet and I know the issue is permission related, but I don't know how to fix it. I've seen some forum posts that say you need to use the chmod 775 command on the /var/www/html folder. Currently when I do ls -l /var/www/html it returns
-rw------- 1 root root 19 May 5 13:16 index.php
-rw------- 1 root root 19 May 5 13:15 index.php~
I'm sure that this isn't correct, but like I said I don't know much about how to set permissions or who the owner needs to be. I've done a lot of searching and seen similar posts, but no one seems to explain it clearly.
View 2 Replies
Feb 18, 2010
I downloaded the TrueCrypt Linux version, giving me a file named truecrypt-6.3a-ubuntu-x86.tar.gz. I assume that's the archive. Double clicking on that produced the file truecrypt-6.3a-setup-ubuntu-x86. I assume that's the executable. When I try to run that, I get a "could not display ... unknown filetype" error. Could someone tell me what I'm doing wrong? I plan to run TrueCrypt under the easycrypt GUI.
View 9 Replies
Mar 18, 2011
I have in my hands a bunch of samba logs, about 24 different files, and I was wondering if there was a tool that would go through them and organize them into something readable. I had a gander at Sawmill.
View 2 Replies
Jun 10, 2010
Why does the following not work with ext3 or 4?
dd if=/dev/urandom of=/tmp/container.bin bs=1024 count=20000
sudo losetup /dev/loop2 /tmp/container.bin
sudo cryptsetup -c aes -s 256 --verify-passphrase luksFormat /dev/loop2[code].........
View 1 Replies
Jan 10, 2011
I have a question regarding Samba permissions. As the subject describes, is it possible to let users read a file but not copy the file physically? It's fine if they open it and copy-paste the contents, but no physical copy-paste, and I also need to log the activity of the users. If samba will not be able to comply with my needs, could you suggest some programs to meet my requirements?
View 3 Replies
Jul 17, 2010
Is it possible to secure a samba server with Kerberos? I want to know whether we can use Kerberos authentication to secure the samba user name and password so that no one can sniff that information. Any configuration, or a URL link from which I can get the exact configuration?
View 1 Replies
Nov 11, 2010
I have a removable USB drive formatted with NTFS. I enabled all the samba booleans in the SELinux GUI, but it still doesn't seem to work. If I put it on permissive it will work. What more is there that I need to do to get my directories to show up on samba with SELinux enabled?
View 2 Replies
Jan 28, 2010
I have been trying to get my Samba 3.x NAS to connect to my Windows XP laptop. I can see the server, though I cannot open it and see the shares. I have run various tests on the network and Samba (ping, smbclient), though I still cannot find why I can't connect.
I can access the NAS via webmin, so I am thinking I need the security or the services settings on the XP machine. Is there a list somewhere of the Windows XP services and security settings required to share files?
View 4 Replies
Apr 25, 2010
It's driving me nuts. Done a few things now, including this last: [URL] that didn't work. All the other comps in the house are Windows 7, and I want this box to be my file server, with two 1 TB HDDs plugged into it via USB, but I can't get the damn samba to allow access to everyone. Here's the path in the config file:
[data]
comment = Test sharing
path = /media/Shared
[code]....
View 6 Replies