[Samba] Re: [Netatalk-admins] Netatalk connection on Samba machine account - security breach?

Thomas Kaiser Thomas.Kaiser at phg-online.de
Tue Jun 4 09:16:03 GMT 2002


On 04.06.2002 at 11:59, Andreas K. Huettel wrote:

> Now strangely I find in the logfiles logins on the appletalk service using one
> of these machine accounts (curlywurly$)! (see syslog below)

There were 3 attempts to fetch the volume list from the netatalk server
(PIDs 15109, 15110 and 15111) that used the login name "curlywurly$" but
didn't supply a correct password.

The connection attempts have been established over AppleTalk (do you allow
AFP over TCP connections, too? -- compare with your afpd.conf settings) and
the AFP client was capable of the newest User Authentication Method DHX.

> First thing I did was manually exclude the group "machines" (80) from any
> atalk connection.

I believe you mean afp connection? AppleTalk itself isn't that easy to
filter ;-)

> Now, should I worry about what happened?

I don't think so. Maybe on one of the PCs one of the students installed
PCMacLAN (an AppleTalk-capable AFP-client and -server) and played a bit
around in your LAN, trying to connect to different AFP servers.

> How can I find out more?

Run a 'nbplkup' on your linux box and search for occurrences of the given
net.node combination (2000.x in your examples). The net range of the client
leads me to believe that you have AppleTalk routing activated. In this case, you
must first find out in which zone you should search, or you just walk
thru all the zones available ;-)

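#!/bin/sh
# Walk every AppleTalk zone and list the NBP-registered entities in each.
# Zones are read line by line because zone names may contain spaces.
getzones | while IFS= read -r zone
do
        echo "Search for devices in zone \"$zone\":"
        nbplkup "@$zone" </dev/null
        echo
done
exit 0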

If you find the machine, then run either 'ServerInfo' on a Macintosh or
asip-status.pl to examine whether it is also an AFP server and will give you
its TCP/IP address as an answer to your FPGetSrvrInfo request:

    <http://www.macula.se/serverinfo/index.htm>
    <http://users.phg-online.de/tk/asip-status.pl.tgz>

Regards,

Thomas, who recommends upgrading to netatalk 1.5.3.1 --> 'semi-official'
SuSE-RPMs available at <ftp://ftp.suse.com/pub/people/olh/netatalk/1.5.0/>
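
Added example, not part of the original post: the zone walk above, extended to keep only the entries registered at a given net or net.node (such as the 2000.x address from the syslog). It assumes each nbplkup output line ends in "net.node:socket"; the function names, host names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: filter nbplkup output for one AppleTalk address.
# Assumption: every nbplkup line ends in a "net.node:socket" field.

# match_node NET[.NODE] ZONE -- reads nbplkup output on stdin and prints
# "zone<TAB>object:type<TAB>address" for entries at that net (and node).
match_node() {
    awk -v want="$1" -v zone="$2" '
        NF >= 2 {
            addr = $NF                   # last field: net.node:socket
            split(addr, a, ":")          # a[1] = net.node
            split(a[1], nn, ".")         # nn[1] = net, nn[2] = node
            # Appending "" forces string comparison, so node 4 never
            # matches node 40 (2000.4 equals 2000.40 as a number).
            exact  = ((a[1] "") == (want ""))
            byname = (index(want, ".") == 0 && (nn[1] "") == (want ""))
            if (exact || byname) {
                name = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)  # drop address field
                sub(/^[ \t]+/, "", name)               # drop left padding
                printf "%s\t%s\t%s\n", zone, name, addr
            }
        }'
}

# Walk all zones; needs netatalk's getzones and nbplkup on a live network.
search_all_zones() {
    getzones | while IFS= read -r zone
    do
        nbplkup "@$zone" </dev/null | match_node "$1" "$zone"
    done
}

# Constructed sample of nbplkup output, used when run without arguments.
sample_output() {
    cat <<'EOF'
                      pc-lab-07:Workstation                        2000.40:128
                      pc-lab-07:AFPServer                          2000.40:250
                  Lab Printer 2:LaserWriter                        1000.12:129
EOF
}

if [ $# -ge 1 ]; then
    search_all_zones "$1"
else
    sample_output | match_node 2000 "Lab"
fi
```

An AFPServer entry at the same address as the failed logins means the client machine also offers AFP itself, which is the case where ServerInfo or asip-status.pl can return its TCP/IP address.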




