Security question about suspect logfile entries
Lutz Jaenicke
jaenicke at iee.TU-Berlin.DE
Wed Jun 3 15:50:05 GMT 1998
Hello,
in the last few days I found some entries in nmb.log on one of my servers:
process_node_status_request: status request for name *<00> from IP 195.232.44.190 on subnet REMOTE_BROADCAST_SUBNET - name not found.
(repeated many times)
The host on this IP is not exactly in my domain :-)
# nslookup
Default Name Server: localhost
Address: 127.0.0.1
> set type=PTR
> 195.232.44.190
Name Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
190.44.232.195.in-addr.arpa name = md24-190.mun.compuserve.com
Authoritative answers can be found from:
44.232.195.IN-ADDR.ARPA nameserver = ns1.compuserve.co.uk
44.232.195.IN-ADDR.ARPA nameserver = ns1.compuserve.de
ns1.compuserve.co.uk internet address = 195.232.1.4
ns1.compuserve.de internet address = 195.232.32.4
>exit
#
And now my question:
- Can I consider this an attack? I found exactly the same host accessing
pages from our http server (which is also the samba server) at the same time.
- I mask the access to our samba servers with our subnet data. This should
protect the data in my nmbd against such queries, shouldn't it? I have tried
with smbclient from some other subnet and couldn't receive any answer.
Best regards,
Lutz Jaenicke
--
Lutz Jaenicke Lutz.Jaenicke at iee.TU-Berlin.DE
TU Berlin http://www.iee.TU-Berlin.DE/personen/jaenicke/
Institut fuer Elektrische Energietechnik Tel. +49 30 314-24552
Einsteinufer 11, D-10587 Berlin Fax. +49 30 314-21133