Permissions or what!?! <: \

Joel Hammer Joel at HammersHome.com
Sat Nov 10 11:38:01 GMT 2001


The line below SHOULD keep out everyone, since 192.168.1. refers to hobby or
private networks, and they are not allowed out on the internet.
I am on the @HOME network. I suspect that @HOME is really one big
private network, however, and I do get requests from 192.169 ip's to
attach to my ports. I think those are scans by @HOME, but, I really can't
be sure.
You can configure your firewall device, whatever it is, to block requests to
ports 137, 138 and 139. In fact, you can tell the firewall device to block
everything < 1021 and that shouldn't affect you, unless you run mail servers, dns or
webservers.  You can also configure your firewall to exclude all requests
from ip's 192.168.1., since no legitimate requests should arrive with that ip
number to your firewall.
The nimda bug is a danger if one of your windows clients downloads it.
It can propagate quite nicely through a linux server to other windows
machines.
To let your linux server see the windows clients easily, I mount all the
windows clients in /mnt/NetWork with smbclient.
You can do this simple or be fancy. I have a convoluted script, which
depends in part on a linux  box finding a wins server. It is attached as a
plain text file.
Basically, it looks for the wins server, and then asks for the hosts known to
the wins server. The rest is scripting.
MASTER=`nmblookup WORKGROUP#1b`
smbclient -NL $MASTER  and you are off to the races.

The basic command to mount is:
smbmount //Computer/"Share Name" /mnt/NetWork/Computer/"Share Name" -o uid=jlh,gid=users,guest,rw,fmask=777 
Just make sure you have sharing enabled on your windows clients.
Joel





> Two questions though:
> 
> I assume that having this line allows everyone behind my firewall
> at home in to the system (along with your other lines) and that
> even though these ip addresses exist behind everybody's firewall
> that nobody can come into my samba server masqueraded as such -
> in other words -- only people in my house can come in with an
> ip address of below, correct?
> 
> hosts allow = 192.168.1. 127. 
> 
> also, when you talk about nimda, you're talking about protection
> from someone in my house who inadvertently caught the nimda bug,
> correct?  (I take this advice seriously, I opened up my port 80
> for 20 minutes once and got flooded with code red, so I shut it
> down to the internet at that point although my apache server was
> not vulnerable to it, it was quickly filling up my error log
> files.)
> 
> p.s.  what's an easy way like you've shown already to allow my
> linux samba host to see the directories on my samba win98 clients?
> 
> thanks again
> 
> Roleigh Martin
-------------- next part --------------
#!/bin/bash
# Look up the host that registered WORKGROUP<1b> (the browser the message
# calls the wins server) and keep its IP address.
MASTER=$(nmblookup WORKGROUP#1b | grep -i '<1b>' | cut -d" " -f1)
# MASTER=$(nmblookup -M '-' | grep  \<01\>  | cut -d" " -f1 )
# echo This is the master $MASTER
# for i in `/usr/local/bin/smbwho | tr -s " "  | egrep ^[0-9] | cut -d " " -f2` 
# First pass: create a mount-point directory for every server in the browse
# list. The sed script prints the lines under the "Server" heading up to the
# next blank line.
for i in $(smbclient -NL "$MASTER" | tr -d "\011" | tr -s " " | \
sed -n "{
/^Server/{
n
:loop
n
/^$/q
p
bloop
}
}" | cut -d" " -f1)
do
  echo "Checking out /mnt/NetWork/$i"
  [ -d "/mnt/NetWork/$i" ] || {
    mkdir "/mnt/NetWork/$i"
    chown jlh:users "/mnt/NetWork/$i"
    chmod 755 "/mnt/NetWork/$i"
    echo "Have created /mnt/NetWork/$i"
  }
  [ "$i" = "HAMMER2" ] && chmod 700 "/mnt/NetWork/$i"
done
# for i in `/usr/local/bin/smbwho | tr -s " "  | egrep ^[0-9] | cut -d " " -f2`
# Second pass: list the disk shares on each server and mount them.
for i in $(smbclient -NL "$MASTER" | tr -d "\011" | tr -s " " | \
sed -n "{
/^Server/{
n
:loop
n
/^$/q
p
bloop
}
}" | cut -d" " -f1)
do
  # Word splitting breaks a quoted share name such as "Share Name" into
  # pieces; $m accumulates the pieces until one ends with a closing quote.
  for j in `smbclient -L "$i" -N | grep Disk \
        | sed 's/Disk.*//' | tr -d '\011' | sed 's/ *$//' \
        | sed 's/.*/"&"/'`
  do
    l=""
    echo this is m $m
    echo This is k $k
    k="$m $j"
    # $l is empty while $k does not yet end in a double quote.
    l=`echo $k | sed 's/\(.*\)\([^"]\)$//'`
    if [ -z "$l" ]
    then
      m=$k
    else
      m=""
      n=`echo $k | sed 's/^ *//' | sed 's/"//g'`
      echo "Checking out /mnt/NetWork/$i/$n"
      [ -d "/mnt/NetWork/$i/$n" ] || mkdir "/mnt/NetWork/$i/$n"

      # Mount only if the share is not already in the mount table.
      t=`mount | sed -n "/\/mnt\/NetWork\/$i\/$n/p"`
      echo "$t"
      [ -z "$t" ] && {
        [ "$n" != 'printer$' ] && smbmount "//$i/$n" "/mnt/NetWork/$i/$n" -o uid=jlh,gid=users,guest,rw,fmask=777
        echo smbmount "//$i/$n" "/mnt/NetWork/$i/$n"
        chown jlh:users "/mnt/NetWork/$i/$n"
        chmod 755 "/mnt/NetWork/$i/$n"
      }
    fi
  done
done
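
Added example, not part of the original message or its attachment: a small shell model of the two checks discussed in the thread, the trailing-dot prefix match behind "hosts allow = 192.168.1. 127." and the firewall advice to drop LAN-sourced or port 137-139 traffic arriving from outside. The interface name eth0, the function names and the sample packets are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added illustration; not Joel's script.
EXT_IF="eth0"                  # assumed name of the internet-facing interface
HOSTS_ALLOW="192.168.1. 127."  # value quoted in the thread

# hosts_allow_match ADDR: succeed if ADDR begins with one of the trailing-dot
# prefixes in HOSTS_ALLOW (only this pattern form is handled here).
hosts_allow_match() {
  local addr=$1 pat
  for pat in $HOSTS_ALLOW; do
    case $pat in
      *.) if [ "${addr#"$pat"}" != "$addr" ]; then return 0; fi ;;
    esac
  done
  return 1
}

# firewall_verdict IFACE SRC DPORT: print DROP or PASS following the two
# firewall rules suggested in the message.
firewall_verdict() {
  local iface=$1 src=$2 dport=$3
  if [ "$iface" = "$EXT_IF" ]; then
    # A home-LAN or loopback source cannot legitimately arrive from outside;
    # Samba would trust it on the source address alone.
    if hosts_allow_match "$src"; then echo DROP; return; fi
    # The NetBIOS ports 137-139 are never offered to the internet.
    if [ "$dport" -ge 137 ] && [ "$dport" -le 139 ]; then echo DROP; return; fi
  fi
  echo PASS
}

# Constructed sample packets: interface, source address, destination port.
while read -r iface src dport; do
  if hosts_allow_match "$src"; then samba=allow; else samba=deny; fi
  printf '%-5s %-15s %-4s firewall=%s samba=%s\n' "$iface" "$src" "$dport" \
    "$(firewall_verdict "$iface" "$src" "$dport")" "$samba"
done <<'EOF'
eth1 192.168.1.20 139
eth0 192.168.1.20 139
eth0 192.169.4.7 139
eth0 192.168.10.5 80
EOF
```

The second sample line is the case the question asks about: the address passes hosts allow, so the firewall has to drop it before it reaches Samba.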
     

