[Samba] Security scan causing load on PDC to skyrocket

Robert M. Martel bob at urban.csuohio.edu
Mon Jan 10 17:32:50 GMT 2005


Greetings,

This is not a problem with Samba as I see it but I am hoping that others 
on the list have some ideas for working around the issue.

Our central computer services group scans all the campus networks using 
Nessus and some custom rules to look for security problems.

What I am seeing within my college is my Samba PDC getting beat up when 
the scans go through.  They scan a block of PCs at the same time looking 
for accounts w/o passwords.  I see the load average skyrocket from a 
nice, normal 1.x to 49 and above.  The smblogs show many lines like the 
following:

...
[2005/01/10 12:19:10, 2] auth/auth.c:check_ntlm_password(312)
   check_ntlm_password:  Authentication for user [Guest] -> [Guest] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/10 12:19:11, 2] auth/auth.c:check_ntlm_password(312)
   check_ntlm_password:  Authentication for user [Guest] -> [Guest] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/10 12:19:13, 2] auth/auth.c:check_ntlm_password(312)
   check_ntlm_password:  Authentication for user [Guest] -> [Guest] FAILED with error NT_STATUS_NO_SUCH_USER
...


I have Samba 3.10 on a Sun 420R running Solaris 9 as my PDC.  At this 
time the password back end on the PDC is plain old text smbpasswd file 
as we've not had a chance to move it to something more sophisticated - 
and we should because that has grown huge - which I am sure doesn't help 
this situation.

Short of getting the central people to back off of their testing - 
which they don't want to do for obvious reasons - does anyone have 
thoughts on what I can do on my Samba server to prevent this scanning 
from turning into a denial of service attack?

Thanks
Bob Martel
-- 
***********************************************************************
Bob Martel,System Administrator  I met someone who looks a lot like you
Levin College of Urban Affairs   She does the things you do
Cleveland State University       But she is an IBM
(216) 687-2214
bob at urban.csuohio.edu                                -Jeff Lynne
***********************************************************************
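
Added example, not part of the original post: a small Python parser for the check_ntlm_password failure entries quoted above, counting failures per minute, user and status so a scan burst can be told apart from ordinary failed logons. The function names, the threshold and the fourth sample entry are assumptions made for illustration; the lines shown in the post carry no client address, so none is used.

```python
import re
from collections import Counter
from datetime import datetime

# Entry header, e.g. "[2005/01/10 12:19:10, 2] auth/auth.c:check_ntlm_password(312)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\] ")
FAILURE = re.compile(
    r"Authentication for user \[([^\]]*)\] -> \[[^\]]*\] FAILED with error (\S+)")

def parse_failures(lines):
    """Yield (timestamp, user, status) for every failed-authentication entry.

    An entry is a header line plus its continuation lines; the continuation
    lines are joined first, so a message wrapped by a mailer still matches."""
    stamp, body = None, []

    def flush():
        m = FAILURE.search(" ".join(body)) if stamp else None
        if m:
            yield datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S"), m.group(1), m.group(2)

    for line in lines:
        h = HEADER.match(line)
        if h:
            yield from flush()          # close the previous entry
            stamp, body = h.group(1), []
        elif stamp:
            body.append(line.strip())
    yield from flush()                  # close the last entry

def bursts(lines, threshold=3):
    """Return {(minute, user, status): count} where count >= threshold.

    threshold=3 suits the tiny sample only; tune it to the server's baseline."""
    counts = Counter()
    for ts, user, status in parse_failures(lines):
        counts[(ts.strftime("%Y-%m-%d %H:%M"), user, status)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample: three entries as quoted in the post (wrapped as mailed)
# plus one invented entry for a hypothetical user "alice".
SAMPLE = """...
[2005/01/10 12:19:10, 2] auth/auth.c:check_ntlm_password(312)
   check_ntlm_password:  Authentication for user [Guest] -> [Guest]
FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/10 12:19:11, 2] auth/auth.c:check_ntlm_password(312)
   check_ntlm_password:  Authentication for user [Guest] -> [Guest]
FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/10 12:19:13, 2] auth/auth.c:check_ntlm_password(312)
   check_ntlm_password:  Authentication for user [Guest] -> [Guest]
FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/10 12:21:40, 2] auth/auth.c:check_ntlm_password(312)
   check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_WRONG_PASSWORD
"""
```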

