[Samba] Security scan causing load on PDC to skyrocket
Robert M. Martel
bob at urban.csuohio.edu
Mon Jan 10 17:32:50 GMT 2005
Greetings,
This is not a problem with Samba as I see it but I am hoping that others
on the list have some ideas for working around the issue.
Our central computer services group scans all the campus networks using
Nessus and some custom rules to look for security problems.
What I am seeing within my college is my Samba PDC getting beat up when
the scans go through. They scan a block of PCs at the same time looking
for accounts w/o passwords. I see the load average skyrocket from a
nice, normal 1.x to 49 and above. The smblogs show many lines like the
following:
...
[2005/01/10 12:19:10, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [Guest] -> [Guest]
FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/10 12:19:11, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [Guest] -> [Guest]
FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/10 12:19:13, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [Guest] -> [Guest]
FAILED with error NT_STATUS_NO_SUCH_USER
...
I have Samba 3.10 on a Sun 420R running Solaris 9 as my PDC. At this
time the password back end on the PDC is plain old text smbpasswd file
as we've not had a chance to move it to something more sophisticated -
and we should because that has grown huge - which I am sure doesn't help
this situation.
Short of getting the central people to back off of their testing -
which they don't want to do for obvious reasons - does anyone have
thoughts on what I can do on my samba server to prevent this scanning
from turning into a denial of service attack?
Thanks
Bob Martel
--
***********************************************************************
Bob Martel, System Administrator
Levin College of Urban Affairs
Cleveland State University
(216) 687-2214
bob at urban.csuohio.edu

I met someone who looks a lot like you
She does the things you do
But she is an IBM
                                        -Jeff Lynne
***********************************************************************
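Added example (not part of the original post, and not Samba project code): a small Python parser for the check_ntlm_password failure records quoted above that reports the peak number of failed logons in a sliding window, the figure to line up against the load spikes. The sample log is constructed from the format shown in the post; the [alice] record and the window and threshold defaults are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\] \S+\(\d+\)$")
FAILED = re.compile(r"user \[(.*?)\] -> \[.*?\] FAILED with error (\S+)")

# Constructed sample in the format quoted in the post (alice record is made up).
SAMPLE_LOG = """\
[2005/01/10 12:19:10, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [Guest] -> [Guest]
  FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/10 12:19:11, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [Guest] -> [Guest]
  FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/10 12:19:13, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [Guest] -> [Guest] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/10 12:25:40, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

def parse_failures(log_text):
    """Return [(timestamp, user, status)] for every failed-logon record."""
    records = []
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:  # new record: timestamp plus an empty body
            records.append([datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), ""])
        elif records:  # continuation line: the message may wrap
            records[-1][1] += " " + line.strip()
    hits = ((ts, FAILED.search(body)) for ts, body in records)
    return [(ts, m.group(1), m.group(2)) for ts, m in hits if m]

def peak_burst(times, window_seconds=10):
    """Return (count, window_start) of the busiest sliding window."""
    times, best, start = sorted(times), (0, None), 0
    for end, t in enumerate(times):
        while t - times[start] >= timedelta(seconds=window_seconds):
            start += 1
        if end - start + 1 > best[0]:
            best = (end - start + 1, times[start])
    return best

def summarize(log_text, window_seconds=10, threshold=3):
    """Window and threshold are illustrative; tune them to the server."""
    failures = parse_failures(log_text)
    peak, since = peak_burst([ts for ts, _, _ in failures], window_seconds)
    return {"total": len(failures), "peak": peak, "peak_start": since,
            "burst": peak >= threshold,
            "by_user_status": Counter((u, s) for _, u, s in failures)}
```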