Do I have a security problem => external IPs in samba logs?


(Ralf Jeckel) #1

NethServer Version: 7.5.1804 final with subscription
Module: Samba file server

Hi friends,

while I was cleaning up some directories, I found some log files in /var/log/samba with external IPs.

I’m using this server as a gateway/proxy/firewall with some shared folders. No service is exposed to red interface. Only openvpn has permission to red.

I’m using an external mailserver of my ISP.
So, why are there samba-logs with external IPs??
To investigate I increased log level to log level all in smb.conf temporarily.

For any suggestion I’d be very happy.

TIA Ralf


(Rob Bosch) #2

Did you open any of the logfiles? Looks like they all are empty (0 bytes)


(Ralf Jeckel) #3

Yes they are all empty.


(Marc) #4

Why those logs are created:

# log files split per-machine:
log file = /var/log/samba/log.%m

%m the NetBIOS name of the client machine

Why they are empty:

I’ve checked some of the IPs and they were blacklisted for abuse (port scan, unauthorized connection attempt on Port 445(SMB)…)
It’s weird and I wouldn’t expect this to work, but can you check if a log file is created on a failed connection attempt?
Do file creation dates match a firewall stop/restart?
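
One way to run the check asked for above, as an added example that is not part of the thread: it lists the per-client files produced by `log file = /var/log/samba/log.%m` whose name is an IP address outside the trusted networks, with size and modification time so they can be compared against firewall events. `TRUSTED_NETS` and the sample files in the demo are assumptions constructed for illustration.

```python
import ipaddress
import os
import tempfile
from datetime import datetime, timezone

# Assumption: green (LAN) and OpenVPN networks; replace with the real zones.
TRUSTED_NETS = ["192.168.1.0/24", "10.8.0.0/24"]


def external_client_logs(log_dir, trusted_nets=TRUSTED_NETS):
    """Return (ip, size_bytes, mtime_utc) for each log.<IP> file whose IP
    lies outside every trusted network, oldest modification first."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for entry in os.scandir(log_dir):
        if not entry.is_file() or not entry.name.startswith("log."):
            continue
        try:
            ip = ipaddress.ip_address(entry.name[len("log."):])
        except ValueError:
            continue  # log.smbd, log.<netbios-name>, rotated files, ...
        if any(ip.version == n.version and ip in n for n in nets):
            continue  # client inside a trusted zone
        st = entry.stat()
        mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
        hits.append((str(ip), st.st_size, mtime.isoformat(timespec="seconds")))
    # All timestamps are UTC in one format, so string order is time order.
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    # Constructed sample directory standing in for /var/log/samba.
    demo = tempfile.mkdtemp()
    for name, body in [("log.192.168.1.20", b""), ("log.203.0.113.7", b""),
                       ("log.smbd", b"startup\n"), ("log.ws01", b"")]:
        with open(os.path.join(demo, name), "wb") as fh:
            fh.write(body)
    for ip, size, mtime in external_client_logs(demo):
        note = "empty" if size == 0 else f"{size} bytes"
        print(f"{mtime}  {ip:<15}  {note}")
```

On the server itself, call `external_client_logs("/var/log/samba")` as root and compare the timestamps with the firewall log.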


(Ralf Jeckel) #5

Thank you for helping me.

No. File creation was random, but no firewall restart as far as I can say.

I’ll install samba audit. Maybe this module will give us some information.

I had a problem with a grandstream analogue adapter. It took the IP of the red interface within the green zone. Had some trouble identifying this. Maybe this led to some inconsistency with shorewall.


(Ralf Jeckel) #6

I think I found the reason for this issue. It was caused by 2 factors within a power fault.

  1. the grandstream took the IP of the red interface and was connected to a switch
  2. the switch lost its VLAN config with the power loss, and the ISP router is connected to that switch.

The result was that the grandstream exposed its interface to the internet directly. It’s an analogue fax adaptor which can’t handle smb, only SIP.
Although I’ve no clue how it got the external IP. Since I restored correct config on the devices no more external IPs are present in log files. I’ll close this as solved.
Thanks again @dnutan for your inputs.


(Rob Bosch) #8

Closed at TS request