At this moment Samba is using 100% CPU… what can I do to solve it? Reboot the server?
I did this, and the “issue” looks mitigated: systemctl -M nsdc restart samba
What can I check to see what happens?
Some info: this Proxmox/NS VM had been running for a lot of days. This past Tuesday I needed to shut it down because we had a hurricane alert; the next day it was started, and today I saw an update that I applied.
Package Arch Version Repository Size
Updating:
nethserver-dc x86_64 1.5.7-1.ns7 nethserver-updates 14 M
nethserver-mail-smarthost noarch 2.3.1-1.ns7 nethserver-updates 42 k
nethserver-mysql noarch 1.1.4-1.ns7 nethserver-updates 28 k
Transaction Summary
Upgrade 3 Packages
Total size: 14 M
Is this ok [y/d/N]: y
Running transaction
Updating : nethserver-mysql-1.1.4-1.ns7.noarch 1/6
Updating : nethserver-mail-smarthost-2.3.1-1.ns7.noarch 2/6
Updating : nethserver-dc-1.5.7-1.ns7.x86_64 3/6
Cleanup : nethserver-mysql-1.1.3-1.ns7.noarch 4/6
Cleanup : nethserver-mail-smarthost-2.3.0-1.ns7.noarch 5/6
Cleanup : nethserver-dc-1.5.6-1.ns7.x86_64 6/6
Verifying : nethserver-dc-1.5.7-1.ns7.x86_64 1/6
Verifying : nethserver-mail-smarthost-2.3.1-1.ns7.noarch 2/6
Verifying : nethserver-mysql-1.1.4-1.ns7.noarch 3/6
Verifying : nethserver-mysql-1.1.3-1.ns7.noarch 4/6
Verifying : nethserver-dc-1.5.6-1.ns7.x86_64 5/6
Verifying : nethserver-mail-smarthost-2.3.0-1.ns7.noarch 6/6
The “sad” thing is that at this moment there are just a few users/computers joined. I need to take time to migrate a lot more (+25) and move some files there.
I wonder if I need to be aware of something before trying our mass migration.
Thank you for the advice.
The logs look good (on NethServer); I need to check the Proxmox logs.
The firewall.log has lots of events, so I decided to enable the firewall on this VM (it was disabled) for the interface with the public IP. This NS gets a lot of log entries from the outside, but Shorewall:net2fw stops them all (hopefully).
The other service/add-on that has lots of events is “smbaudit”, but not every day; maybe when I was testing/checking the access/audit.
I haven’t read the logs on the Proxmox server, but checking the firewall logs I see an old (maybe XP) system (not joined yet) that is hammering the NS server:
The net use command, browsing network shares, or any other SMB-related command will make use of these services.
What are the security risks of having this service running, if any?
It’s often a necessary service to have running as it provides the backbone of a great deal of Windows network sharing services. I wouldn’t be concerned so much on it running as I would be concerned if it were exposed outside your network. I believe service enumeration and possible undocumented exploits are the two current risks. Because this is a remote procedure call service, it does have some of the same excitement as any application service – think of requests passed there in terms of a web query. They ask for a service (page) and pass certain relevant parameters (GET or POST options). Something on the service’s back-end runs and returns a result.
I don’t understand completely, so I will go on that PC just to be sure there is not something weird running on it. In the second link some comments scare me.
Some update:
After adding some machines and users, this past Monday I upgraded my Proxmox version, then yesterday I increased some resources for my NethServer VM: 10Gb RAM, 4 CPUs. The load is now pretty decent:
The firewall log still shows that XP (it is Vista) ringing bells on our NethServer.
For some reason or other the old XP/Vista PC is there; lucky me, today 4 new PCs arrived… time to get rid of that bugger.
I rebooted the server and the %CPU went down, but the logs still show it:
It was a Windows Vista machine; someone used and saved a user account “reserved only for us” with the password saved! That account is restricted but can open a lot of doors.
I changed the password, to detect whether any other users are using it.
The W. Vista was replaced with a new Windows 7 (not a joke).
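
An added example, not part of the original thread: one way to find which host is hitting the server's SMB/RPC ports from firewall.log, as done by eye in the posts above. The sample log lines, the addresses and the loc2fw chain name are constructed assumptions; only Shorewall:net2fw appears in the thread.

```python
import re
from collections import Counter

# Ports used by Windows RPC, NetBIOS and SMB file sharing.
SMB_PORTS = {135, 137, 138, 139, 445}

# Shorewall logs via the kernel: "Shorewall:<chain>:<action>:" then KEY=VALUE fields.
PREFIX_RE = re.compile(r"Shorewall:([^:\s]+):([^:\s]+):")
FIELD_RE = re.compile(r"\b(SRC|DPT)=(\S+)")

# Constructed sample lines (documentation addresses), not taken from the thread.
# "loc2fw" assumes the LAN zone is named "loc".
SAMPLE_LOG = """\
Sep 14 09:00:01 ns kernel: Shorewall:loc2fw:DROP:IN=eth0 OUT= MAC=00:11 SRC=192.0.2.50 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=1042 DPT=445 SYN
Sep 14 09:00:02 ns kernel: Shorewall:loc2fw:DROP:IN=eth0 OUT= MAC=00:11 SRC=192.0.2.50 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=1043 DPT=139 SYN
Sep 14 09:00:03 ns kernel: Shorewall:loc2fw:DROP:IN=eth0 OUT= MAC=00:11 SRC=192.0.2.50 DST=192.0.2.1 LEN=48 PROTO=TCP SPT=1044 DPT=445 SYN
Sep 14 09:00:04 ns kernel: Shorewall:loc2fw:DROP:IN=eth0 OUT= MAC=00:11 SRC=192.0.2.50 DST=192.0.2.1 LEN=78 PROTO=UDP SPT=137 DPT=137
Sep 14 09:00:05 ns kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:22 SRC=198.51.100.7 DST=203.0.113.9 LEN=52 PROTO=TCP SPT=50111 DPT=445 SYN
Sep 14 09:00:06 ns kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:22 SRC=198.51.100.7 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=50112 DPT=22 SYN
Sep 14 09:00:07 ns systemd: Started Session 12 of user root.
"""


def smb_talkers(log_text, ports=SMB_PORTS):
    """Count logged packets to SMB/RPC ports per (chain, source address)."""
    hits = Counter()
    for line in log_text.splitlines():
        prefix = PREFIX_RE.search(line)
        if not prefix:
            continue  # not a Shorewall entry
        fields = {}
        for key, value in FIELD_RE.findall(line):
            # ICMP error entries repeat fields for the embedded packet; keep the outer ones.
            fields.setdefault(key, value)
        dpt = fields.get("DPT", "")
        if "SRC" in fields and dpt.isdigit() and int(dpt) in ports:
            hits[(prefix.group(1), fields["SRC"])] += 1
    return hits


def noisy_sources(log_text, threshold=3):
    """Return (chain, source, count) for sources at or above the threshold, busiest first."""
    ranked = smb_talkers(log_text).most_common()
    return [(chain, src, n) for (chain, src), n in ranked if n >= threshold]


if __name__ == "__main__":
    for chain, src, count in noisy_sources(SAMPLE_LOG):
        print(f"{src} via {chain}: {count} SMB/RPC packets logged")
```

The chain name in each result shows whether the traffic came from outside (net2fw) or from another zone, which is the distinction that matters when the noisy host turns out to be on the local network.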