Samba Shares

HazyDaze · August 9, 2007, 10:46am

I may be alone in this, but I operate a Samba share on a linux box on a different network. When I try to access the share Comodo informs me that there is a TCP port scan and blocks access. I can get round this by increasing the port scan rate to 500/sec, but ideally I would like to make the Samba share IP address an exception to the port scan rule.

Rules which govern this are:

IP allow IN XX.XX.XX.XX ANY ANY
TCP/UDP allow IN XX.XX.XX.XX ANY ANY

I realise that this is relatively insecure and will tighten up these rules, but I wanted to make sure that I was not blocking Samba

The log entry is

Date/Time :2007-08-09 10:42:49
Severity :High
Reporter :Network Monitor
Description: TCP Port Scan
Attacker: XX.XX.XX.XX
Ports: 30724, 21508, 22020, 22276, 22788, 23044, 23556, 23812, 24324, 24580, 25092, 25348, 25860, 26116, 26628, 26884, 27396, 27652, 28164, 28420, 28932, 29188, 29700, 29956, 30468, 43605, 43605, 21994, 21930, 43605, 43605, 21930, 21930, 43605, 44637, 21930, 21930, 43601, 43605, 21930, 21930, 43605, 43605, 21930, 21674, 21930, 21915, 43605, 35413, 21930
The attacker has been temporarily blocked

Any suggestions other than what I have done?

panic · August 9, 2007, 11:46am

G’day hazy daze and welcome to the forums.

Unfortunately the post scan rate is a global setting and cannot be fine tuned for an individual service or device. The port scans you’re seeing are almost identical to the scans done by the Netgear (and several other makes) NAS devices. Why they need to do a UDP scan is anybody’s guess, but it seems to be fairly typical of this type of device. The propsed scan rate of 500 works for Netgear devices, so I’d start there and see how tight you can make it without it registering as a flood.

Your rules are definitely too loose - waaay too loose. The samba - to - xp share should only require ports 137 TCP, 138 TCP, 139 TCP and possibly 445 TCP, depending upon the config of your server.

I’d recommend that you tighten the rules immediately, as the IP ANY IN and the TCP/UDP IN ANY rules expose your PC to the rest of the world.

Hope this helps,
Ewen

HazyDaze · August 11, 2007, 4:00pm

Thanks for your help, panic. I thought it might be that way. I didn’t think the rules were that bad as they do restrict the input so that it comes from only the one IP address and that particular address is behind a shorewall firewall.

Once again, thanks.

panic · August 12, 2007, 12:19am

Mea culpa. The XX.XX.XX.XX just didn’t register - all my tired old eyes recognised was the ANY ANY and immediately went into brainfart mode.

Ewen