[cobalt-users] Re: IPchains - Firewall - block samba - was Mailscanner for RAQ3/4 pkg available

["Steve Bassi" <steve@xxxxxxxxx>]

As an after thought, if you are not familiar with firewall scripts then I
suggest
http://www.pointman.org/PMFirewall/

They have a neat script that asks you simple questions and creates a
reasonable firewall.

Part of the script asks if you want to block Samba (ports 137 and 138)

Worth having a look at.


Rgds


Bassi

----- Original Message -----
From: "Steve Bassi" <steve@xxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Thursday, July 18, 2002 3:17 PM
Subject: Re: [cobalt-users] Mailscanner for RAQ3/4 pkg available


>
> > It seems someone's box at our host may be compromised as we are getting
> 10-20 rejections (input) written in the log every second
> > (with ipchains on) from 1 IP. Unless there is a another explanation for
> accessing port 137/138?
> >
>
> This is samba and is quite normal.
>
> If you add the following to your firewall script, it should stop it.
>
> $IPC -A input -p tcp -s 0/0 -d 0/0 137:139 -j DENY
> $IPC -A input -p udp -s 0/0 -d 0/0 137:139 -j DENY
>
> to block the IP, if you want to (although it is doing nothing wrong.
>
> /sbin/ipchains -I input -s [IP here] -j DENY -l
> Then add the following to the bottom of /etc/rc.d/rc.local , so you dont
> loose it on reboot
> /sbin/ipchains -I input -s [IP here] -j DENY -l
>
>
> I am assuming you have a firewall script, if not I can let you have a copy
> of mine to amend.
>
> Rgds
>
> Bassi
>
>
>
>
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
>