Hi, I also have a SUSE 8.1 with a Samba server on the net, and I haven't configured a firewall. What should I activate on the firewall with YAST? I am very new to this stuff, so I'd better prevent it now before someone damages all my work. Thanks, Jose

Anders Johansson wrote:
On Wednesday 23 April 2003 16:11, Matt Stamm wrote:
- No, this server was not behind a firewall. I'm still learning Linux (that's why I've kept most users off this system). I will definitely be learning firewall next. The system has no firewall and sits on a DSL line with a fixed IP address. I've since learned that that makes it a sitting duck for hacking ?!?!?!
To say the least :) It's never a good idea to put a live system on the internet until you have at least the basics down. And that goes triple for a system running samba, or any other type of file sharing.
- I don't believe it's a coworker because the two users are myself and one other coworker. The coworker uses Samba only from his Windows system. I've already talked to him, it's not him.
ok, it was just a thought. You should always start by eliminating the simple answers. I usually don't and frequently end up with egg on my face :)
I also noticed the following interesting entries in the log files...
in the "warn" log...
Apr 19 18:32:23 linux kernel: 199.170.68.4 sent an invalid ICMP error to a broadcast.
Apr 19 18:32:24 linux kernel: 199.170.68.4 sent an invalid ICMP error to a broadcast.
in the "messages" log...
Apr 19 23:16:24 linux useradd[3496]: new user: name=mailnull, uid=47, gid=100, home=/var/spool/mqueue, shell=/dev/null
Do these mean anything??
Well, it means a user has been added, which means that whoever was on your system on April 19 had root access. I would suggest a full reinstall. Take the machine off the internet as soon as possible, if you haven't already, back up any data you want to save, and do a full reinstall. Even if the person who cracked your machine wasn't very good (since you can read those lines in the log it means he didn't even try to clean up after himself), you still can't trust any programs on that machine.
And before you put the machine back on the net, get all security patches, and look at firewalls. Look twice at firewalls. And look at all passwords you use, to make sure you don't use simple words, or combinations of words. Passwords like that can be cracked very quickly. And don't put *any* services on the net which use plaintext passwords.
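A defender-side check for the kind of "messages" log entry discussed in this thread, added here as an example and not code from any poster: it parses useradd "new user" lines out of syslog text and flags any account that is not in an administrator-maintained baseline, noting uid 0 or a non-login shell as reasons for a closer look. The sample log lines and the KNOWN_ACCOUNTS baseline are constructed for the example.

```python
import re

# Constructed sample of syslog "messages" lines in the format quoted in the
# thread; these are not the poster's actual log entries.
SAMPLE_LOG = """\
Apr 19 18:02:11 linux sshd[2210]: Accepted password for matt from 10.0.0.5 port 1033 ssh2
Apr 19 23:16:24 linux useradd[3496]: new user: name=mailnull, uid=47, gid=100, home=/var/spool/mqueue, shell=/dev/null
Apr 20 08:45:02 linux useradd[4012]: new user: name=backup, uid=0, gid=0, home=/tmp, shell=/bin/bash
Apr 20 09:00:00 linux smbd[4100]: connection from 10.0.0.5
"""

# Hypothetical baseline: accounts the administrator knows were created deliberately.
KNOWN_ACCOUNTS = {"root", "matt", "jose"}

# Matches the shadow-utils useradd "new user" syslog line shown in the thread.
USERADD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) useradd\[\d+\]: new user: "
    r"name=(?P<name>[^,]+), uid=(?P<uid>\d+), gid=(?P<gid>\d+), "
    r"home=(?P<home>[^,]+), shell=(?P<shell>\S+)$"
)

def parse_useradd_events(log_text):
    """Return one dict per 'new user' line, with uid and gid converted to ints."""
    events = []
    for line in log_text.splitlines():
        m = USERADD_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["uid"] = int(ev["uid"])
            ev["gid"] = int(ev["gid"])
            events.append(ev)
    return events

def flag_unexpected_accounts(log_text, known=KNOWN_ACCOUNTS):
    """Flag account creations absent from the baseline, with reasons for follow-up."""
    findings = []
    for ev in parse_useradd_events(log_text):
        if ev["name"] in known:
            continue
        reasons = ["not in baseline"]
        if ev["uid"] == 0:
            reasons.append("uid 0 (root-equivalent)")
        if ev["shell"] in ("/dev/null", "/bin/false", "/sbin/nologin"):
            reasons.append("no login shell (service-style account)")
        findings.append({"ts": ev["ts"], "name": ev["name"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in flag_unexpected_accounts(SAMPLE_LOG):
        print(f"{f['ts']} {f['name']}: {', '.join(f['reasons'])}")
```

Any account the check flags needs to be matched against a change record (a package install, an administrator's own action); an addition nobody can account for is handled the way the thread advises, as evidence of root-level access.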