This is a discussion on [Samba] Nessus test issues with open shares within the Samba forums, part of the Networking and Network Related category.
Hi,

My name is Joseph Villa, I'm new to the message boards and I'm also new to Samba. I just got an e-mail back on our Nessus scans. Here are the 2 that are relevant.

1.) The remote host has accessible LOGS$ share.

ScriptLogic creates this share to store the logs, but does not properly set the permissions on it. As a result, anyone can use it to read the remote logs.

Solution: Limit access to this share to the backup account and the Domain Administrator.

2.) Backup share can be accessed without authentication.

The remote host has an accessible ARCSERVE$ share.

Several versions of ARCserve store the backup agent username and password in cleartext in this share. An attacker may use this flaw to obtain the password file of the remote backup agent and use it to gain privileges on the host.

Solution is to limit the access to this share to backup account and domain administrator.

Both of these are off of our Sun server running Solaris 10 as the OS. I'm thinking both directories are being shared via Samba, although there is much I don't know about this system. Has anyone out there run into the same issue?

Thanks,
Joseph P Villa, IT Services
USGS Mounds View, MN

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
On Wed, May 28, 2008 at 12:58:12PM -0400, Joseph P Villa wrote:
> Hi,
>
> My name is Joseph Villa, I'm new to the message boards and I'm also new to
> Samba. I just got an e-mail back on our Nessus scans. Here are the 2 that
> are relevant.
>
> 1.) The remote host has accessible LOGS$ share.
>
> ScriptLogic creates this share to store the logs, but does not properly
> set the permissions on it. As a result, anyone
> can use it to read the remote logs.
>
> Solution: Limit access to this share to the backup account and the Domain
> Administrator.
>
> 2.) Backup share can be accessed without authentication.
>
> The remote host has an accessible ARCSERVE$ share.
>
> Several versions of ARCserve store the backup agent username and password
> in cleartext in this share.
> An attacker may use this flaw to obtain the password file of the remote
> backup agent and use it to gain privileges on the host.
>
> Solution is to limit the access to this share to backup account and domain
> administrator.
>
> Both of these are off of our Sun server running Solaris 10 as the OS. I'm
> thinking both directories are being shared via Samba. Although
> there is much I don't know about this system. Has anyone out there run
> into the same issue?

Post your smb.conf so we can see what shares you have defined.

Jeremy.
There were a few things that I needed to blot out (I used #'s to blot out the areas that I shouldn't be showing), but here it is! Thanks for all of your help!

# Samba 3.0.23C Global parameters 09/26/06
# WINBIND removed
[global]
## Configured with /usr/local/samba/bin/config_samba
workgroup = GS
security = domain
encrypt passwords = yes
password server = ####
wins server = ####
allow hosts = .gs.doi.net .usgs.gov
##
## Disable Browsing Services
os level = 0
preferred master = no
domain master = no
local master = no
## Please set netbios name to GS naming standard
## example: netbios name = IGS##########
## Pre-stage (create) this computer account in Active Directory before
## joining to domain
netbios name = igs###########
## server string = NAME
username map = /usr/local/samba/lib/users.map
password level = 2
printcap name = /usr/local/samba/lib/printers
preload = homes printers
default service = tmp
message command = csh -c 'xedit %s;rm %s' &
NIS homedir = Yes
print command = lp -c -o nobanner -d%p %s; rm %s
## Use a separate log file for each machine
log file = /usr/local/samba/var/log.smbd
## Put a cap on the size of the log files (in Kb).
max log size = 50
map archive = no
## Performance Parameters
log level = 1
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=16834 SO_RCVBUF=16834 SO_KEEPALIVE
read raw = yes
write raw = yes
max xmit = 65535
getwd cache = yes
## Recommended Security Setting
Restrict anonymous = yes
allow trusted domains = no
client use spnego = yes
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
ldap ssl = no
## File Oplock Settings can be set globally although should be set at the
## share level depending if you are having problems with Excel or other
## applications not saving properly.
## oplocks = no
## level 2 oplocks = no
# Home Section Samba User home directories are automatically mapped
[homes]
comment = Home Directories
path = %H
read only = No
create mask = 0664
directory mask = 0775
hide dot files = No
## File Oplock Settings
oplocks = no
level 2 oplocks = no
# Printer Section used to list available UNIX printers
[printers]
comment = All Printers
path = /tmp
username = %U
create mask = 0700
guest ok = Yes
print ok = Yes
domain master = no
local master = no
## Please set netbios name to GS naming standard
## example: netbios name = IGS########
## Pre-stage (create) this computer account in Active Directory before
## joining to domain
netbios name = igs###########
## server string = NAME
username map = /usr/local/samba/lib/users.map
password level = 2
printcap name = /usr/local/samba/lib/printers
preload = homes printers
default service = tmp
message command = csh -c 'xedit %s;rm %s' &
NIS homedir = Yes
print command = lp -c -o nobanner -d%p %s; rm %s
## Use a separate log file for each machine
log file = /usr/local/samba/var/log.smbd
## Put a cap on the size of the log files (in Kb).
max log size = 50
map archive = no
## Performance Parameters
log level = 1
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=16834 SO_RCVBUF=16834 SO_KEEPALIVE
read raw = yes
write raw = yes
max xmit = 65535
getwd cache = yes
# Samba 3.0.23C Global parameters 09/26/06
# WINBIND removed
[global]
## Configured with /usr/local/samba/bin/config_samba
workgroup = GS
security = domain
encrypt passwords = yes
password server = igsbccidc01 *
wins server = #####
allow hosts = .gs.doi.net .usgs.gov
##
## Disable Browsing Services
os level = 0
preferred master = no
domain master = no
local master = no
## Please set netbios name to GS naming standard
## example: netbios name = IGS########
## Pre-stage (create) this computer account in Active Directory before
## joining to domain
netbios name = igs##########
## server string = NAME
username map = /usr/local/samba/lib/users.map
password level = 2
printcap name = /usr/local/samba/lib/printers
# Samba 3.0.23C Global parameters 09/26/06
# WINBIND removed
[global]
## Configured with /usr/local/samba/bin/config_samba
workgroup = GS
security = domain
encrypt passwords = yes
password server = igsbccidc01 *
wins server = #####
allow hosts = .gs.doi.net .usgs.gov
##
## Disable Browsing Services
os level = 0
preferred master = no
domain master = no
# Samba 3.0.23C Global parameters 09/26/06
# WINBIND removed
[global]
## Configured with /usr/local/samba/bin/config_samba
workgroup = GS
security = domain
encrypt passwords = yes
password server = #####
wins server = #####
allow hosts = .gs.doi.net .usgs.gov
##
## Disable Browsing Services
os level = 0
preferred master = no
domain master = no
local master = no
## Please set netbios name to GS naming standard
## example: netbios name = IGSKIACIFS001
## Pre-stage (create) this computer account in Active Directory before
## joining to domain
netbios name = igs###########
## server string = NAME
username map = /usr/local/samba/lib/users.map
password level = 2
printcap name = /usr/local/samba/lib/printers
preload = homes printers
default service = tmp
message command = csh -c 'xedit %s;rm %s' &
NIS homedir = Yes
print command = lp -c -o nobanner -d%p %s; rm %s
## Use a separate log file for each machine
log file = /usr/local/samba/var/log.smbd
## Put a cap on the size of the log files (in Kb).
max log size = 50
map archive = no
## Performance Parameters
log level = 1
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=16834 SO_RCVBUF=16834 SO_KEEPALIVE
read raw = yes
write raw = yes
max xmit = 65535
getwd cache = yes
## Recommended Security Setting
Restrict anonymous = yes
allow trusted domains = no
client use spnego = yes
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
ldap ssl = no
## File Oplock Settings can be set globally although should be set at the
## share level depending if you are having problems with Excel or other
## applications not saving properly.
## oplocks = no
## level 2 oplocks = no
# Home Section Samba User home directories are automatically mapped
[homes]
comment = Home Directories
path = %H
read only = No
create mask = 0664
directory mask = 0775
hide dot files = No
## File Oplock Settings
oplocks = no
level 2 oplocks = no
# Printer Section used to list available UNIX printers
[printers]
comment = All Printers
path = /tmp
username = %U
create mask = 0700
guest ok = Yes
print ok = Yes

Joseph P Villa, IT Services
USGS Mounds View, MN
I think something went wrong here (at least I hope you don't have 4 global sections).

Joseph P Villa wrote:
> <snip>
>
> ...
> [global]
> ...
> [global]
> ...
> [global]
> ...
> [global]
> ...
> Joseph P Villa, IT Services
> USGS Mounds View, MN
>
> <snip>

Also this doesn't mention LOGS$ or ARCSERVE$.

Michael Heydon - IT Administrator
michaelh@jaswin.com.au
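A small defender-side check, added here and not part of the thread, that does by script what Jeremy and Michael did by eye: parse an smb.conf, report whether the share names Nessus flagged (LOGS$, ARCSERVE$) are defined in it at all, and list every share that allows guest access without a 'valid users' restriction. The sample config is constructed to resemble the one posted above; the LOGS$ section in it is hypothetical and shows what a definition limited to the backup account looks like.

```python
import re

# Constructed sample modelled on the smb.conf posted in the thread, plus a
# hypothetical LOGS$ share to show what a restricted definition looks like.
SAMPLE = """\
[global]
workgroup = GS
security = domain
Restrict anonymous = yes
[printers]
comment = All Printers
path = /tmp
guest ok = Yes
[LOGS$]
path = /var/log/scriptlogic
guest ok = yes
valid users = @backup, administrator
"""


def parse_smb_conf(text):
    """Map section -> {key: value}. Samba ignores case and whitespace in
    parameter names ('Restrict anonymous' -> 'restrictanonymous'); a
    repeated [section] is merged into the first one here."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            conf.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def audit_shares(text, flagged=("logs$", "arcserve$")):
    """Return (defined, guest_open): which scanner-reported share names this
    smb.conf defines, and which shares allow guest access ('guest ok' or its
    synonym 'public') without a 'valid users' restriction."""
    conf = parse_smb_conf(text)
    yes = lambda v: v is not None and v.lower() in ("yes", "true", "1")
    defined = [name for name in flagged if name in conf]
    guest_open = sorted(
        name for name, opts in conf.items()
        if name != "global"
        and (yes(opts.get("guestok")) or yes(opts.get("public")))
        and not opts.get("validusers"))
    return defined, guest_open
```

Run against the config posted in the thread it reports neither LOGS$ nor ARCSERVE$ as defined, and flags [printers] because of its `guest ok = Yes`.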