Linux Lite Forums

General => Security & Bug Fixes => Topic started by: bitsnpcs on April 22, 2017, 08:04:34 PM

Title: Samba [SOLVED]
Post by: bitsnpcs on April 22, 2017, 08:04:34 PM
Hello,

this week there were quite a few updates for Samba.

I noticed tonight when checking UFW, there were Samba rules that bypass the default Deny incoming, by having an "allow connections from ANYWHERE" in capitals like this from a range of ports.

Ufw would not allow editing of this rule saying Ufw had made the rule.

I removed these rules rebooted and checked again if they had enabled on startup, they are currently not enabled, I will keep an eye on it.

I would suggest everyone checks their current ufw status to ensure it is not allowing access from anywhere to their system since these updates from Ubuntu.
Title: Re: Samba [SOLVED]
Post by: newtusmaximus on April 23, 2017, 04:36:38 AM
Thank you. Please advise where I can find the procedure for checking this?



UPDATE
Have installed latest updates just now.

menu/settings/Firewall configuration: Status On, DENY Incoming, ALLOW outgoing, RULES - BLANK

Therefore I presume my PC has not been vulnerable, as no rules are evident?

Is that a correct assumption?
Title: Re: Samba [SOLVED]
Post by: bitsnpcs on April 23, 2017, 11:24:04 AM
I noticed it first when checking this way in terminal

Code:
sudo ufw status verbose
You can find more details of it at https://help.ubuntu.com/community/UFW

I then checked graphically via Menu>Settings>Firewall Configuration and entered my password.
In the GUI I clicked the tab "Rules" and saw the two rules that had been added.
I used the minus symbol at the base of the GUI to remove them.

I also went back to the terminal for help on those before deleting the rules; there were 6 active connections, 4 dropped whilst I was checking it, 2 remained until after the rules were deleted and until I restarted the computer. I have seen no connections in checks since.

I am unsure if it is related to those connections/rules, or whether it is currently being upgraded, or whether it was attacked, but the help manual in the main menu does not work now; when clicked it now opens and displays as a text document file on the desktop, showing the HTML and CSS.

I will look around the computer tonight and see if I can find any other changes.
Title: Re: Samba [SOLVED]
Post by: bitsnpcs on April 23, 2017, 11:38:58 AM
Quote from: newtusmaximus on April 23, 2017, 04:36:38 AM
Thank you. Please advise where I can find the procedure for checking this?

UPDATE
Have installed latest updates just now.

menu/settings/Firewall configuration: Status On, DENY Incoming, ALLOW outgoing, RULES - BLANK

Therefore I presume my PC has not been vulnerable, as no rules are evident?

Is that a correct assumption?

Yes this sounds good, it is how it should look. :)

Keep in mind I check for updates several times per session, first thing after startup, before shutdown, and during the session etc.
Does your help manual in the main menu work currently?
Title: Re: Samba [SOLVED]
Post by: paul1149 on April 23, 2017, 11:42:27 AM
Good catch, bitsnpcs. My ufw was in the same open state, whereas before (with LL 3.2; I didn't check after the 3.4 upgrade) I only allowed access from the LAN here.
Title: Re: Samba [SOLVED]
Post by: bitsnpcs on April 23, 2017, 12:14:22 PM
Hello paul1149,

I am glad it was helpful. :)
Title: Re: Samba [SOLVED]
Post by: newtusmaximus on April 23, 2017, 02:09:43 PM
bitsnpcs,

HP dc7700p LL3.4 64bit

A) SAMBA Help seems to be working OK, also all links correct, via menu/setting/Config. Firewall

Terminal

-HP-Compaq-dc7700p-Ultra-slim-Desktop:~$  sudo ufw status verbose
[sudo] password for lHP-Compaq:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
HP-Compaq-dc7700p-Ultra-slim-Desktop:~$

Not sure what the significance of "New profiles - Skip" is.

Assuming my PC is not affected, then why yours and others? I am updating regularly as notified.
Title: Re: Samba [SOLVED]
Post by: Ottawagrant on April 23, 2017, 03:09:20 PM
In UFW I don't have any added rules in either x32 or x64 copies of Linux Lite 3.6. Both my 32 & 64bit LL's are fresh installs. Even though you can upgrade I usually do a fresh install. Only because I have the time & for no other reason. Using my HP Compaq 7900's right now. This is an interesting one.
Title: Re: Samba [SOLVED]
Post by: newtusmaximus on April 23, 2017, 04:39:38 PM
Just checked the two family laptops after updates. Neither shows any additional scripts. The V3405 route was a fresh install of 3.2 32 bit, eventually upgraded to 3.4 32 bit. The Si1520 was a fresh install of 3.4 64bit.
Title: Re: Samba [SOLVED]
Post by: bitsnpcs on April 23, 2017, 10:48:45 PM
Hello newtusmaximus,

in the

Code:
man ufw
under the "Application Integration" section it says "new profiles skip"; my understanding (which may be wrong) is that:
1/ you can add rules to allow the applications to pass the firewall.
2/ without adding the specific rule to allow an application ("ufw allow <app name>"), the default is to skip the process of adding new rules for applications.

I think it means, for example, that if a rogue app decided to add its own rules to bypass the firewall it wouldn't allow this, as the sudo user has not entered the rule specifying the app/software by name in the terminal?

I don't know why it has happened to mine and others, yet not yours, but it's good it didn't happen :)


Hello Ottawagrant,

Good to read you have not had the rules added  :)

I also have not added any rules; there were only the default rules until these appeared.
I have done it both ways: upgrading in the 2.n series, and a clean install in the 3 series, as I had first installed quite soon before the next version.

In the Install Updates last week there was almost a full GUI of Samba updates from the Ubuntu repo, I think 1 or 2 lines short of a full window.
If it was something that came down in the Ubuntu repo updates, would this have gone out to every distro based on Ubuntu?
Title: Re: Samba [SOLVED]
Post by: newtusmaximus on April 24, 2017, 04:17:06 AM
All this is way beyond my abilities/understanding.
A) Could it be that the PPA from which those that are affected get their updates is different to those who are not affected?
B) Once scripts under the Rules have been removed, do they reappear after a later update? Or before an update?
C) If before a later update, what is the cause - malware / virus already penetrated the system?

Title: Re: Samba [SOLVED]
Post by: bitsnpcs on April 24, 2017, 02:31:52 PM
Hello newtusmaximus,

A/ I use the default repositories.
B/ I removed the rules and have updated 2 times and the rules have not been re-added in these future updates.
C/ I don't think it is a virus or malware because -
a/ I have not executed any files other than updates from the Ubuntu repository and LL repository, or those I created myself, e.g. Python files made as exercises in the book.
b/ I don't think it is from a website, as on this computer I only visit this forum, OMG Blog, my own blog, Google Blogger/G+, Raspberry Pi blog, and YouTube, and the OSMC forums a few weeks ago.
c/ only 1 of my email accounts is set up on this computer; for example, ProtonMail I use only on their site or via the Android app.
Only 2 sources of email arrive at this email address: notifications from this forum, and weekly update notifications from the OSMC forum. Neither of these contained any attachments; both are read as plain text only.
I did not receive spam.

There are no personal photos on this computer, no webcam connected, no money stuff, e.g. I don't have any cards, online banks, or PayPal; they cannot get credit in my name for a few years yet as I am not old enough for that.
There is x1 mp3 music mix I made when first using linux, x2 desktop screenshots, x273 of my blog files that have all already been published online and are free, x13 Python files I made during the exercises in the Python book so far, x1 directory with 2 subdirectories I made as part of the exercises in the Command Line book so far, x54 pdfs from Raspberry Pi foundation that are available free online.
There is no networking of computers.
No idea why Samba is even installed, as none of the 3 reasons given on Ubuntu for what it is used for are ever used on this computer.

I have no idea if the system was penetrated, but it is likely it was, as the help manual was tampered with and is broken, which doesn't occur on its own. Maybe other stuff; I will be checking more later when I get back, I am going out now.
Title: Re: Samba [SOLVED]
Post by: bitsnpcs on April 24, 2017, 07:58:28 PM
(http://i67.tinypic.com/2e22umg.png)


Have last week's Manual updates added the rules to use Samba in UFW, and is deleting them why the manual is broken?
Title: Re: Samba [SOLVED]
Post by: ralphy on April 24, 2017, 10:22:34 PM
Quote from: bitsnpcs on April 24, 2017, 07:58:28 PM
Have last week's Manual updates added the rules to use Samba in UFW, and is deleting them why the manual is broken?

Hi @bitsnpcs

The manual is not broken as far as we can tell. Your screenshot shows http protocol ports 80 and 443 - nothing wrong with that in the javascript.

Samba firewall rules are automatically added to the firewall as soon as Network Share Settings is launched (after authentication). That has been done to simplify users' sharing setup. It happens that the firewall not allowing Samba traffic is a common issue that leads most new users to believe that something is wrong with their Samba service or configuration. In the end, the determination was made to add firewall rules automatically to allow Samba traffic. Samba is enabled by default in Linux Lite. We do not consider it a security risk, since the default smb configuration does not provide any open or guest accessible shares by default. Also, most desktop computers are likely running behind a firewalled local area network (LAN); even connecting straight to a gateway will put users behind a NAT and some firewall in almost every case, and when it doesn't, the Linux Lite firewall is still there, only allowing Samba traffic with no default shares accessible anyway.

Hope that explains the mystery regarding Samba rules.

Cheers!
Title: Re: Samba [SOLVED]
Post by: bitsnpcs on April 25, 2017, 01:03:41 AM
Hello Ralphy,

thank you for your time trying to explain it to me.
I will mark it as solved, although I don't understand what you wrote.

When Menu>Favourites>Help Manual is clicked, it does not open the manual, only the HTML file, and looks as per the screenshot.
I can use it online instead.
This began when I disabled the backdoor.
Title: Re: Samba [SOLVED]
Post by: Jerry on April 25, 2017, 01:14:13 AM
It probably opens the html in Leafpad because your Mime types have changed. Menu, search 'mime' MIME Type Editor. Filter, html. Set as below:

(http://i.imgur.com/zK8uyIv.png)
Title: Re: Samba [SOLVED]
Post by: bitsnpcs on April 25, 2017, 12:10:08 PM
(http://i67.tinypic.com/2qs334i.png)

Hello Jerry,

it looks like this currently; the default application of hh is not available in the "select application" choices (double-click the first item on the list).

My literal thinking is working overtime today :-[ Menu, Search "mime": I used Catfish, instead of searching the actual menu. :-[