
I've got a problem with my debian server. Probably there is some vulnerable script on my web-server, which is running as the www-data user. I also have samba with winbind installed, and samba is joined to a windows domain.

So, probably this vulnerable script allows a hacker to brute-force our domain controller through the winbind unix domain socket.

Actually I have lots of such lines in the netstat -a output:

unix 3 [ ] STREAM CONNECTED 509027 /var/run/samba/winbindd_privileged/pipe

And our DC logs contain lots of recorded authentication attempts from root or guest accounts.

How can I restrict my apache's access to winbind? I had an idea to use some kind of firewall for IPC sockets. Is it possible?

lagab

3 Answers


If you are seeing webserver scripts accessing parts of the filesystem they shouldn't be, then the solution is not to block that access but to find and eliminate the scripts which are exposing access.

(actually blocking access to the socket is simply a matter of setting the permissions on the socket or running the webserver chroot'd)

symcbean
  • And if I change the permissions of this socket file, could samba break? Because it's using it too. In fact I need to restrict only apache from using this file, and all other services should be able to use it. – lagab Mar 14 '11 at 13:56
  • 1) as stated, that's not the right way to fix the problem 2) it depends what you change the permissions to - you should have a permissions model for your system – symcbean Mar 15 '11 at 11:37

This is exactly the kind of thing that SELinux was designed to address. If you are feeling queasy about setting it up, then use a distro that was designed for it, such as Red Hat or one of the derivatives, such as CentOS.

Kevin M

Just FYI: since your machine is joined to the domain through winbind, userid and group lookups will go through winbind via NSS. Running ls(1) in a directory will cause the userid/group mapping lookups to be done, running ps(1), etc. will cause the mapping lookup to be done, both in the /etc/passwd file and in AD. That may be the source of all your traffic.

mtinberg
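As an added example (not code from any poster in this thread), a few POSIX shell helpers for the triage the answers point at: counting connections to each winbind pipe in saved netstat output (the asker's observation), checking whether a winbind socket directory's mode lets accounts outside its owner and group reach the pipe inside it (symcbean's permission point), and checking whether nsswitch.conf routes passwd/group lookups through winbind (mtinberg's point). The netstat and nsswitch excerpts are constructed; the directory modes used in the demo (privileged 0750, public 0755) follow the defaults described in the winbindd man page, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Triage helpers for winbind socket exposure. Sample data is constructed
# for this example and is not taken from the asker's server.

# Constructed excerpt of `netstat -a` unix-socket output (one socket per line,
# socket path in the last field).
SAMPLE_NETSTAT='unix 3 [ ] STREAM CONNECTED 509027 /var/run/samba/winbindd_privileged/pipe
unix 3 [ ] STREAM CONNECTED 509031 /var/run/samba/winbindd_privileged/pipe
unix 3 [ ] STREAM CONNECTED 509044 /var/run/samba/winbindd/pipe
unix 2 [ ACC ] STREAM LISTENING 9100 /var/run/samba/winbindd_privileged/pipe
unix 3 [ ] STREAM CONNECTED 9200 /var/run/dbus/system_bus_socket'

# Constructed nsswitch.conf excerpt: passwd and group resolve through winbind.
SAMPLE_NSSWITCH='passwd: compat winbind
group:  compat winbind
shadow: compat
hosts:  files dns'

# count_connected PIPE_PATH
# Reads netstat-style lines on stdin and prints how many CONNECTED unix
# sockets have exactly PIPE_PATH as their path (listening sockets are skipped).
count_connected() {
  awk -v p="$1" '$NF == p && / CONNECTED / { n++ } END { print n + 0 }'
}

# other_can_enter DIR
# Succeeds if the "other" permission bits of DIR include search (x). A winbind
# socket directory that is world-searchable lets every local account, the web
# server's included, connect to the pipe inside it.
other_can_enter() {
  mode=$(stat -c %a "$1")        # octal mode such as 750 or 1777 (GNU stat)
  other=${mode#"${mode%?}"}      # last digit = permission bits for "other"
  [ $((other & 1)) -ne 0 ]
}

# nss_uses_winbind DB
# Reads nsswitch.conf text on stdin; succeeds if DB (passwd or group) lists
# winbind as one of its sources, i.e. uid/gid lookups will hit winbind.
nss_uses_winbind() {
  awk -v db="$1:" '
    $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
    END { exit !found }'
}

# demo: build a throwaway copy of the two winbind socket directories with the
# default modes (public 0755, privileged 0750) and report what the helpers see.
demo() {
  tmp=$(mktemp -d)
  mkdir -m 0755 "$tmp/winbindd"
  mkdir -m 0750 "$tmp/winbindd_privileged"

  priv=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_connected /var/run/samba/winbindd_privileged/pipe)
  pub=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_connected /var/run/samba/winbindd/pipe)
  printf 'connections: privileged pipe=%s public pipe=%s\n' "$priv" "$pub"

  for d in winbindd winbindd_privileged; do
    if other_can_enter "$tmp/$d"; then
      printf '%s: reachable by any local account\n' "$d"
    else
      printf '%s: restricted to owner and group\n' "$d"
    fi
  done

  for db in passwd group; do
    if printf '%s\n' "$SAMPLE_NSSWITCH" | nss_uses_winbind "$db"; then
      printf 'nss %s lookups go through winbind\n' "$db"
    fi
  done

  rm -rf "$tmp"
}

demo
```

On a real host, feed the helpers the live data instead of the samples: `netstat -a` (or `ss -x`) for the connection counts, the actual /var/run/samba/winbindd_privileged directory for the mode check, and /etc/nsswitch.conf for the NSS check. To see which process holds each winbind connection, `ss -xp` or `lsof -U` lists the owning PID, which settles whether the traffic comes from Apache children or from ordinary uid/gid lookups as mtinberg suggests.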