is somebody trying to hack my server??


jrbishop79
08-15-2004, 10:30 PM
I'm looking through my server's /var/log/messages and I see a fair amount of these. Is somebody trying to gain unauthorized access to my data? Should I worry about these?


Aug 15 05:23:53 localhost smbd[22401]: [2004/08/15 05:23:53, 0] lib/access.c:check_access(333)
Aug 15 05:23:53 localhost smbd[22401]: Denied connection from (217.81.254.235)


Aug 15 05:53:41 localhost smbd[22403]: [2004/08/15 05:53:41, 0] lib/access.c:check_access(333)
Aug 15 05:53:41 localhost smbd[22403]: Denied connection from (4.152.207.50)

JohnT
08-15-2004, 11:04 PM
Do either of these look familiar?
*pd951feeb.dip.t-dialin.net
*dialup-4.152.207.50.dial1.atlanta1.level3.net

paj12
08-15-2004, 11:06 PM
Try doing a traceroute to a random web site. See if any of the URLs that JohnT mentioned pop up.

jrbishop79
08-15-2004, 11:14 PM
Originally posted by JohnT
Do either of these look familiar?
*pd951feeb.dip.t-dialin.net
*dialup-4.152.207.50.dial1.atlanta1.level3.net

The 1st one doesn't look familiar at all; the second is related to my ISP. But this raises another question: why would my ISP be trying to gain access to my data?

stumbles
08-15-2004, 11:14 PM
Originally posted by jrbishop79
I'm looking through my server's /var/log/messages and I see a fair amount of these. Is somebody trying to gain unauthorized access to my data? Should I worry about these?


Aug 15 05:23:53 localhost smbd[22401]: [2004/08/15 05:23:53, 0] lib/access.c:check_access(333)
Aug 15 05:23:53 localhost smbd[22401]: Denied connection from (217.81.254.235)


Aug 15 05:53:41 localhost smbd[22403]: [2004/08/15 05:53:41, 0] lib/access.c:check_access(333)
Aug 15 05:53:41 localhost smbd[22403]: Denied connection from (4.152.207.50)

This thread may clarify:

http://archives.neohapsis.com/archives/linux/mandrake/2000-q4/0016.html

JohnT
08-15-2004, 11:32 PM
Originally posted by jrbishop79
The 1st one doesn't look familiar at all; the second is related to my ISP. But this raises another question: why would my ISP be trying to gain access to my data?

It's not unusual for your IP to ping you looking for activity...they find none they disconnect.

Syngin
08-17-2004, 09:25 PM
Yeah, but smbd would imply a Samba connection attempt, wouldn't it?

jrbishop79
08-17-2004, 09:36 PM
Yeah, a ping attempt has a completely different entry in the log, and I checked and that IP address within that hostname was not the one I was using at the time. I have samba set up to only allow access to the computers within my network (I have those computers explicitly defined) and access denied to everyone else, so I don't think that they will be able to get in no matter how hard they try. My question is still, should I be worried about this or gloat because they aren't getting in?

paj12
08-17-2004, 11:43 PM
I wouldn't worry. The fact that the connection attempt is denied means that everything is working correctly. If you were truly being hacked, you would be the last person to know about it.
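
Added example, not part of the original thread: one way to summarize the smbd "Denied connection" entries discussed above by source address, so repeated attempts stand out and a denial coming from inside your own network (a sign of a host access-list mistake rather than an outside probe) is flagged. The trusted network range is an assumed placeholder; the sample log lines are the ones quoted in the first post.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Log lines quoted from the original post in this thread.
SAMPLE_LOG = """\
Aug 15 05:23:53 localhost smbd[22401]: [2004/08/15 05:23:53, 0] lib/access.c:check_access(333)
Aug 15 05:23:53 localhost smbd[22401]: Denied connection from (217.81.254.235)
Aug 15 05:53:41 localhost smbd[22403]: [2004/08/15 05:53:41, 0] lib/access.c:check_access(333)
Aug 15 05:53:41 localhost smbd[22403]: Denied connection from (4.152.207.50)
"""

# Assumption: the LAN that Samba is configured to allow (hypothetical value).
TRUSTED_NET = ip_network("192.168.1.0/24")

HEADER = re.compile(r"smbd\[(\d+)\]: \[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\] .*check_access")
DENIED = re.compile(r"smbd\[(\d+)\]:\s+Denied connection from\s+(\S*)\s*\(([\d.]+)\)")

def summarize_denials(log_text, trusted=TRUSTED_NET):
    """Pair each check_access header with its 'Denied connection' line; group by source IP."""
    pending = {}  # smbd pid -> timestamp taken from the header line
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None, "internal": False})
    for line in log_text.splitlines():
        m = HEADER.search(line)
        if m:
            pending[m.group(1)] = datetime.strptime(m.group(2), "%Y/%m/%d %H:%M:%S")
            continue
        m = DENIED.search(line)
        if not m:
            continue
        pid, _name, addr = m.groups()
        when = pending.pop(pid, None)  # None if the header line was lost or rotated away
        entry = stats[addr]
        entry["count"] += 1
        if when is not None:
            entry["first"] = min(entry["first"] or when, when)
            entry["last"] = max(entry["last"] or when, when)
        # A denial from inside the trusted range points at an access-list mistake, not a scan.
        entry["internal"] = ip_address(addr) in trusted
    return dict(stats)

if __name__ == "__main__":
    for addr, s in sorted(summarize_denials(SAMPLE_LOG).items()):
        origin = "INTERNAL" if s["internal"] else "external"
        print(addr, s["count"], s["first"], s["last"], origin)
```
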