nmbd netbios weirdness
bandwidth_pig
03-09-2003, 03:22 PM
I'm running Samba on Debian Woody. I have been running it for a couple of weeks with no problem. But today I noticed something that caught my eye. Perhaps this is fairly common and I have never noticed, so I thought I would see if you all have something similar.
When I check and see what processes are running on my machine, nmbd is running like 20 times. I see:
nmbd -a netbios-ssn stream tcp nowait root /usr/sbin/tcpd /usr/sbin/smbd
I don't recall seeing this running so much previously. I just counted the number of instances and I currently have 40. I have made no changes to my samba configuration. When I look in my log files for samba and syslog I don't see anything suspicious, but this smells odd to me. Perhaps I am paranoid. Is this the norm?
Magueta
03-09-2003, 05:49 PM
No, I don't believe that's normal if there's only a few people connected. I don't suppose you have samba set up using inetd. If yes then perhaps it starts up a new session every time you mount the share again.
Joe
bandwidth_pig
03-09-2003, 07:58 PM
There is nobody connected.
bandwidth_pig
03-09-2003, 08:22 PM
Ok. Even upon bootup I have like 20 of the following:
nmbd -a netbios-ssn stream tcp nowait root /usr/sbin/tcpd /usr/sbin/smbd
If I kill them all, everything is fine. But if I let them go it just keeps multiplying until I have over 100 of these processes running. When I do "who" I'm the only one on. If I do a "netstat -a" there is no activity. This just started. I'm sure of it.
Magueta
03-09-2003, 08:33 PM
Sounds like it's a bug somewhere. I don't know where but I really don't think it's normal. My samba server doesn't do anything like that, in fact I don't even get that much output when I do a ps. It looks like an entry in the /etc/services file. What do you do to get the output that you posted?
Joe
bandwidth_pig
03-09-2003, 08:35 PM
BTW...not running it through /etc/inetd.conf either :(
cowanrl
03-09-2003, 09:08 PM
That sure looks like something that is running under TCP wrappers and inetd.conf.
Are you running anything under TCP wrappers using inetd.conf? If not, do you have tcpd running? If tcpd is running and you don't need it, set it so it doesn't start at boot up and see if the problem stops.
Magueta
03-09-2003, 09:46 PM
I think you're on to something cowanrl. It's definitely using tcp wrappers and in that line it actually looks like it's smbd sessions rather than nmbd sessions. The smbd session is what's wrapped when the nmbd daemon is called. I wonder if the bandwidth pig has been hacked and vandalized. ;-)
Joe
bandwidth_pig
03-09-2003, 11:07 PM
Hmmm. Interesting. I removed Samba (saved my smb.conf file). Purged it. Did a reinstall and now I no longer seem to have the problem. Turns out I did have nmbd and smbd not commented out in inetd.conf. I commented those out and now the problem seems to be gone. Thanks for the help! I wonder why it started out of nowhere though? I'm sure I haven't changed anything in quite a while. As far as the vandalizing and hacking, it's possible, but I suspect not. None of my log files show anything and I'm not running much in the way of services at all. I don't really have any ports open except those required by samba. Well...that and rpc :)
RPC...perhaps I'll get rid of that one. Was planning on using it for NFS though.
Magueta
03-09-2003, 11:19 PM
Remote services are especially dangerous. One of the first things they teach you in any course that talks about security and UNIX is that not only should you turn off all unnecessary services, you should find ways of doing things that don't require remote services. If you have to, you have to, but know that those are prime targets for hackers (not that hackers would want much with a home PC, but why take chances that you don't have to?)
Joe
bandwidth_pig
03-10-2003, 08:30 PM
Yes. You would think people wouldn't really be interested in home computers in terms of cracking. But they seem to be as my firewall catches people trying all kinds of things :)