PDA

View Full Version : Question about the nmbd daemon


malex
08-27-2003, 06:09 AM
Hello

I have a process running on my ibook (connected to a LAN via a zyxel router and a switch, itself connected to cable) that is called nmbd. I know it is related to Samba, but I can see it is constantly requesting IP's in random places such as Poland and Russia. Why would this process be running on my computer? I thought it could be related to mlnet, which I run sometimes, but it is not currently active.

Where can I find more info about this process/daemon?

Thanks a lot

yellow
08-27-2003, 06:25 AM
A Google search showed up many pages about the NetBIOS name server. Here's one from the Darwin man page:

http://www.hmug.org/man/8/nmbd.html

malex
08-27-2003, 07:11 AM
Hi

In fact that is what the man pages told me when I read them locally. However what I don't understand is what types of requests this daemon actually does. In other terms, to speak in "simple" terms, if I didn"t "ask" him anything, why is he making all these requests?

Thanks

hayne
08-27-2003, 10:22 AM
Originally posted by malex
what I don't understand is what types of requests this daemon actually does. In other terms, to speak in "simple" terms, if I didn"t "ask" him anything, why is he making all these requests? Daemons don't usually request anything by themselves. Their purpose in life is to wait, doing nothing, until someone else makes a request of them and then they respond to that request.

So it seems that what you are seeing is log entries about your machine responding to samba queries from external machines. You should be aware of the scurity risks of having a samba server accessible to the Internet.

malex
08-27-2003, 10:42 AM
Thanks for that.
So how do I desactivate the samba server. Should I just kill its process? Can I find out what type of queries are coming in?

Thanks

yellow
08-27-2003, 10:47 AM
One easy way to stop it is:
System Preferences -> Sharing Pane -> Windows File Sharing -> Stop button.

hayne
08-27-2003, 10:47 AM
Originally posted by malex
So how do I desactivate the samba server. Should I just kill its process? Presumably you started it by using the Sharing pane of System Preferences - so that is the way to stop it as well.

yellow
08-27-2003, 10:48 AM
Heh, I won!! Again I say we need to see 'seconds' on posting times :)

malex
08-27-2003, 10:54 AM
Hmm, what worries me though is that the Window file sharing was off. I had turned it off a while ago, but it has been off for some time.
I suppose this means shutting Samba off does quit the nmbd daemon.
Wouldn't you qualify this as a major security break? If people could acess my computer, then they could obviously access my entire LAN. And all this because I turned on Windows sharing at some point?

Am I right in assuming this?

Thanks for all the help, at least I know how to protect myself a bit better

hayne
08-27-2003, 12:09 PM
You should restart your Mac.
Then check whether Windows file sharing is on or off and check if 'nmbd' is running.
If 'nmbd' is running then something must have started it. Do you have any 3rd-party startup items?

I'm not sure what you are asking when you ask about access to your LAN. Is your Mac is directly connected to the Internet? Or is it behind some kind of router? Consumer-level routers usually provide firewall capabilities so I can't see how you would be getting external samba requests in that case.

malex
08-27-2003, 01:49 PM
I'll try the restart.

About the LAN think, my Ibook is behing a consumer level zyxel router. The problem is that I could see that loads of requests were coming from nmbd, and that if these requests were being emitted something was causing this. The only PC on my LAN was off when this was happening, Windows File sharing was off, so there was definitely something coming from the outside.
The only third party startup items I have are maxmenus and suitcase. So I doubt they could be the culprits.

hayne
08-27-2003, 02:55 PM
Originally posted by malex
my Ibook is behing a consumer level zyxel router. The problem is that I could see that loads of requests were coming from nmbd, and that if these requests were being emitted something was causing this. If teh requests are coming form externel machines then they must be getting through the router somehow. Normally these routers ship configured to not allow any such requests through. Did you perhaps turn on "port-mapping" or "port-forwarding" on the router?