[Samba] Determining client IP address in failed connections

Joel Hammer Joel at HammersHome.com
Fri Jul 12 20:25:21 GMT 2002


I am not a security expert, but:
In your firewall, you could log all activity coming in on ports 137 or 139
or whatever and just grep that file when your Samba log shows funny activity.
I do that now for all attempts to connect to restricted ports. Works fine.
Joel

On Fri, Jul 12, 2002 at 09:44:50AM +0200, Xavi Serrano wrote:
> Hello all,
> 
> Does anyone know if there is an easy way to determine the IP address
> of a client who is trying to connect unsuccessfully? The client
> is providing an invalid login name. The error logs look like this:
> 
> [2002/07/12 09:28:18, 1] smbd/password.c:pass_check_smb(545)
>   Couldn't find user 'foo' in passdb.
> [2002/07/12 09:28:18, 1] smbd/password.c:pass_check_smb(545)
>   Couldn't find user 'foo' in passdb.
> [2002/07/12 09:28:18, 1] smbd/reply.c:reply_sesssetup_and_X(989)
>   Rejecting user 'foo': authentication failed
> 
> I am using Samba version 2.2.4 on a Red Hat Linux box.
> 
> Browsing the source at smbd/reply.c I see no possibility to include
> the source IP address in the log message (connection_struct *conn is NULL
> at this point). Nor is it possible at smbd/password.c.
> 
> I think this feature is pretty interesting to determine where some
> kinds of attacks are coming from (especially the ones trying to guess
> privileged accounts and their passwords in a samba server).
> 
> Any comments will be much appreciated.
> Best regards,
> - Xavi.
> 
> P.S.: Sorry if this has been posted before. Please include a reference
>       if so. Thanks a lot.
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
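
An added example (not part of the original thread) of the correlation Joel describes: it pairs each "Rejecting user" entry in the Samba log with source addresses the firewall logged on ports 137/139 around the same second. The iptables-style LOG line layout, the `SMB-IN:` prefix, the 5-second window and every address are assumptions, and the sample logs are constructed apart from the Samba lines quoted above.

```python
import re
from datetime import datetime, timedelta
# Constructed samples; the first four Samba lines mirror the thread's excerpt.
SAMBA_LOG = """\
[2002/07/12 09:28:18, 1] smbd/password.c:pass_check_smb(545)
  Couldn't find user 'foo' in passdb.
[2002/07/12 09:28:18, 1] smbd/reply.c:reply_sesssetup_and_X(989)
  Rejecting user 'foo': authentication failed
[2002/07/12 10:15:00, 1] smbd/reply.c:reply_sesssetup_and_X(989)
  Rejecting user 'admin': authentication failed
"""
FIREWALL_LOG = """\
Jul 12 09:28:17 fs1 kernel: SMB-IN: IN=eth0 OUT= SRC=192.0.2.45 DST=192.0.2.10 PROTO=TCP SPT=1034 DPT=139
Jul 12 09:28:19 fs1 kernel: SMB-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=2211 DPT=22
Jul 12 09:40:02 fs1 kernel: SMB-IN: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP SPT=1050 DPT=139
"""
SMB_HDR = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\]")
REJECT = re.compile(r"^\s+Rejecting user '([^']*)'")
FW = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*\bSRC=(\S+) .*\bDPT=(\d+)\b")

def samba_rejections(text):
    """Yield (timestamp, user); the timestamp comes from the preceding header line."""
    stamp = None
    for line in text.splitlines():
        m = SMB_HDR.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = REJECT.match(line)
        if m and stamp:
            yield stamp, m.group(1)

def firewall_hits(text, year, ports=(137, 139)):
    """Yield (timestamp, source IP); syslog omits the year, so the caller supplies it."""
    for line in text.splitlines():
        m = FW.match(line)
        if m and int(m.group(3)) in ports:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def correlate(samba_text, fw_text, window=timedelta(seconds=5)):
    """Map each rejection to the sorted candidate source IPs seen within the window."""
    result = {}
    for stamp, user in samba_rejections(samba_text):
        ips = {ip for ts, ip in firewall_hits(fw_text, stamp.year)
               if abs(ts - stamp) <= window}
        result[(stamp, user)] = sorted(ips)
    return result
```

An empty list means no logged packet fell inside the window, which happens when the firewall rule logs only new connections and the session was opened well before the failed login; several addresses in one list are candidates, not a confirmed source.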