[Samba] Preventing brute force password attacks
Ed Ravin
eravin at panix.com
Tue Apr 17 14:32:05 MDT 2012
I was hoping to set up fail2ban to block IP addresses that generate
too many Samba password failures, but it needs a syslog message with
the IP address of the computer that failed password authentication.
Unfortunately, Samba doesn't seem to do this in my environment. Here's
a sample error message:
smbd[312]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !
I tried turning on full_audit, and I see the audit messages for successful
connections, but there aren't any audit messages for login failures. I
used these settings:
full_audit:failure = connect
full_audit:success = connect disconnect
full_audit:facility = local5
full_audit:priority = notice
Can Samba be configured to log authentication errors with IP addresses?
Or do we need to change the source?
More information about the samba
mailing list