[Samba] Preventing brute force password attacks

Ed Ravin eravin at panix.com
Tue Apr 17 14:32:05 MDT 2012

I was hoping to set up fail2ban to block IP addresses that generate
too many Samba password failures, but it needs a syslog message with
the IP address of the computer that failed password authentication.

Unfortunately, Samba doesn't seem to do this in my environment.  Here's
a sample error message:

smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !

I tried turning on full_audit, and I see the audit messages for successful
connections, but there aren't any audit messages for login failures.  I
used these settings:

   full_audit:failure = connect
   full_audit:success = connect disconnect
   full_audit:facility = local5
   full_audit:priority = notice

Can Samba be configured to log authentication errors with IP addresses?
Or do we need to change the source?

More information about the samba mailing list