[Samba] Preventing brute force password attacks

Robert Heller heller at deepsoft.com
Tue Apr 17 14:50:24 MDT 2012


At Tue, 17 Apr 2012 20:32:05 +0000 (UTC) eravin at panix.com (Ed Ravin) wrote:

> 
> I was hoping to set up fail2ban to block IP addresses that generate
> too many Samba password failures, but it needs a syslog message with
> the IP address of the computer that failed password authentication.
> 
> Unfortunately, Samba doesn't seem to do this in my environment.  Here's
> a sample error message:
> 
> smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !
> 
> I tried turning on full_audit, and I see the audit messages for successful
> connections, but there aren't any audit messages for login failures.  I
> used these settings:
> 
>    full_audit:failure = connect
>    full_audit:success = connect disconnect
>    full_audit:facility = local5
>    full_audit:priority = notice
> 
> Can Samba be configured to log authentication errors with IP addresses?
> Or do we need to change the source?

You do understand that fail2ban works with your firewall and is meant
for public internet services, such as Mail (e.g. Sendmail or Postfix) or
HTTP or DNS.  Since NETBIOS services are NOT services that should ever
be used over the public internet, you should only have smbd/nmbd
listening on your local LAN and not on your WAN / public Internet
connection. Since your LAN will have only known local IP addresses
(either statically assigned or from a limited pool of IP addresses), it
really isn't meaningful to block these addresses.

What *exactly* do you want to accomplish here?  Do you really want to
ban machines on your LAN from accessing your (office) server?

-- 
Robert Heller             -- 978-544-6933 / heller at deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
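
Added example, not part of the original thread and not Samba or fail2ban code: a minimal Python model of the failregex / maxretry / findtime / ignoreip logic that fail2ban applies, showing that the line quoted in the question yields no address to act on. The `client=` log format, the IPv4-only `HOST` pattern and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The line quoted in the post: it names the user but no client address.
PAGE_LINE = ("smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - "
             "Rejecting User brutus !")

# Hypothetical line format that does carry an address. Not real Samba output.
FAILREGEX = re.compile(r"smbd\[\d+\]:\s+auth failed user=\S+ client=" + HOST)

def extract_host(line):
    """Return the client address a ban action could use, or None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None

def hosts_to_ban(events, maxretry=3, findtime=600, ignoreip=()):
    """events: (epoch_seconds, line) pairs in time order.
    Returns hosts with maxretry failures inside a findtime-second window."""
    nets = [ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)
    banned = set()
    for ts, line in events:
        host = extract_host(line)
        if host is None:
            continue  # no address in the line: nothing to count or block
        if any(ip_address(host) in net for net in nets):
            continue  # allowlisted range, e.g. the trusted LAN
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample events (documentation address ranges).
def _fail(ts, ip):
    return (ts, "smbd[400]: auth failed user=brutus client=" + ip)

SAMPLE = sorted(
    [(t, PAGE_LINE) for t in (0, 10, 20)]
    + [_fail(t, "192.0.2.10") for t in (100, 130, 160)]
    + [_fail(t, "198.51.100.7") for t in (100, 900, 1700)]
)
```

Three failures logged in the quoted format never produce a ban candidate, while the same count in an address-bearing format does, unless the source falls inside an `ignoreip` range.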


           

