[Samba] Need IP on failed logins in logfile

Mark Foley mfoley at ohprs.org
Wed Jul 20 18:51:28 UTC 2016


While waiting for the samba logging to eventually get changed per Jeremy Allison's bug report,
I have meanwhile developed a bash script to find the IP associated with failed logins in order
to watch for people trying to break into the Domain from the outside.  The script is run from
cron and outputs to a logfile which can be scanned by another cron job to automatically look
for intruders and potentially block them by IP with an iptables command. 

Since the samba log does not provide the IP, I am running tcpdump, which is restarted weekly by
logrotate. Here is my logrotate entry:

/var/log/samba/tcpdump.log
{
    weekly
    rotate 12

    sharedscripts
        prerotate
            killall tcpdump
        endscript

        postrotate
            tcpdump -tttt -l -nn portrange xx-yy and 'tcp[13] & 4 != 0' > /var/log/samba/tcpdump.log 2>&1 &
        endscript
}

tcpdump is monitoring the external portrange mapped to port 3389 (Remote Desktop Connection),
for particular Windows workstations.  This means that local Domain workstations do not get
logged by tcpdump unless someone is trying to connect to them from the outside.  I'll probably
add those ports once I figure out which port(s) local domain workstations use to authenticate with
Samba (does anyone know off-hand?)

The following script looks for auth_check_password_recv.*FAILED messages in the samba log. 
These will get logged to the failed login logfile, but if they are also NT_STATUS_NO_SUCH_USER,
the script will search the tcpdump log for an access with that timestamp and snag the IP
address from there.  I could look for the IP for password failure as well as no_such_user, but
I'm mostly trying to trap hackers trying to break in with different user IDs -- legit users mistype
their passwords all the time. 

I hope someone finds this useful.

--Mark

#!/bin/bash

# Monitor failed Domain login attempts and mail a report.
# Runs from cron: scans log.samba for auth_check_password_recv FAILED
# entries newer than the last run and, for NT_STATUS_NO_SUCH_USER, looks
# up the client IP in the tcpdump log by timestamp.

SAMBALOG=/var/log/samba/log.samba
TCPDUMPLOG=/var/log/samba/tcpdump.log
STATEFILE=/root/.monitorFailedLogins
MSGFILE=$(mktemp -t FAIL_XXXXXX)

# Timestamp (epoch seconds) of the last scan; 0 on the first run

if [ ! -e "$STATEFILE" ]
then
   lastTime=0
else
   lastTime=$(cat "$STATEFILE")
fi

lastDate=$(date -d "@$lastTime" "+%Y/%m/%d %H:%M:%S")

# log.samba puts the timestamp and the error on separate lines. Merge each
# pair into one line and turn the DOMAIN\user backslash into a slash.

grep -B1 "auth_check_password_recv.*FAILED" "$SAMBALOG" | grep -v "^--" | \
    sed -e N -e 's/\n//' -e 's#\\#/#g' | \
while read -r
do
    # Skip entries already reported by the last scan

    dte=$(echo "$REPLY" | awk '{print $1 " " $2}' | sed -e 's/^.//' -e 's/.$//')
    thisTime=$(date -d "$dte" +%s)

    if [ "$thisTime" -gt "$lastTime" ]
    then
        user=$(echo "$REPLY" | cut "-d[" -f3)
        domain=$(echo "$user" | cut "-d/" -f1)
        user=$(echo "$user" | cut "-d/" -f2 | sed 's/\].*$//g')
        timestamp=$(echo "$REPLY" | cut -c 2-20)

        # Drop the source-file reference between the timestamp and the message
        echo -n "$REPLY" | sed 's/\].*authentication/\] authentication/' >>"$MSGFILE"

        # The samba log does not record the IP. Search the tcpdump log,
        # but only when the error is NT_STATUS_NO_SUCH_USER

        x=$(echo "$REPLY" | grep NT_STATUS_NO_SUCH_USER)

        if [ -n "$x" ]
        then
            # tcpdump -tttt writes YYYY-MM-DD, log.samba writes YYYY/MM/DD
            timestamp=$(date -d "$timestamp" "+%Y-%m-%d %H:%M:%S")
            x=$(grep "^$timestamp" "$TCPDUMPLOG")

            if [ -z "$x" ]
            then
                # tcpdump could log a second later
                ts=$(date -d "$timestamp" +%s)
                ts=$(( ts + 1 ))
                timestamp=$(date -d "@$ts" "+%Y-%m-%d %H:%M:%S")
                x=$(grep "^$timestamp" "$TCPDUMPLOG")
            fi

            if [ -n "$x" ]
            then
                # Field 6 of the first matching line is the RST's destination
                # host.port; strip the port
                IP=$(echo "$x" | head -n1 | awk '{print $6}' | cut -d. -f1-4)
                echo -n ", IP: $IP" >>"$MSGFILE"
            fi
        fi

        echo -e "\n" >>"$MSGFILE"
    fi
done

if [ -s "$MSGFILE" ]
then
    cat "$MSGFILE"
    mail -r noreply@ohprs.org -s "OHPRS ${HOSTNAME^^} Failed Login Attempts" sysadmin < "$MSGFILE"
fi

rm -f "$MSGFILE"
date +%s > "$STATEFILE"

-----Original Message-----
> Date: Mon, 27 Jun 2016 11:17:00 -0700
> From: Jeremy Allison <jra at samba.org>
> To: mj <lists at merit.unu.edu>
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Need IP on failed logins in logfile
>
> On Sun, Jun 26, 2016 at 03:40:07PM +0200, mj wrote:
> > Hi Jeremy, list,
> > 
> > On 06/26/2016 12:11 AM, Jeremy Allison wrote:
> > >We should probably have something in the server that logs
> > >this as an official "event". Can someone log a RFE bug in
> > >the bugzilla so we don't forget this request ?
> > 
> > I created this bug:
> > https://bugzilla.samba.org/show_bug.cgi?id=11998
> > 
> > I hope it is (approximately) what you mean. :-)
>
> Perfect. Thanks very much for your help !
>
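The timestamp correlation the script does with grep/sed/awk, reimplemented in Python as an added example (not part of this post): it merges the two-line log.samba entries, keeps the FAILED ones, and for NT_STATUS_NO_SUCH_USER looks up the RST packet logged in the same second or the next one and takes its destination address, as the script's awk '{print $6}' does. The log lines, users and addresses are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Constructed log.samba sample: timestamp header and message are on separate lines
SAMBA_LOG = """\
[2016/07/20 18:51:28.102233,  2] ../source4/auth/ntlm/auth.c:439(auth_check_password_recv)
  auth_check_password_recv: sam authentication for user [EXAMPLE\\bogus] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/20 18:52:10.500001,  2] ../source4/auth/ntlm/auth.c:439(auth_check_password_recv)
  auth_check_password_recv: sam authentication for user [EXAMPLE\\alice] FAILED with error NT_STATUS_WRONG_PASSWORD
"""
# Constructed tcpdump -tttt -nn sample: RST packets, logged about a second after the failure
TCPDUMP_LOG = """\
2016-07-20 18:51:29.003100 IP 192.0.2.10.3389 > 203.0.113.5.51234: Flags [R.], seq 1, ack 1, win 0, length 0
2016-07-20 18:52:10.700000 IP 192.0.2.10.3389 > 198.51.100.7.40000: Flags [R.], seq 1, ack 1, win 0, length 0
"""
SAMBA_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*\d+\]")
FAIL_RE = re.compile(r"for user \[([^\]]+)\] FAILED with error (NT_STATUS_\w+)")
TCPDUMP_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ IP \S+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")

def parse_samba_failures(text):
    """Merge each two-line entry and keep auth_check_password_recv FAILED ones (seconds precision)."""
    failures, when = [], None
    for line in text.splitlines():
        m = SAMBA_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        f = FAIL_RE.search(line)
        if f and when is not None and "auth_check_password_recv" in line:
            domain, _, user = f.group(1).replace("\\", "/").partition("/")
            failures.append({"time": when, "domain": domain, "user": user, "status": f.group(2)})
    return failures

def parse_tcpdump(text):
    """(timestamp, destination IP) per RST line; the destination is what awk '{print $6}' picks."""
    return [(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2))
            for m in map(TCPDUMP_RE.match, text.splitlines()) if m]

def correlate(failures, packets, slack=timedelta(seconds=1)):
    """Attach the IP to NT_STATUS_NO_SUCH_USER failures with an RST in the same or the next second."""
    for f in failures:
        f["ip"] = None
        if f["status"] != "NT_STATUS_NO_SUCH_USER":
            continue
        for t, ip in packets:
            if f["time"] <= t <= f["time"] + slack:
                f["ip"] = ip
                break
    return failures
```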