[Samba] Need IP on failed logins in logfile
rpenny at samba.org
Sun Jun 26 08:24:16 UTC 2016
On 26/06/16 06:16, Mark Foley wrote:
> I used to also get related log messages of the form:
> auth_check_password_send: Checking password for unmapped user [HPRS]\[mark]@[ROVER]
> auth_check_password_send: mapped user is: [HPRS]\[mark]@[ROVER]
> but now all I get is the auth_check_password_recv in the log. Perhaps the change is due to an
> upgrade to Samba, or perhaps a change I made to my smb.conf log options? (see log config in
> my original email below mj's).
> Anyway, samba does (or did) have access to the hostname of the offending computer. The one
> shown above, ROVER, is actually my home laptop's host name, said computer being miles away from
> the Samba server and in no way part of the AD/DC domain. If it can know the hostname, it surely
> must have knowledge of the computer's IP?
> Perhaps this all can be submitted somewhere as an upgrade request? I think for the sake of
> Internet security in this day-and-age of cyber criminals it would be useful to know the IP of
> attackers so appropriate countermeasures could be taken.
> Rowland, I will investigate pam_tally to see what it does. I've not heard of it before.
> I suppose I could also run tcpdump continuously against the specific port(s) where such logins
> can occur, but that is a bit of work, esp. since the timestamp of the samba log message is
> detached to a separate message preceding the one listing the failed user.
>>> To: samba at lists.samba.org
>>> From: mj <lists at merit.unu.edu>
>>> Date: Sat, 25 Jun 2016 22:48:13 +0200
>>> Subject: Re: [Samba] Need IP on failed logins in logfile
>>> On 06/25/2016 06:32 PM, Mark Foley wrote:
>>>> I think I've read something on this before, but I can't seem to find it.
>>> As far as we know, this is impossible. :-(
>>> It's a feature we would also VERY much like to see, for exactly the same
>> From: Mark Foley <mfoley at ohprs.org>
>> Date: Sat, 25 Jun 2016 12:32:54 -0400
>> To: samba at lists.samba.org
>> Subject: [Samba] Need IP on failed logins in logfile
>> I am running Samba Version 4.1.23 as an AD/DC on Linux Slackware64 14.1. I am logging samba
>> messages to /var/log/samba/log.samba with logging set to the following in smb.conf:
>> log level = 2 passdb:5 auth:10 winbind:2 lanman:10
>> I have a script that scans this logfile for message like the following:
>> auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thisuser] FAILED with error NT_STATUS_NO_SUCH_USER
>> auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thatuser] FAILED with error NT_STATUS_WRONG_PASSWORD
>> Usually, these are not a big deal as they are the results of a local domain user mistyping
>> either their login ID or password. However, occasionally the attempts are clearly outsiders
>> trying to break in.
>> Is there some way to get the logger to show the IP of the failure? Currently it shows only the
>> domain and user.
>> I think I've read something on this before, but I can't seem to find it.
>> Thanks, Mark
After a bit of thought, I remembered that you can set up logging for
each machine, so I added 'log file = /usr/local/samba/var/log.%m' to my
DC's smb.conf and restarted samba.
I then tried to connect to the share with smbclient as a non-existent user:
rowland at devstation:~$ smbclient \\\\dc1\\data -U derf%gggfdwsscvo
When I examined the resulting logfile on the DC:
root at dc1:~# nano /usr/local/samba/var/log.192.168.0.180
I found this:
[2016/06/26 09:11:28.226254, 2]
auth_check_password_recv: sam_ignoredomain authentication for user
[SAMDOM\derf] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/06/26 09:11:28.226339, 2]
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/06/26 09:16:55.243885, 2] ../source3/smbd/service.c:1140(close_cnum)
192.168.0.180 (ipv4:192.168.0.180:59351) closed connection to service
So, if you are looking for an IP address of a failed login attempt, it
seems you can get it.
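As an added example (not Samba code, and not written by anyone in this thread), here is a Python scanner for the per-client log files that 'log file = /usr/local/samba/var/log.%m' produces. Because %m names each file after the client machine, the client name or IP is the file-name suffix; the script pulls out the FAILED authentication messages, attaches the timestamp from the header line that precedes each message (it sits on its own line, as noted above), and, for files where %m resolved to a hostname rather than an IP, recovers the address from the '(ipv4:a.b.c.d:port)' connection line. The directory layout, the function names and the sample text (modelled on the excerpt posted above) are assumptions of this example.

```python
"""Scan Samba per-client log files (log.%m) for failed logins and report the
client IP.  Constructed example for this mailing-list thread, not Samba code."""
import re
from collections import Counter
from pathlib import Path

# Header line Samba writes before each message, e.g. "[2016/06/26 09:11:28.226254, 2]"
HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?), *\d+\]")
# Failed authentication message emitted by auth_check_password_recv at auth:2
FAILED_RE = re.compile(
    r"authentication for user \[(?P<user>[^\]]+)\] FAILED with error (?P<status>NT_STATUS_\w+)")
# Connection lines such as "192.168.0.180 (ipv4:192.168.0.180:59351) closed connection to service"
CONN_RE = re.compile(r"\((?:ipv4|ipv6):(?P<ip>[^)]+?):\d+\)")

# Constructed sample, modelled on the log excerpt posted in the thread.
SAMPLE_LOG = """\
[2016/06/26 09:11:28.226254, 2]
  auth_check_password_recv: sam_ignoredomain authentication for user
  [SAMDOM\\derf] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/06/26 09:11:28.226339, 2]
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/06/26 09:16:55.243885, 2] ../source3/smbd/service.c:1140(close_cnum)
  192.168.0.180 (ipv4:192.168.0.180:59351) closed connection to service
"""


def split_messages(text):
    """Group the lines that follow each '[timestamp, level]' header into one (ts, message) pair."""
    messages, ts, buf = [], None, []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            if ts is not None:
                messages.append((ts, " ".join(part.strip() for part in buf)))
            ts, buf = header["ts"], []
        elif ts is not None:
            buf.append(line)
    if ts is not None:
        messages.append((ts, " ".join(part.strip() for part in buf)))
    return messages


def client_ip(text, fallback):
    """IP from the first connection line in the file; otherwise the file-name suffix."""
    match = CONN_RE.search(text)
    return match["ip"] if match else fallback


def failed_logins(client, text):
    """Return one record per FAILED authentication message in a single log.<client> file."""
    ip = client_ip(text, client)
    records = []
    for ts, msg in split_messages(text):
        m = FAILED_RE.search(msg)
        if m:
            records.append({"time": ts, "client": client, "ip": ip,
                            "user": m["user"], "status": m["status"]})
    return records


def scan_log_dir(directory):
    """Scan every log.<client> file in a Samba log directory (assumed layout)."""
    records = []
    for path in sorted(Path(directory).glob("log.*")):
        client = path.name[len("log."):]
        records.extend(failed_logins(client, path.read_text(errors="replace")))
    return records


def failures_per_ip(records):
    """Count failures by source IP: the input a blocklist or alerting script needs."""
    return Counter(r["ip"] for r in records)


if __name__ == "__main__":
    hits = failed_logins("192.168.0.180", SAMPLE_LOG)
    for rec in hits:
        print(rec)
    print(failures_per_ip(hits))
```

Point scan_log_dir() at the directory named in the 'log file' setting to process real files; the per-IP counter is what a countermeasure script would consume, and the fallback to the file-name suffix keeps hostname-only files visible rather than silently dropped.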