[Samba] Need IP on failed logins in logfile

Mark Foley mfoley at ohprs.org
Sun Jun 26 19:22:01 UTC 2016


On Sun, 26 Jun 2016 09:24:16 Rowland penny <rpenny at samba.org> wrote:

> ...
> So, if you are looking for an ipaddress of a failed login attempt, it 
> seems you can get it.

That looked interesting.  I tried creating the logfile /var/log/samba/.log.samba.%m and restarting
samba.  What it did was immediately create separate log files for each currently attached
workstation: log.samba.192.168.0.50, log.samba.192.168.0.51, etc.  I then tried connecting
remotely with a bad password as I had done before.  It created a file log.samba.%m (no IP) with
the entry

[2016/06/26 14:56:28.119286,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\mark] FAILED with error NT_STATUS_WRONG_PASSWORD

In the log files with IPs, e.g. log.samba.192.168.0.50, I do see IP addresses on messages with
"closed connection" text, but the failed login logfile does not have this message, no closed
connection. Probably because a connection was never established. 

You also have "SPNEGO login failed" whereas I have nothing like that. In my case, I'm trying to
use Remote Desktop Connection to log into a Windows 7 workstation, so perhaps the mechanism is
different.

In any case -- not working for me :(

In the meantime, while breathlessly anticipating action on MJ's bug
https://bugzilla.samba.org/show_bug.cgi?id=11998, I'll try the tcpdump solution. Here's the
tcpdump command I'm using:

tcpdump -tttt -nn portrange n-m and 'tcp[13] & 4 != 0'

where n-m is the port range I want to monitor and the flag mask will only monitor RESET packets
(otherwise, all packets to and from the affected hosts will get logged!). I'll dump these to a
periodic file (daily, weekly ... haven't decided) and if I get a clearly malicious attempt I
can at least correlate the log.samba timestamp with an entry in this tcpdump file which will
show the rogue IP.

--Mark
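As an added illustration (not code from this thread, from Samba, or from either poster) of the two approaches discussed above: Rowland's per-client `log file = .../log.%m` naming, which puts the client address in the log file name, and the tcpdump RST-correlation plan for the sessions that land in the literal `log.samba.%m` file. The script parses Samba's FAILED auth lines (carrying the timestamp forward from the header line that precedes each message), parses `tcpdump -tttt -nn` output, keeps only reset packets, and reports the non-server endpoint of every reset seen within a two-second window of each failure. The server address, the window, the `log.samba.` prefix, and all sample log and capture lines are constructed assumptions, not data from the list.

```python
import re
from datetime import datetime, timedelta

# Samba log header line, e.g.
# "[2016/06/26 14:56:28.119286,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)"
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*\d+\]")
# The failure message that follows the header (same shape as the lines quoted in the thread)
FAILED_RE = re.compile(r"authentication for user \[([^\]]+)\] FAILED with error (NT_STATUS_\w+)")
# One line of "tcpdump -tttt -nn" output; the Flags field carries R for a reset
TCPDUMP_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+): Flags \[([^\]]*)\]"
)
SAMBA_TS = "%Y/%m/%d %H:%M:%S.%f"
TCPDUMP_TS = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample input modelled on the lines quoted in the thread (not real logs or captures).
SERVER_IP = "192.168.0.2"  # assumed address of the DC; both logs come from this host (same clock)
SAMBA_LOG = """\
[2016/06/26 14:56:28.119286,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\\mark] FAILED with error NT_STATUS_WRONG_PASSWORD
[2016/06/26 15:02:10.500000,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\\thisuser] FAILED with error NT_STATUS_NO_SUCH_USER
"""
TCPDUMP_LOG = """\
2016-06-26 14:50:00.000000 IP 192.168.0.50.49150 > 192.168.0.2.445: Flags [R.], seq 1, ack 1, win 0, length 0
2016-06-26 14:56:28.420000 IP 203.0.113.7.49152 > 192.168.0.2.445: Flags [R.], seq 1, ack 1, win 0, length 0
2016-06-26 15:02:10.700000 IP 192.168.0.2.445 > 203.0.113.7.49160: Flags [R.], seq 1, ack 1, win 0, length 0
2016-06-26 15:02:11.000000 IP 203.0.113.7.49160 > 192.168.0.2.445: Flags [P.], seq 1:10, ack 1, win 0, length 9
"""


def parse_samba_failures(lines):
    """Return (timestamp, user, nt_status) for each FAILED line.

    Samba prints the timestamp on a header line and the message on the next
    line, so the most recent header's timestamp is carried to the message.
    """
    failures = []
    current_ts = None
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            current_ts = datetime.strptime(m.group(1), SAMBA_TS)
        m = FAILED_RE.search(line)
        if m and current_ts is not None:
            failures.append((current_ts, m.group(1), m.group(2)))
    return failures


def parse_tcpdump_resets(lines):
    """Return (timestamp, src_ip, dst_ip) for each RST packet in tcpdump -tttt -nn output."""
    resets = []
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if m and "R" in m.group(6):  # the capture filter already selects RSTs; re-check anyway
            resets.append((datetime.strptime(m.group(1), TCPDUMP_TS), m.group(2), m.group(4)))
    return resets


def correlate(failures, resets, server_ip, window=timedelta(seconds=2)):
    """For each failure, list the non-server endpoints of resets seen within +/- window.

    Either side may send the RST, so the peer is whichever address is not the server.
    """
    report = []
    for ts, user, status in failures:
        peers = []
        for rts, src, dst in resets:
            if abs(rts - ts) <= window:
                peer = dst if src == server_ip else src
                if peer not in peers:
                    peers.append(peer)
        report.append({"time": ts, "user": user, "status": status, "candidates": peers})
    return report


def client_from_logname(path, prefix="log.samba."):
    """Client address from a per-client log created with 'log file = .../log.samba.%m'.

    Sessions whose %m did not resolve go to the literal file 'log.samba.%m', which
    is the case described in the thread, so that name yields None (fall back to tcpdump).
    """
    name = path.rsplit("/", 1)[-1]
    if not name.startswith(prefix):
        return None
    suffix = name[len(prefix):]
    return None if suffix in ("", "%m") else suffix


if __name__ == "__main__":
    rows = correlate(parse_samba_failures(SAMBA_LOG.splitlines()),
                     parse_tcpdump_resets(TCPDUMP_LOG.splitlines()), SERVER_IP)
    for r in rows:
        print(r["time"], r["user"], r["status"], "candidates:", ", ".join(r["candidates"]) or "none")
```

The window is deliberately wide enough to absorb the gap between Samba writing the log line and the TCP teardown; on a busy server several peers can fall inside it, which is why the report lists candidates rather than asserting a single source. Failures that already sit in a `log.samba.<address>` file need no correlation at all, since `client_from_logname` recovers the address directly from the file name.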

> On 26/06/16 06:16, Mark Foley wrote:
> > I used to also get related log messages of the form:
> >
> > auth_check_password_send: Checking password for unmapped user [HPRS]\[mark]@[ROVER]
> >    auth_check_password_send: mapped user is: [HPRS]\[mark]@[ROVER]
> >
> > but now all I get is the auth_check_password_recv in the log.  Perhaps the change is due to an
> > upgrade to Samba, or perhaps a change I made to my smb.conf log options? (see log config in
> > my original email below mj's).
> >
> > Anyway, samba does (or did) have access to the hostname of the offending computer. The one
> > shown above, ROVER, is actually my home laptop's host name, said computer being miles away from
> > the Samba server and in no way part of the AD/DC domain. If it can know the hostname, it surely
> > must have knowledge of the computer's IP?
> >
> > Perhaps this all can be submitted somewhere as an upgrade request? I think for the sake of
> > Internet security in this day-and-age of cyber criminals it would be useful to know the IP of
> > attackers so appropriate countermeasures could be taken.
> >
> > Rowland, I will investigate pam_tally[2] to see what it does. I've not heard of it before.
> >
> > I suppose I could also run tcpdump continuously against the specific port(s) where such logins
> > can occur, but that is a bit of work, esp. since the timestamp of the samba log message is
> > detached to a separate message preceding the one listing the failed user.
> >
> > --Mark
> >
> >>> To: samba at lists.samba.org
> >>> From: mj <lists at merit.unu.edu>
> >>> Date: Sat, 25 Jun 2016 22:48:13 +0200
> >>> Subject: Re: [Samba] Need IP on failed logins in logfile
> >>>
> >>>
> >>> On 06/25/2016 06:32 PM, Mark Foley wrote:
> >>>> I think I've read something on this before, but I can't seem to find it.
> >>> As far as we know, this is impossible. :-(
> >>>
> >>> It's a feature we would also VERY much like to see, for exactly the same
> >>> reason.
> >>>
> >>> MJ
> >>>
> >>> -- 
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/options/samba
> >> From: Mark Foley <mfoley at ohprs.org>
> >> Date: Sat, 25 Jun 2016 12:32:54 -0400
> >> To: samba at lists.samba.org
> >> Subject: [Samba] Need IP on failed logins in logfile
> >>
> >> I am running Samba Version 4.1.23 as an AD/DC on Linux Slackware64 14.1. I am logging samba
> >> messages to /var/log/samba/log.samba with logging set to the following in smb.conf:
> >>
> >> log level = 2 passdb:5 auth:10 winbind:2 lanman:10
> >>
> >> I have a script that scans this logfile for messages like the following:
> >>
> >> auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thisuser] FAILED with error NT_STATUS_NO_SUCH_USER
> >> auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thatuser] FAILED with error NT_STATUS_WRONG_PASSWORD
> >>
> >> Usually, these are not a big deal as they are the results of a local domain user mistyping
> >> either their login ID or password. However, occasionally the attempts are clearly outsiders
> >> trying to break in.
> >>
> >> Is there some way to get the logger to show the IP of the failure? Currently it shows only the
> >> domain and user.
> >>
> >> I think I've read something on this before, but I can't seem to find it.
> >>
> >> Thanks, Mark
>
> After a bit of thought, I remembered that you can set up logging for 
> each machine, so I added 'log file = /usr/local/samba/var/log.%m' to my 
> DCs smb.conf and restarted samba.
>
> I then tried to connect to the share with smbclient as a non-existent user:
>
> rowland at devstation:~$ smbclient \\\\dc1\\data -U derf%gggfdwsscvo
>
> When I examined the resulting logfile on the DC:
>
> root at dc1:~# nano /usr/local/samba/var/log.192.168.0.180
>
> I found this:
>
> [2016/06/26 09:11:28.226254,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
>    auth_check_password_recv: sam_ignoredomain authentication for user [SAMDOM\derf] FAILED with error NT_STATUS_NO_SUCH_USER
> [2016/06/26 09:11:28.226339,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
>    SPNEGO login failed: NT_STATUS_NO_SUCH_USER
> [2016/06/26 09:16:55.243885,  2] ../source3/smbd/service.c:1140(close_cnum)
>    192.168.0.180 (ipv4:192.168.0.180:59351) closed connection to service data
>
> So, if you are looking for an ipaddress of a failed login attempt, it 
> seems you can get it.
>
> Rowland
>