[Samba] How to track attempted breakins, authentication failure logging
L.P.H. van Belle
belle at bazuin.nl
Tue Sep 19 15:02:16 UTC 2017
Hai Mark,
I see the bug report for this is still untouched.
https://bugzilla.samba.org/show_bug.cgi?id=11998
Is vfs_full_audit not an option?
With %I you can log the IP address of the client machine.
But I don't know if that will work or if vfs_full_audit has that option.
With something like this:
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = connect
full_audit:success = connect disconnect
And maybe you need more options in failure and success (man vfs_full_audit).
man smb.conf for all the variable substitutions
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark
> Foley via samba
> Sent: Tuesday 19 September 2017 16:08
> To: samba at lists.samba.org
> Subject: [Samba] How to track attempted breakins,
> authentication failure logging
>
> This may have been asked before, but I can't find it. I am
> getting repeated external attempts to log into our AD/DC
> (running Samba 4.4.14). In /var/log/samba/log.samba I get
> entries like:
>
> [2017/09/19 05:02:25.562957, 2]
> ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
> auth_check_password_recv: sam_ignoredomain authentication
> for user [HPRS\333] FAILED with error NT_STATUS_NO_SUCH_USER
>
> [2017/09/19 05:02:33.493494, 2]
> ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
> auth_check_password_recv: sam_ignoredomain authentication
> for user [HPRS\ADMINISTRATOR] FAILED with error
> NT_STATUS_WRONG_PASSWORD
>
> The first form is the message generated for an attempt at an
> invalid user. The 2nd form is if they have a valid user, but
> invalid password.
>
> I do not get the attacker's IP address which makes it
> difficult for me to block them.
>
> My current log level is:
>
> log level = 2 passdb:5 auth:10 winbind:2 lanman:10
>
> Is there some level I can set that would show me the attacking IP?
>
> This is a current problem as the attacker(s) keep trying,
> even as I write this.
>
> THX --Mark
>
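
The two failure forms described in the quoted message can be told apart mechanically. As an added example (not part of either post and not Samba code), this Python script parses log.samba entries in that layout, including entries wrapped over several lines, and separates guesses at non-existent names from repeated wrong passwords against existing accounts. The sample log, the function names and the threshold of 3 are assumptions; it does not recover the client IP, which these log lines do not contain.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the log.samba entries quoted above;
# the third entry is wrapped the way a mail client or pager might wrap it.
SAMPLE_LOG = r"""
[2017/09/19 05:02:25.562957,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\333] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/09/19 05:02:33.493494,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\ADMINISTRATOR] FAILED with error NT_STATUS_WRONG_PASSWORD
[2017/09/19 05:02:41.100001,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication
  for user [HPRS\administrator] FAILED with error
  NT_STATUS_WRONG_PASSWORD
[2017/09/19 05:02:49.200002,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*\d+\]")
FAILURE = re.compile(
    r"authentication for user \[([^\]]+)\] FAILED with error (NT_STATUS_\w+)")

def parse_failures(text):
    """Return (timestamp, account, status) for each failed-auth entry."""
    entries, stamp, body = [], None, []
    # A sentinel header at the end flushes the last real entry.
    for line in text.splitlines() + ["[0000/00/00 00:00:00.0, 0]"]:
        m = HEADER.match(line)
        if not m:
            body.append(line.strip())  # continuation of the current entry
            continue
        hit = FAILURE.search(" ".join(body))
        if stamp and hit:
            # Account names are case-insensitive, so normalise before counting.
            entries.append((stamp, hit.group(1).upper(), hit.group(2)))
        stamp, body = m.group(1), [line[m.end():].strip()]
    return entries

def summarize(entries, threshold=3):
    """Split failures into unknown names and existing accounts under attack."""
    by_account = defaultdict(Counter)
    for _, account, status in entries:
        by_account[account][status] += 1
    unknown = sorted(a for a, c in by_account.items() if c["NT_STATUS_NO_SUCH_USER"])
    targeted = {a: c["NT_STATUS_WRONG_PASSWORD"] for a, c in by_account.items()
                if c["NT_STATUS_WRONG_PASSWORD"] >= threshold}
    return unknown, targeted
```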