[Samba] How to track attempted breakins, authentication failure logging

Mark Foley mfoley at ohprs.org
Tue Sep 19 15:36:06 UTC 2017


OK, thanks, I'll give that a shot. Just to confirm, I should put:

full_audit:prefix = %u|%I|%m|%S 
full_audit:failure = connect
full_audit:success = connect disconnect 

in /etc/samba/smb.conf, right?

--Mark

-----Original Message-----
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Mark, 
>
> I see the bugreport for this is still untouched. 
> https://bugzilla.samba.org/show_bug.cgi?id=11998 
>
> Is vfs_full_audit not an option? 
> with %I you can log the IP address of the client machine. 
> But I don't know if that will work or if vfs_full_audit has that option.
>
> With something like this. 
> full_audit:prefix = %u|%I|%m|%S 
> full_audit:failure = connect
> full_audit:success = connect disconnect 
>
> And maybe you need more options in failure and success. ( man vfs_full_audit ) 
> man smb.conf for all the variable substitutions
>
> Greetz, 
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark 
> > Foley via samba
> > Sent: Tuesday 19 September 2017 16:08
> > To: samba at lists.samba.org
> > Subject: [Samba] How to track attempted breakins, 
> > authentication failure logging
> > 
> > This may have been asked before, but I can't find it. I am 
> > getting repeated external attempts to log into our AD/DC 
> > (running Samba 4.4.14). In /var/log/samba/log.samba I get 
> > entries like:
> > 
> > [2017/09/19 05:02:25.562957,  2] 
> > ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
> >   auth_check_password_recv: sam_ignoredomain authentication 
> > for user [HPRS\333] FAILED with error NT_STATUS_NO_SUCH_USER
> > 
> > [2017/09/19 05:02:33.493494,  2] 
> > ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
> >   auth_check_password_recv: sam_ignoredomain authentication 
> > for user [HPRS\ADMINISTRATOR] FAILED with error 
> > NT_STATUS_WRONG_PASSWORD
> > 
> > The first form is the message generated for an attempt at an 
> > invalid user. The 2nd form is if they have a valid user, but 
> > invalid password.
> > 
> > I do not get the attacker's IP address which makes it 
> > difficult for me to block them.
> > 
> > My current log level is:
> > 
> >     log level = 2 passdb:5 auth:10 winbind:2 lanman:10
> >     
> > Is there some level I can set that would show me the attacking IP?
> > 
> > This is a current problem as the attacker(s) keep trying, 
> > even as I write this.
> > 
> > THX --Mark
> > 
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
>
>
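A defender-side parser for both log shapes in this thread, added here as an example and not taken from the thread or from Samba itself: it reads the log.samba authentication-failure lines Mark quoted (which carry the user and NT_STATUS but no client IP) alongside vfs_full_audit lines written with the `%u|%I|%m|%S` prefix Louis suggested, and counts failed connects per client IP so the noisy ones can be handed to a firewall rule. The sample lines, host name and IP addresses are constructed, and the `smbd_audit: prefix|operation|ok-or-fail|args` layout is an assumption about the module's syslog output.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). The log.samba entries match
# the shape quoted above; the smbd_audit lines assume full_audit writes
# "prefix|operation|ok-or-fail|args" to syslog with prefix %u|%I|%m|%S.
# Adjust AUDIT_RE if your Samba version lays the line out differently.
SAMPLE_LOG = """\
[2017/09/19 05:02:25.562957,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\\333] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/09/19 05:02:33.493494,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\\ADMINISTRATOR] FAILED with error NT_STATUS_WRONG_PASSWORD
Sep 19 05:02:25 dc1 smbd_audit: nobody|203.0.113.7|unknown-pc|IPC$|connect|fail|IPC$
Sep 19 05:02:33 dc1 smbd_audit: nobody|203.0.113.7|unknown-pc|IPC$|connect|fail|IPC$
Sep 19 05:02:40 dc1 smbd_audit: nobody|203.0.113.7|unknown-pc|IPC$|connect|fail|IPC$
Sep 19 08:15:01 dc1 smbd_audit: mark|192.0.2.20|desk01|home|connect|ok|home
Sep 19 08:15:01 dc1 smbd_audit: mark|192.0.2.20|desk01|home|disconnect|ok|home
"""

AUTH_FAIL_RE = re.compile(
    r"authentication for user \[(?P<user>[^\]]+)\] FAILED with error (?P<status>NT_STATUS_\w+)")
AUDIT_RE = re.compile(
    r"smbd_audit: (?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<machine>[^|]*)\|(?P<service>[^|]*)\|"
    r"(?P<op>\w+)\|(?P<result>ok|fail)")

def summarize(log_text):
    """Count auth failures per (user, NT_STATUS) and failed connects per client IP."""
    auth_failures = Counter()    # (user, NT_STATUS) -> count; no IP available here
    failed_connects = Counter()  # client IP from %I -> count of failed connects
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            auth_failures[(m["user"], m["status"])] += 1
            continue
        m = AUDIT_RE.search(line)
        if m and m["op"] == "connect" and m["result"] == "fail":
            failed_connects[m["ip"]] += 1
    return auth_failures, failed_connects

def noisy_ips(failed_connects, threshold=3):
    """Client IPs whose failed-connect count reaches the threshold (block candidates)."""
    return sorted(ip for ip, n in failed_connects.items() if n >= threshold)

if __name__ == "__main__":
    auth, conns = summarize(SAMPLE_LOG)
    for (user, status), n in auth.items():
        print(f"{n:3d} auth failure(s) for {user}: {status}")
    for ip in noisy_ips(conns):
        print(f"block candidate: {ip} ({conns[ip]} failed connects)")
```

Pointing `summarize` at `/var/log/samba/log.samba` plus the syslog file that receives `smbd_audit` messages gives the per-IP counts the log.samba entries alone cannot provide.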