[Samba] How to track attempted breakins, authentication failure logging
Andrew Bartlett
abartlet at samba.org
Tue Sep 19 18:51:29 UTC 2017
On Tue, 2017-09-19 at 17:02 +0200, L.P.H. van Belle via samba wrote:
> Hai Mark,
>
> I see the bug report for this is still untouched.
> https://bugzilla.samba.org/show_bug.cgi?id=11998
I've closed that bug now.
Extensive work has been done to add this feature to Samba 4.7, due out
this week:
https://wiki.samba.org/index.php/Setting_up_Audit_Logging
Two new debug classes, auth_audit and auth_audit_json, were added to
control logging of text-string and structured JSON authentication and
authorization logging.
> Is vfs_full_audit not an option?
> with %I you can log the IP address of the client machine.
> But I don't know if that will work or if vfs_full_audit has that option.
No, this won't get you any information on failed authentication.
> With something like this.
> full_audit:prefix = %u|%I|%m|%S
> full_audit:failure = connect
> full_audit:success = connect disconnect
>
> And maybe you need more options in failure and success. ( man vfs_full_audit )
> man smb.conf for all the variable substitutions
At the stage that the module operates it simply does not run if the
password is wrong.
Sorry,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
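
Added example, not part of the original message and not Samba project code: a small Python filter that reads log lines written by the auth_audit_json class and reports clients with repeated failed authentications. The sample lines are constructed, and the JSON field names (type, status, remoteAddress, clientAccount) and the smb.conf setting in the comment are assumptions to verify against your own Samba 4.7+ log.

```python
import json
from collections import defaultdict

# Constructed sample lines, not from a real server. Field names are an
# assumption about the auth_audit_json record layout (enabled with e.g.
# "log level = 1 auth_audit_json:3"); check them against your own log.
SAMPLE_LOG = """\
[constructed debug header line, skipped by the parser]
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.10:50112", "clientAccount": "alice"}}
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.10:50113", "clientAccount": "bob"}}
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:192.0.2.10:50114", "clientAccount": "admin"}}
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:198.51.100.7:41000", "clientAccount": "carol"}}
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv6:2001:db8::5:40222", "clientAccount": "carol"}}
  {"type": "Authorization", "Authorization": {"remoteAddress": "ipv4:198.51.100.7:41000", "account": "carol"}}
  {"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": truncated
"""

def client_ip(remote_address):
    """Strip the 'ipv4:'/'ipv6:' prefix and the trailing ':port'."""
    _, _, rest = remote_address.partition(":")
    host, _, _ = rest.rpartition(":")
    return host or rest

def parse_records(text):
    """Yield the Authentication object from each parseable log line."""
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue  # debug header or other non-JSON line
        try:
            record = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or damaged line
        if record.get("type") == "Authentication":
            yield record.get("Authentication", {})

def failed_logons(text, threshold=3):
    """Return {client_ip: sorted accounts tried} for clients with >= threshold failures."""
    counts, accounts = defaultdict(int), defaultdict(set)
    for auth in parse_records(text):
        if auth.get("status") in (None, "NT_STATUS_OK"):
            continue
        ip = client_ip(auth.get("remoteAddress", ""))
        counts[ip] += 1
        accounts[ip].add(auth.get("clientAccount") or "?")
    return {ip: sorted(accounts[ip]) for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(failed_logons(SAMPLE_LOG))
```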