[Samba] How to track attempted breakins, authentication failure logging

Mark Foley mfoley at ohprs.org
Wed Sep 20 03:03:06 UTC 2017

On Wed, 20 Sep 2017 06:51:29 +1200 Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Tue, 2017-09-19 at 17:02 +0200, L.P.H. van Belle via samba wrote:
> > Hai Mark, 
> > 
> > I see the bugreport for this is still untouched. 
> > https://bugzilla.samba.org/show_bug.cgi?id=11998 
> I've closed that bug now.
> Extensive work has been done to add this feature to Samba 4.7, due out
> this week:
> https://wiki.samba.org/index.php/Setting_up_Audit_Logging

Well, I will anticipate the release of 4.7, although my distro certainly won't have it included
for some time.  Meanwhile, I've created a script to catch the offenders.  I'll post it here in
case anyone else would like to try catching hackers before 4.7 is available.

First, I also run tcpdump in order to get the IP addresses of attempted accesses:

tcpdump -tttt -l -nn portrange $myPortRange and 'tcp[13] & 4 != 0' > /var/log/samba/tcpdump.log 2>&1 &

(sorry, myPortRange is SECRET!)

I run this from logrotate.d rotating the tcpdump.log weekly. The logrotate.d entry is:

/var/log/samba/tcpdump.log /root/logfiles/monitorFailedLogins.log
    rotate 12

            killall tcpdump
            tcpdump -tttt -l -nn portrange myPortRange and 'tcp[13] & 4 != 0' > /var/log/samba/tcpdump.log 2>&1 &

This tcpdump produces output like:

2017-09-19 22:37:12.994750 IP > w.x.y.x.port: Flags [R.], seq 450913492, ack 3240423989, win 0, length 0

The log.samba failure messages are of the form:

[2017/09/19 21:41:03.085898,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\FUTUREPOS] FAILED with error NT_STATUS_NO_SUCH_USER

I then have a script that runs from root cron every 5 minutes, shown below.  I won't go into
detail, but some highlights:

o I save a timestamp of the last run so I don't peruse the entire log.samba file each time. 

o The log.samba file puts the timestamp and failure messages on separate lines, unfortunately,
so the script merges these lines. 

o I grab the log.samba timestamp and search the tcpdump.log for the latest entry less than or
equal to the log.samba timestamp.  The assumption here is that tcpdump will likely log its
message before samba does.  I've never found and exact timestamp match. 

The rest should be easy enough to figure out. I email the info to the system administrator. I
also have another script that will monitor the resulting log and block the IPs after a certain
number of failed attempts.

I hope someone finds this useful.



MSGFILE=`tempfile -p FAIL_`

if [ ! -e /root/.monitorFailedLogins ]
   lastTime=`cat /root/.monitorFailedLogins`

lastDate=`date -d@$lastTime "+%Y/%m/%d %H:%M:%S"`

# the log.samba file puts the timestamp and error on separate lines. Merge them.

grep -B1 "auth_check_password_recv.*FAILED" "$SAMBALOG" | grep -v "^--" | \
    sed -e N -e 's/\n//' -e 's#\\#/#g'| \
while read
    # Skip to last timestamp

    dte=`echo "$REPLY" | awk '{print $1 " " $2}' | sed -e 's/^.//' -e 's/.$//'`
    thisTime=`date -d "$dte" +%s`

    if [ "$thisTime" -gt "$lastTime" ]
        user=`echo $REPLY | cut "-d[" -f3`
        domain=`echo $user | cut "-d/" -f1`
        user=`echo $user | cut "-d/" -f2 | sed 's/\].*$//g'`
        timestamp=`echo $REPLY | cut -c 2-20`

        # The samba log does not record the IP. Search the tcpdump log.
        # Search the entire 'minute' in which the attempt occured as the tcpdump will
        # likely log its access before Samba. If the attempt is on a minute
        # boundry, we'll probably miss it.

        echo -n $REPLY | sed 's/\].*authentication/\] authentication/' >>$MSGFILE

        logsec=`date -d "$timestamp" +%s`
        timestamp=`date "-d $timestamp" "+%Y-%m-%d %H:%M:"`

        grep "^$timestamp" "$TCPDUMPLOG" | tac | \
        while read msg
            tm=`echo $msg | cut -d. -f1`
            sec=`date -d "$tm" +%s`

            if [ $sec -le $logsec ]     # This One
                IP=`echo $msg | awk '{print $4}' | cut -d. -f1-4`
                port=`echo $msg | awk '{print $6}' | cut -d. -f5 | sed 's/://'`
                echo ", port: $port, IP: $IP" >>$MSGFILE

if [ -s $MSGFILE ]
    cat $MSGFILE
    cat "$MSGFILE" | mail -r noreply at mydom.org -s "OHPRS ${HOSTNAME^^} Failed Login Attempts" sysadmin

rm -f $MSGFILE
date +%s > /root/.monitorFailedLogins

> Two new debug classes, auth_audit and auth_audit_json were added to
> control logging of text-string and structured JSON authentication and
> authorization logging.
> > Is vfs_full_audit not an option? 
> > with %I you can log the IP address of the client machine. 
> > But i dont know if that wil work of if vfs_full_audit hase that option.
> No, this won't get you any information on failed authentication. 
> > With something like this. 
> > full_audit:prefix = %u|%I|%m|%S 
> > full_audit:failure = connect
> > full_audit:success = connect disconnect 
> > 
> > And maybe you need more options in failure and success. ( man vfs_full_audit ) 
> > man smb.conf for all the variable substitutions
> At the stage that the module operates it simply does not run if the
> password is wrong. 
> Sorry,
> Andrew Bartlett
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list