[Samba] Fail2Ban for AD

Philippe LeCavalier support at plecavalier.com
Fri Dec 17 19:05:49 UTC 2021


On Mon, Dec 13, 2021 at 7:31 AM Philippe LeCavalier <support at plecavalier.com>
wrote:

>
>
> On Mon, Dec 13, 2021, 05:50 Andrea Venturoli via samba <
> samba at lists.samba.org> wrote:
>
>> On 12/12/21 04:35, Philippe LeCavalier via samba wrote:
>>
>> > Thanks. I was going to follow this[1] but I'm a little confused about
>> this
>> > "Validate that log redirection is activated in the file smb.conf"
>> comment.
>> > Is it just a matter of installing and configuring fail2ban or must I
>> > "redirect" my log sys to rsyslog?
>>
>> You can tell f2b which file to watch.
>> It needs not be written via syslog.
>>
>>   bye
>>         av.
> Thank you.
>
> I've implemented this[1]. Where should I be seeing the increase in
> verbosity? I poked around in various samba logs under /var/log/samba and
> didn't see any additional or even relevant information. dmesg and
> /var/log/messages didn't seem to have more either.

Also, the below settings are specifically geared towards anti-ransomware
attacks in that they're telling samba to log file and folder access. I'm
looking for failed login against AD. Are these the same settings I should
be implementing? If not can someone suggest some adjustments?

ref.
[1] # Anti-ransom
    full_audit:failure = none
    full_audit:success = pwrite write rename
    full_audit:prefix = IP=%I | USER=%u | MACHINE=%m | VOLUME=%S
    full_audit:facility = local7
    full_audit:priority = NOTICE
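
As an added illustration (not part of this thread, and not Samba's or fail2ban's own code), the script below shows what a fail2ban-style rule can actually see when it watches the output of the settings above: vfs_full_audit writes one line per file operation, carrying the configured prefix (IP=... | USER=... | MACHINE=... | VOLUME=...) followed by the operation, its result and its arguments, and fail2ban's maxretry/findtime logic simply counts matching lines per source IP inside a time window. The sample log lines, the year assumed for the syslog timestamps and the rename threshold are constructed for the example. Because these settings only log pwrite/write/rename, a filter over this output detects bulk file activity, not failed AD logons; a logon-failure jail has to watch Samba's authentication log output instead.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real captures). vfs_full_audit emits
# "<prefix>|<operation>|<ok or fail>|<arguments>"; the prefix is the one from
# the settings above: IP=%I | USER=%u | MACHINE=%m | VOLUME=%S
SAMPLE_LOG = """\
Dec 13 07:31:01 dc1 smbd_audit: IP=192.0.2.5 | USER=alice | MACHINE=ws1 | VOLUME=docs|pwrite|ok|reports/q4.xlsx
Dec 13 07:31:02 dc1 smbd_audit: IP=192.0.2.5 | USER=alice | MACHINE=ws1 | VOLUME=docs|rename|ok|reports/q4.xlsx|reports/q4.xlsx.locked
Dec 13 07:31:02 dc1 smbd_audit: IP=192.0.2.5 | USER=alice | MACHINE=ws1 | VOLUME=docs|rename|ok|reports/q3.xlsx|reports/q3.xlsx.locked
Dec 13 07:31:03 dc1 smbd_audit: IP=192.0.2.5 | USER=alice | MACHINE=ws1 | VOLUME=docs|rename|ok|reports/q2.xlsx|reports/q2.xlsx.locked
Dec 13 07:45:00 dc1 smbd_audit: IP=192.0.2.9 | USER=bob | MACHINE=ws2 | VOLUME=docs|write|ok|notes.txt
Dec 13 08:10:00 dc1 smbd_audit: IP=192.0.2.9 | USER=bob | MACHINE=ws2 | VOLUME=docs|rename|ok|notes.txt|notes-old.txt
"""

# Matches the syslog stamp, the host, the smbd_audit tag and the prefix fields.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ smbd_audit: "
    r"IP=(?P<ip>\S+) \| USER=(?P<user>\S+) \| MACHINE=(?P<machine>\S+) \| "
    r"VOLUME=(?P<volume>[^|]+)\|(?P<op>\w+)\|(?P<status>[^|]+)\|(?P<args>.*)$"
)

YEAR = 2021  # syslog stamps carry no year; assumed for the constructed sample


def parse_audit_lines(text):
    """Yield one dict per line that matches the full_audit prefix format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(f"{ev['stamp']} {YEAR}", "%b %d %H:%M:%S %Y")
        yield ev


def offenders(events, ops=("rename",), maxretry=3, findtime=600):
    """fail2ban-style check: IPs with >= maxretry matching ops within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["op"] not in ops:
            continue
        q = recent[ev["ip"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            flagged.add(ev["ip"])
    return flagged


def analyse(text=SAMPLE_LOG):
    """Parse the log text and return the set of IPs over the rename threshold."""
    return offenders(list(parse_audit_lines(text)))


if __name__ == "__main__":
    print("IPs exceeding the rename threshold:", sorted(analyse()))
```

With these settings the audit lines are handed to syslog on facility local7 at priority NOTICE, so they land wherever the syslog daemon routes local7, which is what the guide's "log redirection" remark refers to; a fail2ban jail then points at that file with a logpath and a filter regex equivalent to LINE_RE above.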

