[Samba] Fail2Ban for AD

Philippe LeCavalier support at plecavalier.com
Tue Dec 21 15:59:06 UTC 2021


On Fri, Dec 17, 2021, 14:05 Philippe LeCavalier <support at plecavalier.com>
wrote:

> On Mon, Dec 13, 2021 at 7:31 AM Philippe LeCavalier <
> support at plecavalier.com> wrote:
>
>>
>>
>> On Mon, Dec 13, 2021, 05:50 Andrea Venturoli via samba <
>> samba at lists.samba.org> wrote:
>>
>>> On 12/12/21 04:35, Philippe LeCavalier via samba wrote:
>>>
>>> > Thanks. I was going to follow this[1] but I'm a little confused about
>>> > this "Validate that log redirection is activated in the file smb.conf"
>>> > comment. Is it just a matter of installing and configuring fail2ban or
>>> > must I "redirect" my log sys to rsyslog?
>>>
>>> You can tell f2b which file to watch.
>>> It needs not be written via syslog.
>>>
>>>   bye
>>>         av.
>> Thank you.
>>
>> I've implemented this[1]. Where should I be seeing the increase in
>> verbosity? I poked around in various samba logs under /var/log/samba and
>> didn't see any additional or even relevant information. dmesg and
>> /var/log/messages didn't seem to have more either.
>
> Also, the below settings are specifically geared towards anti-ransomware
> attacks in that they're telling samba to log file and folder access. I'm
> looking for failed login against AD. Are these the same settings I should
> be implementing? If not can someone suggest some adjustments?
>
> ref.
> [1] # Anti-ransom
>     full_audit: failure = none
>     full_audit: success = pwrite write rename
>     full_audit: prefix = IP=%I | USER=%u | MACHINE=%m | VOLUME=%S
>     full_audit: facility = local7
>     full_audit: priority = NOTICE
> Anyone?
>
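The "Anti-ransom" full_audit settings quoted above log successful pwrite/write/rename calls, so the corresponding detection is a burst-of-writes check per client, not a failed-logon check. Below is an added illustration (not code from the thread, from fail2ban or from Samba) that parses such lines with the thread's prefix and flags clients exceeding a threshold; it assumes the line layout `<prefix>|<op>|<ok|fail>|<args>` as documented for vfs_full_audit, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed layout of one vfs_full_audit line (syslog header already stripped),
# using the prefix from the thread: IP=%I | USER=%u | MACHINE=%m | VOLUME=%S
#   <prefix>|<op>|<ok|fail>|<args>
LINE_RE = re.compile(
    r"IP=(?P<ip>[^|]+?)\s*\|\s*USER=(?P<user>[^|]+?)\s*\|\s*MACHINE=(?P<machine>[^|]+?)"
    r"\s*\|\s*VOLUME=(?P<volume>[^|]+?)\|(?P<op>[^|]+)\|(?P<status>ok|fail)\|(?P<args>.*)"
)

# Operations the quoted config logs on success ("success = pwrite write rename")
WRITE_OPS = ("pwrite", "write", "rename")


def parse_audit_line(line):
    """Return the parsed fields of one full_audit line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_burst_writers(lines, threshold):
    """Return {ip: count} for clients with at least `threshold` logged write-type ops.

    A mass rename/rewrite of files from a single client is the pattern the
    anti-ransom config is meant to surface; a fail2ban filter would key on
    the same IP field to ban the offender.
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["status"] == "ok" and rec["op"] in WRITE_OPS:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample lines: one client rewriting and renaming several files,
# one client doing a single normal write, and one unrelated log line.
SAMPLE = [
    "IP=192.0.2.10 | USER=alice | MACHINE=ws01 | VOLUME=docs|pwrite|ok|a.docx",
    "IP=192.0.2.10 | USER=alice | MACHINE=ws01 | VOLUME=docs|rename|ok|a.docx|a.docx.locked",
    "IP=192.0.2.10 | USER=alice | MACHINE=ws01 | VOLUME=docs|pwrite|ok|b.xlsx",
    "IP=192.0.2.10 | USER=alice | MACHINE=ws01 | VOLUME=docs|rename|ok|b.xlsx|b.xlsx.locked",
    "IP=192.0.2.10 | USER=alice | MACHINE=ws01 | VOLUME=docs|pwrite|ok|c.pdf",
    "IP=192.0.2.20 | USER=bob | MACHINE=ws02 | VOLUME=docs|pwrite|ok|notes.txt",
    "smbd[1234]: unrelated message with no audit fields",
]

if __name__ == "__main__":
    print(find_burst_writers(SAMPLE, threshold=4))  # {'192.0.2.10': 5}
```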