Xavi Serrano
2002-Jul-12 10:19 UTC
[Samba] Determining client IP address in failed connections
Hello all,

Does anyone know if there is an easy way to determine the IP address
of a client who is trying to connect unsuccessfully? The client
is providing an invalid login name. The error logs are like these:

[2002/07/12 09:28:18, 1] smbd/password.c:pass_check_smb(545)
  Couldn't find user 'foo' in passdb.
[2002/07/12 09:28:18, 1] smbd/password.c:pass_check_smb(545)
  Couldn't find user 'foo' in passdb.
[2002/07/12 09:28:18, 1] smbd/reply.c:reply_sesssetup_and_X(989)
  Rejecting user 'foo': authentication failed

I am using samba version 2.2.4 in a RedHat Linux box.

Browsing the source at smbd/reply.c I see no possibility to include
source IP address in the log message (connection_struct *conn is NULL
at this point). Nor is it possible at smbd/password.c.

I think this feature is pretty interesting to determine where some
kinds of attacks are coming from (especially the ones trying to guess
privileged accounts and their passwords in a samba server).

Any comments will be much appreciated.
Best regards,
- Xavi.

P.S.: Sorry if this has been posted before. Please include a reference
if so. Thanks a lot.
Joel Hammer
2002-Jul-12 20:25 UTC
[Samba] Determining client IP address in failed connections
I am not a security expert, but:

In your firewall, you could log all activity coming in on ports 137 or 139 or whatever and just grep that file when your samba log shows funny activity. I do that now for all attempts to connect to restricted ports. Works fine.

Joel

On Fri, Jul 12, 2002 at 09:44:50AM +0200, Xavi Serrano wrote:
> Hello all,
>
> Does anyone know if there is an easy way to determine the IP address
> of a client who is trying to connect unsuccessfully? The client
> is providing an invalid login name. The error logs are like these:
>
> [2002/07/12 09:28:18, 1] smbd/password.c:pass_check_smb(545)
>   Couldn't find user 'foo' in passdb.
> [2002/07/12 09:28:18, 1] smbd/password.c:pass_check_smb(545)
>   Couldn't find user 'foo' in passdb.
> [2002/07/12 09:28:18, 1] smbd/reply.c:reply_sesssetup_and_X(989)
>   Rejecting user 'foo': authentication failed
>
> I am using samba version 2.2.4 in a RedHat Linux box.
>
> Browsing the source at smbd/reply.c I see no possibility to include
> source IP address in the log message (connection_struct *conn is NULL
> at this point). Nor is it possible at smbd/password.c.
>
> I think this feature is pretty interesting to determine where some
> kinds of attacks are coming from (especially the ones trying to guess
> privileged accounts and their passwords in a samba server).
>
> Any comments will be much appreciated.
> Best regards,
> - Xavi.
>
> P.S.: Sorry if this has been posted before. Please include a reference
> if so. Thanks a lot.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
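
The correlation suggested in the reply above, as an added example that is not part of the original thread: it pairs each "Rejecting user" entry in the Samba log with firewall log lines for the SMB port that fall within a few seconds of it. The firewall lines are assumed to be iptables LOG-style syslog entries; the "SMB-IN:" prefix, host name, addresses and all sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data; the firewall format is an assumption (iptables LOG via syslog).
SAMBA_LOG = """\
[2002/07/12 09:28:18, 1] smbd/password.c:pass_check_smb(545)
  Couldn't find user 'foo' in passdb.
[2002/07/12 09:28:18, 1] smbd/reply.c:reply_sesssetup_and_X(989)
  Rejecting user 'foo': authentication failed
[2002/07/12 09:41:02, 1] smbd/reply.c:reply_sesssetup_and_X(989)
  Rejecting user 'root': authentication failed
"""
FIREWALL_LOG = """\
Jul 12 09:28:17 fs1 kernel: SMB-IN: IN=eth0 OUT= SRC=192.0.2.45 DST=192.0.2.10 PROTO=TCP SPT=1045 DPT=139 SYN
Jul 12 09:30:00 fs1 kernel: SMB-IN: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Jul 12 09:41:01 fs1 kernel: SMB-IN: IN=eth0 OUT= SRC=192.0.2.45 DST=192.0.2.10 PROTO=TCP SPT=1050 DPT=139 SYN
"""

HDR = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), \d+\]")
REJECT = re.compile(r"Rejecting user '([^']*)': authentication failed")
FW = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*\bSRC=(\S+) .*\bDPT=(\d+)")

def samba_failures(text):
    """Yield (timestamp, user) for each rejected session setup."""
    stamp = None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:  # header line: remember its timestamp for the message line that follows
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        elif stamp and (r := REJECT.search(line)):
            yield stamp, r.group(1)

def correlate(samba_text, fw_text, ports=(139,), window=timedelta(seconds=5)):
    """Count (source IP, user) pairs where a firewall hit is within `window` of a failure."""
    fails, hits = list(samba_failures(samba_text)), Counter()
    for line in fw_text.splitlines():
        m = FW.match(line)
        if not m or int(m.group(3)) not in ports:
            continue
        for stamp, user in fails:
            # syslog stamps carry no year; borrow it from the Samba entry
            seen = datetime.strptime(f"{stamp.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            if abs(stamp - seen) <= window:
                hits[(m.group(2), user)] += 1
    return hits

if __name__ == "__main__":
    print(dict(correlate(SAMBA_LOG, FIREWALL_LOG)))
```

The match is by time only, so on a busy server several source addresses can fall inside the same window, and a client that opened its connection well before the failed login will not match unless the window is widened.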