I used to also get related log messages of the form:

    auth_check_password_send: Checking password for unmapped user [HPRS]\[mark]@[ROVER]
    auth_check_password_send: mapped user is: [HPRS]\[mark]@[ROVER]

but now all I get is the auth_check_password_recv in the log. Perhaps the change is due to an upgrade to Samba, or perhaps a change I made to my smb.conf log options? (see log config in my original email below mj's).

Anyway, samba does (or did) have access to the hostname of the offending computer. The one shown above, ROVER, is actually my home laptop's host name, said computer being miles away from the Samba server and in no way part of the AD/DC domain. If it can know the hostname, it surely must have knowledge of the computer's IP?

Perhaps this all can be submitted somewhere as an upgrade request? I think for the sake of Internet security in this day-and-age of cyber criminals it would be useful to know the IP of attackers so appropriate countermeasures could be taken.

Rowland, I will investigate pam_tally[2] to see what it does. I've not heard of it before.

I suppose I could also run tcpdump continuously against the specific port(s) where such logins can occur, but that is a bit of work, esp. since the timestamp of the samba log message is detached to a separate message preceding the one listing the failed user.

--Mark

> > To: samba at lists.samba.org
> > From: mj <lists at merit.unu.edu>
> > Date: Sat, 25 Jun 2016 22:48:13 +0200
> > Subject: Re: [Samba] Need IP on failed logins in logfile
> >
> > On 06/25/2016 06:32 PM, Mark Foley wrote:
> > > I think I've read something on this before, but I can't seem to find it.
> > As far as we know, this is impossible. :-(
> >
> > It's a feature we would also VERY much like to see, for exactly the same
> > reason.
> >
> > MJ
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> From: Mark Foley <mfoley at ohprs.org>
> Date: Sat, 25 Jun 2016 12:32:54 -0400
> To: samba at lists.samba.org
> Subject: [Samba] Need IP on failed logins in logfile
>
> I am running Samba Version 4.1.23 as an AD/DC on Linux Slackware64 14.1. I am logging samba
> messages to /var/log/samba/log.samba with logging set to the following in smb.conf:
>
> log level = 2 passdb:5 auth:10 winbind:2 lanman:10
>
> I have a script that scans this logfile for messages like the following:
>
> auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thisuser] FAILED with error NT_STATUS_NO_SUCH_USER
> auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thatuser] FAILED with error NT_STATUS_WRONG_PASSWORD
>
> Usually, these are not a big deal as they are the results of a local domain user mistyping
> either their login ID or password. However, occasionally the attempts are clearly outsiders
> trying to break in.
>
> Is there some way to get the logger to show the IP of the failure? Currently it shows only the
> domain and user.
>
> I think I've read something on this before, but I can't seem to find it.
>
> Thanks, Mark
On 26/06/16 06:16, Mark Foley wrote:
> [...]

After a bit of thought, I remembered that you can set up logging for each machine, so I added 'log file = /usr/local/samba/var/log.%m' to my DC's smb.conf and restarted samba.

I then tried to connect to the share with smbclient as a non-existent user:

    rowland at devstation:~$ smbclient \\\\dc1\\data -U derf%gggfdwsscvo

When I examined the resulting logfile on the DC:

    root at dc1:~# nano /usr/local/samba/var/log.192.168.0.180

I found this:

    [2016/06/26 09:11:28.226254, 2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
      auth_check_password_recv: sam_ignoredomain authentication for user [SAMDOM\derf] FAILED with error NT_STATUS_NO_SUCH_USER
    [2016/06/26 09:11:28.226339, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
      SPNEGO login failed: NT_STATUS_NO_SUCH_USER
    [2016/06/26 09:16:55.243885, 2] ../source3/smbd/service.c:1140(close_cnum)
      192.168.0.180 (ipv4:192.168.0.180:59351) closed connection to service data

So, if you are looking for an IP address of a failed login attempt, it seems you can get it.

Rowland
On Sun, 26 Jun 2016 09:24:16 Rowland penny <rpenny at samba.org> wrote:
> ...
> So, if you are looking for an IP address of a failed login attempt, it
> seems you can get it.

That looked interesting. I tried creating the logfile /var/log/samba/.log.samba.%m and restarting samba. What it did was immediately create separate log files for each currently attached workstation: log.samba.192.168.0.50, log.samba.192.168.0.51, etc.

I then tried connecting remotely with a bad password as I had done before. It created a file log.samba.%m (no IP) with the entry

    [2016/06/26 14:56:28.119286, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)
      auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\mark] FAILED with error NT_STATUS_WRONG_PASSWORD

In the log files with IPs, e.g. log.samba.192.168.0.50, I do see IP addresses on messages with "closed connection" text, but the failed login logfile does not have this message, no closed connection. Probably because a connection was never established. You also have "SPNEGO login failed" whereas I have nothing like that. In my case, I'm trying to use Remote Desktop Connection to log into a Windows 7 workstation, so perhaps the mechanism is different. In any case -- not working for me :(

In the meantime, while breathlessly anticipating action on MJ's bug https://bugzilla.samba.org/show_bug.cgi?id=11998, I'll try the tcpdump solution. Here's the tcpdump command I'm using:

    tcpdump -tttt -nn portrange n-m and 'tcp[13] & 4 != 0'

where n-m is the port range I want to monitor and the flag mask will only monitor RESET packets (otherwise, all packets to and from the affected hosts will get logged!). I'll dump these to a periodic file (daily, weekly ... haven't decided) and if I get a clearly malicious attempt I can at least correlate the log.samba timestamp with an entry in this tcpdump file which will show the rogue IP.
--Mark
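The two approaches discussed in this thread, per-machine log files named with %m and correlating the log.samba header timestamp against tcpdump RST packets, combined into one small Python scanner. This is an added example, not a script from the thread; the sample log and capture lines are constructed from the excerpts above, the literal log.samba.%m file reproduces the case Mark hit, and the two-second correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

SAMBA_HDR = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{6}), +\d+\]")  # "[2016/06/26 14:56:28.119286, 2] ..."
SAMBA_FAIL = re.compile(r"authentication for user \[([^\]]+)\] FAILED with error (NT_STATUS_\w+)")
# tcpdump -tttt -nn line: "<date> <time> IP <src>.<port> > <dst>.<port>: Flags [<flags>], ..."
TCPDUMP_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) IP (\d+(?:\.\d+){3})\.\d+ > "
                          r"(\d+(?:\.\d+){3})\.\d+: Flags \[([^\]]+)\]")
IP_SUFFIX = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})$")  # %m expanded to a client IP at the end of the log name
# Constructed sample input modelled on the excerpts in this thread (not real logs or captures).
SAMBA_LOGS = {
    "/var/log/samba/log.samba.192.168.0.50": "[2016/06/26 09:11:28.226254, 2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)\n"
        "  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\\derf] FAILED with error NT_STATUS_NO_SUCH_USER\n",
    "/var/log/samba/log.samba.%m": "[2016/06/26 14:56:28.119286, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)\n"
        "  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\\mark] FAILED with error NT_STATUS_WRONG_PASSWORD\n",
}   # the literal %m file is the case Mark hit: Samba had no client name, so the file name carries no IP
TCPDUMP_OUT = (  # only the second packet carries RST; 203.0.113.7 is a documentation-range placeholder
    "2016-06-26 14:56:27.004512 IP 192.168.0.51.49200 > 192.168.0.2.445: Flags [P.], seq 1:10, ack 1, win 256, length 9\n"
    "2016-06-26 14:56:28.120112 IP 203.0.113.7.51234 > 192.168.0.2.3389: Flags [R.], seq 1, ack 1, win 0, length 0\n"
)

def client_ip_from_logname(path):  # None when %m did not expand to an address
    m = IP_SUFFIX.search(path)
    return m.group(1) if m else None
def parse_samba_failures(path, text):  # yields (timestamp, user, status, client_ip)
    ip, last_ts = client_ip_from_logname(path), None
    for line in text.splitlines():
        h = SAMBA_HDR.match(line)
        if h:  # the timestamp sits on the header line that precedes the failure message
            last_ts = datetime.strptime(h.group(1), "%Y/%m/%d %H:%M:%S.%f")
            continue
        f = SAMBA_FAIL.search(line)
        if f and last_ts:
            yield (last_ts, f.group(1), f.group(2), ip)
def parse_tcpdump_resets(text):  # yields (timestamp, src_ip) for packets whose flags include RST
    for line in text.splitlines():
        m = TCPDUMP_LINE.match(line)
        if m and "R" in m.group(4):
            yield (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2))
def correlate(failures, resets, window=timedelta(seconds=2)):  # fill a missing IP from the nearest RST in the window
    out = []
    for ts, user, status, ip in failures:
        if ip is None:
            near = [(abs(rts - ts), rip) for rts, rip in resets if abs(rts - ts) <= window]
            ip = min(near)[1] if near else None
        out.append((ts, user, status, ip))
    return out
def report():
    failures = [f for p, t in SAMBA_LOGS.items() for f in parse_samba_failures(p, t)]
    return correlate(failures, list(parse_tcpdump_resets(TCPDUMP_OUT)))
```

Run against the real files, the loop over SAMBA_LOGS would read every log.samba.* file and TCPDUMP_OUT would be the periodic tcpdump dump Mark describes; a failure whose file name already carries an IP is reported as-is and never matched against the capture.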