While waiting for the samba logging to eventually get changed per Jeremy Allison's bug report, I have meanwhile developed a bash script to find the IP associated with failed logins in order to watch for people trying to break into the Domain from the outside. The script is run from cron and outputs to a logfile which can be scanned by another cron job to automatically look for intruders and potentially block them by IP with an iptables command.

Since the samba log does not provide the IP, I am running tcpdump, which is restarted weekly by logrotate. Here is my logrotate entry:
/var/log/samba/tcpdump.log
{
    weekly
    rotate 12
    sharedscripts
    prerotate
        killall tcpdump
    endscript
    postrotate
        tcpdump -tttt -l -nn portrange xx-yy and 'tcp[13] & 4 != 0' > /var/log/samba/tcpdump.log 2>&1 &
    endscript
}
tcpdump is monitoring the external portrange mapped to port 3389 (Remote Desktop Connection), for particular Windows workstations. This means that local Domain workstations do not get logged by tcpdump unless someone is trying to connect to them from the outside. I'll probably add those ports once I figure out which port(s) local domain workstations use to authenticate with Samba (does anyone know off-hand?)
The following script looks for auth_check_password_recv.*FAILED messages in the samba log. These will get logged to the failed login logfile, but if they are also NT_STATUS_NO_SUCH_USER, the script will search the tcpdump log for an access with that timestamp and snag the IP address from there. I could look for the IP for password failure as well as no_such_user, but I'm mostly trying to trap hackers trying to break in with different user IDs -- legit users mistype their passwords all the time.
I hope someone finds this useful.
--Mark
#!/bin/bash
# Monitor failed Domain login attempts
SAMBALOG=/var/log/samba/log.samba
TCPDUMPLOG=/var/log/samba/tcpdump.log
MSGFILE=$(mktemp /tmp/FAIL_XXXXXX)

# Timestamp of the last scan
if [ ! -e /root/.monitorFailedLogins ]
then
    lastTime=0
else
    lastTime=$(cat /root/.monitorFailedLogins)
fi
lastDate=$(date -d@"$lastTime" "+%Y/%m/%d %H:%M:%S")

# The log.samba file puts the timestamp and the error on separate lines. Merge them,
# and turn the DOMAIN\user backslash into a slash so cut can split on it.
grep -B1 "auth_check_password_recv.*FAILED" "$SAMBALOG" | \
    grep -v "^--" | \
    sed -e N -e 's/\n//' -e 's#\\#/#g' | \
while read -r
do
    # Skip entries up to the last timestamp
    dte=$(echo "$REPLY" | awk '{print $1 " " $2}' | sed -e 's/^.//' -e 's/.$//')
    thisTime=$(date -d "$dte" +%s)
    if [ "$thisTime" -gt "$lastTime" ]
    then
        user=$(echo "$REPLY" | cut "-d[" -f3)
        domain=$(echo "$user" | cut "-d/" -f1)
        user=$(echo "$user" | cut "-d/" -f2 | sed 's/\].*$//g')
        timestamp=$(echo "$REPLY" | cut -c 2-20)
        echo -n "$REPLY" | sed 's/\].*authentication/\] authentication/' >>"$MSGFILE"
        # The samba log does not record the IP. Search the tcpdump log,
        # but only if the error is NT_STATUS_NO_SUCH_USER
        x=$(echo "$REPLY" | grep NT_STATUS_NO_SUCH_USER)
        if [ -n "$x" ]
        then
            # Convert the samba timestamp (yyyy/mm/dd) to the tcpdump -tttt format (yyyy-mm-dd)
            timestamp=$(date -d "$timestamp" "+%Y-%m-%d %H:%M:%S")
            x=$(grep "^$timestamp" "$TCPDUMPLOG")
            if [ -z "$x" ]
            then
                # tcpdump could log a second later
                ts=$(date -d "$timestamp" +%s)
                ts=$(( ts + 1 ))
                timestamp=$(date -d@"${ts}" "+%Y-%m-%d %H:%M:%S")
                x=$(grep "^$timestamp" "$TCPDUMPLOG")
            fi
            if [ -n "$x" ]
            then
                # Field 6 of the first matching packet is the destination address:port
                IP=$(echo "$x" | awk 'NR == 1 {print $6}' | cut -d. -f1-4)
                echo -n ", IP: $IP" >>"$MSGFILE"
            fi
        fi
        echo -e "\n" >>"$MSGFILE"
    fi
done

if [ -s "$MSGFILE" ]
then
    cat "$MSGFILE"
    mail -r noreply@ohprs.org -s "OHPRS ${HOSTNAME^^} Failed Login Attempts" sysadmin < "$MSGFILE"
fi
rm -f "$MSGFILE"
date +%s > /root/.monitorFailedLogins
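As an added example (not Mark's script and not Samba code), the same correlation in Python: parse the two-line log.samba FAILED entries, look up the RST packet logged in the same or the following second in the tcpdump -tttt -nn output, take its destination as the remote peer the way the script's awk '{print $6}' does, and count unknown-user failures per IP so the follow-up cron job has a threshold to act on. The log lines are constructed samples; the exact Samba message wording and the RST direction are assumptions taken from how the script parses them.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample data, not real logs; the shapes are what the bash script parses:
# log.samba timestamp/message line pairs and "tcpdump -tttt -nn" lines of RST packets.
SAMBA_LOG = r"""
[2016/06/27 11:17:00.321000,  2] ../source4/auth/ntlm/auth.c(auth_check_password_recv)
  auth_check_password_recv: authentication for user [EXAMPLE\admin] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/06/27 11:17:01.887000,  2] ../source4/auth/ntlm/auth.c(auth_check_password_recv)
  auth_check_password_recv: authentication for user [EXAMPLE\root] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/06/27 11:20:05.004000,  2] ../source4/auth/ntlm/auth.c(auth_check_password_recv)
  auth_check_password_recv: authentication for user [EXAMPLE\alice] FAILED with error NT_STATUS_WRONG_PASSWORD
""".strip().splitlines()
TCPDUMP_LOG = """
2016-06-27 11:17:00.450000 IP 192.0.2.10.3389 > 203.0.113.7.51000: Flags [R.], seq 1, ack 1, win 0, length 0
2016-06-27 11:17:02.010000 IP 192.0.2.10.3389 > 203.0.113.7.51002: Flags [R.], seq 1, ack 1, win 0, length 0
2016-06-27 11:18:30.000000 IP 192.0.2.10.3389 > 198.51.100.9.40000: Flags [R.], seq 1, ack 1, win 0, length 0
""".strip().splitlines()
STAMP_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*\d+\]")
FAIL_RE = re.compile(r"auth_check_password_recv:.*user \[([^\\\]]+)\\([^\]]+)\] FAILED with error (\S+)")
PKT_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ IP (\S+?)\.\d+ > (\S+?)\.\d+:")

def parse_failures(lines):
    # (time, domain, user, status) per FAILED entry; the timestamp sits on the preceding line
    out, stamp = [], None
    for line in lines:
        if m := STAMP_RE.match(line):
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        elif (m := FAIL_RE.search(line)) and stamp:
            out.append((stamp, *m.groups()))
    return out

def parse_packets(lines):
    # (time, src_ip, dst_ip) per tcpdump line, with the port suffix stripped from each address
    return [(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3))
            for m in map(PKT_RE.match, lines) if m]

def correlate(failures, packets, window=timedelta(seconds=1)):
    # Only NO_SUCH_USER failures get an IP lookup (mistyped passwords are noise); the RST in
    # the same or next second supplies it, and its destination is the remote peer, as awk $6 did.
    hits = []
    for when, domain, user, status in failures:
        if status == "NT_STATUS_NO_SUCH_USER":
            ip = next((dst for t, _src, dst in packets if when <= t <= when + window), None)
            hits.append((when, domain, user, ip))
    return hits

def repeat_offenders(hits, threshold=2):
    # IPs with at least `threshold` unknown-user failures: the candidates for an iptables block
    counts = Counter(ip for *_, ip in hits if ip)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```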
-----Original Message-----
> Date: Mon, 27 Jun 2016 11:17:00 -0700
> From: Jeremy Allison <jra@samba.org>
> To: mj <lists@merit.unu.edu>
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Need IP on failed logins in logfile
>
> On Sun, Jun 26, 2016 at 03:40:07PM +0200, mj wrote:
> > Hi Jeremy, list,
> >
> > On 06/26/2016 12:11 AM, Jeremy Allison wrote:
> > >We should probably have something in the server that logs
> > >this as an official "event". Can someone log a RFE bug in
> > >the bugzilla so we don't forget this request ?
> >
> > I created this bug:
> > https://bugzilla.samba.org/show_bug.cgi?id=11998
> >
> > I hope it is (approximately) what you mean. :-)
>
> Perfect. Thanks very much for your help !