Mark Foley
2017-Sep-19 14:07 UTC
[Samba] How to track attempted breakins, authentication failure logging
This may have been asked before, but I can't find it. I am getting repeated external attempts to log into our AD/DC (running Samba 4.4.14). In /var/log/samba/log.samba I get entries like:

[2017/09/19 05:02:25.562957,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\333] FAILED with error NT_STATUS_NO_SUCH_USER

[2017/09/19 05:02:33.493494,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\ADMINISTRATOR] FAILED with error NT_STATUS_WRONG_PASSWORD

The first form is the message generated for an attempt at an invalid user. The 2nd form is if they have a valid user, but an invalid password.

I do not get the attacker's IP address, which makes it difficult for me to block them.

My current log level is:

  log level = 2 passdb:5 auth:10 winbind:2 lanman:10

Is there some level I can set that would show me the attacking IP?

This is a current problem as the attacker(s) keep trying, even as I write this.

THX --Mark
L.P.H. van Belle
2017-Sep-19 15:02 UTC
[Samba] How to track attempted breakins, authentication failure logging
Hai Mark,

I see the bug report for this is still untouched.
https://bugzilla.samba.org/show_bug.cgi?id=11998

Is vfs_full_audit not an option?
With %I you can log the IP address of the client machine.
But I don't know if that will work, or if vfs_full_audit has that option.

With something like this:

  full_audit:prefix = %u|%I|%m|%S
  full_audit:failure = connect
  full_audit:success = connect disconnect

And maybe you need more options in failure and success (man vfs_full_audit).
See man smb.conf for all the variable substitutions.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark Foley via samba
> Sent: Tuesday 19 September 2017 16:08
> To: samba at lists.samba.org
> Subject: [Samba] How to track attempted breakins, authentication failure logging
>
> This may have been asked before, but I can't find it. I am
> getting repeated external attempts to log into our AD/DC
> (running Samba 4.4.14). In /var/log/samba/log.samba I get
> entries like:
>
> [2017/09/19 05:02:25.562957,  2]
> ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
> auth_check_password_recv: sam_ignoredomain authentication
> for user [HPRS\333] FAILED with error NT_STATUS_NO_SUCH_USER
>
> [2017/09/19 05:02:33.493494,  2]
> ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
> auth_check_password_recv: sam_ignoredomain authentication
> for user [HPRS\ADMINISTRATOR] FAILED with error
> NT_STATUS_WRONG_PASSWORD
>
> The first form is the message generated for an attempt at an
> invalid user. The 2nd form is if they have a valid user, but
> an invalid password.
>
> I do not get the attacker's IP address, which makes it
> difficult for me to block them.
>
> My current log level is:
>
> log level = 2 passdb:5 auth:10 winbind:2 lanman:10
>
> Is there some level I can set that would show me the attacking IP?
>
> This is a current problem as the attacker(s) keep trying,
> even as I write this.
>
> THX --Mark
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Mark Foley
2017-Sep-19 15:36 UTC
[Samba] How to track attempted breakins, authentication failure logging
OK, thanks, I'll give that a shot. Just to confirm, I should put:

  full_audit:prefix = %u|%I|%m|%S
  full_audit:failure = connect
  full_audit:success = connect disconnect

in /etc/samba/smb.conf, right?

--Mark

-----Original Message-----
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Mark,
>
> I see the bug report for this is still untouched.
> https://bugzilla.samba.org/show_bug.cgi?id=11998
>
> Is vfs_full_audit not an option?
> With %I you can log the IP address of the client machine.
> But I don't know if that will work, or if vfs_full_audit has that option.
>
> With something like this:
>   full_audit:prefix = %u|%I|%m|%S
>   full_audit:failure = connect
>   full_audit:success = connect disconnect
>
> And maybe you need more options in failure and success (man vfs_full_audit).
> See man smb.conf for all the variable substitutions.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark Foley via samba
> > Sent: Tuesday 19 September 2017 16:08
> > To: samba at lists.samba.org
> > Subject: [Samba] How to track attempted breakins, authentication failure logging
> >
> > This may have been asked before, but I can't find it. I am
> > getting repeated external attempts to log into our AD/DC
> > (running Samba 4.4.14). In /var/log/samba/log.samba I get
> > entries like:
> >
> > [2017/09/19 05:02:25.562957,  2]
> > ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
> > auth_check_password_recv: sam_ignoredomain authentication
> > for user [HPRS\333] FAILED with error NT_STATUS_NO_SUCH_USER
> >
> > [2017/09/19 05:02:33.493494,  2]
> > ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
> > auth_check_password_recv: sam_ignoredomain authentication
> > for user [HPRS\ADMINISTRATOR] FAILED with error
> > NT_STATUS_WRONG_PASSWORD
> >
> > The first form is the message generated for an attempt at an
> > invalid user. The 2nd form is if they have a valid user, but
> > an invalid password.
> >
> > I do not get the attacker's IP address, which makes it
> > difficult for me to block them.
> >
> > My current log level is:
> >
> > log level = 2 passdb:5 auth:10 winbind:2 lanman:10
> >
> > Is there some level I can set that would show me the attacking IP?
> >
> > This is a current problem as the attacker(s) keep trying,
> > even as I write this.
> >
> > THX --Mark
Andrew Bartlett
2017-Sep-19 18:51 UTC
[Samba] How to track attempted breakins, authentication failure logging
On Tue, 2017-09-19 at 17:02 +0200, L.P.H. van Belle via samba wrote:
> Hai Mark,
>
> I see the bug report for this is still untouched.
> https://bugzilla.samba.org/show_bug.cgi?id=11998

I've closed that bug now. Extensive work has been done to add this feature to Samba 4.7, due out this week:
https://wiki.samba.org/index.php/Setting_up_Audit_Logging

Two new debug classes, auth_audit and auth_audit_json, were added to control logging of text-string and structured JSON authentication and authorization logging.

> Is vfs_full_audit not an option?
> With %I you can log the IP address of the client machine.
> But I don't know if that will work, or if vfs_full_audit has that option.

No, this won't get you any information on failed authentication.

> With something like this:
>   full_audit:prefix = %u|%I|%m|%S
>   full_audit:failure = connect
>   full_audit:success = connect disconnect
>
> And maybe you need more options in failure and success (man vfs_full_audit).
> See man smb.conf for all the variable substitutions.

At the stage that the module operates it simply does not run if the password is wrong.

Sorry,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
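As an added example (not code from the thread, from Samba or from any of its posters), the following Python script contrasts the two log formats discussed above: it parses the pre-4.7 log.samba entries Mark quotes, which yield the account and NT_STATUS code but no client address, and the JSON records produced by the auth_audit_json class Andrew mentions, where the remote address is available. The JSON field names (type, Authentication, status, remoteAddress, clientDomain, clientAccount) are assumed from Samba's audit-logging format, and all sample records are constructed.

```python
import json
import re
from collections import Counter

# Pre-4.7 log.samba entry (source4/auth/ntlm/auth.c) as quoted in the thread: a
# "[timestamp, level]" header, then the FAILED message, possibly on a following line.
LEGACY_RE = re.compile(
    r"\[?(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+), *(?P<level>\d+)\]"
    r".*?auth_check_password_recv: \S+ authentication for user "
    r"\[(?P<domain>[^\\\]]*)\\(?P<user>[^\]]*)\] FAILED with error (?P<status>NT_STATUS_\w+)",
    re.DOTALL,
)

def parse_legacy(entry):
    """Return (account, status, ip) for one legacy entry, or None if it is not a
    failed-auth entry. ip is always None: this code path never logs the client."""
    m = LEGACY_RE.search(entry)
    if not m:
        return None
    return (m.group("domain") + "\\" + m.group("user"), m.group("status"), None)

def parse_audit_json(line):
    """Return (account, status, ip) for a failed Authentication record from the 4.7
    auth_audit_json class (field names assumed), or None for any other record."""
    rec = json.loads(line)
    if rec.get("type") != "Authentication":
        return None
    a = rec["Authentication"]
    if a.get("status") == "NT_STATUS_OK":
        return None
    # remoteAddress is assumed to look like 'ipv4:192.0.2.10:49152': drop prefix and port
    host_port = a.get("remoteAddress", "").partition(":")[2]
    ip = host_port.rsplit(":", 1)[0] or None
    return (a.get("clientDomain", "") + "\\" + a.get("clientAccount", ""), a["status"], ip)

def failures_by_source(parsed):
    """Count failures per (ip, status); an ip of None means the log gave no address."""
    return Counter((p[2], p[1]) for p in parsed if p is not None)

# Constructed samples: the two entries Mark quoted, and one JSON record as 4.7 might emit.
LEGACY_SAMPLES = [
    r"""[2017/09/19 05:02:25.562957,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\333] FAILED with error NT_STATUS_NO_SUCH_USER""",
    r"""[2017/09/19 05:02:33.493494,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\ADMINISTRATOR] FAILED with error NT_STATUS_WRONG_PASSWORD""",
]
AUDIT_JSON_SAMPLE = json.dumps({"timestamp": "2017-09-19T05:02:33.493494+0000", "type": "Authentication",
    "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.10:49152",
                       "clientDomain": "HPRS", "clientAccount": "ADMINISTRATOR", "serviceDescription": "SMB2"}})
```

Feeding real log.samba entries through parse_legacy reproduces Mark's problem (every key has ip None), while the JSON path gives a per-address count you can act on.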