On Mon, Dec 13, 2021 at 7:31 AM Philippe LeCavalier <support at plecavalier.com> wrote:
>
>
> On Mon, Dec 13, 2021, 05:50 Andrea Venturoli via samba <samba at lists.samba.org> wrote:
>
>> On 12/12/21 04:35, Philippe LeCavalier via samba wrote:
>>
>> > Thanks. I was going to follow this[1] but I'm a little confused about this
>> > "Validate that log redirection is activated in the file smb.conf" comment.
>> > Is it just a matter of installing and configuring fail2ban or must I
>> > "redirect" my log sys to rsyslog?
>>
>> You can tell f2b which file to watch.
>> It needs not be written via syslog.
>>
>> bye
>> av.
>> Thank you.
>
> I've implemented this[1]. Where should I be seeing the increase in
> verbosity? I poked around in various samba logs under /var/log/samba and
> didn't see any additional or even relevant information. dmesg and
> /var/log/messages didn't seem to have more either.
Also, the below settings are specifically geared towards anti-ransomware
attacks in that they're telling samba to log file and folder access. I'm
looking for failed login against AD. Are these the same settings I should
be implementing? If not can someone suggest some adjustments?
ref.
[1] # Anti-ransom
full_audit: failure = none
full_audit: success = pwrite write rename
full_audit: prefix = IP=%I | USER=%u | MACHINE=%m | VOLUME=%S
full_audit: facility = local7
full_audit: priority = NOTICE
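
Added example (not part of the original post, and not Samba or fail2ban code): parsing the lines that the full_audit settings quoted above produce and flagging clients with a burst of logged write/rename operations. It assumes vfs_full_audit's `prefix|operation|result|arguments` line layout, syslog lines carrying RFC 3339 timestamps, and hypothetical threshold and window values; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Prefix from the quoted config, then the "|operation|result|args" tail that
# vfs_full_audit appends. The RFC 3339 syslog timestamp is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ smbd_audit(?:\[\d+\])?: "
    r"IP=(?P<ip>\S+) \| USER=(?P<user>.*?) \| MACHINE=(?P<machine>.*?) \| "
    r"VOLUME=(?P<volume>[^|]*)\|(?P<op>[^|]+)\|(?P<result>[^|]+)\|(?P<args>.*)$"
)

def parse_line(line):
    """Return the fields of one audit line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def find_bursts(lines, threshold=3, window=timedelta(seconds=10)):
    """Map client IP -> user for clients with >= threshold logged ops inside window."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "ok":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(rec["ip"], rec["user"])
    return flagged

# Constructed sample lines (documentation addresses, made-up hosts and files).
_P1 = "fs1 smbd_audit[4321]: IP=192.0.2.10 | USER=alice | MACHINE=ws01 | VOLUME=projects"
_P2 = "fs1 smbd_audit[4400]: IP=192.0.2.20 | USER=bob | MACHINE=ws02 | VOLUME=projects"
SAMPLE = [
    f"2021-12-13T07:31:01+00:00 {_P1}|pwrite|ok|report.docx",
    f"2021-12-13T07:31:02+00:00 {_P1}|rename|ok|report.docx|report.docx.tmp",
    f"2021-12-13T07:31:03+00:00 {_P2}|pwrite|ok|notes.txt",
    f"2021-12-13T07:31:04+00:00 {_P1}|pwrite|ok|budget.xlsx",
    f"2021-12-13T07:32:30+00:00 {_P2}|rename|ok|notes.txt|notes-old.txt",
    "2021-12-13T07:32:31+00:00 fs1 smbd[4400]: unrelated daemon message",
]
```

Calling `find_bursts(SAMPLE)` returns the one client that issued three logged operations within ten seconds. The prefix uses " | " with spaces while the module's own separators are bare "|", which is why the pattern anchors on the literal prefix instead of splitting on "|".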