Web lists-archives.com

[Samba] How to track attempted breakins, authentication failure logging




This may have been asked before, but I can't find it. I am getting repeated external attempted
to log into our AD/DC (running Samba 4.4.14). In /var/log/samba/log.samba I get entried like:

2017/09/19 05:02:25.562957,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\333] FAILED with error NT_STATUS_NO_SUCH_USER

[2017/09/19 05:02:33.493494,  2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
  auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\ADMINISTRATOR] FAILED with error NT_STATUS_WRONG_PASSWORD

The first form is the message generated for an attempt at an invalid user. The 2nd form is if
they have a valid user, but invalid password.

I do not get the attacker's IP address which makes it difficult for me to block them.

My current log level is:

    log level = 2 passdb:5 auth:10 winbind:2 lanman:10
    
Is there some level I can set that would show me the attacking IP?

This is a current problem as the attacker(s) keep trying, even as I write this.

THX --Mark

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba