Web lists-archives.com

Re: [Samba] How to track attempted breakins, authentication failure logging




On Tue, 2017-09-19 at 17:02 +0200, L.P.H. van Belle via samba wrote:
> Hai Mark, 
> 
> I see the bugreport for this is still untouched. 
> https://bugzilla.samba.org/show_bug.cgi?id=11998 

I've closed that bug now.

Extensive work has been done to add this feature to Samba 4.7, due out
this week:

https://wiki.samba.org/index.php/Setting_up_Audit_Logging

Two new debug classes, auth_audit and auth_audit_json were added to
control logging of text-string and structured JSON authentication and
authorization logging.

> Is vfs_full_audit not an option? 
> with %I you can log the IP address of the client machine. 
> But i dont know if that wil work of if vfs_full_audit hase that option.

No, this won't get you any information on failed authentication. 

> With something like this. 
> full_audit:prefix = %u|%I|%m|%S 
> full_audit:failure = connect
> full_audit:success = connect disconnect 
> 
> And maybe you need more options in failure and success. ( man vfs_full_audit ) 
> man smb.conf for all the variable substitutions

At the stage that the module operates it simply does not run if the
password is wrong. 

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba