Re: [Samba] Preventing brute force password attacks

2012-04-18 Thread NdK
On 17/04/2012 22:50, Robert Heller wrote:

> What *exactly* do you want to accomplish here?  Do you really want to
> ban machines on your LAN from accessing your (office) server?

Not a bad idea. In the good old times, a firewall was enough to keep
bad guys out. But now you can find you're hosting some botnet zombies
on PCs that only had web access. And once a PC is a zombie, it's really
easy for an attacker to use it like you'd use a VPN server.
BTW, probably the botmaster will already have a valid share password
(stolen from the user), but if not he'll probably try to attack other
machines from the LAN.

BYtE,
 Diego.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Preventing brute force password attacks

2012-04-17 Thread Ed Ravin
I was hoping to set up fail2ban to block IP addresses that generate
too many Samba password failures, but it needs a syslog message with
the IP address of the computer that failed password authentication.

Unfortunately, Samba doesn't seem to do this in my environment.  Here's
a sample error message:

smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !

I tried turning on full_audit, and I see the audit messages for successful
connections, but there aren't any audit messages for login failures.  I
used these settings:

   full_audit:failure = connect
   full_audit:success = connect disconnect
   full_audit:facility = local5
   full_audit:priority = notice

Can Samba be configured to log authentication errors with IP addresses?
Or do we need to change the source?
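
An added example, not part of the original post and not Samba or fail2ban code: because the failure message quoted above names the user but not the client address, a log watcher can still flag a guessing burst per username even though it cannot produce an IP to ban. The syslog timestamp and host prefix, the sample lines, and the threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Only the smbd message text comes from the post;
# timestamps, the host name "fs1" and the user "alice" are made up.
SAMPLE_LOG = """\
Apr 17 20:10:00 fs1 smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User alice !
Apr 17 20:31:01 fs1 smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !
Apr 17 20:31:05 fs1 smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !
Apr 17 20:31:07 fs1 cron[400]: unrelated constructed line
Apr 17 20:31:09 fs1 smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !
Apr 17 20:40:00 fs1 smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User alice !
"""

# Matches the PAM rejection line; note there is no address field to capture.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssmbd\[\d+\]:\s+smb_pam_passcheck: "
    r"PAM: smb_pam_auth failed - Rejecting User (?P<user>\S+) !$"
)


def find_bursts(lines, max_failures=3, window=timedelta(minutes=1), year=2012):
    """Return {user: time at which failures inside `window` first hit max_failures}.

    Classic syslog timestamps carry no year, so the caller supplies one.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # not an authentication failure line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures and m["user"] not in alerts:
            alerts[m["user"]] = ts
    return alerts


if __name__ == "__main__":
    for user, when in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{when:%b %d %H:%M:%S} repeated Samba auth failures for user {user}")
```

The result is an alert keyed on the account, which is all this log format supports; mapping it to a source host still needs a log line that carries the client address.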




Re: [Samba] Preventing brute force password attacks

2012-04-17 Thread Robert Heller
At Tue, 17 Apr 2012 20:32:05 + (UTC) era...@panix.com (Ed Ravin) wrote:

> I was hoping to set up fail2ban to block IP addresses that generate
> too many Samba password failures, but it needs a syslog message with
> the IP address of the computer that failed password authentication.
>
> Unfortunately, Samba doesn't seem to do this in my environment.  Here's
> a sample error message:
>
> smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !
>
> I tried turning on full_audit, and I see the audit messages for successful
> connections, but there aren't any audit messages for login failures.  I
> used these settings:
>
>    full_audit:failure = connect
>    full_audit:success = connect disconnect
>    full_audit:facility = local5
>    full_audit:priority = notice
>
> Can Samba be configured to log authentication errors with IP addresses?
> Or do we need to change the source?

You do understand that fail2ban works with your firewall and is meant
for public internet services, such as Mail (e.g. Sendmail or Postfix) or
HTTP or DNS.  Since NETBIOS services are NOT services that should ever
be used over the public internet, you should only have smbd/nmbd
listening on your local LAN and not on your WAN / public Internet
connection. Since your LAN will have only known local IP addresses
(either statically assigned or from a limited pool of IP addresses), it
really isn't meaningful to block these addresses.

What *exactly* do you want to accomplish here?  Do you really want to
ban machines on your LAN from accessing your (office) server?

-- 
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software-- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments


   