Record failed authentication attempts in Samba #264
Replies: 3 comments
-
Hey @corrupt3k, You correct that most shares would have some sort of Authentication however we haven't built monitoring for failed login attempts into OpenCanary so for now we leave guest access open. We only monitor file reads. Ill definitely add this to the feature list because I think it would be a neat/nice addition. If you taking a stab at it, feel feel to bounce some ideas this way and we can chat about possible directions to take |
Beta Was this translation helpful? Give feedback.
-
I was thinking of trying to utilize something like this: https://www.samba.org/samba/docs/current/man-html/vfs_audit.8.html I also read that adding this line in smb.conf will log auth failure/success: But I have no idea how to parse and alert on the output. |
Beta Was this translation helpful? Give feedback.
-
hi @corrupt3k, Im sorry i missed your reply. I think that may work. If you check in I would suggest, adding the above to the |
Beta Was this translation helpful? Give feedback.
-
An enterprise environment will likely have authentication enabled on their file shares.
To make it seem more realistic, guest access should not be allowed via Samba.
After taking away guest access, I do not see a valid way to record failed authentication attempts.
Or even recording connection attempts to the service would helpful. Similar to how the HTTP logging works.
Beta Was this translation helpful? Give feedback.
All reactions