With this configuration the service (fail2ban) starts and the logfile registers wrong attempts, but fail2ban-client still does not count the attempts. I suspect that there is a problem with the regex, but this is the only regex with which the fail2ban service starts. I tried several from different articles, including one from this site and this other one, but the service fails to start. I apologise if I have not structured the question in an appropriate way.
fail2ban-client status samba
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/samba/auth_json_audit.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
And cat /var/log/samba/auth_json_audit.log
{"timestamp": "2023-09-29T04:25:46.305161-0400", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.2.238:445", "remoteAddress": "ipv4:192.168.2.196:21997", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": ".", "clientAccount": "wronguser", "workstation": "HOME", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "wronguser", "mappedDomain": ".", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 2776}}
And cat /etc/fail2ban/jail.d/samba.conf
[samba]
enabled = true
port = 88,135,139,389,445,464,636,3328,3329
filter = samba
logpath = /var/log/samba/auth_json_audit.log
maxretry = 5
findtime = 600
bantime = 600
I found this regex in a forum; with it the service starts but it does not register attempts. Here's /etc/fail2ban/filter.d/samba.conf:
[Definition]
#failregex = NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:<PORT>"
failregex = NT_STATUS_NO_SUCH_USER.*remoteAddress": "ipv4:<HOST>:<PORT>" - not working too
Here's my /etc/samba/smb.conf
[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = rocky-8
security = user
map to guest = bad user
dns proxy = no
ntlm auth = true
encrypt passwords = yes
guest account = nobody
socket options = TCP_NODELAY IPTOS_LOWDELAY
#log file = /var/log/samba/log.%m
max log size = 1000
#hosts allow = 192.168.1. 127.
#hosts deny = ALL
log level = auth_json_audit:3@/var/log/samba/auth_json_audit.log
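To show why a failregex can "start" yet never count anything, and what the jail's findtime/maxretry logic is actually looking for, here is an added Python example (not part of the question, and not fail2ban's own code). It simulates fail2ban's tag expansion in a simplified way: only `<HOST>` is expanded, and only to an IPv4 pattern (an assumption; the real `<HOST>` tag also covers IPv6 and hostnames), while any other `<TAG>` is left as literal text. It then runs the pattern from the question and a variant that matches the numeric port against constructed audit lines modelled on the one in the question, and counts failures per source address by parsing the JSON directly.

```python
"""Check fail2ban-style failregex patterns against Samba auth_json_audit lines and
count failures per source address the way a jail with findtime/maxretry would."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta


def _entry(ts, status, remote, account):
    # Constructed sample record with the same field layout as the question's log
    # line (fake addresses, accounts and timestamps).
    return json.dumps({
        "timestamp": ts,
        "type": "Authentication",
        "Authentication": {
            "version": {"major": 1, "minor": 2},
            "eventId": 4624 if status == "NT_STATUS_OK" else 4625,
            "status": status,
            "localAddress": "ipv4:192.168.2.238:445",
            "remoteAddress": remote,
            "serviceDescription": "SMB2",
            "clientAccount": account,
            "passwordType": "NTLMv2",
        },
    })


# Constructed sample log: three failures in quick succession, one success from
# another host, and a later failure outside a 600 s window.
SAMPLE_LOG = [
    _entry("2023-09-29T04:25:46.305161-0400", "NT_STATUS_NO_SUCH_USER", "ipv4:192.168.2.196:21997", "wronguser"),
    _entry("2023-09-29T04:25:47.100000-0400", "NT_STATUS_NO_SUCH_USER", "ipv4:192.168.2.196:21998", "wronguser"),
    _entry("2023-09-29T04:25:48.200000-0400", "NT_STATUS_WRONG_PASSWORD", "ipv4:192.168.2.196:21999", "alice"),
    _entry("2023-09-29T04:25:49.000000-0400", "NT_STATUS_OK", "ipv4:192.168.2.50:40001", "alice"),
    _entry("2023-09-29T04:40:00.000000-0400", "NT_STATUS_NO_SUCH_USER", "ipv4:192.168.2.196:22000", "wronguser"),
]

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex):
    """Expand <HOST> and compile. Any other <TAG> stays literal text, so a pattern
    containing <PORT> can only match a line that literally contains '<PORT>'."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_host(failregex, line):
    """Return the captured host if the pattern matches the line, else None."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


# The pattern from the question, and a variant that matches the numeric port.
ORIGINAL = r'NT_STATUS_NO_SUCH_USER.*remoteAddress": "ipv4:<HOST>:<PORT>"'
CORRECTED = (r'"status": "NT_STATUS_(?:NO_SUCH_USER|WRONG_PASSWORD)"'
             r'.*"remoteAddress": "ipv4:<HOST>:\d+"')


def count_failures(lines, findtime_s=600, now=None):
    """Count failed authentications per remote IP within the last findtime_s
    seconds, parsing the JSON instead of pattern-matching the raw text.
    'now' defaults to the newest failure in the input."""
    events = []
    for line in lines:
        rec = json.loads(line)
        auth = rec["Authentication"]
        if auth["status"] == "NT_STATUS_OK":
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        host = auth["remoteAddress"].split(":")[1]  # "ipv4:A.B.C.D:port"
        events.append((ts, host))
    if not events:
        return {}
    if now is None:
        now = max(ts for ts, _ in events)
    counts = defaultdict(int)
    for ts, host in events:
        if now - ts <= timedelta(seconds=findtime_s):
            counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, [match_host(pat, line) for line in SAMPLE_LOG])
    print("failures in last 600 s:", count_failures(SAMPLE_LOG))
    print("failures in last hour: ", count_failures(SAMPLE_LOG, findtime_s=3600))
```

Against the real log, fail2ban's own `fail2ban-regex /var/log/samba/auth_json_audit.log /etc/fail2ban/filter.d/samba.conf` reports how many lines a filter matched and which dates it recognised, which is the quickest way to see whether a zero count comes from the regex or from the timestamp handling.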