LinuxQuestions.org
Old 11-09-2010, 03:57 AM   #1
guna_pmk
Unknown entries in samba log


Hello all,

I have been getting the following in the samba section of the log watch report for the past few days, but I don't know what it means.

Code:
**Unmatched Entries**
 auth/auth.c:get_ntlm_challenge(136)  auth_context challenge created by random : 5 Time(s)
 auth/auth.c:get_ntlm_challenge(137)  challenge is:  : 5 Time(s)
 auth/auth.c:get_ntlm_challenge(96)  auth_get_challenge: module guest did not want to specify a challenge : 5 Time(s)
 auth/auth.c:get_ntlm_challenge(96)  auth_get_challenge: module sam did not want to specify a challenge : 5 Time(s)
 auth/auth.c:get_ntlm_challenge(96)  auth_get_challenge: module winbind did not want to specify a challenge : 5 Time(s)
 auth/auth.c:load_auth_module(387)  load_auth_module: Attempting to find an auth method to match guest : 5 Time(s)
 auth/auth.c:load_auth_module(387)  load_auth_module: Attempting to find an auth method to match sam : 5 Time(s)
 auth/auth.c:load_auth_module(387)  load_auth_module: Attempting to find an auth method to match trustdomain : 5 Time(s)
 auth/auth.c:load_auth_module(387)  load_auth_module: Attempting to find an auth method to match winbind:trustdomain : 5 Time(s)
 auth/auth.c:load_auth_module(412)  load_auth_module: auth method guest has a valid init : 5 Time(s)
 auth/auth.c:load_auth_module(412)  load_auth_module: auth method sam has a valid init : 5 Time(s)
 auth/auth.c:load_auth_module(412)  load_auth_module: auth method trustdomain has a valid init : 5 Time(s)
 auth/auth.c:load_auth_module(412)  load_auth_module: auth method winbind has a valid init : 5 Time(s)
 auth/auth.c:make_auth_context_subsystem(485)  Making default auth method list for DC, security=user, encrypt passwords = yes : 5 Time(s)
 auth/auth.c:smb_register_auth(46)  Attempting to register auth backend guest : 5 Time(s)
 auth/auth.c:smb_register_auth(46)  Attempting to register auth backend ntdomain : 5 Time(s)
 auth/auth.c:smb_register_auth(46)  Attempting to register auth backend sam : 5 Time(s)
 auth/auth.c:smb_register_auth(46)  Attempting to register auth backend sam_ignoredomain : 5 Time(s)
 auth/auth.c:smb_register_auth(46)  Attempting to register auth backend smbserver : 5 Time(s)
.
.
.
and more. What does it mean? Does it mean any attempt to hack or is it some kind of status update? If this is not a threat and can be suppressed, how can I do this?

It will be very helpful if somebody can explain this.

Thanks
 
Old 11-09-2010, 04:21 PM   #2
unSpawn
Quote:
Originally Posted by guna_pmk
Code:
**Unmatched Entries**
Unmatched entries means /path/to/logwatch/scripts/services/samba does not contain filters to either mark this as a problem or filter it out as harmless.


Quote:
Originally Posted by guna_pmk
What does it mean? Does it mean any attempt to hack or is it some kind of status update?
Logwatch gives you a summary. So if there is no context to glean the meaning of the message from, the easiest thing to do is to look up the specific message and the actual order of log lines in a log file. From the order of log lines you should find that these are from common authentication methods that cause recurring log entries.


Quote:
Originally Posted by guna_pmk
(..) can be suppressed, how can I do this?
Locate your /path/to/logwatch/scripts/services/samba, open it in a text editor and, below "#Don't care about these..." (line 147), add your exclusions, test the filters and maybe submit them to the Logwatch maintainers for inclusion, as the last CVS revision was 1.31 on 2008/05/06.
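
Added example (not part of the post above and not Logwatch's own code): a way to test candidate exclusions against the reported entries before putting them into the samba service script, showing why patterns should be keyed to each message rather than to the whole auth/auth.c file. The patterns, the `triage` helper and the authentication-failure line are constructed for illustration; Python is used only to exercise the regular expressions.

```python
import re

# Exclusions keyed on function name and message text; \d+ absorbs the source
# line number, which changes between Samba releases. Constructed for this
# example, not taken from Logwatch.
PREFIX = r"auth/auth\.c:%s\(\d+\)\s+%s"
NARROW = [PREFIX % pair for pair in [
    ("get_ntlm_challenge", r"auth_context challenge created by \S+"),
    ("get_ntlm_challenge", r"challenge is:"),
    ("get_ntlm_challenge", r"auth_get_challenge: module \S+ did not want to specify a challenge"),
    ("load_auth_module", r"load_auth_module: Attempting to find an auth method to match \S+"),
    ("load_auth_module", r"load_auth_module: auth method \S+ has a valid init"),
    ("make_auth_context_subsystem", r"Making default auth method list"),
    ("smb_register_auth", r"Attempting to register auth backend \S+"),
]]
# The tempting shortcut: one pattern for the whole source file.
BROAD = [r"auth/auth\.c:"]

# Entries in the form shown in the thread (count suffix dropped), plus one
# constructed authentication failure that must stay visible in the report.
FAILURE = ("auth/auth.c:check_ntlm_password(319)  check_ntlm_password:  "
           "Authentication for user [alice] -> [alice] FAILED with error "
           "NT_STATUS_WRONG_PASSWORD")
SAMPLE = [
    "auth/auth.c:get_ntlm_challenge(136)  auth_context challenge created by random",
    "auth/auth.c:get_ntlm_challenge(137)  challenge is:",
    "auth/auth.c:get_ntlm_challenge(96)  auth_get_challenge: module winbind did not want to specify a challenge",
    "auth/auth.c:load_auth_module(387)  load_auth_module: Attempting to find an auth method to match winbind:trustdomain",
    "auth/auth.c:load_auth_module(412)  load_auth_module: auth method sam has a valid init",
    "auth/auth.c:make_auth_context_subsystem(485)  Making default auth method list for DC, security=user, encrypt passwords = yes",
    "auth/auth.c:smb_register_auth(46)  Attempting to register auth backend ntdomain",
    FAILURE,
]

def triage(entries, patterns):
    """Split entries into (suppressed, still_reported) for a pattern list."""
    compiled = [re.compile(p) for p in patterns]
    suppressed, reported = [], []
    for entry in entries:
        hit = any(rx.search(entry) for rx in compiled)
        (suppressed if hit else reported).append(entry)
    return suppressed, reported

if __name__ == "__main__":
    for name, patterns in (("narrow", NARROW), ("broad", BROAD)):
        suppressed, reported = triage(SAMPLE, patterns)
        print(f"{name}: {len(suppressed)} suppressed, {len(reported)} reported")
        for entry in reported:
            print("  still reported:", entry)
```

With the narrow list the failed logon stays in the report; the single broad pattern hides it along with the start-up noise.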
 
Old 11-12-2010, 05:42 AM   #3
guna_pmk
Hi unSpawn,
Thanks for the explanation and apologies for the delay in replying. If this is something that does not need to be worried about, it should be fine for now. I shall implement your solution and give an update here later.

Thanks
 
  

