how to check who's accessing samba shared folder from windows
I confirmed with the persons the IP addresses belong to about accessing my PC, but only 2 persons have accessed my PC; of the rest, no one has accessed it... then why is this false log being generated?
Most of the IPs belong to remote locations; a few IPs belong to my location.
I tested a machine with the following config and I found that I can see a log file which denotes the IP address of the machine that is connected to the Samba share, so you can just try it.
With the help of the %m variable, we can create log files for specific users or clients/IPs:
log file = /var/log/samba/log.%m
[root@localhost ~]# cd /var/log/samba/
[root@localhost samba]# ll
total 28
drwx------. 3 root root 4096 May 8 11:18 cores
-rw-r--r--. 1 root root 0 May 8 11:43 log.__ffff_192.168.45.1
-rw-r--r--. 1 root root 1024 May 8 11:53 log.macbook-672edc
-rw-r--r--. 1 root root 13960 May 8 11:53 log.smbd
drwx------. 2 root root 4096 Oct 26 2011 old
[root@localhost samba]#
I am using the same configuration, and the previous post is the output of that log.
I am saying that in the log, the IPs show who accessed my PC, but many of those IPs did not access my PC. Only 2 PCs have accessed my PC. Then why are the rest of the IPs shown as having accessed my PC?
Quote:
Originally Posted by centos123
Yes, that's right... many persons don't even know the Samba IP, yet their IPs are still showing in the log.
Samba emulates a Windows SMB server, and as such it "announces" itself in the network. It may (depending on your config) become a "Master Browser" for the network, so the other computers use it to find stuff in the SMB network. The Windows client machines will be trying to access it, for example to fill their "network neighborhood" / "machines near me", shared printers, and all those things Windows does without being asked.
Of course, there is also the possibility that worms in the client machines are just trying to spread through SMB in the network, thus probing all hosts including the Samba server.
Now, if you are getting SMB connection attempts from outside your network, or from a network where you are not supposed to have any client but which is connected to one of your interfaces, you should set up your "interfaces" and "socket address" settings in smb.conf to control where your Samba server is announcing itself and listening to requests. You can also configure your firewall to block SMB from undesired addresses/networks.
Quote:
Originally Posted by centos123
My network interface uses hosts allow 127. 192.168. 172.16. so this range can access, but only if they know the server IP....
Sorry, I did not mean to scare you.
The user doesn't need to know that there is a smb server in the network, nor its ip address. The smb server (and actually the clients too) announces itself in the network, and they just start poking each other.
If you do a
tshark -i ethX
on one of the interfaces you have the server bound to, you will see a lot of SMB/NMB chitchat even when no user is accessing the shares, even if there is no worm nor any wrongdoing in your network. Just boot a Windows machine (or a Samba server with default config) in the network, and they'll start blabbering.
This is normal smb behavior. When broadband internet started to be deployed in Brazil, and ISPs didn't have a clue, it was very funny to see the flood of smb announcements arriving in our PCs. Then who could resist peeking into the announced open shares...
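Added example, not part of any post in this thread: one way to check the point made in the reply above (broadcast name queries are not share access) is to count NetBIOS/SMB packets per source and split them by where they were sent. The capture lines are constructed, `172.16.0.5` is a placeholder for the Samba server's address, and treating any destination ending in `.255` as broadcast is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes tshark's one-line summary
# layout "time src -> dst PROTO info" and that the server IP is passed in.

# Count NetBIOS/SMB packets per source, split by where they were sent.
# $1 = Samba server IP; tshark summary lines on stdin.
# Prints "<source> <directed|broadcast|other> <protocol> <count>".
classify() {
    awk -v server="$1" '
        NF < 5 || $3 != "->" { next }                    # truncated or odd line
        $5 !~ /^(NBNS|BROWSER|NBSS|SMB|SMB2)$/ { next }  # ignore ARP, UDP, ...
        {
            if ($4 == server)                            kind = "directed"
            else if ($4 ~ /\.255$/ || $4 == "Broadcast") kind = "broadcast"
            else                                         kind = "other"
            n[$2 " " kind " " $5]++
        }
        END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Constructed sample capture; 172.16.0.5 stands in for the Samba server.
sample() {
    cat <<'EOF'
  1.000000 172.16.7.2 -> 172.16.255.255 NBNS Name query NB CORP1-PUR-001<20>
  1.000500 172.16.7.2 -> 172.16.255.255 NBNS Name query NB CORP1-PUR-001<00>
  1.100000 Dell_07:cf:ab -> Broadcast ARP Who has 172.16.9.111? Tell 172.16.26.5
  1.200000 172.16.37.23 -> 172.16.255.255 NBNS Name query NB WPAD<00>
  2.000000 172.16.21.56 -> 172.16.0.5 SMB Negotiate Protocol Request
  2.010000 172.16.21.56 -> 172.16.0.5 SMB Session Setup AndX Request
  2.500000 172.16.14.9 -> 172.16.255.255 NBNS Name
EOF
}

# Sources that actually addressed the server, one per line.
directed_sources() {
    classify "$1" | awk '$2 == "directed" { print $1 }' | LC_ALL=C sort -u
}

sample | classify 172.16.0.5
```

Only the source listed as `directed` opened an SMB conversation with the server; the others were broadcasting name lookups to the whole subnet.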
tshark -i eth0
shows a continuous log:
109.894479 172.16.27.10 -> 172.16.255.255 NBNS Name query NB WORKGROUP<1b>
109.935347 Micro-St_dc:2e:48 -> Broadcast ARP Who has 169.254.162.51? Tell 169.254.162.67
109.988069 172.16.37.23 -> 172.16.255.255 NBNS Name query NB WPAD<00>
109.988849 172.16.7.2 -> 172.16.255.255 NBNS Name query NB CORP1-PUR-001<20>
109.989372 172.16.7.2 -> 172.16.255.255 NBNS Name query NB CORP1-PUR-001<00>
110.033990 172.16.14.9 -> 172.16.255.255 NBNS Name query NB IXDHJEHL.COM<00>
110.034009 172.16.14.9 -> 172.16.255.255 NBNS Name query NB XUWGMJCRLWV.COM<00>
110.034168 172.16.14.9 -> 172.16.255.255 NBNS Name query NB CZFAAXXQ.COM<00>
110.034175 172.16.14.9 -> 172.16.255.255 NBNS Name query NB UGTLEZXAA.COM<00>
110.034316 172.16.14.9 -> 172.16.255.255 NBNS Name
90880 Intel_41:30:c1 -> Broadcast ARP Who has 172.16.246.202? Tell 172.16.21.56
262.748223 172.16.7.2 -> 172.16.255.255 NBNS Name query NB CORP1-PUR-001<20>
262.748242 172.16.7.2 -> 172.16.255.255 NBNS Name query NB CORP1-PUR-001<00>
262.836215 Dell_07:cf:ab -> Broadcast ARP Who has 172.16.9.111? Tell 172.16.26.5
262.852324 AsustekC_ad:a4:d7 -> Broadcast ARP Who has 172.16.11.16? Tell 172.16.37.24
262.854602 192.168.0.2 -> 192.168.0.255 UDP Source port
Thanks for this command... this command brings a flood on my PC, but I can't understand the log it shows... can you tell me some more?
Today when I checked the update file, I found that one shared dir was accessed by someone, so I want to know when this dir was accessed and by whom... how can I check this? Also, is there any program for continuously checking smbstatus -u? This command runs once and gives output. I need it continuously... I am trying to make a shell script; if anyone knows, please share it....
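Added example, not part of any post in this thread: a polling script of the kind asked for above, which snapshots `smbstatus -S` at a fixed interval and appends a timestamped line whenever a share connection appears or disappears. The script name `smbwatch.sh`, the function names and the `demo` snapshots are constructed for illustration; it assumes share names contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the thread): log Samba share connects/disconnects
# by polling `smbstatus -S`. Assumes share names contain no whitespace.
export LC_ALL=C   # keep sort and comm on the same collation order

# Reduce `smbstatus -S` output on stdin to sorted "service pid machine" keys.
share_keys() {
    awk 'seen && NF >= 3 { print $1, $2, $3 }
         /^-+$/          { seen = 1 }' | sort -u
}

# Print one event per change.
# $1 = previous keys file, $2 = current keys file, $3 = timestamp prefix.
diff_events() {
    comm -13 "$1" "$2" | awk -v p="$3 CONNECT" '{ print p, $0 }'
    comm -23 "$1" "$2" | awk -v p="$3 DISCONNECT" '{ print p, $0 }'
}

# Poll forever. $1 = interval in seconds, $2 = event log to append to.
# The first pass reports every session already open as a CONNECT.
monitor() {
    prev=$(mktemp) cur=$(mktemp)
    trap 'rm -f "$prev" "$cur"' EXIT; trap 'exit 1' INT TERM
    while :; do
        smbstatus -S 2>/dev/null | share_keys > "$cur"
        diff_events "$prev" "$cur" "$(date '+%F %T')" >> "$2"
        cp "$cur" "$prev"
        sleep "$1"
    done
}

# Constructed sample: two snapshots one poll apart, for an offline dry run.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'Service  pid   Machine       Connected at' '-----------' \
        'public   2101  192.168.45.1  Tue May  8 11:43:02 2012' | share_keys > "$d/a"
    printf '%s\n' 'Service  pid   Machine       Connected at' '-----------' \
        'public   2101  192.168.45.1  Tue May  8 11:43:02 2012' \
        'update   2150  172.16.7.2    Tue May  8 11:53:10 2012' | share_keys > "$d/b"
    diff_events "$d/a" "$d/b" "2012-05-08 11:53:15"
    rm -rf "$d"
}

# usage: sh smbwatch.sh demo   |   sh smbwatch.sh <seconds> <logfile>
case "$1" in
    demo) demo ;;
    "")   : ;;
    *)    monitor "$1" "${2:?log file required}" ;;
esac
```

Polling only sees sessions that are open at the moment of a poll, so short connections between polls are missed; Samba's `full_audit` VFS module is the usual way to get a per-file record.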