Re: Logging failed authentication attempts

Hello Amos,

Thank you for the information.

I turned on squid debug_options 84,9 and see in the cache.log that in the first NTLM_NEGOTIATE request (YR) there is no username:
TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
00000000  4e 54 4c 4d 53 53 50 00  01 00 00 00 06 82 08 00  |NTLMSSP.........|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

so Squid responded with the NTLMSSP_CHALLENGE (TT).

But in the second NTLMSSP_AUTH request (KK) client sends username (sa0000bcmon) as well as hostname (0001bcreport02):
TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAABoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI=

00000000  4e 54 4c 4d 53 53 50 00  03 00 00 00 18 00 18 00  |NTLMSSP.........|
00000010  40 00 00 00 18 00 18 00  58 00 00 00 00 00 00 00  |@.......X.......|
00000020  70 00 00 00 0b 00 0b 00  70 00 00 00 0e 00 0e 00  |p.......p.......|
00000030  7b 00 00 00 00 00 00 00  00 00 00 00 06 82 89 02  |{...............|
00000040  6e 38 40 e9 72 17 60 f9  00 00 00 00 00 00 00 00  |n8@.r.`.........|
00000050  00 00 00 00 00 00 00 00  92 a1 ee 47 2a 46 a5 55  |...........G*F.U|
00000060  35 28 2a 70 fb ef 71 dc  c7 f1 1b d7 56 90 04 e2  |5(*p..q.....V...|
00000070  73 61 30 30 30 30 62 63  6d 6f 6e 30 30 30 31 62  |sa0000bcmon0001b|
00000080  63 72 65 70 6f 72 74 30  32                       |creport02|

The client uses a wrong password to calculate the NTLM response, so the helper returns NT_STATUS_LOGON_FAILURE:
2023/01/31 07:21:18.916 kid2| 84,9| helper.cc(666) submit: placeholder: '0',  buf[188]=KK TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAABoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI=

2023/01/31 07:21:18.935 kid2| 84,5| helper.cc(1107) helperStatefulHandleRead: helperStatefulHandleRead: 27 bytes from ntlmauthenticator #Hlpr25
2023/01/31 07:21:18.935 kid2| 84,9| helper.cc(1117) helperStatefulHandleRead:  accumulated[27]=NA NT_STATUS_LOGON_FAILURE



In the access.log there are two records, but there is no username in either:
2023-01-31 07:21:18|      2 10.73.16.136 TCP_DENIED/407/- 4531 CONNECT google.com:443 - HIER_NONE/- text/html -
2023-01-31 07:21:18|     19 10.73.16.136 TCP_DENIED/407/- 4500 CONNECT google.com:443 - HIER_NONE/- text/html -



Tue, 31 Jan 2023 at 07:09, Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On 31/01/2023 4:55 pm, Andrey K wrote:
> Hello,
>
> I need to log failed Proxy-authentication attempts. The log
> information should contain timestamp, username and client IP address.
> 407-records in the access.log file do not contain username if
> NTLM-authentication is used.
> I was wondering if it is possible to set up such a configuration?

Squid log entries record username for all authentication types as soon
as a username exists.
I expect you are being confused by log records for the part of NTLM
handshake before the username is sent to Squid.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
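The exchange above shows why the first 407 carries no user name: of the three NTLMSSP messages, only the type 3 AUTHENTICATE (KK) message has a UserName field. The decoder below is an added example, not Squid's code and not part of the original thread. It parses all three message types from the base64 form the helper sees, locating each string through the Len/MaxLen/Offset descriptors defined in MS-NLMP rather than fixed offsets (so a client that omits the Version field, as this one does, still decodes), and then pairs each KK submission in a `debug_options 84,9` cache.log with the helper's NA reply so that a failed logon can be recorded with its timestamp and user name. The regular expressions, the pairing-by-kid heuristic and the latin-1 decoding of OEM strings are assumptions of this example; the sample messages and log lines are the ones quoted in the post.

```python
"""Decode the NTLMSSP messages Squid passes to its NTLM auth helper.

Added example; not code from the Squid project or from the post above.
Message layouts follow MS-NLMP (NEGOTIATE = type 1, CHALLENGE = type 2,
AUTHENTICATE = type 3). The helper-protocol tokens YR/KK/TT/AF/NA/BH are
Squid's; the regexes and the KK-to-reply pairing heuristic are this example's own.
"""
import base64
import re
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # when set, strings are UTF-16LE, otherwise OEM


def _field(buf: bytes, pos: int) -> bytes:
    """Read an MS-NLMP (Len, MaxLen, BufferOffset) descriptor at pos and return
    the bytes it points at, refusing offsets that run past the message."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, pos)
    if offset + length > len(buf):
        raise ValueError("NTLMSSP field points outside the message")
    return buf[offset:offset + length]


def _text(raw: bytes, flags: int) -> str:
    # OEM strings are in the client's code page; latin-1 is an assumption that
    # is exact for the ASCII-only names in the captured messages.
    return raw.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1")


def parse_ntlm(b64: str) -> dict:
    """Parse one base64 NTLMSSP blob (the part after 'YR ', 'TT ' or 'KK ').

    Only the type 3 AUTHENTICATE message carries a UserName field, so only a
    type 3 result has a 'user' key; NEGOTIATE can name a domain and workstation
    at most.
    """
    buf = base64.b64decode(b64)
    if len(buf) < 12 or buf[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    if msg_type == 1:  # NEGOTIATE: flags @12, DomainName @16, Workstation @24
        flags = struct.unpack_from("<I", buf, 12)[0]
        info = {"type": 1, "flags": flags}
        if len(buf) >= 32:  # the two name fields are optional
            info["domain"] = _text(_field(buf, 16), 0)  # always OEM per MS-NLMP
            info["workstation"] = _text(_field(buf, 24), 0)
        return info
    if msg_type == 2:  # CHALLENGE: TargetName @12, flags @20, ServerChallenge @24
        if len(buf) < 32:
            raise ValueError("truncated CHALLENGE message")
        flags = struct.unpack_from("<I", buf, 20)[0]
        return {"type": 2, "flags": flags,
                "target": _text(_field(buf, 12), flags),
                "challenge": buf[24:32].hex()}
    if msg_type == 3:  # AUTHENTICATE: LM @12, NT @20, Domain @28, User @36,
        #                Workstation @44, SessionKey @52, flags @60
        if len(buf) < 64:
            raise ValueError("truncated AUTHENTICATE message")
        flags = struct.unpack_from("<I", buf, 60)[0]
        return {"type": 3, "flags": flags,
                "domain": _text(_field(buf, 28), flags),
                "user": _text(_field(buf, 36), flags),
                "workstation": _text(_field(buf, 44), flags),
                "nt_response": _field(buf, 20).hex()}
    raise ValueError(f"unknown NTLMSSP message type {msg_type}")


# Squid cache.log lines at debug_options 84,9 (assumed shape, matching the post).
SUBMIT_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kid>kid\d+)\|.*\bsubmit:.*="
                       r"(?P<cmd>YR|KK) (?P<b64>[A-Za-z0-9+/=]+)")
REPLY_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kid>kid\d+)\|.*accumulated\[\d+\]="
                      r"(?P<reply>(?:NA|AF|TT|BH)\b.*)$")


def failed_logons(lines) -> list:
    """Pair each KK submission with the next helper reply from the same kid and
    return the ones the helper rejected (NA). Keying on the kid alone is a
    heuristic of this example; a busy proxy should also key on the helper id."""
    pending, failures = {}, []
    for line in lines:
        m = SUBMIT_RE.match(line)
        if m:
            if m["cmd"] == "KK":
                pending[m["kid"]] = (m["ts"], parse_ntlm(m["b64"]))
            continue
        m = REPLY_RE.match(line)
        if m and m["kid"] in pending:
            ts, msg = pending.pop(m["kid"])
            if m["reply"].startswith("NA"):
                failures.append({"ts": ts, "kid": m["kid"], "reply": m["reply"],
                                 "user": msg.get("user"), "domain": msg.get("domain"),
                                 "workstation": msg.get("workstation")})
    return failures


# The NEGOTIATE and AUTHENTICATE blobs quoted in the post.
YR_B64 = "TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA="
KK_B64 = ("TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4A"
          "ewAAAAAAAAAAAAAABoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVV"
          "NSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI=")

# The cache.log lines quoted in the post; the 84,5 line is noise the scanner ignores.
SAMPLE_CACHE_LOG = [
    "2023/01/31 07:21:18.916 kid2| 84,9| helper.cc(666) submit: placeholder: '0',  "
    f"buf[188]=KK {KK_B64}",
    "2023/01/31 07:21:18.935 kid2| 84,5| helper.cc(1107) helperStatefulHandleRead: "
    "helperStatefulHandleRead: 27 bytes from ntlmauthenticator #Hlpr25",
    "2023/01/31 07:21:18.935 kid2| 84,9| helper.cc(1117) helperStatefulHandleRead:  "
    "accumulated[27]=NA NT_STATUS_LOGON_FAILURE",
]

if __name__ == "__main__":
    for blob in (YR_B64, KK_B64):
        print(parse_ntlm(blob))
    for f in failed_logons(SAMPLE_CACHE_LOG):
        print(f"{f['ts']} {f['reply']} user={f['user']!r} host={f['workstation']!r}")
```

Run against the post's two lines this yields one record with user `sa0000bcmon` from workstation `0001bcreport02` at 07:21:18.916. Note that the client IP is not present in these helper-debug lines, so meeting the original requirement (timestamp, user name, client IP) would also need a join to the request that triggered the submit; the 407 access.log entries written while the user name is still unknown cannot supply it.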
