Re: Logging failed authentication attempts

Amos, 

I understood: helper.cc does not parse the KK request and does not know the username. It can only get the username from the reply of the external helper, but since the external helper returns only an error without a username, this information is missing from the logs.

Is there any other possibility to log the username and source IP address for such failed NTLM authentication attempts?

Kind regards,
   Ankor.

On Tue, 31 Jan 2023 at 07:56, Andrey K <ankor2023@xxxxxxxxx> wrote:
Hello Amos,

Thank you for the information.

I turned on squid debug_options 84,9 and see in the cache.log that in the first NTLMSSP_NEGOTIATE request (YR) there is no username:
TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
00000000  4e 54 4c 4d 53 53 50 00  01 00 00 00 06 82 08 00  |NTLMSSP.........|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

so Squid responded with the NTLMSSP_CHALLENGE (TT).

But in the second NTLMSSP_AUTH request (KK) the client sends the username (sa0000bcmon) as well as the hostname (0001bcreport02):
TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAABoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI=

00000000  4e 54 4c 4d 53 53 50 00  03 00 00 00 18 00 18 00  |NTLMSSP.........|
00000010  40 00 00 00 18 00 18 00  58 00 00 00 00 00 00 00  |@.......X.......|
00000020  70 00 00 00 0b 00 0b 00  70 00 00 00 0e 00 0e 00  |p.......p.......|
00000030  7b 00 00 00 00 00 00 00  00 00 00 00 06 82 89 02  |{...............|
00000040  6e 38 40 e9 72 17 60 f9  00 00 00 00 00 00 00 00  |n8@.r.`.........|
00000050  00 00 00 00 00 00 00 00  92 a1 ee 47 2a 46 a5 55  |...........G*F.U|
00000060  35 28 2a 70 fb ef 71 dc  c7 f1 1b d7 56 90 04 e2  |5(*p..q.....V...|
00000070  73 61 30 30 30 30 62 63  6d 6f 6e 30 30 30 31 62  |sa0000bcmon0001b|
00000080  63 72 65 70 6f 72 74 30  32                       |creport02|

The client uses a wrong password to calculate the NTLM response, so the helper returns NT_STATUS_LOGON_FAILURE:
2023/01/31 07:21:18.916 kid2| 84,9| helper.cc(666) submit: placeholder: '0',  buf[188]=KK TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAABoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI=

2023/01/31 07:21:18.935 kid2| 84,5| helper.cc(1107) helperStatefulHandleRead: helperStatefulHandleRead: 27 bytes from ntlmauthenticator #Hlpr25
2023/01/31 07:21:18.935 kid2| 84,9| helper.cc(1117) helperStatefulHandleRead:  accumulated[27]=NA NT_STATUS_LOGON_FAILURE



In the access.log there are two records, but neither of them contains a username:
2023-01-31 07:21:18|      2 10.73.16.136 TCP_DENIED/407/- 4531 CONNECT google.com:443 - HIER_NONE/- text/html -
2023-01-31 07:21:18|     19 10.73.16.136 TCP_DENIED/407/- 4500 CONNECT google.com:443 - HIER_NONE/- text/html -



On Tue, 31 Jan 2023 at 07:09, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 31/01/2023 4:55 pm, Andrey K wrote:
> Hello,
>
> I need to log failed Proxy-authentication attempts. The log
> information should contain timestamp, username and client IP address.
> 407-records in the access.log file do not contain username if
> NTLM-authentication is used.
> I was wondering if it is possible to set up such a configuration?

Squid log entries record username for all authentication types as soon
as a username exists.
I expect you are being confused by log records for the part of NTLM
handshake before the username is sent to Squid.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
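The thread above shows that the KK blob Squid passes to the NTLM helper is a base64 NTLMSSP AUTHENTICATE (type 3) message whose domain, user and workstation fields are plain to read even when the password is wrong. The following is an added example, written for this page and not code from the thread, from Squid or from its helpers: it decodes those fields from the type 3 message and pairs each KK submit line in cache.log (debug_options 84,9) with the helper's NA verdict that follows, producing a failure record with timestamp, user and workstation. The sample inputs are the base64 blob, the hex dump and the two helper.cc log lines copied from the thread; the regexes over the cache.log format and the decision to pair KK and NA lines by kid alone are assumptions (with several concurrent NTLM helpers per kid one would have to key on the helper number, #Hlpr25 above, instead). The client IP is not in these lines, so it still has to be taken from the matching 407 record in access.log.

```python
"""Recover the username from a failed NTLM (KK) handshake logged by Squid."""
import base64
import re
import struct
from typing import Dict, List

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_AUTHENTICATE = 3            # MessageType of the AUTHENTICATE_MESSAGE
NTLMSSP_NEGOTIATE_UNICODE = 0x1     # name fields are UTF-16LE when set, else 8-bit OEM
# Offsets of the (Len, MaxLen, Offset) descriptors and the flags in a type 3 message.
DOMAIN_FIELD, USER_FIELD, WORKSTATION_FIELD, FLAGS_OFFSET = 28, 36, 44, 60


def _field(data: bytes, desc_off: int) -> bytes:
    """Return the payload that the security-buffer descriptor at desc_off points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", data, desc_off)
    if start + length > len(data):
        raise ValueError("NTLM field points outside the message")
    return data[start:start + length]


def parse_ntlm_authenticate(data: bytes) -> Dict[str, str]:
    """Decode domain, user and workstation from an NTLMSSP type 3 message.

    Offsets come from the descriptors, not a fixed layout, so a client that omits
    the optional Version/MIC block (as the message on this page does: its LM
    response starts right after the flags) parses the same way as one that has it.
    """
    if len(data) < 64 or data[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    if msg_type != NTLMSSP_AUTHENTICATE:
        raise ValueError(f"NTLMSSP type {msg_type} carries no username")
    flags = struct.unpack_from("<I", data, FLAGS_OFFSET)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return {
        "domain": _field(data, DOMAIN_FIELD).decode(enc),
        "user": _field(data, USER_FIELD).decode(enc),
        "workstation": _field(data, WORKSTATION_FIELD).decode(enc),
        "flags": f"0x{flags:08x}",
    }


def decode_kk_blob(blob: str) -> Dict[str, str]:
    """The KK payload Squid hands to the helper is the base64 type 3 message."""
    return parse_ntlm_authenticate(base64.b64decode(blob))


# Assumed cache.log shapes (84,9): submit line with the KK blob, read line with the
# NA verdict. Pairing on the kid alone is an assumption that holds for this thread.
KK_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kid>kid\d+)\| .*submit: .*=KK (?P<blob>[A-Za-z0-9+/=]+)")
NA_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kid>kid\d+)\| .*accumulated\[\d+\]=NA (?P<reason>\S+)")


def failed_logons(cache_log: List[str]) -> List[Dict[str, str]]:
    """Pair each KK submit with the NA reply that follows it on the same kid."""
    pending: Dict[str, Dict[str, str]] = {}
    failures: List[Dict[str, str]] = []
    for line in cache_log:
        m = KK_RE.match(line)
        if m:
            pending[m["kid"]] = decode_kk_blob(m["blob"])
            continue
        m = NA_RE.match(line)
        if m and m["kid"] in pending:
            ident = pending.pop(m["kid"])
            failures.append({"time": m["ts"], "kid": m["kid"], "reason": m["reason"], **ident})
    return failures


# Sample input copied from the thread: the KK blob for sa0000bcmon and its hex dump.
KK_BLOB = ("TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAA"
           "BoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJj"
           "bW9uMDAwMWJjcmVwb3J0MDI=")
HEX_DUMP = """\
00000000  4e 54 4c 4d 53 53 50 00  03 00 00 00 18 00 18 00  |NTLMSSP.........|
00000010  40 00 00 00 18 00 18 00  58 00 00 00 00 00 00 00  |@.......X.......|
00000020  70 00 00 00 0b 00 0b 00  70 00 00 00 0e 00 0e 00  |p.......p.......|
00000030  7b 00 00 00 00 00 00 00  00 00 00 00 06 82 89 02  |{...............|
00000040  6e 38 40 e9 72 17 60 f9  00 00 00 00 00 00 00 00  |n8@.r.`.........|
00000050  00 00 00 00 00 00 00 00  92 a1 ee 47 2a 46 a5 55  |...........G*F.U|
00000060  35 28 2a 70 fb ef 71 dc  c7 f1 1b d7 56 90 04 e2  |5(*p..q.....V...|
00000070  73 61 30 30 30 30 62 63  6d 6f 6e 30 30 30 31 62  |sa0000bcmon0001b|
00000080  63 72 65 70 6f 72 74 30  32                       |creport02|"""
SAMPLE_CACHE_LOG = [
    "2023/01/31 07:21:18.916 kid2| 84,9| helper.cc(666) submit: placeholder: '0',  buf[188]=KK " + KK_BLOB,
    "2023/01/31 07:21:18.935 kid2| 84,5| helper.cc(1107) helperStatefulHandleRead: "
    "helperStatefulHandleRead: 27 bytes from ntlmauthenticator #Hlpr25",
    "2023/01/31 07:21:18.935 kid2| 84,9| helper.cc(1117) helperStatefulHandleRead:  "
    "accumulated[27]=NA NT_STATUS_LOGON_FAILURE",
]


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn Squid's hex dump (offset, hex columns, ASCII gutter) back into bytes."""
    out = bytearray()
    for line in dump.splitlines():
        out.extend(int(h, 16) for h in line.split("|", 1)[0].split()[1:])
    return bytes(out)


def samples_agree() -> bool:
    """The base64 blob and the hex dump in the thread describe the same 137 bytes."""
    return hexdump_to_bytes(HEX_DUMP) == base64.b64decode(KK_BLOB)


if __name__ == "__main__":
    for rec in failed_logons(SAMPLE_CACHE_LOG):
        print(f"{rec['time']} user={rec['user']!r} workstation={rec['workstation']!r} {rec['reason']}")
```

On the thread's lines this yields one record, user sa0000bcmon from workstation 0001bcreport02 with reason NT_STATUS_LOGON_FAILURE. Parsing the blob this way means trusting client-supplied bytes: the username and workstation are whatever the client put in the type 3 message, so treat them as claimed identities in any alert, and keep the bounds check in _field, since a hostile client can point a descriptor outside the message.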
