[squid-users] Logging failed authentication attempts

Andrey K ankor2023 at gmail.com
Tue Jan 31 04:56:59 UTC 2023


Hello Amos,

Thank you for the information.

I turned on squid debug_options 84,9 and see in the cache.log that in the
first NTLM_NEGOTIATE request (YR) there is no username:
TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
00000000  4e 54 4c 4d 53 53 50 00  01 00 00 00 06 82 08 00  |NTLMSSP.........|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

so SQUID responded with the NTLMSSP_CHALLENGE (TT).

But in the second NTLMSSP_AUTH request (KK) client sends username (
sa0000bcmon) as well as hostname (0001bcreport02):
TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAABoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI=

00000000  4e 54 4c 4d 53 53 50 00  03 00 00 00 18 00 18 00  |NTLMSSP.........|
00000010  40 00 00 00 18 00 18 00  58 00 00 00 00 00 00 00  |@.......X.......|
00000020  70 00 00 00 0b 00 0b 00  70 00 00 00 0e 00 0e 00  |p.......p.......|
00000030  7b 00 00 00 00 00 00 00  00 00 00 00 06 82 89 02  |{...............|
00000040  6e 38 40 e9 72 17 60 f9  00 00 00 00 00 00 00 00  |n8@.r.`.........|
00000050  00 00 00 00 00 00 00 00  92 a1 ee 47 2a 46 a5 55  |...........G*F.U|
00000060  35 28 2a 70 fb ef 71 dc  c7 f1 1b d7 56 90 04 e2  |5(*p..q.....V...|
00000070  73 61 30 30 30 30 62 63  6d 6f 6e 30 30 30 31 62  |sa0000bcmon0001b|
00000080  63 72 65 70 6f 72 74 30  32                       |creport02|

The client uses a wrong password to calculate the NTLM response, so the helper returns
NT_STATUS_LOGON_FAILURE:
2023/01/31 07:21:18.916 kid2| 84,9| helper.cc(666) submit: placeholder: '0',  buf[188]=KK TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAABoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI=

2023/01/31 07:21:18.935 kid2| 84,5| helper.cc(1107) helperStatefulHandleRead: helperStatefulHandleRead: 27 bytes from ntlmauthenticator #Hlpr25
2023/01/31 07:21:18.935 kid2| 84,9| helper.cc(1117) helperStatefulHandleRead:  accumulated[27]=NA NT_STATUS_LOGON_FAILURE

In the access.log there are two records, but neither of them contains a username:
2023-01-31 07:21:18|      2 10.73.16.136 TCP_DENIED/407/- 4531 CONNECT google.com:443 - HIER_NONE/- text/html -
2023-01-31 07:21:18|     19 10.73.16.136 TCP_DENIED/407/- 4500 CONNECT google.com:443 - HIER_NONE/- text/html -

Tue, 31 Jan 2023 at 07:09, Amos Jeffries <squid3 at treenet.co.nz>:

> On 31/01/2023 4:55 pm, Andrey K wrote:
> > Hello,
> >
> > I need to log failed Proxy-authentication attempts. The log
> > information should contain timestamp, username and client IP address.
> > 407-records in the access.log file do not contain username if
> > NTLM-authentication is used.
> > I was wondering if it is possible to set up such a configuration?
>
> Squid log entries record username for all authentication types as soon
> as a username exists.
> I expect you are being confused by log records for the part of NTLM
> handshake before the username is sent to Squid.
>
> Amos
>
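The two NTLMSSP tokens quoted in the message above, decoded with an added example (this is not code from the thread or from Squid). It shows why the first 407 record can carry no username (the YR/NEGOTIATE message has no identity fields at all) while the KK/AUTHENTICATE token in cache.log does, so a defender wanting user and host for a failed logon can recover them from the debug line. Field offsets follow MS-NLMP; the cache.log line is constructed in the shape of the helper.cc submit line above.

```python
import base64
import struct

# The two NTLMSSP tokens quoted in the mail above (NEGOTIATE = "YR", AUTHENTICATE = "KK").
NEGOTIATE_B64 = "TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA="
AUTHENTICATE_B64 = (
    "TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAA"
    "BoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNh"
    "MDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI="
)
# Constructed cache.log line, in the shape of the helper.cc submit line from the mail.
DEBUG_LINE = ("2023/01/31 07:21:18.916 kid2| 84,9| helper.cc(666) submit: placeholder: '0',"
              "  buf[188]=KK " + AUTHENTICATE_B64)

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001   # MS-NLMP flag bit; when clear, strings are OEM/ASCII

def _security_buffer(buf, off):
    """Read a (len, maxlen, offset) descriptor at `off` and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    if offset + length > len(buf):
        raise ValueError("security buffer points outside the message")
    return buf[offset:offset + length]

def parse_ntlmssp(token_b64):
    """Decode one NTLMSSP token; user/workstation/domain exist only in a type 3 message."""
    buf = base64.b64decode(token_b64)
    if len(buf) < 12 or buf[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    info = {"type": msg_type, "user": None, "workstation": None, "domain": None}
    if msg_type == 1:                                   # NEGOTIATE: flags only, no identity
        info["flags"] = struct.unpack_from("<I", buf, 12)[0]
    elif msg_type == 3:                                 # AUTHENTICATE: fixed header layout per MS-NLMP
        flags = struct.unpack_from("<I", buf, 60)[0]
        enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
        info["flags"] = flags
        info["domain"] = _security_buffer(buf, 28).decode(enc)
        info["user"] = _security_buffer(buf, 36).decode(enc)
        info["workstation"] = _security_buffer(buf, 44).decode(enc)
    return info

def username_from_debug_line(line):
    """Return the username carried by a '...=KK <token>' cache.log line, or None for YR/TT lines."""
    idx = line.find("=KK ")
    if idx < 0:
        return None
    return parse_ntlmssp(line[idx + 4:].split()[0])["user"]
```

For the tokens above this yields no user for the YR message and user sa0000bcmon on workstation 0001bcreport02 for the KK message, matching the bytes at 0x70 and 0x7b in the hexdump.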