[squid-users] Logging failed authentication attempts

Andrey K ankor2023 at gmail.com
Tue Jan 31 05:13:32 UTC 2023


Amos,

I understood: the helper.cc does not parse the KK-request and does not know
about the username. It can only get the username information from the reply
of the external helper. But since the external helper returns only an error
without a username, this information is missing from the logs.

Is there any other possibility to log username and source IP address in
such NTLM-failed authentication attempts?

Kind regards,
   Ankor.

Tue, 31 Jan 2023 at 07:56, Andrey K <ankor2023 at gmail.com>:

> Hello Amos,
>
> Thank you for the information.
>
> I turned on squid debug_options 84,9 and see in the cache.log that in the
> first NTLM_NEGOTIATE request (YR) there is no username:
> TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
> 00000000  4e 54 4c 4d 53 53 50 00  01 00 00 00 06 82 08 00  |NTLMSSP.........|
> 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
>
> so SQUID responded with the NTLMSSP_CHALLENGE (TT).
>
> But in the second NTLMSSP_AUTH request (KK) the client sends the username
> (sa0000bcmon) as well as the hostname (0001bcreport02):
>
> TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAABoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI=
>
> 00000000  4e 54 4c 4d 53 53 50 00  03 00 00 00 18 00 18 00  |NTLMSSP.........|
> 00000010  40 00 00 00 18 00 18 00  58 00 00 00 00 00 00 00  |@.......X.......|
> 00000020  70 00 00 00 0b 00 0b 00  70 00 00 00 0e 00 0e 00  |p.......p.......|
> 00000030  7b 00 00 00 00 00 00 00  00 00 00 00 06 82 89 02  |{...............|
> 00000040  6e 38 40 e9 72 17 60 f9  00 00 00 00 00 00 00 00  |n8@.r.`.........|
> 00000050  00 00 00 00 00 00 00 00  92 a1 ee 47 2a 46 a5 55  |...........G*F.U|
> 00000060  35 28 2a 70 fb ef 71 dc  c7 f1 1b d7 56 90 04 e2  |5(*p..q.....V...|
> 00000070  73 61 30 30 30 30 62 63  6d 6f 6e 30 30 30 31 62  |sa0000bcmon0001b|
> 00000080  63 72 65 70 6f 72 74 30  32                       |creport02|
>
> Client uses wrong password to calculate NTLM response so helper returns
> NT_STATUS_LOGON_FAILURE:
> 2023/01/31 07:21:18.916 kid2| 84,9| helper.cc(666) submit: placeholder: '0',  buf[188]=KK
> TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAABoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI=
>
> 2023/01/31 07:21:18.935 kid2| 84,5| helper.cc(1107) helperStatefulHandleRead: helperStatefulHandleRead: 27 bytes from ntlmauthenticator #Hlpr25
> 2023/01/31 07:21:18.935 kid2| 84,9| helper.cc(1117) helperStatefulHandleRead:  accumulated[27]=NA NT_STATUS_LOGON_FAILURE
>
>
>
> In the access.log there are two records, but there is no username in either:
> 2023-01-31 07:21:18|      2 10.73.16.136 TCP_DENIED/407/- 4531 CONNECT google.com:443 - HIER_NONE/- text/html -
> 2023-01-31 07:21:18|     19 10.73.16.136 TCP_DENIED/407/- 4500 CONNECT google.com:443 - HIER_NONE/- text/html -
>
>
>
> Tue, 31 Jan 2023 at 07:09, Amos Jeffries <squid3 at treenet.co.nz>:
>
>> On 31/01/2023 4:55 pm, Andrey K wrote:
>> > Hello,
>> >
>> > I need to log failed Proxy-authentication attempts. The log
>> > information should contain timestamp, username and client IP address.
>> > 407-records in the access.log file do not contain username if
>> > NTLM-authentication is used.
>> > I was wondering if it is possible to set up such a configuration?
>>
>> Squid log entries record username for all authentication types as soon
>> as a username exists.
>> I expect you are being confused by log records for the part of NTLM
>> handshake before the username is sent to Squid.
>>
>> Amos
>>
>>
>
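As the captures in the thread show, the YR leg carries no username while the KK leg carries it in clear at offset 0x70. The following is an added example, not code from the thread or from Squid's helper code: it parses the MS-NLMP type 3 security buffers of the quoted blobs, the kind of step a log-enrichment hook would need to record the attempted user next to the client IP; the cp437 OEM code page is an assumption.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_AUTH = 3                # message type of the third (KK) leg
NEGOTIATE_UNICODE = 0x00000001  # MS-NLMP NTLMSSP_NEGOTIATE_UNICODE

# The YR (type 1) and KK (type 3) blobs quoted in the thread above.
YR_BLOB = "TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA="
KK_BLOB = "TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACwALAHAAAAAOAA4AewAAAAAAAAAAAAAABoKJAm44QOlyF2D5AAAAAAAAAAAAAAAAAAAAAJKh7kcqRqVVNSgqcPvvcdzH8RvXVpAE4nNhMDAwMGJjbW9uMDAwMWJjcmVwb3J0MDI="

def _security_buffer(msg: bytes, pos: int) -> bytes:
    """Read an MS-NLMP security buffer (Len, MaxLen, Offset) at pos; return its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_ntlm_authenticate(blob_b64: str) -> dict:
    """Decode a base64 NTLMSSP_AUTH (type 3) message into the fields worth logging."""
    msg = base64.b64decode(blob_b64)
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != NTLMSSP_AUTH:
        raise ValueError(f"type {msg_type} message carries no user name")
    if len(msg) < 64:
        raise ValueError("truncated AUTHENTICATE message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Without NEGOTIATE_UNICODE the strings are 8-bit OEM text (cp437 assumed here).
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    return {
        "domain": _security_buffer(msg, 28).decode(enc),
        "user": _security_buffer(msg, 36).decode(enc),
        "workstation": _security_buffer(msg, 44).decode(enc),
        "lm_response_len": len(_security_buffer(msg, 12)),  # never decoded
        "nt_response_len": len(_security_buffer(msg, 20)),  # never decoded
        "flags": flags,
    }

def username_from_blob(blob_b64: str):
    """User name in an NTLM blob, or None for legs (YR, TT) or junk that carry none."""
    try:
        return parse_ntlm_authenticate(blob_b64)["user"]
    except (ValueError, UnicodeDecodeError):
        return None

if __name__ == "__main__":
    print(parse_ntlm_authenticate(KK_BLOB))
```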