Dual protection for Samba file server could help ward off hackers…
I recently came across an article by Heise Online, detailing a clever way to prevent machines infected from the Locky ransomware from encrypting files on a Samba file server. Of course, the first line of defense should be an application whitelisting security product on all the endpoints, but as an added layer of defense, making sure the file server cannot be tampered with is something to be considered.
The idea behind protecting the Samba server revolves around using an application called fail2ban. Fail2ban is used to update firewall rules, by blocking connections coming from various sources, such as an internal or external IP address. It can reduce the rate of incorrect authentication attempts, and helps reduce the risk against brute force attacks.
In order to protect the server, you have to add the following lines in /etc/samba/smb.conf under the [global] section.
full_audit: failure = none
full_audit: success = pwrite write rename
full_audit: prefix = IP =% I | USER =% u | MACHINE =% m | VOLUME =% S
full_audit: facility = local7
full_audit: priority = NOTICE
Also, you need to add the following line under [Volume]
vfs objects = full_audit
Next, install fail2ban by running apt-get install fail2ban
You need to update the fail2ban configuration file by adding the following to the /etc/fail2ban/filter.d/samba.conf file
failregex = smbd * \.. \ IP = <HOST> \ | * \ locky $.
. Smbd * \. \ IP = <HOST> \ | * _ Locky_recover_instructions \ .txt $
Lastly, you will need to create a config file named samba in /etc/fail2ban/jail.d/ with the following
filter = samba
enabled = true
action = iptables-multiport [name = samba, port = “135,139,445,137,138” protocol = tcp]
mail [name = samba, dest=admin@MYDOMAIN.DE]
logpath = / var / log / syslog
maxretry = 1 #the first attempt is punishable
find time = 600 #always check the last 10 minutes
bantime = 86400 #ban for a whole day
This isn’t something that replaces good security hygiene, such as regular backups, patch management, and using a whitelisting security product, but it should help prevent a machine from tampering with the files on the Samba share.