A Creative Way to Protect Your Linux Samba Server from Ransomware


Dual protection for a Samba file server could help ward off attackers…

I recently came across an article by Heise Online detailing a clever way to prevent machines infected with the Locky ransomware from encrypting files on a Samba file server. Of course, the first line of defense should be an application whitelisting security product on all the endpoints, but as an added layer of defense, making sure the file server itself cannot be tampered with is worth considering.

The idea behind protecting the Samba server revolves around an application called fail2ban. Fail2ban watches log files and updates firewall rules to block connections from offending sources, such as an internal or external IP address. It is normally used to throttle repeated failed authentication attempts and so reduce the risk of brute-force attacks; here the same mechanism is pointed at Samba's audit log instead.

In order to protect the server, add the following lines to /etc/samba/smb.conf under the [global] section. They tell the full_audit VFS module to log every successful pwrite, write and rename operation to syslog, prefixed with the client's IP address, user, machine name and share:

full_audit:failure = none
full_audit:success = pwrite write rename
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility = local7
full_audit:priority = NOTICE

Also, you need to add the following line under the share section to be protected ([Volume] in this example), so that the module is actually loaded for that share:

vfs objects = full_audit

Next, install fail2ban by running apt-get install fail2ban.

Then define the fail2ban filter by putting the following in /etc/fail2ban/filter.d/samba.conf. The two patterns match an audit line whose last path component ends in .locky, or in the _Locky_recover_instructions.txt ransom note, and capture the client IP from the IP= field of the prefix (the continuation line must be indented):

[Definition]
failregex = smbd.*IP=<HOST>\|.*\.locky$
            smbd.*IP=<HOST>\|.*_Locky_recover_instructions\.txt$

Lastly, you will need to create a jail file named samba in /etc/fail2ban/jail.d/ with the following content (the second action line is a continuation of the first and must be indented):

[samba]
filter = samba
enabled = true
action = iptables-multiport[name=samba, port="135,139,445,137,138", protocol=tcp]
         mail[name=samba, dest=admin@MYDOMAIN.DE]
logpath = /var/log/syslog
# the first attempt is punishable
maxretry = 1
# always check the last 10 minutes
findtime = 600
# ban for a whole day
bantime = 86400
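Before deploying the filter it is worth checking what it actually matches. The following Python script is an added example, not part of the original article, of Heise's write-up or of fail2ban: it replays constructed syslog lines in the shape the full_audit prefix above produces against the two failregex patterns, then applies the jail's maxretry/findtime counting rule to decide which clients would be banned. It assumes that full_audit logs under the syslog identifier smbd_audit and stands in for fail2ban's own <HOST> expansion with a simpler address group; the hostnames, user names, paths and IP addresses in the sample log are constructed.

```python
import re
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> expansion (an assumption made for this example;
# fail2ban's real pattern is broader). It must expose the named group "host".
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"

# The two failregex lines from /etc/fail2ban/filter.d/samba.conf above.
FAILREGEX = [
    r"smbd.*IP=<HOST>\|.*\.locky$",
    r"smbd.*IP=<HOST>\|.*_Locky_recover_instructions\.txt$",
]

# Jail settings from /etc/fail2ban/jail.d/samba above.
MAXRETRY = 1
FINDTIME = timedelta(seconds=600)

# Classic syslog layout: "Mon DD HH:MM:SS hostname message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$"
)

# Constructed sample lines: prefix IP=%I|USER=%u|MACHINE=%m|VOLUME=%S, then
# |result|operation|arguments as full_audit appends them. The module is assumed
# here to log under the syslog identifier smbd_audit. The fourth line contains
# "locky" inside a file name but not as the final extension; the fifth is noise.
SAMPLE_LOG = [
    "Mar 10 09:15:02 fs smbd_audit: IP=192.168.1.20|USER=alice|MACHINE=WS01|VOLUME=share|ok|rename|Q4/budget.xlsx|Q4/budget.xlsx.locky",
    "Mar 10 09:15:02 fs smbd_audit: IP=192.168.1.20|USER=alice|MACHINE=WS01|VOLUME=share|ok|write|Q4/_Locky_recover_instructions.txt",
    "Mar 10 09:15:05 fs smbd_audit: IP=192.168.1.31|USER=bob|MACHINE=WS07|VOLUME=share|ok|pwrite|notes/todo.txt",
    "Mar 10 09:16:10 fs smbd_audit: IP=192.168.1.31|USER=bob|MACHINE=WS07|VOLUME=share|ok|rename|notes/locky_talk.md|notes/ransomware_talk.md",
    "Mar 10 09:16:11 fs sshd[880]: Accepted publickey for root from 192.168.1.5 port 50222 ssh2",
]


def compile_filter(patterns):
    """Replace the <HOST> placeholder and compile each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def scan(lines, compiled):
    """Return (timestamp, host) for every syslog line the filter matches."""
    hits = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        for rx in compiled:
            hit = rx.search(m.group("msg"))
            if hit:
                hits.append((ts, hit.group("host")))
                break  # one failregex match per line is enough
    return hits


def hosts_to_ban(hits, maxretry=MAXRETRY, findtime=FINDTIME):
    """Apply the jail's rule: ban a host once it has maxretry matches inside findtime."""
    recent = {}
    banned = []
    for ts, host in hits:  # hits are expected in log order
        window = [t for t in recent.get(host, []) if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG, compile_filter(FAILREGEX))
    for ts, host in hits:
        print(f"match at {ts.time()} from {host}")
    print("would ban:", hosts_to_ban(hits))
```

With maxretry = 1 the first matching line from 192.168.1.20 is enough to ban it; raising maxretry to 3 in the same call bans nobody, which is the trade-off the jail settings control. The line renaming notes/locky_talk.md does not match because the first pattern requires .locky as the final extension, so ordinary file names that merely contain the word are left alone.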


This isn’t something that replaces good security hygiene, such as regular backups, patch management, and using a whitelisting security product, but it should help stop an infected machine from tampering with the files on the Samba share once the first encrypted file shows up in the audit log.


2 thoughts on “A Creative Way to Protect Your Linux Samba Server from Ransomware”

  1. That config blocks a locky detection IP for 1 day, right? Wouldn’t it be better to go permanent, so you’re forced to manually unblock once you clean the infected computer? Far too often, I’ve seen people report the encryption a day or 2 after it happened, so blocking for just one day would mean it could have another go the next day.

    Also, I’d add in a collection of the known “how to decrypt” file names, and some of the other commonly used extensions. See here for an older list (not mine): https://www.reddit.com/r/sysadmin/comments/46361k/list_of_ransomware_extensions_and_known_ransom/
