A Creative Way to Protect Your Linux Samba Server from Ransomware


A second layer of protection on the Samba file server itself could help ward off ransomware.

I recently came across an article by Heise Online describing a clever way to stop machines infected with the Locky ransomware from encrypting files on a Samba file server. The first line of defense should still be an application whitelisting product on every endpoint, but as an added layer it is worth making sure the file server itself shuts out a client that starts tampering with its files.

The idea revolves around an application called fail2ban. fail2ban watches log files for patterns and updates firewall rules to block the source addresses it finds there, whether internal or external. It is best known for throttling failed logins and so reducing exposure to brute-force attacks, but it can act on any log line and any pattern, including Samba's own audit log.

To make Samba log what its clients are doing, add the following lines to /etc/samba/smb.conf in the [global] section. They tell the full_audit VFS module to log nothing on failure, to log only successful pwrite, write and rename operations (the calls a ransomware run makes, and few enough to keep the log volume sane), and to prefix every entry with the client IP (%I), user (%u), client machine name (%m) and share name (%S), sent to syslog as facility local7 at priority NOTICE:

    full_audit:failure = none
    full_audit:success = pwrite write rename
    full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
    full_audit:facility = local7
    full_audit:priority = NOTICE

Then load the module for the share you want to watch, here a share called [Volume], by adding this line to its section:

    vfs objects = full_audit

Each audited operation then appears in syslog as a line of the form IP=...|USER=...|MACHINE=...|VOLUME=...|rename|ok|<old name>|<new name>: the fixed prefix, followed by the operation, its result and its arguments. The file name at the end of that line is what the next step keys on.

 

Next, install fail2ban (on Debian or Ubuntu: apt-get install fail2ban).

Now give fail2ban a filter that recognises Locky at work. Create /etc/fail2ban/filter.d/samba.conf with the following content. The first pattern fires when a client writes or renames to a file whose name ends in .locky, the extension Locky gives encrypted files; the second fires when it drops its ransom note, _Locky_recover_instructions.txt. fail2ban replaces <HOST> with its own address pattern and bans whatever it captures there, which with the prefix above is the client IP:

    [Definition]
    failregex = smbd.*IP=<HOST>\|.*\.locky$
                smbd.*IP=<HOST>\|.*_Locky_recover_instructions\.txt$

The patterns are anchored with $ so that only the file name at the end of the audit line counts; a user who happens to write a file called locky.txt is left alone. They are also specific to this one family: other ransomware uses other extensions and note names, so the filter needs a line per family you want to catch.

 

Lastly, create the jail that ties the filter to an action. fail2ban only reads files in /etc/fail2ban/jail.d/ that end in .conf or .local, so name it /etc/fail2ban/jail.d/samba.conf (not just samba) and give it the following content:

    [samba]
    enabled = true
    filter = samba
    action = iptables-multiport[name=samba, port="135,139,445,137,138", protocol=tcp]
             mail[name=samba, dest=[email protected]]
    logpath = /var/log/syslog
    # the first attempt is punishable
    maxretry = 1
    # always check the last 10 minutes
    findtime = 600
    # ban for a whole day
    bantime = 86400

Replace the dest address (shown here as a placeholder) with the mailbox that should receive ban notices. The logpath assumes your syslog daemon writes local7 messages to /var/log/syslog, which the default Debian rsyslog configuration does; if yours routes them elsewhere, point logpath at that file instead. Of the listed ports only 139 and 445 are TCP ports Samba serves; 137 and 138 are the UDP NetBIOS name and datagram services and 135 is the Windows RPC endpoint mapper, so those entries are harmless but do nothing. Bear in mind that the ban is by IP address: with maxretry = 1, one infected session on a terminal server or behind a NAT gateway locks out every user sharing that address. Restart smbd so the VFS module is loaded and restart fail2ban to pick up the new jail, then confirm with fail2ban-client status samba that the jail is active and watching the right file.
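Before trusting the filter, test it against real log lines with the tool fail2ban ships for that purpose: fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/samba.conf prints how many lines each pattern matched and which hosts it extracted. As an added example that is not part of the original article or of fail2ban itself, the following Python script does the same offline: it replays a handful of constructed syslog lines in the prefix format configured above through the two failregex patterns and the jail's maxretry/findtime counting rule, with fail2ban's <HOST> tag approximated by a non-greedy capture group and an assumed year filled into the syslog timestamps. The IPs, users, machine names and file names are made up.

```python
import re
from datetime import datetime, timedelta

# fail2ban substitutes its own host pattern for <HOST>; this is a simplified
# stand-in (an assumption, not fail2ban's real pattern): a non-greedy run of
# non-space characters captured as "host".
HOST = r"(?P<host>\S+?)"

# The two failregex lines from the filter, compiled with <HOST> expanded.
FAILREGEX = [
    re.compile(r"smbd.*IP=" + HOST + r"\|.*\.locky$"),
    re.compile(r"smbd.*IP=" + HOST + r"\|.*_Locky_recover_instructions\.txt$"),
]

# Constructed sample syslog lines (not real log data) in the shape full_audit
# writes with prefix IP=%I|USER=%u|MACHINE=%m|VOLUME=%S: after the prefix
# come the VFS operation, "ok", and the operation's arguments.
SAMPLE_LOG = """\
Mar  1 09:00:01 fs1 smbd[2231]: IP=192.0.2.10|USER=alice|MACHINE=WS-ALICE|VOLUME=Volume|pwrite|ok|reports/q1.xlsx
Mar  1 09:00:02 fs1 smbd[2231]: IP=192.0.2.10|USER=alice|MACHINE=WS-ALICE|VOLUME=Volume|write|ok|reports/locky-notes.txt
Mar  1 09:00:05 fs1 smbd[2240]: IP=192.0.2.55|USER=bob|MACHINE=WS-BOB|VOLUME=Volume|rename|ok|reports/q1.xlsx|reports/AB12CD34EF567890.locky
Mar  1 09:00:05 fs1 smbd[2240]: IP=192.0.2.55|USER=bob|MACHINE=WS-BOB|VOLUME=Volume|pwrite|ok|reports/AB12CD34EF567890.locky
Mar  1 09:00:06 fs1 smbd[2240]: IP=192.0.2.55|USER=bob|MACHINE=WS-BOB|VOLUME=Volume|pwrite|ok|reports/_Locky_recover_instructions.txt
Mar  1 09:12:00 fs1 smbd[2250]: IP=192.0.2.77|USER=carol|MACHINE=WS-CAROL|VOLUME=Volume|pwrite|ok|archive/old.locky.bak
"""


def match_line(line):
    """Return (host, index of the failregex that fired) or None if no rule matches."""
    for i, rx in enumerate(FAILREGEX):
        m = rx.search(line)
        if m:
            return m.group("host"), i
    return None


def parse_syslog_time(line, year=2024):
    """Parse the classic syslog timestamp at the start of a line.

    syslog omits the year, so an assumed one is filled in.
    """
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def simulate_jail(log_text, maxretry=1, findtime=600):
    """Replay log lines through the jail's counting rule.

    A host is banned once it has at least maxretry matches within the last
    findtime seconds; lines from an already banned host are skipped because
    that client is blocked anyway. Returns {host: "YYYY-MM-DD HH:MM:SS"}.
    """
    window = timedelta(seconds=findtime)
    hits = {}     # host -> timestamps of matches still inside the window
    banned = {}
    for line in log_text.splitlines():
        hit = match_line(line)
        if hit is None or hit[0] in banned:
            continue
        host = hit[0]
        ts = parse_syslog_time(line)
        recent = [t for t in hits.get(host, []) if ts - t <= window]
        recent.append(ts)
        hits[host] = recent
        if len(recent) >= maxretry:
            banned[host] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(match_line(line), "<-", line.split("|")[-1])
    print("banned with maxretry=1:", simulate_jail(SAMPLE_LOG))
```

Only the client that renamed a file to .locky ends up banned, at the time of its first hit; the two near misses (locky-notes.txt and old.locky.bak) are not matched because of the $ anchor. Raising maxretry shows the window counting at work: with maxretry=3 the ban moves to that client's third hit, and with maxretry=4 nobody is banned at all.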


This is no substitute for good security hygiene, such as regular backups, patch management, and an application whitelisting product, and it contains rather than prevents the damage: the first file Locky renames or writes on the share is already logged before the ban takes effect. But it should keep an infected machine from encrypting the rest of the Samba share.
