{"id":54418,"date":"2016-09-15T14:37:11","date_gmt":"2016-09-15T14:37:11","guid":{"rendered":"https:\/\/www.pcmatic.com\/blog\/?p=54418"},"modified":"2016-09-15T14:37:11","modified_gmt":"2016-09-15T14:37:11","slug":"54418","status":"publish","type":"post","link":"https:\/\/www.pcmatic.com\/blog\/54418\/","title":{"rendered":"A Creative Way to Protect Your Linux Samba Server from Ransomware"},"content":{"rendered":"<p>&nbsp;<\/p>\n<h3>Dual protection for Samba file server could help ward off hackers&#8230;<!--more--><\/h3>\n<p>I recently came across an article by <a href=\"http:\/\/www.heise.de\/security\/artikel\/Erpressungs-Trojaner-wie-Locky-aussperren-3120956.html\">Heise Online<\/a>, detailing a clever way to prevent machines infected with the Locky ransomware from encrypting files on a Samba file server. Of course, the first line of defense should be an application whitelisting security product on all the endpoints, but as an added layer of defense, making sure the file server cannot be tampered with is worth considering.<\/p>\n<p>The idea behind protecting the Samba server revolves around using an application called <a href=\"http:\/\/www.fail2ban.org\/wiki\/index.php\/Main_Page\">fail2ban<\/a>. Fail2ban updates firewall rules to block connections coming from various sources, such as an internal or external IP address. 
It can reduce the rate of incorrect authentication attempts, and helps reduce the risk of brute-force attacks.<\/p>\n<p>To protect the server, add the following lines to \/etc\/samba\/smb.conf under the [global] section:<\/p>\n<p><em>full_audit:failure = none<\/em><\/p>\n<p><em>full_audit:success = pwrite write rename<\/em><\/p>\n<p><em>full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S<\/em><\/p>\n<p><em>full_audit:facility = local7<\/em><\/p>\n<p><em>full_audit:priority = NOTICE<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>Also add the following line under [Volume]:<\/p>\n<p><em>vfs objects = full_audit<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>Next, install fail2ban by running <em>apt-get install fail2ban<\/em><\/p>\n<p>Then add the following filter definition to the \/etc\/fail2ban\/filter.d\/samba.conf file (indent the second pattern so that it is read as a continuation of failregex):<\/p>\n<p><em>[Definition]<\/em><\/p>\n<p><em>failregex = smbd.*\\:\\ IP=&lt;HOST&gt;\\|.*\\.locky$<\/em><\/p>\n<p><em>smbd.*\\:\\ IP=&lt;HOST&gt;\\|.*_Locky_recover_instructions\\.txt$<\/em><\/p>\n<p><em>\u00a0<\/em><\/p>\n<p>Lastly, create a config file named samba in \/etc\/fail2ban\/jail.d\/ with the following (the mail line continues the action setting and must be indented):<\/p>\n<p><em>[samba]<\/em><\/p>\n<p><em>filter = samba<\/em><\/p>\n<p><em>enabled = true<\/em><\/p>\n<p><em>action = iptables-multiport[name=samba, port=&quot;135,139,445,137,138&quot;, protocol=tcp]<\/em><\/p>\n<p><em>mail[name=samba, dest=admin@MYDOMAIN.DE]<\/em><\/p>\n<p><em>logpath = \/var\/log\/syslog<\/em><\/p>\n<p><em>maxretry = 1 # the first attempt is punishable<\/em><\/p>\n<p><em>findtime = 600 # always check the last 10 minutes<\/em><\/p>\n<p><em>bantime = 86400 # ban for a whole day<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>This isn\u2019t something that replaces good security hygiene, such as regular backups, patch management, and using a whitelisting security product, but it should help prevent a machine from tampering with the files on the Samba share.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; Dual protection for Samba file server could help ward off 
hackers&#8230;<\/p>\n","protected":false},"author":55,"featured_media":54423,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[7,5000,183],"tags":[4363,5047],"class_list":["post-54418","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-newsletter","category-ransomwarewar","category-tips","tag-ransomware","tag-samba-server"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>A Creative Way to Protect Your Linux Samba Server from Ransomware<\/title>\n<meta name=\"description\" content=\"An alternative approach adds an additional layer of security to your Samba server - keeping it malware free...\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.pcmatic.com\/blog\/54418\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A Creative Way to Protect Your Linux Samba Server from Ransomware\" \/>\n<meta property=\"og:description\" content=\"An alternative approach adds an additional layer of 
security to your Samba server - keeping it malware free...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.pcmatic.com\/blog\/54418\/\" \/>\n<meta property=\"og:site_name\" content=\"PC Matic Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/pcmatic\" \/>\n<meta property=\"article:published_time\" content=\"2016-09-15T14:37:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.pcmatic.com\/blog\/wp-content\/uploads\/red-padlock-200x200-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"200\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Dodi Glenn\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@pcmatic\" \/>\n<meta name=\"twitter:site\" content=\"@pcmatic\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Dodi Glenn\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/54418\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/54418\\\/\"},\"author\":{\"name\":\"Dodi Glenn\",\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/#\\\/schema\\\/person\\\/48ddc92048489e51436331f82e991e37\"},\"headline\":\"A Creative Way to Protect Your Linux Samba Server from Ransomware\",\"datePublished\":\"2016-09-15T14:37:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/54418\\\/\"},\"wordCount\":364,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/54418\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/wp-content\\\/uploads\\\/red-padlock-200x200-1.jpg\",\"keywords\":[\"ransomware\",\"Samba server\"],\"articleSection\":[\"Newsletter\",\"RansomwareWar\",\"tips\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/54418\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/54418\\\/\",\"url\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/54418\\\/\",\"name\":\"A Creative Way to Protect Your Linux Samba Server from 
Ransomware\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/54418\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/54418\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/wp-content\\\/uploads\\\/red-padlock-200x200-1.jpg\",\"datePublished\":\"2016-09-15T14:37:11+00:00\",\"description\":\"An alternative approach adds an additional layer of security to your Samba server - keeping it malware free...\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/54418\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/54418\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/54418\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/wp-content\\\/uploads\\\/red-padlock-200x200-1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/wp-content\\\/uploads\\\/red-padlock-200x200-1.jpg\",\"width\":200,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/54418\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"A Creative Way to Protect Your Linux Samba Server from Ransomware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/\",\"name\":\"PC Matic Blog\",\"description\":\"Tech Tips and 
Tricks\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/#organization\",\"name\":\"PC Matic - Top Antivirus Company in the USA.\",\"url\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/techtalk.pcmatic.com\\\/wp-content\\\/uploads\\\/PC-MaticLogo-e1472689639222.png\",\"contentUrl\":\"https:\\\/\\\/techtalk.pcmatic.com\\\/wp-content\\\/uploads\\\/PC-MaticLogo-e1472689639222.png\",\"width\":1535,\"height\":483,\"caption\":\"PC Matic - Top Antivirus Company in the USA.\"},\"image\":{\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/pcmatic\",\"https:\\\/\\\/x.com\\\/pcmatic\",\"https:\\\/\\\/www.instagram.com\\\/pcmaticusa\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/pcmatic\",\"https:\\\/\\\/www.youtube.com\\\/c\\\/PCMaticVideo\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/#\\\/schema\\\/person\\\/48ddc92048489e51436331f82e991e37\",\"name\":\"Dodi Glenn\",\"url\":\"https:\\\/\\\/www.pcmatic.com\\\/blog\\\/author\\\/dodig\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"A Creative Way to Protect Your Linux Samba Server from Ransomware","description":"An alternative approach adds an additional layer of security to your Samba server - keeping it malware free...","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.pcmatic.com\/blog\/54418\/","og_locale":"en_US","og_type":"article","og_title":"A Creative Way to Protect Your Linux Samba Server from Ransomware","og_description":"An alternative approach adds an additional layer of security to your Samba server - keeping it malware free...","og_url":"https:\/\/www.pcmatic.com\/blog\/54418\/","og_site_name":"PC Matic Blog","article_publisher":"https:\/\/www.facebook.com\/pcmatic","article_published_time":"2016-09-15T14:37:11+00:00","og_image":[{"width":200,"height":200,"url":"https:\/\/www.pcmatic.com\/blog\/wp-content\/uploads\/red-padlock-200x200-1.jpg","type":"image\/jpeg"}],"author":"Dodi Glenn","twitter_card":"summary_large_image","twitter_creator":"@pcmatic","twitter_site":"@pcmatic","twitter_misc":{"Written by":"Dodi Glenn","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.pcmatic.com\/blog\/54418\/#article","isPartOf":{"@id":"https:\/\/www.pcmatic.com\/blog\/54418\/"},"author":{"name":"Dodi Glenn","@id":"https:\/\/www.pcmatic.com\/blog\/#\/schema\/person\/48ddc92048489e51436331f82e991e37"},"headline":"A Creative Way to Protect Your Linux Samba Server from Ransomware","datePublished":"2016-09-15T14:37:11+00:00","mainEntityOfPage":{"@id":"https:\/\/www.pcmatic.com\/blog\/54418\/"},"wordCount":364,"commentCount":0,"publisher":{"@id":"https:\/\/www.pcmatic.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.pcmatic.com\/blog\/54418\/#primaryimage"},"thumbnailUrl":"https:\/\/www.pcmatic.com\/blog\/wp-content\/uploads\/red-padlock-200x200-1.jpg","keywords":["ransomware","Samba server"],"articleSection":["Newsletter","RansomwareWar","tips"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.pcmatic.com\/blog\/54418\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.pcmatic.com\/blog\/54418\/","url":"https:\/\/www.pcmatic.com\/blog\/54418\/","name":"A Creative Way to Protect Your Linux Samba Server from Ransomware","isPartOf":{"@id":"https:\/\/www.pcmatic.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.pcmatic.com\/blog\/54418\/#primaryimage"},"image":{"@id":"https:\/\/www.pcmatic.com\/blog\/54418\/#primaryimage"},"thumbnailUrl":"https:\/\/www.pcmatic.com\/blog\/wp-content\/uploads\/red-padlock-200x200-1.jpg","datePublished":"2016-09-15T14:37:11+00:00","description":"An alternative approach adds an additional layer of security to your Samba server - keeping it malware 
free...","breadcrumb":{"@id":"https:\/\/www.pcmatic.com\/blog\/54418\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.pcmatic.com\/blog\/54418\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.pcmatic.com\/blog\/54418\/#primaryimage","url":"https:\/\/www.pcmatic.com\/blog\/wp-content\/uploads\/red-padlock-200x200-1.jpg","contentUrl":"https:\/\/www.pcmatic.com\/blog\/wp-content\/uploads\/red-padlock-200x200-1.jpg","width":200,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.pcmatic.com\/blog\/54418\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.pcmatic.com\/blog\/"},{"@type":"ListItem","position":2,"name":"A Creative Way to Protect Your Linux Samba Server from Ransomware"}]},{"@type":"WebSite","@id":"https:\/\/www.pcmatic.com\/blog\/#website","url":"https:\/\/www.pcmatic.com\/blog\/","name":"PC Matic Blog","description":"Tech Tips and Tricks","publisher":{"@id":"https:\/\/www.pcmatic.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.pcmatic.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.pcmatic.com\/blog\/#organization","name":"PC Matic - Top Antivirus Company in the USA.","url":"https:\/\/www.pcmatic.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.pcmatic.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/techtalk.pcmatic.com\/wp-content\/uploads\/PC-MaticLogo-e1472689639222.png","contentUrl":"https:\/\/techtalk.pcmatic.com\/wp-content\/uploads\/PC-MaticLogo-e1472689639222.png","width":1535,"height":483,"caption":"PC Matic - Top Antivirus Company in the 
USA."},"image":{"@id":"https:\/\/www.pcmatic.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/pcmatic","https:\/\/x.com\/pcmatic","https:\/\/www.instagram.com\/pcmaticusa\/","https:\/\/www.linkedin.com\/company\/pcmatic","https:\/\/www.youtube.com\/c\/PCMaticVideo"]},{"@type":"Person","@id":"https:\/\/www.pcmatic.com\/blog\/#\/schema\/person\/48ddc92048489e51436331f82e991e37","name":"Dodi Glenn","url":"https:\/\/www.pcmatic.com\/blog\/author\/dodig\/"}]}},"_links":{"self":[{"href":"https:\/\/www.pcmatic.com\/blog\/wp-json\/wp\/v2\/posts\/54418","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pcmatic.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pcmatic.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pcmatic.com\/blog\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pcmatic.com\/blog\/wp-json\/wp\/v2\/comments?post=54418"}],"version-history":[{"count":0,"href":"https:\/\/www.pcmatic.com\/blog\/wp-json\/wp\/v2\/posts\/54418\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.pcmatic.com\/blog\/wp-json\/wp\/v2\/media\/54423"}],"wp:attachment":[{"href":"https:\/\/www.pcmatic.com\/blog\/wp-json\/wp\/v2\/media?parent=54418"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pcmatic.com\/blog\/wp-json\/wp\/v2\/categories?post=54418"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pcmatic.com\/blog\/wp-json\/wp\/v2\/tags?post=54418"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}