Cool Solution - Ransomware protection with Fail2Ban
From Univention Wiki
This article desribes how to setup thorough Samba logging and Fail2Ban log analysis to detect and prevent ransomware attacks on Samba shares. We use a logging called "full_audit", which logs write and rename operations on files along with the user, machine and file of each operation. In this setup the log is continously analysed by Fail2Ban. It uses a list of known bad files and extensions used by ransomwares to detect and ban infected hosts from accessing shares.
To configure full_audit logging, execute the following UCR command.
ucr set 'samba/global/options/full_audit:failure=none' \ 'samba/global/options/full_audit:success=pwrite write rename' \ 'samba/global/options/full_audit:prefix=IP=%I|USER=%u|MACHINE=%m|VOLUME=%S' \ 'samba/global/options/full_audit:facility=local7' \ 'samba/global/options/full_audit:priority=NOTICE'
Now that full_audit is configured, you can either configure it manually for every share or use the following command to activate it for every share on the current host:
for i in $(udm shares/share list --filter=host=$(hostname -f) | grep DN: | sed 's/DN: //'); do udm shares/share modify "$@" --dn "$i" --set sambaVFSObjects="full_audit" || die; done
If you want to manually add the option to a share, here's how to do it: Open the UMC, click the tab "Domain" and open "Shares". Select and open the share you want to create a full_audit log for and open the "Samba" options on the left. On the bottom of that page you will find a text field called "VFS objects". Type "full_audit" in here and "Save" the share.
A rename operation on a file called "test.txt" to "test.crypted" laying on a share called "share1" on server "master" made by a user "john.doe" on machine "win7-pc" with IP "10.200.14.71" would look like this in the log now that full_audit is active:
Jun 27 10:29:47 master smbd_audit: IP=10.200.14.71|USER=UCS+john.doe|MACHINE=win7-pc|VOLUME=share1|rename|ok|test.txt|test.crypted
These can now be used by Fail2Ban to ban hosts if certain files or file endings are detected.
Installing and configuring Fail2Ban
Activate the "unmaintained" repository:
ucr set repository/online/unmaintained=yes
By default the "SSH" jail is active. You can deactivate this as it's not necessary for the function of this article, if you don't want it. To deactivate the SSH jail open the file
/etc/fail2ban/jail.conf with an editor and change this passage:
enabled = true [...]
enabled = false [...]
To configure a Samba jail with a list of file extensions known to be used by ransomwares, you can install the following package from the cool solution repository. This package configures a Samba jail, with a filter list located at
/etc/fail2ban/filter.d/samba.conf and a mailing service to send mails for each banned IP.
The jail bans clients for a week after one occurrence of a match on one of the regular expressions in the filter list is found in /var/log/syslog.
DO NOT FORGET! Protection is only as good as the filter list! Since new ransomwares using new file extensions are released rather frequent these days the list at
/etc/fail2ban/filter.d/samba.conf should be updated regularly!
After the package is installed and configuration is finished, restart Fail2Ban.
service fail2ban-server restart
Adding new regular expressions to the filter list
To add a new regular expression to the filter list, simply append it to the "failregex" paragraph.
You can test if the regular expression works by using the "fail2ban-regex" tool. This tool can be used to see which regexes match how often on a given log. It does not ban or unban anything, it's more like a so called "dry run".
It works as follows:
fail2ban-regex <LOG FILE> <FILTER LIST>
So if you want to test the samba filter list, that comes with the above package on syslog, the command would look as follows:
fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/samba.conf