Difference between revisions of "Cool Solution - Ransomware protection with Fail2Ban"

From Univention Wiki

Line 1: Line 1:
{{Version|UCS=4.2}}
 
{{Cool Solutions Disclaimer|Repository=yes}}
 
{{Review-Status}}
 
 
This article desribes how to setup thorough Samba logging and Fail2Ban log analysis to detect and prevent ransomware attacks on Samba shares. We use a logging called "full_audit", which logs write and rename operations on files along with the user, machine and file of each operation. In this setup the log is continously analysed by Fail2Ban. It uses a list of known bad files and extensions used by ransomwares to detect and ban infected hosts from accessing shares.
 
 
== Activate full_audit logging for Samba shares ==
 
 
To configure full_audit logging, execute the following UCR command.
 
 
<syntaxhighlight lang="bash">ucr set 'samba/global/options/full_audit:failure=none' \
 
'samba/global/options/full_audit:success=pwrite write rename' \
 
'samba/global/options/full_audit:prefix=IP=%I|USER=%u|MACHINE=%m|VOLUME=%S' \
 
'samba/global/options/full_audit:facility=local7' \
 
'samba/global/options/full_audit:priority=NOTICE'</syntaxhighlight>
 
 
Now that full_audit is configured, you can either configure it manually for every share or use the following command to activate it for every share on the current host:
 
<syntaxhighlight lang="bash">for i in $(udm shares/share list --filter=host=$(hostname -f) | grep DN: | sed 's/DN: //'); do udm shares/share modify "$@" --dn "$i" --set sambaVFSObjects="full_audit" || die; done</syntaxhighlight>
 
 
If you want to manually add the option to a share, here's how to do it:
 
Open the UMC, click the tab "Domain" and open "Shares". Select and open the share you want to create a full_audit log for and open the "Samba" options on the right. On the bottom of that page you will find a text field called "VFS objects". Type "full_audit" in here and "Save" the share.
 
 
A rename operation on a file called "test.txt" to "test.crypted" laying on a share called "share1" on server "master" made by a user "john.doe" on machine "win7-pc" with IP "10.200.14.71" would look like this in the log now that full_audit is active:
 
 
<code>Jun 27 10:29:47 master smbd_audit: IP=10.200.14.71|USER=UCS+john.doe|MACHINE=win7-pc|VOLUME=share1|rename|ok|test.txt|test.crypted</code>
 
 
These can now be used by Fail2Ban to ban hosts if certain files or file endings are detected.
 
 
 
== Installing and configuring Fail2Ban ==
 
== Installing and configuring Fail2Ban ==
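Review bot: the share-activation loop in this hunk's full_audit section ends in `|| die`, a helper that is defined nowhere on the page, and forwards the calling script's own `"$@"` into `udm shares/share modify`; wherever that command lives after this edit, replace `|| die` with `|| exit 1`, drop `"$@"`, and quote the filter argument as `--filter=host="$(hostname -f)"`. Note also that the whole full_audit section, including the example log line that is the only description of the `IP=...|USER=...|MACHINE=...|VOLUME=...` prefix the failregex entries match against, appears only once in this hunk and the next hunk header jumps from "Line 59" to "Line 31", so as far as this diff shows the new revision no longer explains the log format that the "Adding new regular expressions" section relies on.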
  
Line 59: Line 31:
 
The jail bans clients for a week after one occurrence of a match on one of the regular expressions in the filter list is found in /var/log/syslog.
 
The jail bans clients for a week after one occurrence of a match on one of the regular expressions in the filter list is found in /var/log/syslog.
  
'''DO NOT FORGET!''' Protection is only as good as the filter list! Since new ransomwares using new file extensions are released rather frequent these days this list should be updated regularly!
+
'''DO NOT FORGET! Protection is only as good as the filter list! Since new ransomwares using new file extensions are released rather frequent these days this list should be updated regularly!'''
  
 
<pre>univention-install univention-fail2ban-config-ransomware</pre>
 
<pre>univention-install univention-fail2ban-config-ransomware</pre>
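Review bot: the only change in this hunk is bolding the entire "DO NOT FORGET" sentence; while that line is being touched, fix its grammar ("rather frequent" should be "rather frequently", "new ransomwares" should be "new ransomware families") and name the file the reader has to keep updated, /etc/fail2ban/filter.d/samba.conf, which the preceding paragraph mentions but the warning itself does not.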
Line 66: Line 38:
  
 
<pre>service fail2ban-server restart</pre>
 
<pre>service fail2ban-server restart</pre>
 
== Adding new regular expressions to the filter list ==
 
 
To add a new regular expression to the filter list, simply append it to the "failregex" paragraph.
 
 
You can test if the regular expression works by using the "fail2ban-regex" tool. This tool can be used to see which regexes match how often on a given log. It does not ban or unban anything, it's more like a so called "dry run".
 
 
It works as follows:
 
 
<pre>fail2ban-regex <LOG FILE> <FILTER LIST></pre>
 
 
So if you want to test the samba filter list, that comes with the above package on syslog, the command would look as follows:
 
 
<pre>fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/samba.conf</pre>
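Review bot: the "failregex paragraph" the reader is told to append to is never tied to a file in this section; state that it is the failregex entry in the [Definition] section of /etc/fail2ban/filter.d/samba.conf (the same path the fail2ban-regex command two lines later uses), and add that Fail2Ban has to be restarted (the `service fail2ban-server restart` line above) before a newly added pattern takes effect, since fail2ban-regex only tests the file and does not reload the running jail. The earlier sections of the page wrap commands in <syntaxhighlight lang="bash"> while this one uses <pre>; a single convention would be clearer.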
 

Revision as of 10:58, 27 June 2017

Installing and configuring Fail2Ban

Activate the unmaintained repository.

ucr set repository/online/unmaintained='yes'

Install fail2ban

univention-install fail2ban

By default the "SSH" jail is active. It is not needed for the setup described in this article, so you can deactivate it if you don't want it. To deactivate the SSH jail, open /etc/fail2ban/jail.conf with an editor and change this passage:

[...]
[ssh]
enabled = true
[...]

to this:

[...]
[ssh]
enabled = false
[...]


To configure a Samba jail with a list of file extensions known to be used by ransomware, install the following package from the Cool Solutions repository. The package configures a Samba jail with a filter list located at /etc/fail2ban/filter.d/samba.conf and a mail notification for each banned IP. The jail bans a client for a week as soon as a single line in /var/log/syslog matches one of the regular expressions in the filter list.

DO NOT FORGET! Protection is only as good as the filter list! Since new ransomware families with new file extensions appear frequently, this list should be updated regularly!

univention-install univention-fail2ban-config-ransomware

After the package is installed and configuration is finished, restart Fail2Ban.

service fail2ban-server restart
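To see what the Samba jail actually does with the full_audit lines, here is an added Python dry run (not part of this article or of the univention-fail2ban-config-ransomware package) that expands Fail2Ban-style failregex entries the way fail2ban-regex does, runs them over constructed syslog lines in the prefix format shown earlier on this page, and lists the hosts that would be banned with maxretry = 1. The two failregex entries and the sample log lines are illustrations, not the package's real filter list.

```python
import re
from collections import Counter

# Fail2Ban-style failregex entries. "<HOST>" is Fail2Ban's placeholder for the
# client address and is expanded to a named group below, as fail2ban-regex does.
# The extensions/file names are a constructed illustration, not the real samba.conf.
FAILREGEX = [
    r"smbd_audit: IP=<HOST>\|.*\|rename\|ok\|.*\|.*\.crypted$",
    r"smbd_audit: IP=<HOST>\|.*\|(?:write|pwrite|rename)\|ok\|.*HELP_DECRYPT\.txt$",
]

# Matches an IPv4 address written by the full_audit prefix "IP=%I".
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(patterns):
    """Expand the <HOST> placeholder and compile each failregex entry."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def scan(log_lines, patterns, maxretry=1):
    """Dry run over syslog lines: {ip: matches} for hosts that reached maxretry.

    The article's jail uses maxretry = 1, i.e. one matching line is enough to ban.
    """
    compiled = compile_failregex(patterns)
    hits = Counter()
    for line in log_lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # a line counts once, whichever entry matched first
    return {ip: n for ip, n in hits.items() if n >= maxretry}

# Constructed sample lines in the format full_audit writes with this article's prefix.
SAMPLE_LOG = """\
Jun 27 10:29:47 master smbd_audit: IP=10.200.14.71|USER=UCS+john.doe|MACHINE=win7-pc|VOLUME=share1|rename|ok|test.txt|test.crypted
Jun 27 10:29:48 master smbd_audit: IP=10.200.14.72|USER=UCS+jane.doe|MACHINE=win10-pc|VOLUME=share1|rename|ok|report.docx|report.docx.bak
Jun 27 10:29:49 master smbd_audit: IP=10.200.14.73|USER=UCS+bob|MACHINE=pc3|VOLUME=share2|write|ok|HELP_DECRYPT.txt
Jun 27 10:29:50 master smbd_audit: IP=10.200.14.71|USER=UCS+john.doe|MACHINE=win7-pc|VOLUME=share1|rename|ok|notes.txt|notes.crypted
""".splitlines()

def banned_hosts():
    """Hosts the jail would ban for the sample log (bantime in the article: one week)."""
    return scan(SAMPLE_LOG, FAILREGEX)

if __name__ == "__main__":
    for ip, n in sorted(banned_hosts().items()):
        print(f"ban {ip}: {n} matching line(s)")
```

The second sample line (a rename to a ".bak" file) is a legitimate operation that matches nothing, which is the kind of false-positive check worth running with fail2ban-regex before a new pattern goes into the live filter list.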