Cool Solution - Ransomware protection with Fail2Ban

From Univention Wiki

Revision as of 10:58, 27 June 2017 by Heidelberger (talk | contribs)

Installing and configuring Fail2Ban

Activate the unmaintained repository.

ucr set repository/online/unmaintained='yes'

Install fail2ban

univention-install fail2ban

By default the "ssh" jail is active. It is not needed for the setup described in this article, so you can disable it if you don't want it. To disable the SSH jail, open /etc/fail2ban/jail.conf with an editor and change this passage:

[...]
[ssh]
enabled = true
[...]

to this:

[...]
[ssh]
enabled = false
[...]

Note that Fail2Ban also reads overrides from /etc/fail2ban/jail.local, which, unlike jail.conf, is not overwritten by package upgrades.

To configure a Samba jail with a list of file extensions known to be used by ransomware, install the following package from the Cool Solutions repository. It sets up a Samba jail with a filter list located at /etc/fail2ban/filter.d/samba.conf and a mail notification that is sent for each banned IP. The jail bans a client for one week as soon as a single line in /var/log/syslog matches one of the regular expressions in the filter list.

DO NOT FORGET! The protection is only as good as the filter list! New ransomware families using new file extensions appear rather frequently these days, so this list should be updated regularly!

univention-install univention-fail2ban-config-ransomware

After the package is installed and configuration is finished, restart Fail2Ban.

service fail2ban-server restart
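As an added example (not part of this wiki page and not the code of the univention-fail2ban-config-ransomware package), the following Python script mimics the jail behaviour described above: it parses a jail and a filter in Fail2Ban's INI format, expands the <HOST> tag, runs the failregex list over syslog lines and bans a host for one week after a single match (maxretry = 1, bantime = 604800 seconds). The jail and filter fragments, the short extension list and the syslog lines are all constructed for this example; the syslog format assumes Samba's vfs_full_audit module logging with its default user|IP prefix, and the <HOST> expansion is simplified to IPv4 addresses only.

```python
import configparser
import re
from datetime import datetime, timedelta

# Hypothetical jail definition in Fail2Ban INI syntax (constructed; not the package's file).
# maxretry = 1 and bantime = 604800 (one week) reproduce "ban after one match for a week".
JAIL_CONF = """
[samba]
enabled  = true
filter   = samba
logpath  = /var/log/syslog
maxretry = 1
bantime  = 604800
"""

# Hypothetical filter (constructed). The extension list is deliberately short; a real
# list must be kept current, exactly as the article warns.
FILTER_CONF = r"""
[Definition]
failregex = smbd_audit: \S+\|<HOST>\|pwrite\|ok\|.*\.(locky|zepto|cerber|crypt)$
            smbd_audit: \S+\|<HOST>\|rename\|ok\|.*\|.*\.(locky|zepto|cerber|crypt)$
ignoreregex =
"""

# Constructed syslog lines, assuming Samba vfs_full_audit output with the default
# "%u|%I" prefix (user|client IP). 192.0.2.0/24 is a documentation address range.
SAMPLE_SYSLOG = [
    "Jun 27 10:58:01 ucs-member smbd_audit: alice|192.0.2.10|pwrite|ok|/srv/share/report.docx",
    "Jun 27 10:58:02 ucs-member smbd_audit: alice|192.0.2.10|pwrite|ok|/srv/share/report.docx.locky",
    "Jun 27 10:58:03 ucs-member smbd_audit: bob|192.0.2.11|rename|ok|/srv/share/notes.txt|/srv/share/notes.txt.cerber",
    "Jun 27 10:58:04 ucs-member smbd_audit: carol|192.0.2.12|open|ok|r|/srv/share/budget.xlsx",
    "Jun 27 10:58:05 ucs-member smbd_audit: alice|192.0.2.10|pwrite|ok|/srv/share/photo.jpg.locky",
]

# Simplified <HOST> expansion: Fail2Ban's real tag also matches IPv6 addresses and hostnames.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def _regex_list(raw):
    """Compile one regex per non-empty line of a failregex/ignoreregex value."""
    return [re.compile(line.strip().replace("<HOST>", HOST_RE))
            for line in raw.splitlines() if line.strip()]


def load_filter(filter_text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(filter_text)
    section = parser["Definition"]
    return _regex_list(section.get("failregex", "")), _regex_list(section.get("ignoreregex", ""))


def load_jail(jail_text, name):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(jail_text)
    section = parser[name]
    return {"maxretry": section.getint("maxretry"),
            "bantime": timedelta(seconds=section.getint("bantime"))}


def scan(lines, failregexes, ignoreregexes, jail, now):
    """Return (hits per host, bans as host -> expiry) for the given log lines."""
    hits, bans = {}, {}
    for line in lines:
        if any(rx.search(line) for rx in ignoreregexes):
            continue
        for rx in failregexes:
            match = rx.search(line)
            if match:
                host = match.group("host")
                hits[host] = hits.get(host, 0) + 1
                # A host is banned once its hit count reaches maxretry; an existing ban is kept.
                if hits[host] >= jail["maxretry"] and host not in bans:
                    bans[host] = now + jail["bantime"]
                break
    return hits, bans


def demo(now=datetime(2017, 6, 27, 10, 58)):
    """Run the constructed jail over the constructed syslog lines."""
    failregexes, ignoreregexes = load_filter(FILTER_CONF)
    hits, bans = scan(SAMPLE_SYSLOG, failregexes, ignoreregexes, load_jail(JAIL_CONF, "samba"), now)
    return {"hits": hits, "bans": {host: expiry.isoformat() for host, expiry in bans.items()}}


if __name__ == "__main__":
    for host, expiry in demo()["bans"].items():
        print(f"ban {host} until {expiry}")
```

The second regex line shows why the filter should cover renames as well as writes: some ransomware renames the original file rather than writing a new one, so a list that only looks at write operations misses it. Whichever operations the real filter covers, the extension list in the package's samba.conf is the part that needs regular updating.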