Cool Solution - Ransomware protection with Fail2Ban
From Univention Wiki
Installing and configuring Fail2Ban
Activate the unmaintained repository.
ucr set repository/online/unmaintained='yes'
By default the "SSH" jail is active. It is not needed for the setup described in this article, so you can deactivate it if you don't want it. To deactivate the SSH jail, open the file
/etc/fail2ban/jail.conf with an editor and change this passage in the SSH jail section from
enabled = true
to
enabled = false
To configure a Samba jail with a list of file extensions known to be used by ransomware, install the following package from the Cool Solutions repository. This package configures a Samba jail with a filter list located at
/etc/fail2ban/filter.d/samba.conf and a mail service that sends a mail for each banned IP.
The jail bans a client for a week as soon as a single line in /var/log/syslog matches one of the regular expressions in the filter list.
DO NOT FORGET! Protection is only as good as the filter list! Since new ransomware families using new file extensions appear rather frequently these days, this list should be updated regularly!
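As an added illustration (not part of this wiki page or of the cool-solution package), the following Python script mirrors what the Samba jail does: it builds a fail2ban-style failregex from an extension list, runs it over a few constructed syslog lines in the format Samba's full_audit VFS module produces when its prefix contains the client address (assumed here as %u|%I|%m|%S), and reports which client would be banned. The extension list, the sample log lines, the jail name [samba], the findtime and the full_audit prefix are assumptions; the ban time of one week, maxretry of one and the logpath /var/log/syslog follow the jail behaviour described above. It also renders the filter.d and jail stanzas those parameters correspond to, so the same regex can be dropped into an extended filter list.

```python
import re

# Illustrative extension list (constructed for this example; the cool-solution
# package ships its own list, which is not reproduced here).
RANSOMWARE_EXTENSIONS = ("locky", "zepto", "cerber", "crypt", "encrypted")

# Jail parameters mirroring the behaviour described above: one match in
# /var/log/syslog (maxretry = 1) bans the client for one week.
JAIL_NAME = "samba"                        # assumed jail name
JAIL = {
    "logpath": "/var/log/syslog",
    "maxretry": 1,
    "findtime": 600,                       # assumed window, in seconds
    "bantime": 7 * 24 * 3600,              # one week, in seconds
}

# failregex in the form a fail2ban filter.d/*.conf uses.  <HOST> is fail2ban's
# placeholder for the address to ban.  Assumed log format: Samba's full_audit
# VFS module logging to syslog with "full_audit:prefix = %u|%I|%m|%S", so the
# client IP is the second '|'-separated field after "smbd_audit: ".  The
# extension is anchored at end of line so that a file which merely contains
# the word (e.g. "locky_analysis.pdf") does not trigger a ban.
FAILREGEX = (
    r"smbd_audit: [^|]*\|<HOST>\|[^|]*\|[^|]*\|"
    r"(?:open|create_file|pwrite|rename)\|ok\|.*\.(?:"
    + "|".join(re.escape(ext) for ext in RANSOMWARE_EXTENSIONS)
    + r")$"
)


def render_filter_conf(failregex=FAILREGEX):
    """Return the text of a filter.d/samba.conf built from the failregex."""
    return "[Definition]\nfailregex = %s\nignoreregex =\n" % failregex


def render_jail_conf(jail=JAIL, name=JAIL_NAME):
    """Return a jail stanza enabling the Samba jail with these parameters."""
    lines = ["[%s]" % name, "enabled = true", "filter = samba"]
    lines += ["%s = %s" % (key, value) for key, value in jail.items()]
    return "\n".join(lines) + "\n"


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex.

    fail2ban substitutes <HOST> with a named group 'host'; a plain IPv4
    group is enough for this example.
    """
    host = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    return re.compile(failregex.replace("<HOST>", host))


def hosts_to_ban(log_lines, failregex=FAILREGEX, maxretry=JAIL["maxretry"]):
    """Return the sorted list of client addresses that reach maxretry matches."""
    pattern = compile_failregex(failregex)
    hits = {}
    for line in log_lines:
        match = pattern.search(line)
        if match:
            host = match.group("host")
            hits[host] = hits.get(host, 0) + 1
    return sorted(host for host, count in hits.items() if count >= maxretry)


# Constructed sample syslog lines (not real log data).
SAMPLE_SYSLOG = [
    "Mar  3 10:12:01 ucs smbd_audit: alice|192.0.2.10|ws-alice|files|open|ok|w|documents/budget.xlsx",
    "Mar  3 10:12:05 ucs smbd_audit: bob|192.0.2.20|ws-bob|files|rename|ok|documents/report.docx|documents/report.docx.locky",
    "Mar  3 10:12:06 ucs smbd_audit: bob|192.0.2.20|ws-bob|files|open|ok|w|documents/notes.txt.zepto",
    "Mar  3 10:12:09 ucs smbd_audit: carol|192.0.2.30|ws-carol|files|open|ok|r|documents/locky_analysis.pdf",
    "Mar  3 10:12:11 ucs sshd[1234]: Accepted publickey for admin from 192.0.2.40 port 50222 ssh2",
]

if __name__ == "__main__":
    print(render_filter_conf())
    print(render_jail_conf())
    # Only 192.0.2.20 wrote files with a listed extension; carol's PDF and the
    # unrelated sshd line are left alone.
    print("clients to ban:", hosts_to_ban(SAMPLE_SYSLOG))
```

Before adding new extensions to the real filter list, run the regex against a day of your own syslog the same way (fail2ban ships fail2ban-regex for exactly this) to make sure legitimate file names do not match, since with maxretry = 1 a single false positive locks a workstation out for a week.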
After the package is installed and the configuration is finished, restart Fail2Ban:
service fail2ban-server restart