[Samba] [ISC Crosspost] Novel method for slowing down Locky on Samba server using fail2ban
John Schmerold
schmerold2 at gmail.com
Thu Mar 10 13:26:31 UTC 2016
From: bounces at isc.sans.edu
To: sbradcpa at pacbell.net <sbradcpa at pacbell.net>
Novel method for slowing down Locky on Samba server using fail2ban
https://isc.sans.edu/diary.html?n&storyid=20805
http://www.heise.de/security/artikel/Erpressungs-Trojaner-wie-Locky-aussperren-3120956.html
Google Translate version of above:
If you teach the Samba server to log write and rename actions, you can
set fail2ban on Locky activity and lock infected computers out before
they can do great harm.
Put the following lines into the [global] section of /etc/samba/smb.conf:
full_audit:failure = none
full_audit:success = pwrite write rename
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility = local7
full_audit:priority = NOTICE
and into every share that is to be monitored:
vfs objects = full_audit
This leads to lines like these in the log:
2016-02-29T11:07:36.162528+01:00 hort smbd_audit:IP=1.2.3.4|USER=dha|MACHINE=win7dha|VOLUME=dha|pwrite|ok|bla/Q-Dir_Installer.zip
2016-02-29T11:08:43.945654+01:00 hort smbd_audit:IP=1.2.3.4|USER=dha|MACHINE=win7dha|VOLUME=dha|pwrite|ok|bla/ganzböserverschlüsselungstrojaner.locky
Then install fail2ban (apt-get install fail2ban) and create the filter
definitions in /etc/fail2ban/filter.d/samba.conf as follows:
[Definition]
failregex = smbd.*\:\ IP=<HOST>\|.*\.locky$
            smbd.*\:\ IP=<HOST>\|.*_Locky_recover_instructions\.txt$
ignoreregex =
The filter triggers on the file extension .locky typical of Locky and on
the ransom note _Locky_recover_instructions.txt. It can, however, easily
be extended to other files typical of ransomware. When adding new lines
you have to watch the indentation; fail2ban is a Python script and
accordingly fussy about leading spaces and tabs. It becomes difficult for
extensions like .mp3, which the latest version of TeslaCrypt (3) appends:
there you have to decide, as admin, whether music files have any business
being on the server at all.
fail2ban locks out
Arm the filter with a jail config file named samba.conf in /etc/fail2ban/jail.d/:
[samba]
filter = samba
enabled = true
action = iptables-multiport[name=samba, port="135,139,445,137,138", protocol=tcp]
         mail[name=samba, dest=admin@MYDOMAIN.DE]
logpath = /var/log/syslog
# block after the first attempt
maxretry = 1
# always look at the last 10 minutes
findtime = 600
# 24 hour ban
bantime = 86400
This ensures that a Locky-infected client is cut off via iptables for
24 hours and the admin is notified by mail.
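To see what the filter and jail above actually do before putting them in front of a file server, here is an added example (not from the article, heise, or the fail2ban project) that replays the same logic in plain Python: it loads the failregex lines from the filter file with configparser (the same parser fail2ban uses, which is why the indentation of the second line matters), expands <HOST> with a simplified IPv4-only pattern (an assumption; fail2ban's real expansion also accepts IPv6 and hostnames), runs the patterns over constructed smbd_audit lines, and applies maxretry/findtime/bantime per host. The log lines, hosts, users and file names are made up, and they assume syslog writes "smbd_audit: IP=" with a space after the colon, as the regex expects.

```python
import configparser
import re
from datetime import datetime, timedelta

# The filter file from the article, embedded as text. The continuation line is
# indented; that indentation is what makes it part of the failregex value.
FILTER_CONF = r"""[Definition]
failregex = smbd.*\:\ IP=<HOST>\|.*\.locky$
            smbd.*\:\ IP=<HOST>\|.*_Locky_recover_instructions\.txt$
ignoreregex =
"""

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# fail2ban pattern also accepts IPv6 and hostnames; IPv4 suffices here).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample syslog lines in the full_audit prefix format
# IP=%I|USER=%u|MACHINE=%m|VOLUME=%S. Hosts, users and paths are made up.
SAMPLE_LOG = """\
2016-02-29T11:07:36.162528+01:00 hort smbd_audit: IP=1.2.3.4|USER=dha|MACHINE=win7dha|VOLUME=dha|pwrite|ok|bla/Q-Dir_Installer.zip
2016-02-29T11:08:43.945654+01:00 hort smbd_audit: IP=1.2.3.4|USER=dha|MACHINE=win7dha|VOLUME=dha|pwrite|ok|bla/report.docx.locky
2016-02-29T11:08:44.100000+01:00 hort smbd_audit: IP=1.2.3.4|USER=dha|MACHINE=win7dha|VOLUME=dha|pwrite|ok|bla/_Locky_recover_instructions.txt
2016-02-29T11:09:01.000000+01:00 hort smbd_audit: IP=10.0.0.7|USER=bob|MACHINE=pc7|VOLUME=share|rename|ok|docs/a.txt|docs/b.txt
2016-02-29T11:09:02.000000+01:00 hort smbd_audit: IP=10.0.0.7|USER=bob|MACHINE=pc7|VOLUME=share|pwrite|ok|music/locky_research.mp3
"""


def load_failregex(conf_text):
    """Parse a fail2ban filter file with configparser (as fail2ban does) and
    return the failregex patterns, one per line of the multi-line value.
    An unindented second line is silently parsed as a separate key instead."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    value = cp["Definition"]["failregex"]
    return [p for p in value.splitlines() if p.strip()]


def compile_failregex(patterns):
    """Substitute the <HOST> placeholder and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_line(line, compiled):
    """Return the offending host if any failregex matches the line, else None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def parse_ts(line):
    """The syslog timestamp is the first space-separated field."""
    return datetime.fromisoformat(line.split(" ", 1)[0])


def evaluate(log_text, patterns=None, maxretry=1, findtime=600, bantime=86400):
    """Replay log lines the way the jail would: remember per-host hits inside
    the findtime window, ban when hits reach maxretry, and ignore further
    hits while the ban lasts. Returns {host: ban_until} as datetimes."""
    compiled = compile_failregex(patterns or load_failregex(FILTER_CONF))
    hits = {}
    bans = {}
    for line in log_text.splitlines():
        host = match_line(line, compiled)
        if host is None:
            continue
        ts = parse_ts(line)
        if host in bans and ts < bans[host]:
            continue  # still banned, nothing new to do
        window = [t for t in hits.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        hits[host] = window
        if len(window) >= maxretry:
            bans[host] = ts + timedelta(seconds=bantime)
            hits[host] = []
    return bans


if __name__ == "__main__":
    for host, until in evaluate(SAMPLE_LOG).items():
        print(f"ban {host} until {until.isoformat()}")
```

With the article's maxretry = 1 the first .locky write from 1.2.3.4 triggers the ban and the ransom-note write a second later is ignored as already banned; the rename and the .mp3 write from 10.0.0.7 never match, which is the point of the article's remark about extensions like .mp3. Stripping the indentation from the second failregex line makes load_failregex return only one pattern, with no error, which is the failure mode the article warns about.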