[Samba] ransomware etc

L.P.H. van Belle belle at bazuin.nl
Wed Jun 28 13:13:40 UTC 2017


IMO, 

First secure your entry points: mail, web server and proxy, and the exit points (your users' environment; in my case Windows 7/10 desktops).

I'm waiting until Trevor has the antivirus VFS ready for Samba 4.
@David Disseldorp, do you know the status of that, since it was your call to get it into Samba? ;-)
(https://github.com/fumiyas/samba-virusfilter/issues/23)
I've seen good work, but it stopped.. :(
I .. wannacry .. :-))

If you set up your mail server to expect sending servers to be set up in conformance with the RFCs, your spam will drop by at least 70%-90%,
saving you lots of CPU time. Now I use Postfix with its postscreen, and ClamAV with YARA rules for antivirus.
(https://virustotal.github.io/yara/) 

And a Postfix with postscreen setup, something like this:

postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/cidr/postscreen_whitelist_access.cidr,
    # https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre
    pcre:/etc/postfix/pcre/fqrdns-max.pcre,
    pcre:/etc/postfix/pcre/fqrdns-plus.pcre,
    pcre:/etc/postfix/pcre/fqrdns.pcre
# A client is rejected once the weighted sum of its DNSBL hits reaches this value (inclusive).
postscreen_dnsbl_threshold = 4
# Entry syntax: domain[=d.d.d.d][*weight]. The weight defaults to 1, a missing
# d.d.d.d pattern matches any listing, [a;b] lists alternatives and [a..b] a range.
# Negative weights are whitelists that subtract from the score.
postscreen_dnsbl_sites =
    # blacklists: a single hit on a *4 list is enough to reject
    b.barracudacentral.org*4
    bad.psky.me*4
    zen.spamhaus.org*4
    dnsbl.cobion.com*2
    bl.spameatingmonkey.net*2
    fresh.spameatingmonkey.net*2
    cbl.anti-spam.org.cn=127.0.8.2*2
    dnsbl.anonmails.de*2
    dnsbl.kempt.net*1
    dnsbl.inps.de*2
    bl.spamcop.net*2
    srn.surgate.net=127.0.0.2
    spam.dnsbl.sorbs.net*2
    rbl.rbldns.ru*2
    psbl.surriel.com*2
    bl.mailspike.net*2
    rep.mailspike.net=127.0.0.[13;14]*1
    bl.suomispam.net*2
    bl.blocklist.de*2
    ix.dnsbl.manitu.net*2
    dnsbl-2.uceprotect.net
    dnsbl.justspam.org=127.0.0.2*2
    all.s5h.net=127.0.0.2*2
    hostkarma.junkemailfilter.com=127.0.0.3
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    # whitelists: negative weights
    swl.spamhaus.org*-4
    list.dnswl.org=127.0.[0..255].[2;3]*-1
    rep.mailspike.net=127.0.0.[17;18]*-1
    rep.mailspike.net=127.0.0.[19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-1

So it counts how often an IP is listed in RBLs.
*4 means it gets 4 points. So listed in Barracuda, psky or Spamhaus => drop. Picked up by fail2ban => into the firewall.
This is reasonably optimized.
Until today I have not seen one WannaCry or (what is the new one called?) email.
Same for the proxy: added ICAP for scanning with YARA rules.

For my PCs:
Adobe: disable opening things from the internet, and disable JavaScript in Adobe.
MS Office: disable macros, VBS.. a.k.a. all scripting you can disable.
If a user needs it, open only that for that user (but use groups to set it up).
Most users open documents from within browsers or mail apps; protect these locations.
Article here: http://www.computerworld.com/article/2485214/microsoft-windows/cryptolocker-how-to-avoid-getting-infected-and-what-to-do-if-you-are.html
Set your antivirus heuristic scanning to high; yes, you lose a bit of speed, but you choose what you want: security or extra work later..
And users may NEVER EVER work with administrative rights.
Supporting a home user: set up, explain, and tell them that if they change the rights, you won't fix it next time.
Result: 90% fewer support calls from home users, and 10% are in trouble, but I'm not fixing it.. Again..

And what I did for Samba: only upgrade to 4.5.10 or 4.6.5 and make my daily backups.
Just go with the flow and don't use old, older and too old programs..

! Thing to remember: if a crypto hits you, it always hits the "recently opened" first.
So a "samba honeypot", well, I just don't like it, since that will hardly work.

But the above is just how "I" like my setups.


Greetz, 

Louis 
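Added example (editor's illustration, not Louis's code and not part of Postfix): a small model of how postscreen combines the weighted DNSBL entries above into a score. It parses a subset of the postscreen_dnsbl_sites value from the post using postscreen's entry syntax (domain[=d.d.d.d][*weight], with [a;b] alternatives and [a..b] ranges, weight defaulting to 1, inclusive threshold), then scores constructed lookup results for a few hypothetical clients. No DNS queries are made; the A records below are made up, and adding each entry's weight once when any returned record matches its pattern is a simplification of postscreen's internals.

```python
"""Model of postscreen's weighted DNSBL scoring (added example, not Postfix code).

Given the A records a client's DNSBL lookups returned, sum the weights of every
postscreen_dnsbl_sites entry whose pattern matches, and reject when the sum
reaches postscreen_dnsbl_threshold (inclusive, as in Postfix). All lookup
results in this file are constructed; nothing is queried.
"""
import re
from typing import Callable, Dict, List, Tuple

# Subset of the postscreen_dnsbl_sites value from the post (same syntax).
DNSBL_SITES = """
    # blacklists
    zen.spamhaus.org*4
    bl.spamcop.net*2
    dnsbl-2.uceprotect.net
    hostkarma.junkemailfilter.com=127.0.0.3
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    # whitelists
    swl.spamhaus.org*-4
    list.dnswl.org=127.0.[0..255].[2;3]*-1
    rep.mailspike.net=127.0.0.[17;18]*-1
"""
THRESHOLD = 4  # postscreen_dnsbl_threshold from the post

_ENTRY_RE = re.compile(r"^([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?$")
_OCTET_RE = re.compile(r"\[[^\]]*\]|\d+")  # '[0..255]' or '[2;3]' or '127'


def _octet_set(token: str) -> set:
    """'[2;4]' -> {2, 4}; '[0..255]' -> {0..255}; '127' -> {127}."""
    if not token.startswith("["):
        return {int(token)}
    allowed = set()
    for part in token[1:-1].split(";"):
        if ".." in part:
            lo, hi = part.split("..")
            allowed.update(range(int(lo), int(hi) + 1))
        else:
            allowed.add(int(part))
    return allowed


def compile_pattern(pattern: str) -> Callable[[str], bool]:
    """Turn a d.d.d.d pattern into a function that tests one A record."""
    octets = [_octet_set(t) for t in _OCTET_RE.findall(pattern)]
    if len(octets) != 4:
        raise ValueError(f"bad DNSBL pattern: {pattern}")

    def matches(addr: str) -> bool:
        parts = addr.split(".")
        return len(parts) == 4 and all(int(p) in o for p, o in zip(parts, octets))
    return matches


def parse_sites(text: str) -> List[Tuple[str, Callable[[str], bool], int]]:
    """Parse entries of the form domain[=pattern][*weight]; '#' lines are comments."""
    sites = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {line}")
        domain, pattern, weight = m.groups()
        # No pattern: any listing counts. No weight: default 1.
        matcher = compile_pattern(pattern) if pattern else (lambda _addr: True)
        sites.append((domain, matcher, int(weight) if weight else 1))
    return sites


def score(lookups: Dict[str, List[str]], sites) -> Tuple[int, List[str]]:
    """Add each entry's weight once if any A record for its domain matches."""
    total, hits = 0, []
    for domain, matcher, weight in sites:
        if any(matcher(a) for a in lookups.get(domain, [])):
            total += weight
            hits.append(f"{domain}*{weight}")
    return total, hits


SITES = parse_sites(DNSBL_SITES)


def classify(lookups: Dict[str, List[str]], threshold: int = THRESHOLD):
    """Return ('reject'|'pass', score, matched entries) for one client."""
    total, hits = score(lookups, SITES)
    return ("reject" if total >= threshold else "pass", total, hits)


if __name__ == "__main__":
    # Constructed lookup results for three hypothetical clients.
    clients = {
        "listed in zen": {"zen.spamhaus.org": ["127.0.0.4"]},
        "two minor lists": {"bl.spamcop.net": ["127.0.0.2"],
                            "dnsbl-2.uceprotect.net": ["127.0.0.2"]},
        "zen but on swl": {"zen.spamhaus.org": ["127.0.0.2"],
                           "swl.spamhaus.org": ["127.0.2.1"]},
    }
    for name, result in clients.items():
        print(f"{name}: {classify(result)}")
```

The third client shows why the whitelist weights matter: a *4 hit alone is a drop, but swl.spamhaus.org*-4 cancels it, and a dnswl listing only shaves one point off. Also note that the two hostkarma entries are scored independently, so 127.0.0.3 gives 1 point while 127.0.0.2 or 127.0.0.4 gives 2.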

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> David Disseldorp via samba
> Sent: Wednesday 28 June 2017 14:42
> To: mj via samba
> Subject: Re: [Samba] ransomware etc
> 
> Hi,
> 
> On Wed, 28 Jun 2017 11:08:11 +0200, mj via samba wrote:
> 
> > Hi all,
> > 
> > Just out of curiosity: is there anything we can do, on the
> > samba side, to counter the recent ransomware attacks? (or limit the damage done)
> > 
> > I'm thinking like: limit the number of files per second a client
> > (workstation) is allowed to edit, or some other smart tricks..?
> > 
> > It would be nice if samba could be an extra layer of defense.
> > 
> > Something perhaps a vfs module could help with..?
> > 
> > Anyone with tips, tricks, ideas?
> 
> Although not bullet proof, I'd suggest taking periodic 
> snapshots of the Samba share using Btrfs, LVM, ZFS, etc. This 
> will give you a read-only restore point, should clients start 
> misbehaving.
> 
> With Btrfs you could use the Snapper VFS module to expose the 
> read-only snapshots to clients via the Windows Previous Versions UI.
> 
> Cheers, David
> 
