[Samba] ransomware etc (referencing in part Samba-virusfilter)
Trever L. Adams
trever at middleearth.sapphiresunday.org
Thu Jun 29 00:54:03 UTC 2017
On 06/28/2017 07:13 AM, L.P.H. van Belle via samba wrote:
> IMO,
>
> First secure your entry points.. Mail, webserver and proxy, and the exit points (your users' environment, in my case Windows 7/10 desktops).
>
> I'm waiting until Trever's antivirus VFS is ready for Samba 4.
> @David Disseldorp, you know the status about that, since it was your call to get it in Samba. ;-)
> (https://github.com/fumiyas/samba-virusfilter/issues/23)
> I've seen good work but it stopped.. :(
> I .. wannacry .. :-))
https://github.com/treveradams/samba/tree/testing is actually where to
look. I believe it is current for 4.6.x (be warned, you may have to reset
to past versions from time to time, as the code base is git push -f'd to
keep the changelog short and as simple patches for merging). I am
waiting on reviews for the last patch set. I am watching the Samba 4.7/5.0
cycle. It appears there will be some changes needed. The discussions
went off list, but it should be ready for review. If there is an RC for
4.7, I will be happy to work on rebasing for that. I like the changes I
am seeing and want to make sure it stays working.
> If you set up your mail server to respect RFC-conforming server setups, your spam will drop at least 70%-90%,
> saving you lots of CPU time. Now I use Postfix with its postscreen, and ClamAV with YARA rules for antivirus.
> (https://virustotal.github.io/yara/)
Thank you. I was unaware of this project (YARA). I use postscreen on
mail systems I administer as well. Mix it with something like amavisd,
dspam, and ClamAV and you can have a very low spam rate (most of it on
any system I work with actually comes from an old account I have that I
use fetchmail to pull into that system).
>
> And a Postfix with postscreen setup, something like this:
> postscreen_access_list=
> permit_mynetworks,
> cidr:/etc/postfix/cidr/postscreen_whitelist_access.cidr,
> # https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre
> pcre:/etc/postfix/pcre/fqrdns-max.pcre,
> pcre:/etc/postfix/pcre/fqrdns-plus.pcre,
> pcre:/etc/postfix/pcre/fqrdns.pcre,
> postscreen_dnsbl_threshold=4
> postscreen_dnsbl_sites=
> # blacklists.
> b.barracudacentral.org*4
> bad.psky.me*4
> zen.spamhaus.org*4
> dnsbl.cobion.com*2
> bl.spameatingmonkey.net*2
> fresh.spameatingmonkey.net*2
> cbl.anti-spam.org.cn=127.0.8.2*2
> dnsbl.anonmails.de*2
> dnsbl.kempt.net*1
> dnsbl.inps.de*2
> bl.spamcop.net*2
> srn.surgate.net=127.0.0.2
> spam.dnsbl.sorbs.net*2
> rbl.rbldns.ru*2
> psbl.surriel.com*2
> bl.mailspike.net*2
> rep.mailspike.net=127.0.0.[13;14]*1
> bl.suomispam.net*2
> bl.blocklist.de*2
> ix.dnsbl.manitu.net*2
> dnsbl-2.uceprotect.net
> dnsbl.justspam.org=127.0.0.2*2
> all.s5h.net=127.0.0.2*2
> hostkarma.junkemailfilter.com=127.0.0.3
> hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
> # whitelists
> swl.spamhaus.org*-4
> list.dnswl.org=127.0.[0..255].[2;3]*-1
> rep.mailspike.net=127.0.0.[17;18]*-1
> rep.mailspike.net=127.0.0.[19;20]*-2
> hostkarma.junkemailfilter.com=127.0.0.1*-1
>
> So it counts how often an IP is listed in RBLs.
> *4 means it gets 4 points. So listed in Barracuda, psky or Spamhaus.. => drop. Picked up by fail2ban > into the firewall.
> This is reasonably optimized.
> Until today I have not seen one .. WannaCry or (what is the new one called?) email.
> Same for the proxy, added ICAP for scanning with YARA rules.
>
> For my PCs:
> Adobe: disable opening things from the internet, and disable JavaScript in Adobe.
> MS Office: disable macros, VBS.. aka all scripting you can disable.
> If a user needs it, open only that for that user (but use groups to set it up).
> Most users open documents from within browsers or mail apps; protect these locations.
> Article here: http://www.computerworld.com/article/2485214/microsoft-windows/cryptolocker-how-to-avoid-getting-infected-and-what-to-do-if-you-are.html
> Set your antivirus heuristic scanning to high; yes, you lose a bit of speed, but you choose what you want: security or extra work later..
> And users may NEVER EVER work with administrative rights.
> Supporting a home user: set up, explain, and tell them that if they change the rights, you won't fix it next time.
> Result: 90% fewer calls for support from home users, and 10% are in trouble, but I'm not fixing it .. again..
>
> And what I did for Samba: only upgrade to 4.5.10 or 4.6.5 and make my daily backups.
> Just go with the flow and don't use old, older and too old programs..
>
> ! Thing to remember: if a crypto hits you, it always hits the "recently opened" first.
> So a "Samba honeypot", well, I just don't like it, since that will hardly work.
>
> But above is just how "I" like my setups.
>
>
> Greetz,
>
> Louis
Thank you for what you do here with your postfix server. I learned a few
things that will help make mine better.
Trever
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> David Disseldorp via samba
>> Sent: Wednesday 28 June 2017 14:42
>> To: mj via samba
>> Subject: Re: [Samba] ransomware etc
>>
>> Hi,
>>
>> On Wed, 28 Jun 2017 11:08:11 +0200, mj via samba wrote:
>>
>>> Hi all,
>>>
>>> Just out of curiosity: is there anything we can do, on the
>>> samba side, to counter the recent ransomware attacks? (or limit the damage done)
>>>
>>> I'm thinking like: limit the number of files per second a client
>>> (workstation) is allowed to edit, or some other smart tricks..?
>>>
>>> It would be nice if samba could be an extra layer of defense.
>>>
>>> Something perhaps a vfs module could help with..?
>>>
>>> Anyone with tips, tricks, ideas?
>> Although not bulletproof, I'd suggest taking periodic
>> snapshots of the Samba share using Btrfs, LVM, ZFS, etc. This
>> will give you a read-only restore point, should clients start
>> misbehaving.
>>
>> With Btrfs you could use the Snapper VFS module to expose the
>> read-only snapshots to clients via the Windows Previous Versions UI.
>>
>> Cheers, David
>>
>
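Louis's postscreen_dnsbl_sites list above is a weighted vote across DNSBLs and allow-lists. As an added example (not from this thread and not Postfix's own code), the following Python scorer parses that entry syntax, including the optional `=d.d.d.d` reply filter with `[a;b]` lists and `[lo..hi]` ranges and the `*weight` suffix, and compares the summed score with postscreen_dnsbl_threshold. The DNSBL answers are a constructed dict rather than live DNS lookups, and counting each entry at most once is a simplification of postscreen's behaviour.

```python
"""Score an SMTP client against a postscreen_dnsbl_sites list (added example).

Entry syntax, as used by Postfix postscreen:  domain[=d.d.d.d][*weight]
Each octet of the optional filter may be a literal, a [lo..hi] range or a
[a;b;c] list; weight defaults to 1 and may be negative for allow-lists.
DNSBL answers are supplied as a dict here, so the script runs offline.
"""
import re

RANGE_RE = re.compile(r"^\[(\d+)\.\.(\d+)\]$")
LIST_RE = re.compile(r"^\[([\d;]+)\]$")
OCTET_RE = re.compile(r"\[[^\]]*\]|\d+")   # split a filter without breaking brackets

# Subset of the list quoted in the thread (blacklists, then whitelists).
SITES = [
    "b.barracudacentral.org*4",
    "zen.spamhaus.org*4",
    "dnsbl.cobion.com*2",
    "cbl.anti-spam.org.cn=127.0.8.2*2",
    "bl.spamcop.net*2",
    "srn.surgate.net=127.0.0.2",
    "rep.mailspike.net=127.0.0.[13;14]*1",
    "dnsbl-2.uceprotect.net",
    "hostkarma.junkemailfilter.com=127.0.0.3",
    "hostkarma.junkemailfilter.com=127.0.0.[2;4]*2",
    "swl.spamhaus.org*-4",
    "list.dnswl.org=127.0.[0..255].[2;3]*-1",
    "rep.mailspike.net=127.0.0.[17;18]*-1",
    "rep.mailspike.net=127.0.0.[19;20]*-2",
    "hostkarma.junkemailfilter.com=127.0.0.1*-1",
]
THRESHOLD = 4   # postscreen_dnsbl_threshold from the quoted config


def parse_site(spec):
    """Split 'domain=filter*weight' into (domain, filter_or_None, weight)."""
    head, _, weight = spec.partition("*")
    domain, _, addr_filter = head.partition("=")
    return domain, (addr_filter or None), (int(weight) if weight else 1)


def octet_matches(pattern, value):
    """Match one octet of a DNSBL answer against one filter octet."""
    m = RANGE_RE.match(pattern)
    if m:
        return int(m.group(1)) <= value <= int(m.group(2))
    m = LIST_RE.match(pattern)
    if m:
        return value in {int(x) for x in m.group(1).split(";")}
    return value == int(pattern)


def addr_matches(addr_filter, answer):
    """True when an answer such as '127.0.0.2' satisfies the entry's filter."""
    if addr_filter is None:
        return True                      # no filter: any listing counts
    pats = OCTET_RE.findall(addr_filter)
    vals = [int(o) for o in answer.split(".")]
    return len(pats) == len(vals) and all(
        octet_matches(p, v) for p, v in zip(pats, vals))


def dnsbl_score(sites, answers):
    """Sum the weights of all entries whose domain returned a matching answer.

    `answers` maps domain -> list of A records returned for the client; a
    missing domain means "not listed".  Simplification: each entry counts once.
    """
    score = 0
    for spec in sites:
        domain, addr_filter, weight = parse_site(spec)
        if any(addr_matches(addr_filter, a) for a in answers.get(domain, [])):
            score += weight
    return score


def postscreen_verdict(answers, sites=SITES, threshold=THRESHOLD):
    """Return (score, blocked); postscreen's threshold is an inclusive bound."""
    score = dnsbl_score(sites, answers)
    return score, score >= threshold


# Constructed DNSBL answers for four hypothetical clients (not real lookups).
CLIENTS = {
    "spamhaus-listed": {"zen.spamhaus.org": ["127.0.0.4"]},
    "mixed": {"bl.spamcop.net": ["127.0.0.2"],
              "list.dnswl.org": ["127.0.10.2"],
              "hostkarma.junkemailfilter.com": ["127.0.0.1"]},
    "two-weak-listings": {"dnsbl.cobion.com": ["127.0.0.2"],
                          "rep.mailspike.net": ["127.0.0.14"]},
    "hostkarma-black": {"hostkarma.junkemailfilter.com": ["127.0.0.2"],
                        "dnsbl-2.uceprotect.net": ["127.0.0.2"],
                        "srn.surgate.net": ["127.0.0.2"]},
}

if __name__ == "__main__":
    for name, answers in CLIENTS.items():
        score, blocked = postscreen_verdict(answers)
        print(f"{name:18s} score={score:+d} {'BLOCK' if blocked else 'pass'}")
```

The "mixed" client shows why the allow-list entries matter: a single spamcop listing (+2) is cancelled by dnswl and hostkarma reputation (-1 each), so the client passes. Note that a score at or above the threshold only has an effect once postscreen_dnsbl_action is set to enforce or drop; the default action is ignore.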
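mj's question about limiting how many files per second a workstation may edit can be approached on the detection side with Samba's own audit trail. As an added example (not from this thread and not a Samba module), the following Python script reads vfs_full_audit log lines and flags a client that performs more than a configured number of write-class operations inside a sliding window. It assumes the pipe-separated layout produced by `full_audit:prefix = %u|%I|%m|%S` with `full_audit:success = rename unlink pwrite`, assumes the syslog year is 2017, and uses constructed sample lines rather than a real log.

```python
"""Burst detection over Samba vfs_full_audit log lines (added example).

Assumed log layout (full_audit:prefix = %u|%I|%m|%S):
  <syslog ts> <host> smbd_audit: user|ip|machine|share|op|status|path[|path2]
A (user, ip) pair that performs more than MAX_OPS write-class operations
within WINDOW seconds is reported once.  The sample log is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW = 10            # seconds of history kept per client
MAX_OPS = 20           # write-class ops tolerated inside WINDOW
WRITE_OPS = {"rename", "unlink", "pwrite"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: "
    r"(?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<machine>[^|]*)\|(?P<share>[^|]*)"
    r"\|(?P<op>[^|]*)\|(?P<status>[^|]*)\|(?P<rest>.*)$")


def parse_line(line, year=2017):
    """Parse one audit line into a dict, or None if it is not an audit line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "op": m["op"],
            "status": m["status"], "path": m["rest"]}


def detect_bursts(lines, window=WINDOW, max_ops=MAX_OPS):
    """Return [(user, ip, first_alert_time, ops_in_window), ...]."""
    recent = defaultdict(deque)        # (user, ip) -> timestamps of write ops
    flagged, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["op"] not in WRITE_OPS or ev["status"] != "ok":
            continue
        key = (ev["user"], ev["ip"])
        q = recent[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window:   # drop old entries
            q.popleft()
        if len(q) > max_ops and key not in flagged:
            flagged.add(key)
            alerts.append((ev["user"], ev["ip"], ev["ts"], len(q)))
    return alerts


def _line(sec, user, ip, op, status, path):
    """Build one constructed audit line at 11:08:<sec> on Jun 28."""
    return (f"Jun 28 11:08:{sec:02d} fileserver smbd_audit: "
            f"{user}|{ip}|ws|data|{op}|{status}|{path}")


# Constructed sample: bob edits a few files over a minute, alice renames
# 25 documents within three seconds (the pattern mj's question targets).
SAMPLE_LOG = (
    [_line(i * 10, "bob", "192.0.2.11", "pwrite", "ok", f"docs/memo{i}.txt")
     for i in range(5)]
    + [_line(i // 10, "alice", "192.0.2.10", "rename", "ok",
             f"reports/r{i}.docx|reports/r{i}.docx.locked")
       for i in range(25)]
    + ["Jun 28 11:08:05 fileserver sshd[1]: unrelated line is ignored"]
)

if __name__ == "__main__":
    for user, ip, ts, n in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {ts:%H:%M:%S} {user}@{ip}: {n} write ops in {WINDOW}s")
```

A real deployment would feed this from the syslog stream and act on the alert (for example by disconnecting the session with smbcontrol or blocking the client address), and would tune WINDOW and MAX_OPS against the share's normal traffic so that legitimate bulk operations such as a build or a backup job do not trip it.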