[Samba] samba file access rate limiting

Petr info at admin.jevklidu.cz
Wed Dec 7 11:56:39 UTC 2022



On 06. 12. 22 at 19:01, Rowland Penny via samba wrote:
> 
> 
> On 06/12/2022 17:45, Jeremy Allison via samba wrote:
>> On Tue, Dec 06, 2022 at 01:44:09PM +0100, Petr via samba wrote:
>>> Hello,
>>>
>>> I have one share with sensitive data and there are many employees with 
>>> access to that share. I need to ban users trying to copy files from the 
>>> share to another place, but leave users normally editing files without 
>>> any restriction.
>>>
>>> I want to set proper logging and set fail2ban to ban user accessing 
>>> too many files in some time limit.
>>>
>>> I have not found a solution for how to set samba to log every file access. 
>>> The current configuration snippet is below.
>>>
>>> vfs objects = full_audit
>>> full_audit:prefix = %u|%I
>>> full_audit:success = create_file
>>>
>>> The problem is that it logs directory access too and sometimes it 
>>> generates many duplicate lines and it will be hard to define a correct 
>>> regex for fail2ban.
>>>
>>> Do you have any advice how to properly set file reading logging?
>>
>> How can you tell the difference between users copying
>> files and users who are editing in place ?
>>
>> I must confess I can't see how you're going to do
>> this even with perfect logging. Doesn't it depend
>> on the editor the clients are using too ?
>>
>> Can you explain a little more ?
> 
> I wondered about this and my first thought was:
> 
> What is to stop someone with 'access' permissions opening a file and 
> then saving a copy locally ?
> 
> If a user can read it, they can copy it, so the first thing to do is, 
> restrict who can access the share.
> 
> You do not need fail2ban, you just need to deny access to those who 
> cannot edit the files. You can also choose what operations are logged by 
> vfs_full_audit, try reading its manpage.
> 
> Rowland
> 

The idea is simple but may not be correct. If anyone opens 1 file in a samba 
share, one OPEN event is logged and it is OK. If anyone copies a whole 
directory with 100 files, then 100 events are logged and if, for example, 
the limit is set to 60/minute....he will be banned.

The idea is to ban massive actions like copying whole share or some part 
of it.

Petr
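
The rate rule described in the message above, as an added example that is not part of the original thread: it counts distinct non-directory `create_file` lines per user and address in a sliding window, which sidesteps the directory entries and duplicate lines mentioned in the first message. The syslog timestamp, host name `fs1`, the field layout after the `%u|%I` prefix, and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed layout (ISO syslog timestamp, then full_audit fields with prefix %u|%I):
#   <time> <host> smbd_audit: user|ip|create_file|ok|<mask>|file-or-dir|<disposition>|path
LINE = re.compile(
    r"^(?P<ts>\S+) \S+ smbd_audit: (?P<user>[^|]*)\|(?P<ip>[^|]*)\|create_file\|ok\|"
    r"(?P<mask>0x[0-9a-fA-F]+)\|(?P<kind>file|dir)\|(?P<disp>[^|]*)\|(?P<path>.*)$"
)

def bulk_readers(lines, limit=60, window=60.0):
    """Return {(user, ip): timestamp at which more than `limit` distinct
    files had been opened within `window` seconds}."""
    recent = defaultdict(deque)   # (user, ip) -> (time, path) pairs inside the window
    flagged = {}
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if not m or m["kind"] == "dir":      # skip directory opens and unrelated lines
            continue
        key = (m["user"], m["ip"])
        now = datetime.fromisoformat(m["ts"]).timestamp()
        q = recent[key]
        while q and now - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if any(p == m["path"] for _, p in q):  # repeated line for one file counts once
            continue
        q.append((now, m["path"]))
        if len(q) > limit and key not in flagged:
            flagged[key] = m["ts"]
    return flagged

def sample_log():
    """Constructed sample: alice opens 3 files over 40 s (each logged 4 times,
    plus directory opens); bob opens 100 different files within 50 s."""
    def line(sec, user, ip, kind, path):
        ts = f"2022-12-07T11:{sec // 60:02d}:{sec % 60:02d}+00:00"
        return f"{ts} fs1 smbd_audit: {user}|{ip}|create_file|ok|0x120089|{kind}|open|{path}"
    out = []
    for i in range(3):
        out += [line(i * 20, "alice", "192.0.2.10", "file", f"docs/a{i}.odt")] * 4
        out.append(line(i * 20, "alice", "192.0.2.10", "dir", "docs"))
    for i in range(100):
        out.append(line(i // 2, "bob", "192.0.2.20", "file", f"docs/b{i}.odt"))
    return out

if __name__ == "__main__":
    print(bulk_readers(sample_log()))
```

Because the count is of distinct paths, an editor that reopens the same document many times stays under the limit, while a directory copy does not.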


