John Schmerold
2016-Mar-10 13:26 UTC
[Samba] [ISC Crosspost] Novel method for slowing down Locky on Samba server using fail2ban
From: bounces at isc.sans.edu
To: sbradcpa at pacbell.net <sbradcpa at pacbell.net>

Novel method for slowing down Locky on Samba server using fail2ban
https://isc.sans.edu/diary.html?n&storyid=20805
http://www.heise.de/security/artikel/Erpressungs-Trojaner-wie-Locky-aussperren-3120956.html

Google Translate version of the above:

If you teach the Samba server to log write and rename actions, you can set fail2ban on Locky's activity and shut out infected computers before they can do great harm. Put the following lines in /etc/samba/smb.conf in the [global] section:

    full_audit:failure = none
    full_audit:success = pwrite write rename
    full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
    full_audit:facility = local7
    full_audit:priority = NOTICE

and in every [volume] that is to be monitored:

    vfs objects = full_audit

This leads to lines like these in the log:

    2016-02-29T11:07:36.162528+01:00 hort smbd_audit: IP=1.2.3.4|USER=dha|MACHINE=win7dha|VOLUME=dha|pwrite|ok|bla/Q-Dir_Installer.zip
    2016-02-29T11:08:43.945654+01:00 hort smbd_audit: IP=1.2.3.4|USER=dha|MACHINE=win7dha|VOLUME=dha|pwrite|ok|bla/ganzböserverschlüsselungstrojaner.locky

apt-get install fail2ban, with the filter definition in /etc/fail2ban/filter.d/samba.conf as:

    [Definition]
    failregex = smbd.*\:\ IP=<HOST>\|.*\.locky$
                smbd.*\:\ IP=<HOST>\|.*_Locky_recover_instructions\.txt$
    ignoreregex =

This triggers on the typical Locky file extension .locky and on the ransom note _Locky_recover_instructions.txt. It can easily be extended to files typical of other ransomware. When adding new patterns you have to mind the indentation; fail2ban is a Python script and correspondingly fussy about leading spaces and tabs. It becomes difficult with extensions like .mp3, as used by the latest TeslaCrypt version 3: you have to decide whether you would rather have music files on the server or be locked out by fail2ban as Admin.

Arm the filter with a config file named samba.conf in /etc/fail2ban/jail.d/:

    [samba]
    filter = samba
    enabled = true
    action = iptables-multiport[name=samba, port="135,139,445,137,138", protocol=tcp]
             mail[name=samba, dest=admin@MYDOMAIN.DE]
    logpath = /var/log/syslog
    maxretry = 1       # block after the first attempt
    findtime = 600     # always look at the last 10 minutes
    bantime = 86400    # 24 hour ban

This ensures that a Locky-infected client is disconnected via iptables for 24 hours and the Admin is notified by mail.
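The filter and jail described above, replayed over constructed smbd_audit lines so the matching and counting can be seen end to end. This is an added example, not code from the ISC diary, the heise article, fail2ban or Samba: the log lines, hosts and user names are made up, the `<HOST>` tag is replaced by a simplified capture group rather than fail2ban's real expansion, the maxretry/findtime/bantime counting is an approximation of fail2ban's semantics, and the extra `.mp3` rule is a hypothetical pattern included only to show why the article calls such extensions difficult to filter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of smbd_audit syslog lines in the format produced by the
# full_audit prefix "IP=%I|USER=%u|MACHINE=%m|VOLUME=%S" (hosts, users and
# file names are made up; this is not captured traffic).
SAMPLE_LOG = """\
2016-02-29T11:07:36.162528+01:00 hort smbd_audit: IP=10.0.0.5|USER=dha|MACHINE=win7dha|VOLUME=dha|pwrite|ok|bla/Q-Dir_Installer.zip
2016-02-29T11:08:43.945654+01:00 hort smbd_audit: IP=10.0.0.5|USER=dha|MACHINE=win7dha|VOLUME=dha|pwrite|ok|bla/report.locky
2016-02-29T11:08:44.000000+01:00 hort smbd_audit: IP=10.0.0.5|USER=dha|MACHINE=win7dha|VOLUME=dha|pwrite|ok|bla/_Locky_recover_instructions.txt
2016-02-29T11:09:01.000000+01:00 hort smbd_audit: IP=10.0.0.9|USER=bob|MACHINE=win10bob|VOLUME=bob|rename|ok|docs/a.docx|docs/a.locky.bak
2016-02-29T11:10:00.000000+01:00 hort smbd_audit: IP=10.0.0.7|USER=eve|MACHINE=pc7|VOLUME=eve|rename|ok|music/song.mp3|music/song.locky
2016-02-29T11:11:00.000000+01:00 hort smbd_audit: IP=10.0.0.11|USER=kim|MACHINE=pc11|VOLUME=kim|pwrite|ok|music/legit.mp3
"""

# Simplified stand-in for fail2ban's <HOST> tag: capture everything up to the
# next '|' (fail2ban's own expansion is more elaborate; this is an assumption).
HOST = r"(?P<host>[^|\s]+)"

# The two failregex lines from the samba.conf filter, with <HOST> expanded.
LOCKY_PATTERNS = [
    re.compile(r"smbd.*\:\ IP=" + HOST + r"\|.*\.locky$"),
    re.compile(r"smbd.*\:\ IP=" + HOST + r"\|.*_Locky_recover_instructions\.txt$"),
]

# Hypothetical extra rule for a TeslaCrypt-3-style ".mp3" extension; it is
# not part of the article's filter and is used only to show the false positive.
MP3_PATTERN = re.compile(r"smbd.*\:\ IP=" + HOST + r"\|.*\.mp3$")


def match_failregex(line, patterns=LOCKY_PATTERNS):
    """Return the host captured by the first matching pattern, or None."""
    for pat in patterns:
        m = pat.search(line)
        if m:
            return m.group("host")
    return None


def parse_timestamp(line):
    """The timestamp is the first whitespace-separated field (RFC 3339 style)."""
    return datetime.fromisoformat(line.split(" ", 1)[0])


def evaluate_jail(log_text, patterns=LOCKY_PATTERNS, maxretry=1, findtime=600, bantime=86400):
    """Replay the log through the jail's counting rules (approximation).

    A host is banned once it has at least `maxretry` matching lines within
    `findtime` seconds; the ban lasts `bantime` seconds from the triggering
    line. Returns {host: ban_expiry_datetime}.
    """
    recent = defaultdict(list)   # host -> timestamps of matches inside findtime
    bans = {}
    for line in log_text.splitlines():
        host = match_failregex(line, patterns)
        if host is None:
            continue
        ts = parse_timestamp(line)
        window = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in bans:
            bans[host] = ts + timedelta(seconds=bantime)
    return bans


if __name__ == "__main__":
    locky_only = evaluate_jail(SAMPLE_LOG)
    for host, until in sorted(locky_only.items()):
        print(f"ban {host} until {until.isoformat()}")
    widened = evaluate_jail(SAMPLE_LOG, LOCKY_PATTERNS + [MP3_PATTERN])
    print("additionally banned by the .mp3 rule:", sorted(set(widened) - set(locky_only)))
```

Two things worth noticing when running it: the `$` anchor means `docs/a.locky.bak` (a rename whose target merely contains `.locky`) is not matched, so bob's host stays unbanned; and adding the `.mp3` rule bans kim, who only wrote an ordinary music file, which is exactly the trade-off the article describes for TeslaCrypt's extension.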