Hi All, Is there anything in Samba that will help protect against ransomware? -T -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Computers are like air conditioners. They malfunction when you open windows ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hello, ToddAndMargo, you wrote on 15.05.16:
> Is there anything in Samba that will help protect
> against ransomware?
The Linux principle is "one job - one tool". Antivirus software exists. It doesn't help against really new malware, it doesn't help against "social engineering", it doesn't help against a bona fide user. Perhaps "ClamAV" may fulfill some of your wishes. Best regards! Helmut
On Sat, 2016-05-14 at 22:42 -0700, ToddAndMargo wrote:> Hi All, > > Is there anything in Samba that will help protect > against ransomware?I've not had to look into this properly, but I would suggest that regular and genuinely offline backups and regular Read Only snapshots. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
I had to deal with ransomware at the end of April. One of the PCs on my customer's network was infected by opening a realistic-looking email, apparently from a genuine supplier to the company and personally addressed. The infection occurred on Wednesday, but encryption of the server only took place late on Friday afternoon, presumably having obtained encryption keys from the criminals. The malware did not encrypt documents on the infected PC, but documents and spreadsheets in every folder on the samba shares were encrypted.

Fortunately the backup to rdx disk was working (on my previous visit to the customer the backup had NOT been working and nobody had noticed!). I used linux 'cp -npr' to restore missing files and

find / -name "*.crypt" -type f -delete [deletes all files *.crypt]
find / -name "*de-crypt*" -type f -delete [deletes ransom message from every directory which had contained encrypted files]

The answer to the question is take extreme care with incoming emails and always make sure the backups are working.

Peter

On 15 May 2016 at 21:00, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sat, 2016-05-14 at 22:42 -0700, ToddAndMargo wrote:
> > Hi All,
> >
> > Is there anything in Samba that will help protect
> > against ransomware?
>
> I've not had to look into this properly, but I would suggest that
> regular and genuinely offline backups and regular Read Only snapshots.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 05/15/2016 01:00 PM, Andrew Bartlett wrote:> On Sat, 2016-05-14 at 22:42 -0700, ToddAndMargo wrote: >> Hi All, >> >> Is there anything in Samba that will help protect >> against ransomware? > > I've not had to look into this properly, but I would suggest that > regular and genuinely offline backups and regular Read Only snapshots. > > Andrew Bartlett >On linux, I do xfsdump's and rotate several full backups. I also leave the drives unmounted when not in use. Ransomware is only dangerous where they can find a drive letter. I am trying to get a few of my Windows clients to back up to a Linux ftp server (no drive letters). Must have several rotations of data though. I do not like incremental backups, especially when I have all night to run a backup. And single Windows workstations to back up to an ext4 drive with four revolving partitions, so that only one drive letter is exposed at a time. Ext4 to screw with ransomware minds if they ever figure out how to attack hidden drives in Windows.
I'm jumping in here late. There's been a lot of good suggestions already. Something I haven't seen mentioned is rsnapshot. The solution to ransomware like this is a good solid backup regimen and rsnapshot can be part of that.

rsnapshot is open source and based on rsync. It requires a unix filesystem that supports hardlinks. It works on making a complete snapshot of the file system every 'n' periods; you specify how frequently. The cool thing about rsnapshot is that while every snapshot is a full backup, each snapshot only has the file deltas. So snapshots don't consume huge amounts of space. You can likely also get statistics on how many files changed between each snapshot. If you ever notice a larger than normal number of deltas you can look further to see if something is making mass changes of things. If you see more than X number of deltas, it could send an alert.

On the commercial software side of things, services like Crashplan and Carbonite and others provide point in time restores.

On Sat, May 14, 2016 at 10:42 PM, ToddAndMargo <ToddAndMargo at zoho.com> wrote:
> Hi All,
>
> Is there anything in Samba that will help protect
> against ransomware?
>
> -T
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Computers are like air conditioners.
> They malfunction when you open windows
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--
David Bear
mobile: (602) 903-6476
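The "count the deltas between snapshots and alert past a threshold" idea above, worked through as an added example that is not part of the original post or of rsnapshot itself. It relies on the property the post describes: rsnapshot hardlinks unchanged files between snapshots, so two snapshot directories can be diffed by inode without reading file contents. The snapshot names (daily.0, daily.1), the root path and the threshold are assumptions chosen for illustration, and `find -printf` is GNU find.

```shell
#!/bin/sh
# Added example, not code from the original thread or from rsnapshot.
# Flag a snapshot that differs from its predecessor in an unusually large
# number of files. rsnapshot hardlinks unchanged files between snapshots
# (cp -al / rsync --link-dest), so a path whose inode differs between two
# snapshots was rewritten, and a path present in only one of them was
# added or deleted. Ransomware that rewrites every document and drops a
# ransom note in every directory produces a spike in exactly these counts.
# Assumed layout: ROOT/daily.0 (newest) and ROOT/daily.1 (previous).

# count_changed OLD NEW: print the number of relative paths that were
# added, deleted or rewritten between two snapshot directories.
count_changed() {
    old=$1
    new=$2
    tmp=$(mktemp -d) || return 1
    # one "inode<TAB>relative path" line per regular file (GNU find)
    (cd "$old" && find . -type f -printf '%i\t%p\n') > "$tmp/old"
    (cd "$new" && find . -type f -printf '%i\t%p\n') > "$tmp/new"
    # identical lines mean the same inode at the same path, i.e. the file
    # is a hardlink shared by both snapshots and was not changed; uniq -u
    # keeps only the non-matching lines, and sort -u on the path column
    # counts a rewritten file once even though it appears with two inodes
    n=$(sort "$tmp/old" "$tmp/new" | uniq -u | cut -f2 | sort -u | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$n"
}

# check_latest ROOT THRESHOLD: compare ROOT/daily.0 against ROOT/daily.1,
# print the delta, and return non-zero when it exceeds THRESHOLD so a cron
# job or an rsnapshot cmd_postexec hook can mail an alert.
check_latest() {
    root=$1
    threshold=$2
    [ -d "$root/daily.0" ] && [ -d "$root/daily.1" ] || {
        echo "need $root/daily.0 and $root/daily.1" >&2
        return 2
    }
    n=$(count_changed "$root/daily.1" "$root/daily.0")
    echo "$n"
    [ "$n" -le "$threshold" ]
}

# stand-alone use: check_deltas.sh /srv/rsnapshot 500
if [ $# -eq 2 ]; then
    if check_latest "$1" "$2"; then
        echo "OK: delta within threshold"
    else
        echo "ALERT: mass change between $1/daily.1 and $1/daily.0" >&2
        exit 1
    fi
fi
```

The threshold has to be tuned per site (a normal day on a busy share changes far more files than a quiet one), and the check only fires after the bad snapshot has been taken, so it is a detection aid for deciding which snapshot to restore from, not a way to stop the encryption. Pick the threshold from a few weeks of normal deltas before trusting the alert.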
Would something like this help? I put a bunch of junk pictures and other files in a samba share that everyone has access to. If I modify them in any way, I get warned. I was thinking it might warn me so I could prevent it spreading to backups.

#!/bin/sh
# canary directory: nobody should ever write here, so any modify event is suspect
MY_EMAIL="some at email.com"
MY_DIR=/home/shared_to_everyone_via_samba/pictures_for_test_sub_folder

# -q quiet, -r recursive, -e modify: block until a file under $MY_DIR is written to
while inotifywait -qre modify "$MY_DIR"; do
    #play a sound on server
    play -v .3 /home/warning.wav
    #send an email
    mail -s "Possible malware" "$MY_EMAIL" </home/warning.txt
done
On Sun, May 15, 2016 at 7:07 AM, Helmut Hullen <Hullen at t-online.de> wrote:
> Hello, ToddAndMargo,
>
> you wrote on 15.05.16:
>
>> Is there anything in Samba that will help protect
>> against ransomware?
>
> The linux principle is "one job - one tool". Antivirus software exists.
> It doesn't help against really new malware, it doesn't help against
> "social engineering", it doesn't help against a bona fide user.

It was a basic UNIX principle, back in BSD when I first encountered it. It's not always followed: witness "systemd" and "gnome".

Samba has some advantages. If the core file server is Linux or UNIX, it can be much faster and cheaper to make regular snapshots of your filesystem and write them to a basically read-only structure, running on Linux or UNIX. Much, much, much cheaper than trying to run Windows based backup software: just getting read access to "open" files, such as the user's mailbox files that are the most important files to back up on their whole system, can be a nightmare requiring serious privilege escalation that the local users should *not* need to do.

File system snapshot tools like LVM snapshots, or the more sophisticated snapshots of ZFS or of a backend NetApp, can also be invaluable. Those can also often be made accessible by Samba as read-only CIFS shares, for people to recover their own files. It's invaluable for people not to have to bother their local sysadmin to get last night's copy of the files they just accidentally deleted. They will appreciate your thoughtfulness, and you can get back to playing Minecraft.

If you're on a budget, tools like the venerable "rsnapshot" perl script, writing to cheap local storage, can provide similar capabilities with the added expense in resources of rsnapshot having to actually scan and rsync against the filesystems it is backing up, and having to be *very careful* to expose the backups as read-only. That exposure of backups can be via CIFS using Samba, or even via NFS.
Since rsnapshot relies on hardlinks among the snapshots, if you corrupt one, you've potentially corrupted them all, and you *never* want to expose those backups to ordinary userland.

Does Samba provide some subtle brilliance to block ransomware from being able to act at all? Not really, no. The CIFS network file system for providing authorized access to data doesn't *analyze* the requests to read or write data to files for their legitimacy or lack of malice: that's a job for the client side, for the virus scanners or security on the client side. If Samba started trying to say "I smell a witch!!!" based on the transformation of data requested..... oh, dear lord, that could get very resource intensive and very, very messy.

> Perhaps "ClamAV" may fulfill some of your wishes.
>
> Best regards!
> Helmut

That's a related, but distinct, problem. ClamAV has limits: constantly morphing attack binaries, and the use of encrypted zip files with "use this password", make such attacks more and more difficult to pre-analyze.
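The "expose filesystem snapshots through Samba as read-only shares so users recover their own files" setup described in the post above, as an added smb.conf example that is not part of the original thread. It uses Samba's shadow_copy2 VFS module, which presents snapshot directories to Windows clients as "Previous Versions". The share paths, the snapshot directory and the snapshot naming are assumptions; what is assumed about the snapshots is that something outside Samba (ZFS, LVM, a NetApp, or rsnapshot followed by a read-only bind mount) creates them under /srv/snapshots with names of the form @GMT-YYYY.MM.DD-HH.MM.SS, the format shadow_copy2 expects by default.

```ini
; Added example, not from the original thread or the Samba project docs.
; Assumed layout: live data in /srv/samba/shared, snapshots of that tree
; mounted read-only under /srv/snapshots/@GMT-2016.05.15-23.00.00/...

[shared]
   path = /srv/samba/shared
   read only = no
   ; Previous Versions: Samba only ever reads from the snapshot directory
   vfs objects = shadow_copy2
   shadow:snapdir = /srv/snapshots
   shadow:basedir = /srv/samba/shared
   shadow:format = @GMT-%Y.%m.%d-%H.%M.%S
   shadow:sort = desc

; Optional: the same snapshots browsable as a plain share for clients
; without a Previous Versions UI. Share-level "read only" stops SMB
; clients from writing, nothing more.
[snapshots]
   path = /srv/snapshots
   read only = yes
   browseable = yes
```

Two checks a practitioner wants before relying on this: run `testparm` after editing so a typo in the snapshot format does not silently produce an empty Previous Versions list, and make sure the snapshot directories are read-only at the filesystem level (ZFS snapshots are by construction; an LVM snapshot should be mounted with `-o ro`, an rsnapshot tree bind-mounted read-only). The `read only = yes` on the share protects only against SMB clients; a compromised process on the server itself is bound by the mount, not by smb.conf. A read-only snapshot share is a recovery aid, and as the post says, it does nothing to stop the encryption of the live share in the first place.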