Hi all,

Just out of curiosity: is there anything we can do, on the samba side, to counter the recent ransomware attacks? (or limit the damage done)

I'm thinking like: limit the number of files per second a client (workstation) is allowed to edit, or some other smart tricks..?

It would be nice if samba could be an extra layer of defense.

Something perhaps a vfs module could help with..?

Anyone with tips, tricks, ideas?

MJ
On 06/28/2017 11:08 AM, mj via samba wrote:
> Anyone with tips, tricks, ideas?

I am now looking into this: https://github.com/CanaryTek/ransomware-samba-tools

Interesting approach with full_audit and fail2ban.

MJ
28.06.2017 13:08, mj via samba wrote:
> Something perhaps a vfs module could help with..?
>
> Anyone with tips, tricks, ideas?

Use antivirus. (vfs module, for example drweb antivirus)

--
Administrator
On 28.06.2017 at 11:08, mj via samba wrote:
> Just out of curiosity: is there anything we can do, on the samba side,
> to counter the recent ransomware attacks? (or limit the damage done)
>
> I'm thinking like: limit the number of files per second a client
> (workstation) is allowed to edit, or some other smart tricks..?

That would break normal use cases like replacing a folder with thousands of files with an older version, especially on fast networks.
On 06/28/2017 01:33 PM, Reindl Harald via samba wrote:
> that would break normal use cases like replacing a folder with thousands of
> files with an older version, especially on fast networks

True. That's why I'm asking here for (better) ideas. And I posted one idea I found (the ransomware-samba-tools link earlier) already, but I'm just trying to get some dialogue / brainstorming going on here... :-)

MJ
Hi,

On Wed, 28 Jun 2017 11:08:11 +0200, mj via samba wrote:
> Hi all,
>
> Just out of curiosity: is there anything we can do, on the samba side,
> to counter the recent ransomware attacks? (or limit the damage done)
>
> I'm thinking like: limit the number of files per second a client
> (workstation) is allowed to edit, or some other smart tricks..?
>
> It would be nice if samba could be an extra layer of defense.
>
> Something perhaps a vfs module could help with..?
>
> Anyone with tips, tricks, ideas?

Although not bulletproof, I'd suggest taking periodic snapshots of the Samba share using Btrfs, LVM, ZFS, etc. This will give you a read-only restore point, should clients start misbehaving.

With Btrfs you could use the Snapper VFS module to expose the read-only snapshots to clients via the Windows Previous Versions UI.

Cheers, David
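One concrete way to get the read-only restore points David describes, as an added example that is not part of the thread and not David's or Samba's own code: a small Python helper that takes read-only btrfs snapshots under the names Samba's shadow_copy2 module (an alternative to vfs_snapper that needs no snapper/DBus) recognises, so they appear in the Windows Previous Versions tab, and prunes the oldest ones. Assumptions, also marked in the code: the share path /srv/docs is a btrfs subvolume, a plain directory .snapshots exists inside it, the smb.conf fragment in the comment is in place, and the "existing" snapshot list and the clock value are constructed sample data.

```python
"""Read-only btrfs snapshots named the way Samba's shadow_copy2 expects (added example)."""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Assumed smb.conf for the share (not from the thread). shadow_copy2 lists
# the entries of <share>/.snapshots whose names match shadow:format.
#   [docs]
#       path = /srv/docs
#       vfs objects = shadow_copy2
#       shadow:snapdir = .snapshots
#       shadow:format = @GMT-%Y.%m.%d-%H.%M.%S
SHARE = "/srv/docs"       # assumed: a btrfs subvolume
SNAPDIR = ".snapshots"    # assumed: a plain directory inside the subvolume
SNAP_FORMAT = "@GMT-%Y.%m.%d-%H.%M.%S"   # shadow_copy2's default shadow:format, in UTC
SNAP_RE = re.compile(r"^@GMT-\d{4}\.\d{2}\.\d{2}-\d{2}\.\d{2}\.\d{2}$")

# Constructed sample data standing in for datetime.now() and os.listdir().
EXAMPLE_NOW = datetime(2017, 6, 28, 12, 0, 0, tzinfo=timezone(timedelta(hours=2)))  # 12:00 CEST
EXAMPLE_EXISTING = ["@GMT-2017.06.27-10.00.00", "@GMT-2017.06.27-09.00.00", "lost+found"]


def snapshot_name(now):
    """Snapshot name for an aware datetime. The time is converted to UTC first,
    because shadow_copy2 reads @GMT-... names as UTC unless shadow:localtime is set."""
    return now.astimezone(timezone.utc).strftime(SNAP_FORMAT)


def snapshot_time(name):
    """Inverse of snapshot_name; None for directory entries that are not snapshots."""
    if not SNAP_RE.match(name):
        return None
    return datetime.strptime(name, SNAP_FORMAT).replace(tzinfo=timezone.utc)


def plan(existing, now, keep=48, share=SHARE, snapdir=SNAPDIR):
    """Commands for one run: create a read-only snapshot, then delete the oldest
    snapshots beyond `keep`. The -r flag matters: a client that can write to the
    share must not be able to encrypt the restore points as well."""
    if keep < 1:
        raise ValueError("keep must be >= 1")
    new = snapshot_name(now)
    cmds = [["btrfs", "subvolume", "snapshot", "-r", share, f"{share}/{snapdir}/{new}"]]
    names = sorted(n for n in existing if snapshot_time(n))  # zero-padded: lexical == chronological
    names.append(new)
    for old in names[:-keep]:
        cmds.append(["btrfs", "subvolume", "delete", f"{share}/{snapdir}/{old}"])
    return cmds


def main(argv):
    # Print the plan; only touch the filesystem when --apply is given (run as root via cron).
    for cmd in plan(EXAMPLE_EXISTING, EXAMPLE_NOW, keep=2):
        print(" ".join(cmd))
        if "--apply" in argv:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it hourly from cron with --apply (after replacing the constructed EXAMPLE_* values with datetime.now(timezone.utc) and os.listdir of the snapshot directory); if the names match shadow:format exactly, Windows clients see each snapshot as a Previous Version of the share without any client-side setup.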
IMO,

First secure your entry points.. Mail webserver and proxy and the exit points. ( your users environment in my case windows 7/10 desktops.)

I'm waiting until trevor has the antivirus vfs ready for samba 4.
@David Disseldrop, you know the status about that, since it was your call to get it in samba. ;-)
(https://github.com/fumiyas/samba-virusfilter/issues/23)
I've seen good work but it stopped.. :(
I .. wannacry .. :-))

If you set up your mail server to respect servers set up conform RFC, your spam will drop at least 70%-90%
Saving you lots of cpu time. Now I use postfix with its postscreen, clamav with yara rules for antivirus.
(https://virustotal.github.io/yara/)

And a postfix with postscreen setup, something like this.

    postscreen_access_list =
        permit_mynetworks,
        cidr:/etc/postfix/cidr/postscreen_whitelist_access.cidr,
        # https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre
        pcre:/etc/postfix/pcre/fqrdns-max.pcre,
        pcre:/etc/postfix/pcre/fqrdns-plus.pcre,
        pcre:/etc/postfix/pcre/fqrdns.pcre,

    postscreen_dnsbl_threshold = 4

    postscreen_dnsbl_sites =
        # blacklists.
        b.barracudacentral.org*4
        bad.psky.me*4
        zen.spamhaus.org*4
        dnsbl.cobion.com*2
        bl.spameatingmonkey.net*2
        fresh.spameatingmonkey.net*2
        cbl.anti-spam.org.cn=127.0.8.2*2
        dnsbl.anonmails.de*2
        dnsbl.kempt.net*1
        dnsbl.inps.de*2
        bl.spamcop.net*2
        srn.surgate.net=127.0.0.2
        spam.dnsbl.sorbs.net*2
        rbl.rbldns.ru*2
        psbl.surriel.com*2
        bl.mailspike.net*2
        rep.mailspike.net=127.0.0.[13;14]*1
        bl.suomispam.net*2
        bl.blocklist.de*2
        ix.dnsbl.manitu.net*2
        dnsbl-2.uceprotect.net
        dnsbl.justspam.org=127.0.0.2*2
        all.s5h.net=127.0.0.2*2
        hostkarma.junkemailfilter.com=127.0.0.3
        hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
        # whitelists
        swl.spamhaus.org*-4
        list.dnswl.org=127.0.[0..255].[2;3]*-1
        rep.mailspike.net=127.0.0.[17;18]*-1
        rep.mailspike.net=127.0.0.[19;20]*-2
        hostkarma.junkemailfilter.com=127.0.0.1*-1

So it counts how often an ip is listed in rbls.
*4 means it gets 4 points. So listed in barracuda, psky or spamhaus.. => drop.
Picked up by fail2ban > in firewall.
This is reasonably optimized.
Until today I have not seen 1 .. Wannacry or (how is the new one called.) email.
Same for the proxy, added icap for scanning with yara rules.

For my pc's.
Adobe, disable opening things from the internet, and disable javascript in adobe.
MS Office, disable macros, vbs.. Aka all scripting you can disable.
If a user needs it, open only that for that user ( but use groups to set it up )
Most users open documents from within browsers or mail apps, protect these locations.
article here : http://www.computerworld.com/article/2485214/microsoft-windows/cryptolocker-how-to-avoid-getting-infected-and-what-to-do-if-you-are.html
Set your antivirus heuristic scanning to high, yes you lose a bit of speed, but you choose what you want. Security or extra work later..
And users may NEVER EVER work with Administrative rights.
Supporting a home user, set up, explain, and tell them if they change the rights, you won't fix it next time.
Result, 90% less calls for support from home users and 10% is in trouble but, I'm not fixing it .. Again..

And what I did for samba, only upgrade to 4.5.10 or 4.6.5 and make my daily backups.
Just go with the flow and don't use old, older and too old programs..

! Thing to remember, if a crypto hits you, it always hits the "recently opened" first.
So a "samba honeypot", well, I just don't like it, since that will hardly work.

But above is just how "I" like my setups.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of David Disseldorp via samba
> Sent: Wednesday 28 June 2017 14:42
> To: mj via samba
> Subject: Re: [Samba] ransomware etc
>
> Hi,
>
> On Wed, 28 Jun 2017 11:08:11 +0200, mj via samba wrote:
>
> > Hi all,
> >
> > Just out of curiosity: is there anything we can do, on the samba side,
> > to counter the recent ransomware attacks? (or limit the damage done)
> >
> > I'm thinking like: limit the number of files per second a client
> > (workstation) is allowed to edit, or some other smart tricks..?
> >
> > It would be nice if samba could be an extra layer of defense.
> >
> > Something perhaps a vfs module could help with..?
> >
> > Anyone with tips, tricks, ideas?
>
> Although not bulletproof, I'd suggest taking periodic snapshots of the
> Samba share using Btrfs, LVM, ZFS, etc. This will give you a read-only
> restore point, should clients start misbehaving.
>
> With Btrfs you could use the Snapper VFS module to expose the read-only
> snapshots to clients via the Windows Previous Versions UI.
>
> Cheers, David
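To make the scoring Louis describes ("it counts how often an ip is listed, *4 means 4 points, threshold 4 => drop") concrete, here is an added example that is neither Louis's nor Postfix's code: a simplified Python model of how postscreen_dnsbl_sites entries are parsed and weighted, run against the list above with constructed DNSBL answers. Two modelling assumptions, also marked in the code: an entry without an =pattern is treated as matching any reply address, and every matching entry for a domain adds its weight. The real postscreen also deduplicates lookups per domain and has a separate postscreen_dnsbl_whitelist_threshold; this model leaves those out.

```python
"""Simplified model of postscreen's DNSBL scoring (added example, not Postfix code)."""
import re

# Louis' postscreen_dnsbl_sites list, one entry per line, in the
# domain[=reply-pattern][*weight] syntax of postconf(5).
SITES_TEXT = """
# blacklists.
b.barracudacentral.org*4
bad.psky.me*4
zen.spamhaus.org*4
dnsbl.cobion.com*2
bl.spameatingmonkey.net*2
fresh.spameatingmonkey.net*2
cbl.anti-spam.org.cn=127.0.8.2*2
dnsbl.anonmails.de*2
dnsbl.kempt.net*1
dnsbl.inps.de*2
bl.spamcop.net*2
srn.surgate.net=127.0.0.2
spam.dnsbl.sorbs.net*2
rbl.rbldns.ru*2
psbl.surriel.com*2
bl.mailspike.net*2
rep.mailspike.net=127.0.0.[13;14]*1
bl.suomispam.net*2
bl.blocklist.de*2
ix.dnsbl.manitu.net*2
dnsbl-2.uceprotect.net
dnsbl.justspam.org=127.0.0.2*2
all.s5h.net=127.0.0.2*2
hostkarma.junkemailfilter.com=127.0.0.3
hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
# whitelists
swl.spamhaus.org*-4
list.dnswl.org=127.0.[0..255].[2;3]*-1
rep.mailspike.net=127.0.0.[17;18]*-1
rep.mailspike.net=127.0.0.[19;20]*-2
hostkarma.junkemailfilter.com=127.0.0.1*-1
"""
THRESHOLD = 4   # postscreen_dnsbl_threshold from the same setup

ENTRY_RE = re.compile(r"^(?P<domain>[^=*\s]+)(?:=(?P<pattern>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$")
OCTET_RE = re.compile(r"\[[^\]]*\]|\d+")   # "127.0.[0..255].[2;3]" -> four octet specs


def parse_sites(text):
    """[(domain, pattern or None, weight)]; the weight defaults to 1 as in postscreen."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {line!r}")
        entries.append((m["domain"], m["pattern"], int(m["weight"] or 1)))
    return entries


def octet_matches(spec, value):
    """spec is a number, an alternation such as [2;4], or a range such as [0..255]."""
    if spec.startswith("["):
        for alt in spec[1:-1].split(";"):
            if ".." in alt:
                lo, hi = alt.split("..")
                if int(lo) <= value <= int(hi):
                    return True
            elif int(alt) == value:
                return True
        return False
    return int(spec) == value


def reply_matches(pattern, reply):
    # Assumption of this model: no =pattern means any reply address counts as listed.
    if pattern is None:
        return True
    specs, octets = OCTET_RE.findall(pattern), [int(o) for o in reply.split(".")]
    return len(specs) == 4 == len(octets) and all(octet_matches(s, o) for s, o in zip(specs, octets))


def score(entries, replies):
    """replies: DNSBL domain -> A-record answers for the client IP (absent = not listed).
    Each matching entry adds its weight, so negative whitelist weights pull the score down."""
    return sum(w for d, p, w in entries if any(reply_matches(p, r) for r in replies.get(d, [])))


def decision(entries, replies, threshold=THRESHOLD):
    """(score, verdict): postscreen rejects once the combined score reaches the threshold."""
    s = score(entries, replies)
    return s, ("blocked" if s >= threshold else "allowed")


if __name__ == "__main__":
    entries = parse_sites(SITES_TEXT)
    # constructed lookups, not real DNSBL data
    for label, replies in {
        "only zen.spamhaus.org": {"zen.spamhaus.org": ["127.0.0.2"]},
        "spamcop hit but on dnswl": {"bl.spamcop.net": ["127.0.0.2"], "list.dnswl.org": ["127.0.5.2"]},
    }.items():
        print(label, decision(entries, replies))
```

The model reproduces Louis's reasoning: a single listing on a *4 site reaches the threshold on its own, two *1 listings do not, and a dnswl whitelist hit offsets one spamcop point. It is also a quick way to sanity-check edits to the list (a typo in a pattern raises a ValueError instead of silently never matching).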
On Wed, Jun 28, 2017 at 11:53:30AM +0200, mj via samba wrote:
> On 06/28/2017 11:08 AM, mj via samba wrote:
> > Anyone with tips, tricks, ideas?
>
> I am now looking into this:
>
> https://github.com/CanaryTek/ransomware-samba-tools
>
> Interesting approach with full_audit and fail2ban.

Thanks for posting that - very interesting approach !

If anyone comes up with a great idea I'm willing to help out coding something up as a VFS module.

Jeremy.
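The full_audit plus fail2ban idea that mj posted and Jeremy picks up here, as an added example that is not part of the thread, not the ransomware-samba-tools project, and not a VFS module: a Python detector that reads vfs_full_audit syslog lines, flags a client that performs a burst of successful mutating operations in a short window, and then separates the two cases Reindl Harald raised, a bulk restore (many writes, extensions unchanged) versus an encryption sweep (many renames to a new extension). Assumptions, also marked in the code: the smb.conf fragment in the comment (prefix %u|%I|%S), the log lines are constructed, and ".locked" is a made-up extension.

```python
"""Burst detection over Samba vfs_full_audit syslog lines (added example)."""
import os
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed server-side smb.conf (not from the thread):
#     vfs objects = full_audit
#     full_audit:prefix = %u|%I|%S
#     full_audit:success = rename unlink pwrite ftruncate
#     full_audit:failure = none
# With that prefix smbd logs "<user>|<client ip>|<share>|<op>|ok|<args...>" to syslog.
AUDIT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"smbd_audit: (?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<share>[^|]*)\|"
    r"(?P<op>[^|]*)\|(?P<result>ok|fail)(?:\|(?P<args>.*))?$"
)
MUTATING_OPS = {"rename", "unlink", "pwrite", "write", "ftruncate"}


def parse_line(line, year=2017):
    """One syslog line -> dict, or None if it is not a full_audit record."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "share": m["share"],
            "op": m["op"], "result": m["result"],
            "args": m["args"].split("|") if m["args"] else []}


def extension_changed(args):
    """For a rename (args = old|new): did the extension change? Ransomware usually
    renames to a new extension; restoring an old copy of a folder keeps extensions."""
    if len(args) != 2:
        return False
    return os.path.splitext(args[0])[1].lower() != os.path.splitext(args[1])[1].lower()


def analyse(lines, window_s=10, threshold=50):
    """Flag each (user, ip) the first time it completes `threshold` successful mutating
    ops inside a sliding window of `window_s` seconds; return per-client stats."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "ok" or ev["op"] not in MUTATING_OPS:
            continue
        key = (ev["user"], ev["ip"])
        q = recent[key]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            ext = sum(1 for e in q if e["op"] == "rename" and extension_changed(e["args"]))
            flagged[key] = {"count": len(q), "ext_renames": ext, "first": q[0]["ts"]}
    return flagged


def verdict(stats):
    """Bursts dominated by extension-changing renames look like an encryption sweep;
    bursts without them are more likely a bulk copy or restore and only need a look."""
    return "ransomware-like" if stats["ext_renames"] * 2 >= stats["count"] else "bulk-change"


def _line(sec, user, ip, op, *args):
    return f"Jun 28 11:08:{sec:02d} fs1 smbd_audit: {user}|{ip}|docs|{op}|ok|" + "|".join(args)


# Constructed sample log; ".locked" is a made-up extension, not a real family's.
SAMPLE_LINES = (
    # one workstation renames 60 files to a new extension within 5 seconds
    [_line(11 + i // 12, "alice", "192.168.1.50", "rename",
           f"Q3/report{i}.xlsx", f"Q3/report{i}.xlsx.locked") for i in range(60)]
    # a bulk restore: 60 writes in 5 seconds, extensions unchanged
    + [_line(20 + i // 12, "bob", "192.168.1.60", "pwrite", f"Restore/photo{i}.jpg")
       for i in range(60)]
    # ordinary editing, well below the threshold
    + [_line(30 + i, "carol", "192.168.1.70", "rename", f"tmp{i}.docx", f"notes{i}.docx")
       for i in range(5)]
    # a failed open carries result "fail" and must not count
    + ["Jun 28 11:08:40 fs1 smbd_audit: carol|192.168.1.70|docs|open|fail|r|missing.txt"]
)


if __name__ == "__main__":
    for (user, ip), st in analyse(SAMPLE_LINES).items():
        # One line per offender. A fail2ban filter such as
        #     failregex = smb-burst: .* ip=<HOST>
        # can then ban the client address at the firewall.
        print(f"smb-burst: verdict={verdict(st)} user={user} ip={ip} "
              f"ops={st['count']} ext_renames={st['ext_renames']} since={st['first']:%H:%M:%S}")
```

Feed it the syslog file full_audit writes to (or pipe `tail -F` into it) and point fail2ban at its output; tune window_s and threshold to the share's normal churn, and treat "bulk-change" as a page to look at rather than an automatic ban, since that is exactly the legitimate mass-restore case.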
On Wed, Jun 28, 2017 at 8:42 AM, David Disseldorp via samba <samba at lists.samba.org> wrote:
> Hi,
>
> On Wed, 28 Jun 2017 11:08:11 +0200, mj via samba wrote:
>
>> Hi all,
>>
>> Just out of curiosity: is there anything we can do, on the samba side,
>> to counter the recent ransomware attacks? (or limit the damage done)
>>
>> I'm thinking like: limit the number of files per second a client
>> (workstation) is allowed to edit, or some other smart tricks..?
>>
>> It would be nice if samba could be an extra layer of defense.
>>
>> Something perhaps a vfs module could help with..?
>>
>> Anyone with tips, tricks, ideas?
>
> Although not bulletproof, I'd suggest taking periodic snapshots of the
> Samba share using Btrfs, LVM, ZFS, etc. This will give you a read-only
> restore point, should clients start misbehaving.
>
> With Btrfs you could use the Snapper VFS module to expose the read-only
> snapshots to clients via the Windows Previous Versions UI.

Or, for oldsters like myself, rsnapshot reading from the current filesystem. It's often much, much simpler to implement and lends itself well to finer tuning and restoration of old content than a filesystem based backup.
Trever L. Adams
2017-Jun-29 00:54 UTC
[Samba] ransomware etc (referencing in part Samba-virusfilter)
On 06/28/2017 07:13 AM, L.P.H. van Belle via samba wrote:
> IMO,
>
> First secure your entry points.. Mail webserver and proxy and the exit points. ( your users environment in my case windows 7/10 desktops.)
>
> I'm waiting until trevor has the antivirus vfs ready for samba 4.
> @David Disseldrop, you know the status about that, since it was your call to get it in samba. ;-)
> (https://github.com/fumiyas/samba-virusfilter/issues/23)
> I've seen good work but it stopped.. :(
> I .. wannacry .. :-))

https://github.com/treveradams/samba/tree/testing is actually where to look. I believe it is current for 4.6.x (be warned you may have to reset to past versions from time to time as the code base is git push -f to keep the changelog short and as simple patches for merging). I am waiting on reviews for the last patch set.

I am watching the Samba 4.7/5.0 cycle. It appears there will be some changes needed. The discussions went off list, but it should be ready for review. If there is an rc for 4.7, I will be happy to work on rebasing for that. I like the changes I am seeing and want to make sure it stays working.

> If you set up your mail server to respect servers set up conform RFC, your spam will drop at least 70%-90%
> Saving you lots of cpu time. Now I use postfix with its postscreen, clamav with yara rules for antivirus.
> (https://virustotal.github.io/yara/)

Thank you. I was unaware of this project (yara). I use postscreen on mail systems I administer as well. Mix it with something like amavisd, dspam, and clamav and you can have a very low spam rate (most of it on any system I work with actually comes from an old account I have that I use fetchmail to pull into that system).

> And a postfix with postscreen setup, something like this.
>
>     postscreen_access_list =
>         permit_mynetworks,
>         cidr:/etc/postfix/cidr/postscreen_whitelist_access.cidr,
>         # https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre
>         pcre:/etc/postfix/pcre/fqrdns-max.pcre,
>         pcre:/etc/postfix/pcre/fqrdns-plus.pcre,
>         pcre:/etc/postfix/pcre/fqrdns.pcre,
>
>     postscreen_dnsbl_threshold = 4
>
>     postscreen_dnsbl_sites =
>         # blacklists.
>         b.barracudacentral.org*4
>         bad.psky.me*4
>         zen.spamhaus.org*4
>         dnsbl.cobion.com*2
>         bl.spameatingmonkey.net*2
>         fresh.spameatingmonkey.net*2
>         cbl.anti-spam.org.cn=127.0.8.2*2
>         dnsbl.anonmails.de*2
>         dnsbl.kempt.net*1
>         dnsbl.inps.de*2
>         bl.spamcop.net*2
>         srn.surgate.net=127.0.0.2
>         spam.dnsbl.sorbs.net*2
>         rbl.rbldns.ru*2
>         psbl.surriel.com*2
>         bl.mailspike.net*2
>         rep.mailspike.net=127.0.0.[13;14]*1
>         bl.suomispam.net*2
>         bl.blocklist.de*2
>         ix.dnsbl.manitu.net*2
>         dnsbl-2.uceprotect.net
>         dnsbl.justspam.org=127.0.0.2*2
>         all.s5h.net=127.0.0.2*2
>         hostkarma.junkemailfilter.com=127.0.0.3
>         hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
>         # whitelists
>         swl.spamhaus.org*-4
>         list.dnswl.org=127.0.[0..255].[2;3]*-1
>         rep.mailspike.net=127.0.0.[17;18]*-1
>         rep.mailspike.net=127.0.0.[19;20]*-2
>         hostkarma.junkemailfilter.com=127.0.0.1*-1
>
> So it counts how often an ip is listed in rbls.
> *4 means it gets 4 points. So listed in barracuda, psky or spamhaus.. => drop.
> Picked up by fail2ban > in firewall.
> This is reasonably optimized.
> Until today I have not seen 1 .. Wannacry or (how is the new one called.) email.
> Same for the proxy, added icap for scanning with yara rules.
>
> For my pc's.
> Adobe, disable opening things from the internet, and disable javascript in adobe.
> MS Office, disable macros, vbs.. Aka all scripting you can disable.
> If a user needs it, open only that for that user ( but use groups to set it up )
> Most users open documents from within browsers or mail apps, protect these locations.
> article here : http://www.computerworld.com/article/2485214/microsoft-windows/cryptolocker-how-to-avoid-getting-infected-and-what-to-do-if-you-are.html
> Set your antivirus heuristic scanning to high, yes you lose a bit of speed, but you choose what you want. Security or extra work later..
> And users may NEVER EVER work with Administrative rights.
> Supporting a home user, set up, explain, and tell them if they change the rights, you won't fix it next time.
> Result, 90% less calls for support from home users and 10% is in trouble but, I'm not fixing it .. Again..
>
> And what I did for samba, only upgrade to 4.5.10 or 4.6.5 and make my daily backups.
> Just go with the flow and don't use old, older and too old programs..
>
> ! Thing to remember, if a crypto hits you, it always hits the "recently opened" first.
> So a "samba honeypot", well, I just don't like it, since that will hardly work.
>
> But above is just how "I" like my setups.
>
> Greetz,
>
> Louis

Thank you for what you do here with your postfix server. I learned a few things that will help make mine better.

Trever

>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of David Disseldorp via samba
>> Sent: Wednesday 28 June 2017 14:42
>> To: mj via samba
>> Subject: Re: [Samba] ransomware etc
>>
>> Hi,
>>
>> On Wed, 28 Jun 2017 11:08:11 +0200, mj via samba wrote:
>>
>>> Hi all,
>>>
>>> Just out of curiosity: is there anything we can do, on the samba side,
>>> to counter the recent ransomware attacks? (or limit the damage done)
>>>
>>> I'm thinking like: limit the number of files per second a client
>>> (workstation) is allowed to edit, or some other smart tricks..?
>>>
>>> It would be nice if samba could be an extra layer of defense.
>>>
>>> Something perhaps a vfs module could help with..?
>>>
>>> Anyone with tips, tricks, ideas?
>>
>> Although not bulletproof, I'd suggest taking periodic snapshots of the
>> Samba share using Btrfs, LVM, ZFS, etc. This will give you a read-only
>> restore point, should clients start misbehaving.
>>
>> With Btrfs you could use the Snapper VFS module to expose the read-only
>> snapshots to clients via the Windows Previous Versions UI.
>>
>> Cheers, David