2016 Mar 10
[ISC Crosspost] Novel method for slowing down Locky on Samba server using fail2ban
...VOLUME=%S
full_audit:facility = local7
full_audit:priority = NOTICE
and, in every [Volume] that is to be monitored:
vfs objects = full_audit
This leads to such a line in the log:
2016-02-29T11:07:36.162528+01:00 hort smbd_audit:IP=1.2.3.4|USER=dha|MACHINE=win7dha|VOLUME=dha|pwrite|ok|bla/Q-Dir_Installer.zip
2016-02-29T11:08:43.945654+01:00 hort smbd_audit:IP=1.2.3.4|USER=dha|MACHINE=win7dha|VOLUME=dha|pwrite|ok|bla/ganzböserverschlüsselungstrojaner.locky
apt-get install fail2ban
with filter definitions in /etc/fail2ban/filter.d/samba.conf as
[Definition]
failregex = smbd.*\:\ IP=<...