Cool Solution - Ransomware protection with Fail2Ban

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

This article desribes how to setup thorough Samba logging and Fail2Ban log analysis to detect and prevent ransomware attacks on Samba shares. We use a logging called “full_audit”, which logs write and rename operations on files along with the user, machine and file of each operation. In this setup the log is continously analysed by Fail2Ban. It uses a list of known bad files and extensions used by ransomwares to detect and ban infected hosts from accessing shares.

Activate full_audit logging for Samba shares

To configure full_audit logging, execute the following UCR command.

ucr set 'samba/global/options/full_audit:failure=none' \
 'samba/global/options/full_audit:success=pwrite write rename' \
 'samba/global/options/full_audit:prefix=IP=%I|USER=%u|MACHINE=%m|VOLUME=%S' \
 'samba/global/options/full_audit:facility=local7' \

Now that full_audit is configured, you can either configure it manually for every share or use the following command to activate it for every share on the current host:

for i in $(udm shares/share list --filter=host=$(hostname -f) | grep DN: | sed 's/DN: //'); do udm shares/share modify "$@" --dn "$i" --set sambaVFSObjects="full_audit" || die; done

If you want to manually add the option to a share, here’s how to do it: Open the UMC, click the tab “Domain” and open “Shares”. Select and open the share you want to create a full_audit log for and open the “Samba” options on the left. On the bottom of that page you will find a text field called “VFS objects”. Type “full_audit” in here and “Save” the share.

A rename operation on a file called “test.txt” to “test.crypted” laying on a share called “share1” on server “master” made by a user “john.doe” on machine “win7-pc” with IP “” would look like this in the log now that full_audit is active:

Jun 27 10:29:47 master smbd_audit: IP=|USER=UCS+john.doe|MACHINE=win7-pc|VOLUME=share1|rename|ok|test.txt|test.crypted

These can now be used by Fail2Ban to ban hosts if certain files or file endings are detected.

Installing and configuring Fail2Ban

Activate the “unmaintained” repository:

ucr set repository/online/unmaintained=yes

Install fail2ban

univention-install fail2ban

By default the “SSH” jail is active. You can deactivate this as it’s not necessary for the function of this article, if you don’t want it. To deactivate the SSH jail open the file /etc/fail2ban/jail.conf with an editor and change this passage:

enabled  = true

to this

enabled  = false

To configure a Samba jail with a list of file extensions known to be used by ransomwares, you can install the following package from the cool solution repository. This package configures a Samba jail, with a filter list located at /etc/fail2ban/filter.d/samba.conf and a mailing service to send mails for each banned IP. The jail bans clients for a week after one occurrence of a match on one of the regular expressions in the filter list is found in /var/log/syslog.

DO NOT FORGET! Protection is only as good as the filter list! Since new ransomwares using new file extensions are released rather frequent these days the list at /etc/fail2ban/filter.d/samba.conf should be updated regularly!

univention-install univention-fail2ban-config-ransomware

After the package is installed and configuration is finished, restart Fail2Ban.

service fail2ban-server restart

Adding new regular expressions to the filter list

To add a new regular expression to the filter list, simply append it to the “failregex” paragraph.

You can test if the regular expression works by using the “fail2ban-regex” tool. This tool can be used to see which regexes match how often on a given log. It does not ban or unban anything, it’s more like a so called “dry run”.

It works as follows:

fail2ban-regex <LOG FILE> <FILTER LIST>

So if you want to test the samba filter list, that comes with the above package on syslog, the command would look as follows:

fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/samba.conf
1 Like

This topic was automatically closed after 24 hours. New replies are no longer allowed.