Samba – auf bestimmte Aktivitäten von Ransomware-Trojanern reagieren

# vi /etc/samba/smb.conf
# smb.conf – vfs_full_audit settings; the module only becomes active on shares
# that list it under "vfs objects" (see the [<share>] section below)
[global]
# failed operations are not logged
full_audit:failure = none
# successful operations that are logged (one audit line per logged call)
full_audit:success = pwrite write rename
# leading part of every audit line: client IP, user, client machine name, share name;
# the log excerpt below shows the resulting "IP=...|USER=...|MACHINE=...|VOLUME=..." prefix,
# and the IP= field is what the fail2ban filter later extracts as <HOST>
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
# syslog facility and priority – the jail below reads /var/log/syslog, so this
# assumes the local syslog daemon routes local7.notice there; verify on your system
full_audit:facility = local7
full_audit:priority = NOTICE
# enable the module per share; <share> is a placeholder for the real share name
[<share>]
vfs objects = full_audit
2020-02-29T11:07:36.162528+01:00 hort smbd_audit:IP=1.2.3.4|USER=dha|MACHINE=win7dha|VOLUME=dha|pwrite|ok|bla/Installer.zip
2020-02-29T11:08:43.945654+01:00 hort smbd_audit:IP=1.2.3.4|USER=dha|MACHINE=win7dha|VOLUME=dha|pwrite|ok|bla/trojaner.locky
# apt-get install fail2ban
# vi /etc/fail2ban/filter.d/samba.conf wie
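[Definition]
# Two patterns, one per line. The second line must be indented: a continuation
# line at column 0 is read as a separate key, not as part of failregex.
# <HOST> is taken from the IP= field of the Samba full_audit prefix.
# Only these two file names are matched; other ransomware families need their
# own line. The patterns expect a space after "smbd_audit:" – confirm the real
# log line format with:
#   fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/samba.conf
failregex = smbd.*\:\ IP=<HOST>\|.*\.locky$
            smbd.*\:\ IP=<HOST>\|.*_Locky_recover_instructions\.txt$
ignoreregex =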
# vi /etc/fail2ban/jail.d/<jail>.conf
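[samba]
filter = samba
enabled = true
# The second action line is a continuation and must be indented.
# The port list uses plain ASCII quotes; the typographic quotes shown in the
# post would break the action.
# protocol=tcp: only TCP is blocked. 137/138 are UDP NetBIOS ports and are not
# covered by this rule; SMB file access itself runs over 445/139 TCP.
action = iptables-multiport[name=samba, port="135,139,445,137,138", protocol=tcp]
         mail[name=samba, dest=admin@MYDOMAIN.DE]
logpath = /var/log/syslog
# Comments on their own lines: a trailing "# ..." after a value is not
# portable and may end up as part of the value.
# already the first attempt is punished
maxretry = 1
# always looks at the last 10 minutes (seconds)
findtime = 600
# ban for a whole day (seconds)
bantime = 86400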
