
Securing unRAID against a ransom trojan attack


tazman


Hi,

The recent surge of ransom trojan attacks made me worried about losing all my unRAID data, i.e. a trojan infects any machine that is in my network (which could be a friend's/guest's), finds the unRAID shares and encrypts them.

So I have ventured into locking down my array to:

  • Grant only read access to the data needed by everybody
  • Use a dedicated account for write access

I started with this security overview article from limetech: http://lime-technology.com/forum/index.php?topic=7047.0

I am kindly seeking your advice on the approach I have taken and the issues I face.

This is for Windows/Android access. Only SMB access is used. NFS is disabled.

Approach taken:

  • Add a new user "backup" for write access
  • Set SMB Security = "Secure" for all user shares and set User Access for the user "backup" to "Read/Write"
  • Media shares are exported with "Yes"; others that do not require public access, like shares used for backup, are exported with "Yes (hidden)"
  • Add a new share "Public" with Security = Public to have a place for file sharing between users
  • For each of the "disk*" shares: set Export = No so they are not accessible from outside
  • Create a new user "backup", with the same password as on unRAID, on the Windows machine that I use to perform work requiring write access

This seems to work: no old user can write data, the disks are not exposed and only the backup user can write.

There is one issue: some directories in my backup folders cannot be accessed even by the backup user. They have the permissions 0700 while other directories have 0777. The media folders do not seem to have that problem and seem to be consistently 0777.

Questions:

  • How would you modify the above approach to safeguard against accidental/malware modification of the files?
  • 777 directories are not writable by other users. This is as I wanted it, but doesn't the last "7" indicate that they should be? Limetech indicated in the article linked above that "SMB samba details: create mask = 770, directory mask = 770".
  • Even with a 0 (as in 700) the directories are visible to all users. What is the difference then between a 0 and a 4 (= read)?
  • Could it be that rights from the Windows source of the backed-up files/folders are carried over to unRAID? However, if so, I still don't understand, as the rights under Windows are different from those on the unRAID backup folder equivalents. E.g. one folder that has 0700 in unRAID (and cannot be accessed) seems to have the same security settings in Windows as a folder that can be accessed in unRAID (0777).
  • What can I do to set all files and folders to the correct settings so they are accessible?
  • What needs to be done to ensure that this continues to work in the future (rather than having to "patch" the files each time a backup is performed)?
  • Is it sufficient to set Export = No for the disks, or is it required/recommended to set Security = Secure as well?
  • I haven't tried it yet but assume that a newly added disk would be added as Export = Yes, Security = Public, so I will need to remember to lock it down with Export = No. Is there a way to change the default for a disk?

Thanks so much for your advice.

Tom
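The 0700-versus-0777 problem and the "0 vs 4" question above come down to the directory mode bits: `r` lets a class list names, `x` lets it enter the directory and open entries by name, so a 0700 directory under an otherwise 0777 share is unreachable for anyone but its owner. The following audit script is an added example (not from the original post or from Lime Technology): it walks a share tree, reports every directory missing any bit of the expected mask, and can add only the missing bits. The share path and the 0777 expectation are assumptions; the sample tree is constructed in a temp directory.

```python
"""Audit a share tree for directories missing the mode bits the share expects.
Added example (not from the original post); the share root is an assumption.
Directory bits: r = list names, w = create/delete entries, x = traverse."""
import os
import stat
import tempfile

_CLASSES = (("owner", stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
            ("group", stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
            ("other", stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH))

def describe_dir_mode(mode: int) -> dict:
    """What each class may do with a directory of this mode; a class with
    'list' but not 'traverse' (e.g. 0744 for other) sees names only."""
    return {name: {"list": bool(mode & r), "modify": bool(mode & w),
                   "traverse": bool(mode & x)} for name, r, w, x in _CLASSES}

def find_nonconforming_dirs(root: str, expected: int = 0o777) -> list:
    """Return (path, mode) for every directory below root that lacks at
    least one bit of `expected`; symlinks are skipped, never followed."""
    bad = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if os.path.islink(full):
                continue
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & expected != expected:
                bad.append((full, mode))
    return bad

def fix_dir_modes(found, expected: int = 0o777) -> int:
    """Add only the missing bits (never clears any); returns count changed."""
    for path, mode in found:
        os.chmod(path, mode | expected)
    return len(found)

def build_sample_tree() -> str:
    """Constructed sample: a 0777 media dir, a 0700 backup dir, a 0755 child."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    for rel, mode in (("media", 0o777), ("backup", 0o700), ("backup/inner", 0o755)):
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)  # chmod is not subject to umask
    return root

if __name__ == "__main__":
    # Assumption: SHARE_ROOT would be something like /mnt/user/<share> on unRAID.
    share = os.environ.get("SHARE_ROOT") or build_sample_tree()
    for path, mode in find_nonconforming_dirs(share):
        print(oct(mode), path)
```

Run it read-only first (it only reports); call `fix_dir_modes` on the result once you have confirmed the list is what you expect, and keep write restrictions at the SMB share level as described in the post rather than relying on the filesystem bits.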
