neilt0 Posted May 15, 2017
Thanks for writing this. If I delete a bait file from a disk share (not user share), this doesn't trigger. Should it?
Squid (Author) Posted May 15, 2017
24 minutes ago, neilt0 said: "Thanks for writing this. If I delete a bait file from a disk share (not user share), this doesn't trigger. Should it?"
If you're only using bait shares, then 99.999% of the bait files only exist within /mnt/user/..., since they are all hardlinks to the 4 main files. And yes, should you delete a bait file from /mnt/diskX instead of /mnt/user/..., then the system will not pick it up, because the FUSE file system is never informed that a change happened on an individual disk. Not really a downside, as there's very little reason to export disk shares over the network, and a network attack is how ransomware is going to attack.
kizer Posted May 15, 2017
1 hour ago, Squid said: "Myself, I only use bait shares. Setup as a prefix of zzz-Squidbait placed altogether in the list. And I don't recreate on stop / start."
Exactly what I'm running.
squirrellydw Posted May 15, 2017
1 hour ago, Squid said: "Myself, I only use bait shares. Setup as a prefix of zzz-Squidbait placed altogether in the list. And I don't recreate on stop / start."
That's it, leave all the other options as they are? Thanks
neilt0 Posted May 16, 2017
10 hours ago, Squid said: "If you're only using bait shares, then 99.999% of the bait files only exist within /mnt/user/..., since they are all hardlinks to the 4 main files. And yes, should you delete a bait file from /mnt/diskX instead of /mnt/user/..., then the system will not pick it up, because the FUSE file system is never informed that a change happened on an individual disk. Not really a downside, as there's very little reason to export disk shares over the network, and a network attack is how ransomware is going to attack."
I do export disk shares over the LAN, as I like to have all my (for example) Radio files on disk1. When triggering this, it has also made all the disk shares read only, including the cache share. That can't be right? How do I make at least the cache share writeable?
Squid (Author) Posted May 16, 2017
Just restore SMB permissions. There may still be an issue where the comment says it's not writeable but it still is.
Squid (Author) Posted May 16, 2017
2 hours ago, neilt0 said: "I do export disk shares over the LAN, as I like to have all my (for example) Radio files on disk1."
TBH, you're better off not doing that: if the equivalent user share is also exported and you happen to mess up and copy a file from the disk share to the user share, the file just got corrupted.
neilt0 Posted May 16, 2017
56 minutes ago, Squid said: "Just restore SMB permissions. There may still be an issue where the comment says it's not writeable but it still is."
How do I restore SMB permissions? The plugin didn't do it when I "OK"'d the ransom activation. My server is kinda borked now. :-)
neilt0 Posted May 16, 2017
41 minutes ago, Squid said: "TBH, you're better off not doing that: if the equivalent user share is also exported and you happen to mess up and copy a file from the disk share to the user share, the file just got corrupted."
No, I know what I'm doing and have used disk shares since 2009.
Squid (Author) Posted May 16, 2017
As soon as you go into the settings for Ransomware, there's a button that says Restore SMB permissions.
neilt0 Posted May 16, 2017 Share Posted May 16, 2017 (edited) 51 minutes ago, Squid said: As soon as you go into the settings for Ransomware, there's a button that says Restore SMB permissions I know. It didn't work! It has given me a prompt to tidy up my shares, so I've done that and am exporting my SMB disk shares as hidden and secure. In theory, ransomware could find the disk shares, but I think they're reasonably protected? Edited May 16, 2017 by neilt0 Quote Link to comment
Squid (Author) Posted May 16, 2017
neilt0 said: "I know. It didn't work! It has given me a prompt to tidy up my shares, so I've done that and am exporting my SMB disk shares as hidden and secure. In theory, ransomware could find the disk shares, but I think they're reasonably protected?"
I'd have to see the diagnostics before you reboot to try and see what went wrong. After that you can reset the permissions manually on the Shares tab.
squirrellydw Posted May 16, 2017
So can I ignore certain files, for example .DS_Store files and all the dot Apple files? I have a plugin running that deletes them, and today all my shares were read only because your plugin works too well.
Squid (Author) Posted May 16, 2017
8 hours ago, squirrellydw said: "So can I ignore certain files, for example .DS_Store files and all the dot Apple files? I have a plugin running that deletes them, and today all my shares were read only because your plugin works too well."
Under bait files, there's no problem.
With bait shares, there are 2 issues with excluded files:
#1 - The memory requirements to implement a watch on every file are immense. IIRC, during my testing inotifywait did not send an event if a linked file was deleted (ie: encrypted / re-written, and the source removed). Because of that, an attack cannot be detected unless every single file is watched or the directory is simply watched for any changes.
#2 - The response time for inotifywait decreases with every additional file being watched.
(As an aside, I just tried it, and simply creating a .ds_store file will trigger an attack because of the change in the folder.)
I have no clue under what circumstances Finder creates those files, but I believe I have seen in the forums here instructions on how to stop Finder from creating them in the first place. I really don't know what to say beyond stop your script from deleting them from bait shares, or stop Finder from creating them in the first place.
But no matter what, always keep in mind that this plugin is the last emergency line of defense (for the files on the server only), and always take the necessary precautions on all your other networked devices to prevent any ransomware attack from happening in the first place. The attack won't originate from the server but from another networked device, and it's highly probable that all the files on that particular device will be trashed no matter what.
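Squid's post above explains the detection model of a bait share: the bait files are hardlinks of a handful of master files, a change anywhere in the watched directory (an in-place rewrite, an unlink-and-replace, a deletion, or even a stray .DS_Store) counts as an attack, and per-file watches do not scale. The following is an added illustration of that model and is not the plugin's code (the plugin uses inotifywait; this example uses a snapshot comparison instead so it runs anywhere). It creates a temporary bait directory of hardlinks, simulates three attacker behaviours plus a dropped ransom note and a Finder artifact, and reports how each one shows up. The IGNORED_NAMES / IGNORED_PREFIXES exclusion is hypothetical: the plugin has no such option, which is exactly the question being answered.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Client-side housekeeping names to tolerate in a bait directory. This is an
# assumption for the demo only; the plugin discussed in the thread has no such
# exclusion, and tolerating names here is a trade-off against detection coverage.
IGNORED_NAMES = {".DS_Store"}
IGNORED_PREFIXES = ("._",)


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(bait_dir):
    """Map each regular file in bait_dir to (inode number, sha256 of content)."""
    state = {}
    for p in sorted(Path(bait_dir).iterdir()):
        if p.is_file():
            state[p.name] = (p.stat().st_ino, _sha256(p))
    return state


def check(bait_dir, baseline):
    """Compare bait_dir against a baseline snapshot and return (finding, name) pairs.

    modified : same inode, content changed (encrypted in place; because the bait
               files are hardlinks, every other link to that inode changes too)
    replaced : the path now points at a different inode (an encrypted copy was
               written and the original unlinked; the sibling hardlinks are
               untouched, so only the path itself reveals this)
    deleted  : the path is gone
    new      : an unexpected file appeared (for instance a ransom note)
    ignored  : a tolerated client artifact such as .DS_Store
    """
    findings = []
    current = snapshot(bait_dir)
    for name, (ino, digest) in baseline.items():
        if name not in current:
            findings.append(("deleted", name))
        elif current[name][0] != ino:
            findings.append(("replaced", name))
        elif current[name][1] != digest:
            findings.append(("modified", name))
    for name in current:
        if name in baseline:
            continue
        if name in IGNORED_NAMES or name.startswith(IGNORED_PREFIXES):
            findings.append(("ignored", name))
        else:
            findings.append(("new", name))
    return findings


def make_bait(bait_dir, master, names):
    """Populate bait_dir with hardlinks to one master file, as a bait share is built."""
    for name in names:
        os.link(master, os.path.join(bait_dir, name))


def demo():
    """Build a bait directory, simulate attacker actions, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        master = os.path.join(tmp, "master.txt")
        Path(master).write_bytes(b"harmless bait content\n")
        bait = os.path.join(tmp, "zzz-bait")
        os.mkdir(bait)
        make_bait(bait, master, ["a.doc", "b.doc", "c.doc"])
        baseline = snapshot(bait)

        # Constructed attacker behaviour for the demo:
        # b.doc: write an "encrypted" copy to a new file, unlink the original,
        #        rename the copy over the old name (new inode, same path)
        locked = os.path.join(bait, "b.doc.locked")
        Path(locked).write_bytes(b"\x00\x13ciphertext")
        os.remove(os.path.join(bait, "b.doc"))
        os.rename(locked, os.path.join(bait, "b.doc"))
        # c.doc: plain deletion
        os.remove(os.path.join(bait, "c.doc"))
        # a.doc: overwrite in place (truncate + write keeps the inode, so the
        #        master file and every remaining hardlink now hold ciphertext)
        Path(os.path.join(bait, "a.doc")).write_bytes(b"\x00\x13ciphertext")
        # A ransom note and a Finder artifact land in the directory
        Path(os.path.join(bait, "README_TO_DECRYPT.txt")).write_bytes(b"pay up\n")
        Path(os.path.join(bait, ".DS_Store")).write_bytes(b"\x00")

        return check(bait, baseline)


if __name__ == "__main__":
    for finding, name in demo():
        print(f"{finding:<9} {name}")
```

Two points the run makes concrete: an in-place rewrite is visible through every hardlink at once, whereas the encrypt-copy-then-unlink pattern leaves the shared inode intact and is only caught because the path is compared by inode; and any tolerated name is a hole, since a family that writes its notes or staging files under an ignored pattern would not be reported.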
wgstarks Posted May 16, 2017
2 hours ago, Squid said: "I have no clue under what circumstances Finder creates those files, but I believe I have seen in the forums here instructions on how to stop Finder from creating them in the first place."
Add this to SMB extra configuration:
veto files = /._*/.DS_Store/
Will stop OSX from creating .DS_Store files via Samba.
squirrellydw Posted May 17, 2017
1 hour ago, wgstarks said: "Add this to SMB extra configuration: veto files = /._*/.DS_Store/ Will stop OSX from creating .DS_Store files via Samba."
Thanks, but what about all the other DOT files OS X creates?
wgstarks Posted May 17, 2017
9 minutes ago, squirrellydw said: "Thanks, but what about all the other DOT files OS X creates?"
If I understand the line correctly, the "*" is a wildcard, so any ._whatever file is covered.
squirrellydw Posted May 17, 2017 Share Posted May 17, 2017 (edited) 34 minutes ago, wgstarks said: If I understand the line correctly the "*" is a wildcard so any ._whatever file is covered. so I just add this to SMB not NFS or AFP? Edited May 17, 2017 by squirrellydw Quote Link to comment
wgstarks Posted May 17, 2017
Right. Not sure how to do this with NFS or AFP. I only use SMB for my bait shares; I'm not using NFS at all, and AFP just for Time Machine backups.
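The exchange above turns on how Samba reads the `veto files` value: entries are separated by "/" and each entry is a shell-style glob, so `._*` covers every AppleDouble `._name` file but nothing else, and `.DS_Store` is a literal match. As an added example (not from the thread or from Samba), the small parser below splits a value the way Samba does and classifies a constructed set of filenames against it; it also goes beyond the thread's two-entry list with a hypothetical EXTENDED_VETO covering other macOS housekeeping names, which is my extension and should be checked against your own clients. Case-insensitive matching is an assumption here, standing in for the usual SMB share behaviour.

```python
import fnmatch

# Samba "veto files" syntax: entries separated by "/", each a shell-style glob.
# This is the value posted in the thread:
THREAD_VETO = "/._*/.DS_Store/"

# Hypothetical broader list (my extension, not from the thread) for other
# macOS housekeeping names; verify against your own clients before using it.
EXTENDED_VETO = "/._*/.DS_Store/.Trashes/.TemporaryItems/.Spotlight-V100/.fseventsd/"


def parse_veto(spec):
    """Split a Samba 'veto files' value into its individual glob patterns."""
    return [p for p in spec.split("/") if p]


def is_vetoed(name, spec=THREAD_VETO):
    """True if the name matches any pattern in the veto list.

    Matching is case-insensitive here (assumption: typical SMB share behaviour
    with Samba's default 'case sensitive = auto').
    """
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in parse_veto(spec))


def classify(names, spec=THREAD_VETO):
    """Partition names into (vetoed, allowed) lists, preserving input order."""
    vetoed = [n for n in names if is_vetoed(n, spec)]
    allowed = [n for n in names if not is_vetoed(n, spec)]
    return vetoed, allowed


# Constructed sample of names a macOS client may try to create in a share
SAMPLE_NAMES = [
    ".DS_Store",
    "._photo.jpg",
    ".Trashes",
    ".TemporaryItems",
    "photo.jpg",
    "Report.docx",
]

if __name__ == "__main__":
    for spec in (THREAD_VETO, EXTENDED_VETO):
        vetoed, allowed = classify(SAMPLE_NAMES, spec)
        print(spec)
        print("  vetoed :", vetoed)
        print("  allowed:", allowed)
```

With the thread's value, `.DS_Store` and `._photo.jpg` are refused while `.Trashes` and `.TemporaryItems` still get through, which is the answer to "what about all the other dot files": each extra name needs its own entry. Two caveats when applying this on a real server: `veto files` also hides and blocks access to any existing files of those names, and directories that already contain vetoed files cannot be removed over SMB unless `delete veto files = yes` is set. As the thread notes, none of this applies to NFS or AFP exports.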
trurl Posted May 17, 2017
On 5/16/2017 at 9:56 AM, neilt0 said: "I like to have all my (for example) Radio files on disk1."
Set the Radio share to include only disk1. Problem solved, no need for disk shares.
extrobe Posted May 18, 2017 Share Posted May 18, 2017 (edited) hi, I'm having a spot of trouble getting this working. I can get everything setup correctly (I've gone with a bit of file shares and a bit of files in existing shares), but as soon as I start the service, I get told I'm under attack and immediately shuts down the SMB service. It looks like one of the shares is triggering, but unsure why - I've tried a couple of times now. If I only use the file bait service, it seems to run fine. May 18 13:12:34 DEMETER root: ransomware protection:Creating bait files, root of shares only May 18 13:12:34 DEMETER root: ransomware protection:Creating Folder Structure May 18 13:12:35 DEMETER root: ransomware protection:Total bait files created: 40 May 18 13:12:35 DEMETER root: ransomware protection:Starting Background Monitoring Of Bait Files May 18 13:12:43 DEMETER root: ransomware protection:Creating Bait Files May 18 13:13:25 DEMETER root: ransomware protection:Bait Files Created: 54350 (1294/second) Completed: 16% May 18 13:13:59 DEMETER root: ransomware protection:Bait Files Created: 108500 (1427/second) Completed: 33% May 18 13:14:37 DEMETER root: ransomware protection:Bait Files Created: 163000 (1429/second) Completed: 50% May 18 13:15:13 DEMETER root: ransomware protection:Bait Files Created: 217250 (1448/second) Completed: 66% May 18 13:15:47 DEMETER root: ransomware protection:Bait Files Created: 271100 (1473/second) Completed: 83% May 18 13:16:25 DEMETER root: ransomware protection:Bait Files Created: 325300 (1465/second) Completed: 100% May 18 13:16:26 DEMETER root: ransomware protection:Starting Background Monitoring of Baitshares May 18 13:16:51 DEMETER root: ransomware protection:ATTRIB,ISDIR May 18 13:16:51 DEMETER root: ransomware protection:.. 
May 18 13:16:51 DEMETER root: ransomware protection:Possible Ransomware attack detected on file /mnt/user/xFileBater-fell/ May 18 13:16:51 DEMETER root: ransomware protection:SMB Status: May 18 13:16:51 DEMETER root: ransomware protection: May 18 13:16:51 DEMETER root: ransomware protection:Samba version 4.5.7 May 18 13:16:51 DEMETER root: ransomware protection:PID Username Group Machine Protocol Version Encryption Signing May 18 13:16:51 DEMETER root: ransomware protection:---------------------------------------------------------------------------------------------------------------------------------------- May 18 13:16:51 DEMETER root: ransomware protection:23510 extrobe users 192.168.0.93 (ipv4:192.168.0.93:50187) SMB3_11 - partial(AES-128-CMAC) May 18 13:16:51 DEMETER root: ransomware protection: May 18 13:16:51 DEMETER root: ransomware protection:Service pid Machine Connected at Encryption Signing May 18 13:16:51 DEMETER root: ransomware protection:--------------------------------------------------------------------------------------------- May 18 13:16:51 DEMETER root: ransomware protection:backups 23510 192.168.0.93 Thu May 18 13:14:53 2017 BST - - May 18 13:16:51 DEMETER root: ransomware protection: May 18 13:16:51 DEMETER root: ransomware protection:No locked files May 18 13:16:51 DEMETER root: ransomware protection: May 18 13:16:51 DEMETER root: ransomware protection:Deleting the affected shares May 18 13:16:51 DEMETER root: ransomware protection:Deleting /mnt/user/xFileBater-fell/ May 18 13:17:15 DEMETER root: ransomware protection:Starting Background Monitoring of Baitshares May 18 13:18:54 DEMETER root: ransomware protection:Resetting SMB permissions to normal per user selection May 18 13:19:52 DEMETER root: ransomware protection:Stopping the ransomware protection service (15743) Edited May 18, 2017 by extrobe Quote Link to comment
Darksurf Posted May 18, 2017
What application are we using here? Is there a specific application this plugin is using, or is this built from the ground up for Unraid? Is there a git or anything for this?
Squid (Author) Posted May 18, 2017
32 minutes ago, Darksurf said: "What application are we using here? Is there a specific application this plugin is using, or is this built from the ground up for Unraid? Is there a git or anything for this?"
It's tailored to unRaid, and takes the approach of waiting for an attack to happen against certain files and, when that happens, stopping all SMB write access regardless of how inconvenient that may be to you. IE: it's your absolute last line of defense, and should never be your first and/or only...
https://github.com/Squidly271/ransomware.bait/
Squid (Author) Posted May 18, 2017
11 hours ago, extrobe said: "Hi, I'm having a spot of trouble getting this working. I can get everything set up correctly (I've gone with a bit of file shares and a bit of files in existing shares), but as soon as I start the service, I get told I'm under attack and it immediately shuts down the SMB service. It looks like one of the shares is triggering, but I'm unsure why; I've tried a couple of times now."
Give me the diagnostics for when this happens. There are 2 other lines that are logged in the syslog that aren't logged in the RP logs.
squirrellydw Posted May 21, 2017
So everything seems to be running fine now that I added this "veto files = /._*/.DS_Store/", but I have two questions. Should all the squidbait shares be Public, or is it better to have them as Secure? My disk shares say Read Only Mode; is that correct? If not, how do I fix it? Thanks