Squid (Author), Posted May 21, 2017

> 1 hour ago, squirrellydw said: Should all the squidbait shares be public or is it better to have them as Secure?

Better as public. You want to make them as accessible as possible.

> 1 hour ago, squirrellydw said: My Disk shares say Read Only Mode, is that correct? If not how do I fix it? Thanks

I had a typo that was preventing the disk shares / comments from being properly restored. Updating the plugin corrects the typo, and will also remove the existing comments (if you had done multiple test trips). However, a reboot may be required after installing the update for unRaid to pick up the comment changes...

squirrellydw, Posted May 21, 2017

@Squid Thanks, update and reboot fixed it. Cache drive still says Read Only Mode.

Squid (Author), Posted May 21, 2017

> 3 hours ago, squirrellydw said: @Squid Thanks, update and reboot fixed it. Cache drive still says Read Only Mode.

Oops. Go to Main, Cache Devices, click on Cache, and you can manually edit the comment out...

Darksurf, Posted May 24, 2017

> On 5/18/2017 at 6:46 PM, Squid said: It's tailored to unRaid, and takes the approach of waiting for an attack to happen against certain files and when that happens stops all smb write access regardless of how inconvenient that may be to you. IE: It's your absolutely last line of defense, and should never be your first and/or only... https://github.com/Squidly271/ransomware.bait/

Have you ever thought of making it a CLI tool and portable to other Linux distros? I know this is last line of defense material, but it's lightweight and excellent for what it does. I can easily see this becoming a tool businesses would love in their arsenal. Seriously man, you've got a winner here. I love unraid, but small/medium business and corporate use other distros. This could be a big deal!

BRiT, Posted May 24, 2017

@Darksurf How would you transition the shares to Read-Only mode on other Linux variants? Or do you mean to make it a passive-only that monitors then when it gets tripped to send a Notification?

I suppose it could just have hook-files to be executed on tripped, then leave it up to others to get the nitty-gritty for their specific situations.

Darksurf, Posted May 24, 2017

> 48 minutes ago, BRiT said: @Darksurf How would you transition the shares to Read-Only mode on other Linux variants? Or do you mean to make it a passive-only that monitors then when it gets tripped to send a Notification? I suppose it could just have hook-files to be executed on tripped, then leave it up to others to get the nitty-gritty for their specific situations.

It would boil down to either editing the samba.conf file or even better, just stop the samba service 'systemctl stop samba.service' and send notifications and log problems.

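The trip-and-respond idea from the posts above (bait files, a hook run when one is tripped, stopping Samba), as an added example that is not part of the thread and not the plugin's code. It polls SHA-256 hashes of the bait files, which is an assumption since the plugin's own detection method is not shown here; `plant_bait`, `check_bait`, `respond` and `demo` are hypothetical names, and the Samba unit name differs between distros.

```python
import hashlib
import secrets
import subprocess
import tempfile
import time
from pathlib import Path

STOP_SMB = ["systemctl", "stop", "samba.service"]  # command quoted in the post above

def _digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def plant_bait(share_root, count=3, exts=(".docx", ".jpg", ".xlsx")):
    """Create bait files with randomized names; return a {path: sha256} manifest."""
    manifest = {}
    for i in range(count):
        path = Path(share_root) / (secrets.token_hex(4) + exts[i % len(exts)])
        path.write_bytes(secrets.token_bytes(256))
        manifest[str(path)] = _digest(path)
    return manifest

def check_bait(manifest):
    """Return one attack-log entry per bait file that was deleted or modified."""
    events = []
    for path, expected in manifest.items():
        try:
            reason = None if _digest(path) == expected else "modified"
        except FileNotFoundError:
            reason = "deleted"
        if reason:
            events.append({"time": time.ctime(), "file": path, "reason": reason})
    return events

def respond(events, hook=lambda: subprocess.run(STOP_SMB, check=False)):
    """Run the trip hook once if any bait file was attacked; return True if tripped."""
    if events:
        hook()
    return bool(events)

def demo():
    """Constructed scenario: one bait file overwritten, one deleted, one untouched."""
    calls = []
    with tempfile.TemporaryDirectory() as share:
        manifest = plant_bait(share)
        first, second, _ = sorted(manifest)
        Path(first).write_bytes(b"constructed ciphertext")
        Path(second).unlink()
        events = check_bait(manifest)
    tripped = respond(events, hook=lambda: calls.append("stop-smb"))
    return tripped, calls, sorted(e["reason"] for e in events)
```

A scheduled job that deletes or rewrites a bait file trips this check exactly as an attacker would, so the manifest has to be regenerated after any planned move of the files.
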
cpluse, Posted May 28, 2017

I just had to chime in. I'm loving this program. I've had two alarms. Seem false though.

something deleted

    Time Of Attack: Sat, 27 May 2017 14:07:42 -0500
    Attacked File: /mnt/user/YaBills\home2-conquered/

&

    Time Of Attack: Sat, 27 May 2017 23:57:06 -0500
    Attacked File: /mnt/user/crashed-Fame/.SquidBait-DO_NOT_DELETE.docx

    Locked files:
    Pid    Uid   DenyMode   Access    R/W     Oplock  SharePath               Name                          Time
    --------------------------------------------------------------------------------------------------
    23926  1000  DENY_NONE  0x20081   RDONLY  NONE    /mnt/user/crashed-Fame  SquidBait-DO_NOT_DELETE.jpg   Sat May 27 23:56:54 2017
    23926  1000  DENY_NONE  0x100081  RDONLY  NONE    /mnt/user/crashed-Fame  .                             Sat May 27 23:56:53 2017

Even though it might be false, I still love the fact it's there. Plus it helps me learn how to protect myself and not get comfortable. Backups are our friends. Thank you again for this plug-in and adding to unRaid.

ceyo14, Posted June 13, 2017 (Edited June 13, 2017 by ceyo14)

I've installed this plugin but seem to keep having false positives. I'm not using any shares (they exist but nobody is using anything able to see the shares or accessing them). I'm just setting up the actual unRaid and keep getting notifications about bait files triggered....

Squid (Author), Posted June 14, 2017

> On 6/12/2017 at 11:57 PM, ceyo14 said: I've installed this plugin but seem to keep having false positives. I'm not using any shares (they exist but nobody is using anything able to see the shares or accessing them). I'm just setting up the actual unRaid and keep getting notifications about bait files triggered....

Hard to say. Generally, something is modifying / deleting the file(s).

kjoconis, Posted July 2, 2017 (Edited July 2, 2017 by kjoconis)

Hey Squid,

Been reading a little about this and it sounds awesome. You are a very gifted person to design and implement something like this. I do have a few questions and don't think they have been asked, but if they have please forgive me.

1) Is it better to have bait files or bait shares? I have about 15 shares SMB/NFS.
2) Will NFS be implemented on this? I have about 6 NFS shares.
3) Being I have NFS Shares, would the bait files or bait shares be created for those shares as at this time NFS is implemented?
4) I have automatic backups going on for systems in my house. Would this trigger a false alarm?
5) What is the most secure way to implement this, using bait files or bait shares?
6) What are the odds of someone reading this and implementing ransomware to ignore your bait files or shares and go after every other file instead?
7) Does this tell you the file or shares where items would be deleted?

So sorry for so many questions and if they have been asked before I am sorry. Thanks for any help in advance and this does sound like an awesome plugin.

Squid (Author), Posted July 2, 2017 (Edited July 2, 2017 by Squid)

> 1 hour ago, kjoconis said: You are a very gifted person to design and implement something like this

@RobJ's ideas

> 1 hour ago, kjoconis said: Is it better to have bait files or bait shares? I have about 15 shares SMB/NFS.

Bait Files are more secure, but more prone to inadvertent trips. Bait Shares are more convenient and less prone to inadvertent trips.

> 1 hour ago, kjoconis said: Will NFS be implemented on this? I have about 6 NFS shares.

Your #1 attack vector by far is via SMB. NFS, a while ago I had asked for help on how to make a NFS share read-only in unRaid's implementation, but nobody could / would answer the question (short of modifying the permissions on the files which I don't want to do).

> 1 hour ago, kjoconis said: I have automatic backups going on for systems in my house. Would this trigger a false alarm?

If the automatic backups delete any files in the destination share that don't exist on the source, and those files are bait files, then yes. An attack is an attack.

> 1 hour ago, kjoconis said: What is the most secure way to implement this, using bait files or bait shares?

Bait Files in all directories and Bait Shares. Unless you're in 100% control of the files on the server though, Bait Files in the root only with Bait Shares. If you don't have 100% control (other users regularly accessing / deleting their own files from folders, etc), Bait Shares only are your best bet. Myself, I use 20 Bait Shares (containing ~1,000,000 bait files) and bait files within root of shares only.

> 1 hour ago, kjoconis said: What are the odds of someone reading this and implementing ransomware to ignore your bait files or shares and go after every other file instead?

If a malware author was going to try and work around this implementation, it would be nothing for them to ignore the default naming of the Bait Files. But, you can change those how you wish to avoid that problem.

But, you have the option to create and use your own Bait Files. Bait Shares. Anything is possible, but the file names are all randomized, and are named in a variety of different ways that IMHO simulate the naming of files that would be present in somebody's work computer. Would any of the authors go through the trouble of trying to get around this plugin? Doubt it, but you never know.

> 1 hour ago, kjoconis said: Does this tell you the file or shares where items would be deleted?

On an attack, there is an attack log that does specify which particular file was attacked.

Best that I can say is that of the 2 users that I know of in this forum that have been hit with a ransomware attack (wannacry), neither one of them were running this plugin. I wish they were.

bjmcintosh, Posted July 2, 2017

Squid: I will chime in and give you a big 'thanks' for the plugin. Installed and seems to be working great on my rig.

One thing that would be nice - I would like to get an email whenever the system detects and sets the shared to read only. I see that there is the ability to run a custom script on detection. Would you or anyone else out there be able to knock up a quick email script that would work with GMail? I do not have the Linux chops to pull this off in any reasonable time. I figured if I had to do this myself, email would be obsolete by the time I was able to make it work. I figured it would be pretty trivial for someone to throw a script together. I am OK to make modifications to a script, but would like to see a sample.

Cheers, Brian (fellow Canuck, by the looks of your signature)

Squid (Author), Posted July 2, 2017

> 11 minutes ago, bjmcintosh said: One thing that would be nice - I would like to get an email whenever the system detects and sets the shared to read only. I see that there is the ability to run a custom script on detection.

Admittedly, I'm not in the "right frame of mind" at the moment, but I'm sure that it does that automatically without any option to disable. Assuming of course that you have set up notifications properly in unRaid.

> 13 minutes ago, bjmcintosh said: (fellow Canuck, by the looks of your signature)

trurl, Posted July 2, 2017

> 39 minutes ago, bjmcintosh said: I would like to get an email whenever the system detects

Do you not have unRAID Notifications set up? You really should and for a lot more reasons than just this plugin.

bjmcintosh, Posted July 2, 2017

Trurl - thanks for the reminder. Duh - did not have notifications set up at all. I will play with a ransomware file and, when triggered, I should see a notification.

Thx, Brian

PS: Squid - thanks for the Canada rant!

bjmcintosh, Posted July 3, 2017

I am going to use unbalance to move some files around and make room for a new disk in my array. Would it be easiest to shut down ransomware protection, then recreate bait files as if it is a new install?

Squid (Author), Posted July 3, 2017

> 2 hours ago, bjmcintosh said: I am going to use unbalance to move some files around and make room for a new disk in my array. Would it be easiest to shut down ransomware protection, then recreate bait files as if it is a new install?

Stop the service, then delete the files, then move, then recreate.

bjmcintosh, Posted July 3, 2017

Thanks - I figured this was the way to go. Thanks for the confirmation.

Brian

deeks, Posted July 17, 2017

Hi all,

When I stop the services I find the plugin is back on after reboot. How do I turn it off a little more permanently (other than uninstalling)?

Cheers, Deeks

Squid (Author), Posted July 17, 2017

Disable both the use shares and use bait files.

deeks, Posted July 17, 2017

Thanks for pointing this out, probably would not have found out to disable both options straight away.

Squid (Author), Posted August 7, 2017

> 5 minutes ago, kjoconis said: Hey Guys, Finally installed this plugin and so far so great. Question: I have bait file placement in all folders and shares but I don't see the files. I even chose to not hide bait files but they are still hidden. I would rather not see them but I just wanted to know that they are there. Like I said, I have bait files not hidden but they are still not showing... any thoughts? Thanks guys.

Is bait files enabled? Does bait files show as running? What does it state for number of bait files being monitored?

wgstarks, Posted August 7, 2017

> 2 minutes ago, kjoconis said: what commands?? Sorry for newbie question..

I think you posted this in the wrong thread.