[Plugin] Ransomware Protection - Deprecated


Squid

Popular Posts

Ransomware Protection   This plugin is a specialized type of anti-virus designed to detect if a ransomware malware attack is happening on your server, and upon detection either take the se

@Squid Fingers crossed he doesn't delete the thread to destroy the evidence..... 

The exact message is a generic "deprecated" message.   Basically, I don't use the plugin anymore, and don't believe that this is the correct approach.  A more pro-active system vs a reactive


24 minutes ago, neilt0 said:

Thanks for writing this. If I delete a bait file from a disk share (not user share), this doesn't trigger. Should it?

If you're only using bait shares, then 99.999% of the bait files only exist within /mnt/user/.... since they are all hardlinks to the 4 main files.   And yes, should you delete a bait file from /mnt/diskX instead of /mnt/user/... then the system will not pick it up because the fuse file system is never informed that a change happened on an individual disk.

 

Not really a downside, as there's very little reason to export disk shares over the network, and a network attack is how ransomware is going to attack.

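The watch-and-respond loop the post above describes, as an added example written for this thread; it is not the ransomware.bait plugin's own code. It assumes bait shares are exported as /mnt/user/zzz-* (the zzz- prefix Squid uses), that inotify-tools provides inotifywait, and that the immediate response is to record smbstatus and kick clients off the affected share with smbcontrol; those names and the response hook are illustrative choices, not the plugin's. Because the bait files are hardlinks reached through the FUSE mount, a write that goes through /mnt/diskN never produces an event here, which is exactly the limitation discussed above.

```shell
#!/bin/bash
# Added example for this thread, not the ransomware.bait plugin's own code.
# Assumptions (illustrative): bait shares are exported as /mnt/user/zzz-*, the
# inotify-tools package provides inotifywait, and the emergency response is to
# record smbstatus and force clients off the affected share with smbcontrol.

BAIT_ROOT="${BAIT_ROOT:-/mnt/user}"
BAIT_GLOB="${BAIT_GLOB:-zzz-*}"

# Classify one inotifywait line produced with --format '%w|%e|%f'.
# Prints "attack" for events that only a rewrite, delete or rename produces and
# "ignore" for noise: ATTRIB/OPEN/ACCESS on the share directory itself (a client
# merely listing or touching the share root) and Finder metadata files, which are
# dropped here by name so the directory itself can stay watched.
classify_event() {
    local line="$1" rest events file
    rest="${line#*|}"
    events="${rest%%|*}"    # comma-separated list, e.g. ATTRIB,ISDIR
    file="${rest#*|}"       # empty when the event is on the watched directory itself

    case "$file" in
        .DS_Store|._*) echo ignore; return 0 ;;
    esac
    case ",$events," in
        *,DELETE,*|*,DELETE_SELF,*|*,MOVED_FROM,*|*,MOVED_TO,*|*,CLOSE_WRITE,*|*,MODIFY,*)
            echo attack ;;              # bait rewritten, removed or renamed
        *,CREATE,*)
            # a new non-directory entry in a bait share, e.g. "report.docx.locked"
            case ",$events," in *,ISDIR,*) echo ignore ;; *) echo attack ;; esac ;;
        *)
            echo ignore ;;              # ATTRIB, OPEN, ACCESS, CLOSE_NOWRITE, ...
    esac
}

# Share name from the watched path, e.g. /mnt/user/zzz-bait/sub/ -> zzz-bait
share_of() {
    local p="${1#"$BAIT_ROOT"/}"
    printf '%s\n' "${p%%/*}"
}

# Bait files under /mnt/user are hardlinks to a few master files (as Squid explains
# above), so a write made through /mnt/diskN never reaches the FUSE layer this watch
# sees. The link count lets you confirm a bait file really is one of those links.
link_count() {
    stat -c %h "$1" 2>/dev/null || echo 0
}

respond() {
    local line="$1" share
    share=$(share_of "${line%%|*}")
    logger -t ransomware-example "possible attack on share $share: $line"
    smbstatus 2>/dev/null | logger -t ransomware-example   # who was connected
    # Kick every client off that share. Clients may reconnect, so the durable
    # step is still to make the shares read-only, which is what the plugin does.
    smbcontrol smbd close-share "$share" 2>/dev/null
}

monitor() {
    # -r also watches subdirectories created later, so new bait folders are covered.
    inotifywait -m -r -q --format '%w|%e|%f' "$BAIT_ROOT"/$BAIT_GLOB |
    while IFS= read -r line; do
        if [ "$(classify_event "$line")" = attack ]; then
            respond "$line"
            break
        fi
    done
}

# Only start watching when explicitly asked, so the functions can be sourced and tested.
if [ "${1:-}" = run ]; then
    monitor
fi
```

Run it as `./bait-watch.sh run` under a screen session to see it react; the classifier treats an ATTRIB on a directory as noise on purpose, since a client opening the share root produces exactly that and a destructive process produces CLOSE_WRITE, DELETE or MOVED_* on the bait files themselves.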
1 hour ago, Squid said:

Myself, I only use bait shares.  Set up as a prefix of zzz-Squidbait placed altogether in the list.  And I don't recreate on stop / start.

 

Exactly what I'm running. 

10 hours ago, Squid said:

If you're only using bait shares, then 99.999% of the bait files only exist within /mnt/user/.... since they are all hardlinks to the 4 main files.   And yes, should you delete a bait file from /mnt/diskX instead of /mnt/user/... then the system will not pick it up because the fuse file system is never informed that a change happened on an individual disk.

 

Not really a downside, as there's very little reason to export disk shares over the network, and a network attack is how ransomware is going to attack.

 

I do export disk shares over the LAN as I like to have all my (for example) Radio files on disk1.

 

When triggering this, it has also made all the disk shares read only, including the cache share. That can't be right? How do I make at least the cache share writeable?

2 hours ago, neilt0 said:

 

I do export disk shares over the LAN as I like to have all my (for example) Radio files on disk1.

TBH, you're better off not doing that, as if the equivalent user share is also exported and you happen to mess up and copy a file from the disk share to the user share, the file just got corrupted.

56 minutes ago, Squid said:

Just restore smb permissions. There may still be an issue where the comment says it's not writeable but it still is.

Sent from my LG-D852 using Tapatalk
 

How do I restore SMB permissions? The plugin didn't do it when I "OK"'d the ransom activation, My server is kinda borked now. :-)

41 minutes ago, Squid said:

TBH, you're better off not doing that, as if the equivalent user share is also exported and you happen to mess up and copy a file from the disk share to the user share, the file just got corrupted.

No, I know what I'm doing and have used disk shares since 2009. ;-)

51 minutes ago, Squid said:

As soon as you go into the settings for Ransomware, there's a button that says Restore SMB permissions

I know. It didn't work! :D o.O

 

It has given me a prompt to tidy up my shares, so I've done that and am exporting my SMB disk shares as hidden and secure. In theory, ransomware could find the disk shares, but I think they're reasonably protected?

Edited by neilt0
I know. It didn't work!  
 
It has given me a prompt to tidy up my shares, so I've done that and am exporting my SMB disk shares as hidden and secure. In theory, ransomware could find the disk shares, but I think they're reasonably protected?

I'd have to see the diagnostics before you reboot to try and see what went wrong. After that you can reset the permissions manually on the shares tab.

Sent from my LG-D852 using Tapatalk

8 hours ago, squirrellydw said:

So can I ignore certain files, for example .ds_store files and all the dot Apple files?  I have a plugin running that deletes them and today all my shares were read only because your plugin works too well. :)

Under bait files, there's no problem

 

With bait shares, there are 2 issues with excluded files

 

#1 - The memory requirements to implement a watch on every file is immense.  IIRC during my testing, inotifywait did not send an event if a linked file was deleted (i.e. encrypted / re-written, and the source removed).  Because of that an attack cannot be detected unless every single file is watched or the directory is simply watched for any changes.

#2 - The response time for inotifywait decreases with every additional file being watched.

 

(As an aside, I just tried it and simply creating a .ds_store file will trigger an attack because of the change in the folder)

 

I have no clue under what circumstances Finder creates those files, but I believe I have seen in the forums here instructions on how to stop finder from creating them in the first place.

 

I really don't know what to say beyond stop your script from deleting them from bait shares, or stop Finder from creating them in the first place.  But no matter what, always keep in mind that this plugin is the last emergency line of defense (for the files on the server only), and to always take the necessary precautions on all your other networked devices to prevent any ransomware attack from happening in the first place.  The attack won't originate from the server, but from another networked device, and it's highly probable that all the files on that particular device will be trashed no matter what.

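To put numbers on the two issues Squid lists above, here is an added example (written for this thread, not the plugin's code). An inotify watch is per inode, so excluding individual files forces one watch per file instead of one per directory, and whichever strategy is used has to fit under the kernel's per-user limit in fs.inotify.max_user_watches. The paths are illustrative; run it against a real bait tree to see whether per-file watching is even affordable (the log posted later in this thread shows 325,300 bait files, far beyond the long-standing default limit of 8192).

```shell
#!/bin/bash
# Added example, not the plugin's code. It puts numbers on the two points above:
# an inotify watch is per inode, so excluding individual files means one watch
# per file instead of one per directory, and the total has to fit under the
# kernel's per-user limit. Paths are illustrative.

# Per-user watch limit (Linux); the fallback is the long-standing default.
inotify_limit() {
    cat /proc/sys/fs/inotify/max_user_watches 2>/dev/null || echo 8192
}

# Watches a tree needs: one per directory for directory watches, one per
# file for per-file watches.
watch_cost() {
    local root="$1" mode="$2" n
    case "$mode" in
        dir)  n=$(find "$root" -type d 2>/dev/null | wc -l) ;;
        file) n=$(find "$root" -type f 2>/dev/null | wc -l) ;;
        *)    n=0 ;;
    esac
    echo $((n))     # arithmetic expansion strips wc's padding
}

# True when COST leaves 10% headroom under LIMIT for other inotify users on the box.
fits_budget() {
    [ "$1" -lt $(($2 * 9 / 10)) ]
}

# Summarise a bait tree and say which watch strategy is affordable.
# Each watch also pins roughly 1 KiB of kernel memory on 64-bit kernels (an
# estimate), so the file-watch figure doubles as a rough memory estimate in KiB.
report() {
    local root="$1" limit dirs files
    limit=$(inotify_limit)
    dirs=$(watch_cost "$root" dir)
    files=$(watch_cost "$root" file)
    printf 'limit=%s dir-watches=%s file-watches=%s\n' "$limit" "$dirs" "$files"
    fits_budget "$dirs" "$limit" ||
        echo "directory watches exceed budget: raise fs.inotify.max_user_watches"
    fits_budget "$files" "$limit" ||
        echo "per-file watches (needed for exclusions) exceed budget on this tree"
}

if [ -n "${1:-}" ]; then
    report "$1"
fi
```

Usage: `./watch-budget.sh /mnt/user/zzz-Squidbait`. Directory watches scale with the number of folders in the bait tree, which is why a directory-level watch is workable where a per-file one is not; the trade-off is the one Squid describes, any change in the folder, including a new .DS_Store, counts as a hit.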
2 hours ago, Squid said:

I have no clue under what circumstances Finder creates those files, but I believe I have seen in the forums here instructions on how to stop finder from creating them in the first place.

Add this to the SMB extra configuration:


veto files = /._*/.DS_Store/

This will stop OS X from creating .DS_Store files via Samba.

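An added example (not the plugin's or Samba's code) for checking what the veto list above will actually catch before relying on it: Samba's `veto files` value is a list of entries separated by `/`, each entry a shell-style pattern, so `._*` catches AppleDouble resource forks and `.DS_Store` the Finder index. The matcher below reproduces that rule; it assumes case-insensitive matching, which is Samba's default unless the share sets `case sensitive = yes`. It also prints the configuration with `delete veto files = yes`, because with the default a directory that holds nothing but vetoed files cannot be deleted over SMB even though the client sees it as empty.

```shell
#!/bin/bash
# Added example, not the plugin's or Samba's code. It shows how a Samba
# "veto files" list is matched (entries separated by "/", shell-style wildcards),
# so you can check a name against the list before relying on it, and prints the
# extra configuration with the companion setting a practitioner would add.
# Assumption: matching is case-insensitive, Samba's default unless the share
# sets "case sensitive = yes".

VETO_LIST="${VETO_LIST:-/._*/.DS_Store/}"

# Return 0 when NAME matches an entry of LIST (default: VETO_LIST).
is_vetoed() {
    local name="$1" list="${2:-$VETO_LIST}" rest entry lname lentry
    lname=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
    rest="${list#/}"; rest="${rest%/}"          # drop the outer separators
    while [ -n "$rest" ]; do
        entry="${rest%%/*}"                      # next entry up to the separator
        case "$rest" in */*) rest="${rest#*/}" ;; *) rest="" ;; esac
        [ -n "$entry" ] || continue
        lentry=$(printf '%s' "$entry" | tr '[:upper:]' '[:lower:]')
        # unquoted on purpose: "*" and "?" in the entry act as wildcards
        case "$lname" in $lentry) return 0 ;; esac
    done
    return 1
}

# The SMB extra configuration. "delete veto files" matters because with the
# default (no) a directory that holds nothing but vetoed files cannot be removed
# over SMB: the delete fails even though the client sees an empty directory.
smb_extra_conf() {
    cat <<'EOF'
veto files = /._*/.DS_Store/
delete veto files = yes
EOF
}

if [ $# -gt 0 ]; then
    for n in "$@"; do
        if is_vetoed "$n"; then echo "$n: vetoed"; else echo "$n: visible"; fi
    done
fi
```

Usage: `./veto-check.sh .DS_Store ._photo.jpg report.docx` prints which names the list hides. Note that a vetoed name is hidden from all SMB clients, not just Macs, and the veto applies to every share when placed in the global extra configuration; existing .DS_Store files on disk are not removed, only made invisible.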

hi, I'm having a spot of trouble getting this working.

I can get everything setup correctly (I've gone with a bit of file shares and a bit of files in existing shares), but as soon as I start the service, I get told I'm under attack and it immediately shuts down the SMB service.

 

It looks like one of the shares is triggering, but unsure why - I've tried a couple of times now.

 

If I only use the file bait service, it seems to run fine.

May 18 13:12:34 DEMETER root: ransomware protection:Creating bait files, root of shares only
May 18 13:12:34 DEMETER root: ransomware protection:Creating Folder Structure
May 18 13:12:35 DEMETER root: ransomware protection:Total bait files created: 40
May 18 13:12:35 DEMETER root: ransomware protection:Starting Background Monitoring Of Bait Files
May 18 13:12:43 DEMETER root: ransomware protection:Creating Bait Files
May 18 13:13:25 DEMETER root: ransomware protection:Bait Files Created: 54350 (1294/second) Completed: 16%
May 18 13:13:59 DEMETER root: ransomware protection:Bait Files Created: 108500 (1427/second) Completed: 33%
May 18 13:14:37 DEMETER root: ransomware protection:Bait Files Created: 163000 (1429/second) Completed: 50%
May 18 13:15:13 DEMETER root: ransomware protection:Bait Files Created: 217250 (1448/second) Completed: 66%
May 18 13:15:47 DEMETER root: ransomware protection:Bait Files Created: 271100 (1473/second) Completed: 83%
May 18 13:16:25 DEMETER root: ransomware protection:Bait Files Created: 325300 (1465/second) Completed: 100%
May 18 13:16:26 DEMETER root: ransomware protection:Starting Background Monitoring of Baitshares
May 18 13:16:51 DEMETER root: ransomware protection:ATTRIB,ISDIR
May 18 13:16:51 DEMETER root: ransomware protection:..
May 18 13:16:51 DEMETER root: ransomware protection:Possible Ransomware attack detected on file /mnt/user/xFileBater-fell/
May 18 13:16:51 DEMETER root: ransomware protection:SMB Status:
May 18 13:16:51 DEMETER root: ransomware protection:
May 18 13:16:51 DEMETER root: ransomware protection:Samba version 4.5.7
May 18 13:16:51 DEMETER root: ransomware protection:PID Username Group Machine Protocol Version Encryption Signing
May 18 13:16:51 DEMETER root: ransomware protection:----------------------------------------------------------------------------------------------------------------------------------------
May 18 13:16:51 DEMETER root: ransomware protection:23510 extrobe users 192.168.0.93 (ipv4:192.168.0.93:50187) SMB3_11 - partial(AES-128-CMAC)
May 18 13:16:51 DEMETER root: ransomware protection:
May 18 13:16:51 DEMETER root: ransomware protection:Service pid Machine Connected at Encryption Signing
May 18 13:16:51 DEMETER root: ransomware protection:---------------------------------------------------------------------------------------------
May 18 13:16:51 DEMETER root: ransomware protection:backups 23510 192.168.0.93 Thu May 18 13:14:53 2017 BST - -
May 18 13:16:51 DEMETER root: ransomware protection:
May 18 13:16:51 DEMETER root: ransomware protection:No locked files
May 18 13:16:51 DEMETER root: ransomware protection:
May 18 13:16:51 DEMETER root: ransomware protection:Deleting the affected shares
May 18 13:16:51 DEMETER root: ransomware protection:Deleting /mnt/user/xFileBater-fell/
May 18 13:17:15 DEMETER root: ransomware protection:Starting Background Monitoring of Baitshares
May 18 13:18:54 DEMETER root: ransomware protection:Resetting SMB permissions to normal per user selection
May 18 13:19:52 DEMETER root: ransomware protection:Stopping the ransomware protection service (15743)

 

Edited by extrobe
32 minutes ago, Darksurf said:

What application are we using here? Is there a specific application this plugin is using or is this built from the ground up for Unraid? Is there a git or anything for this?

It's tailored to unRaid, and takes the approach of waiting for an attack to happen against certain files and when that happens stops all SMB write access regardless of how inconvenient that may be to you.  i.e. it's your absolute last line of defense, and should never be your first and/or only...

 

https://github.com/Squidly271/ransomware.bait/

11 hours ago, extrobe said:

hi, I'm having a spot of trouble getting this working.

I can get everything setup correctly (I've gone with a bit of file shares and a bit of files in existing shares), but as soon as I start the service, I get told I'm under attack and it immediately shuts down the SMB service.

 

It looks like one of the shares is triggering, but unsure why - I've tried a couple of times now.

Give me the diagnostics for when this happens.  There are 2 other lines that are logged in the syslog that aren't logged in the RP logs.


So everything seems to be running fine now that I added this "veto files = /._*/.DS_Store/" but I have two questions.

 

Should all the squidbait shares be public, or is it better to have them as Secure?

 

My Disk shares say Read Only Mode; is that correct?  If not, how do I fix it?  Thanks

disk.jpeg
