• [Samba] Veto files used to allow only one extension to be written to th

    From Tácio Andrade via@21:1/5 to All on Thu Mar 16 04:00:01 2017
    Good night.

    I am looking for a way so that in my backup share it is possible to only write
    files in the format of the application that I use to execute the backup routines. For this I searched the internet for a solution that works like
    Allow Files; however, it is complicated to find.

    Talking on forums, a user informed me that he could use the following
    parameter in smb.conf; however, in my tests it did not work.

    veto files = /!*.doc/

    Could anyone tell me if there really is any way to do it?


    Sincerely, Tácio Andrade. IT Consultant at MultiTI.com.br
    --
    To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Tácio Andrade via@21:1/5 to All on Sat Mar 18 11:00:02 2017
    Anyone know anything about it? I found a list with all the extensions used
    by ransomware at the moment, but there are almost 800, and with that amount I think I will have problems using the veto files, as well as the red tape of updating them.

    Please, if anyone knows anything about it, please share.


  • From Andrew Walker via samba@21:1/5 to samba@lists.samba.org on Mon Mar 20 13:40:01 2017
    What's your goal with this? Is it to prevent ransomware attacks on a samba share that hosts your backups?

    I think that trying to veto every type of ransomware file is the wrong
    approach to take. Newer versions randomize the file names and extensions. Ultimately, this approach falls into the category of doing security by trying to 'enumerate badness':
    http://www.ranum.com/security/computer_security/editorials/dumb/
    Obviously, computer security has moved along quite a ways since Marcus Ranum wrote
    that (now there are security puppy-mills, swanky icons, red bull?, theme songs,
    and products galore), but if something was a bad idea in 2000 it's probably still a bad idea today.

    A better approach (in very broad strokes) is probably:
    1) client hardening [prevent the attack from happening]
    2) secure server configuration [in this case, don't let users (or
    misbehaving applications) trash your backups]
    3) get the ability to detect and stop an attack [there are various products that claim to do this]
    4) backups! [these should be quick to get at and restore. ZFS is very nice
    in this regard.]

    It seems like you're wanting to do (2). I just don't see "veto files" in
    this case being the right solution. Perhaps this means adjusting how your network is designed (keep backups on a separate network segment from your client systems). Perhaps this means setting up a separate samba share that
    can only be accessed by the backup application. I believe that ransomware attacks execute with whatever privileges the user inadvertently executing
    the thing (malicious website, pe / js file, macro, cat video, etc.) has.

    TL;DR, don't let users write to the share that has your backups.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
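
The "separate samba share that can only be accessed by the backup application" advice in the last reply, sketched as an smb.conf fragment. This is an added example, not configuration posted by anyone in the thread; the share names, the path /srv/backup, the account name backupsvc and the address 192.0.2.10 are assumptions.

```ini
# BEFORE (weak): every authenticated user may write to the backup share,
# so malware running with a user's privileges can overwrite the backups.
# "veto files" is a deny list of name patterns (* and ? wildcards); it has
# no "everything except" form, so it cannot serve as an allow list, and a
# list of known-bad extensions misses randomized names.
[backup-weak]
    path = /srv/backup
    read only = no
    veto files = /*.locked/*.encrypted/

# AFTER (hardened): only the backup application's dedicated account,
# connecting from the backup host, can reach the share at all.
# backupsvc, /srv/backup and 192.0.2.10 are assumed example values.
[backup]
    path = /srv/backup
# Do not advertise the share in browse lists.
    browseable = no
    guest ok = no
# Only this account may connect; ordinary user accounts are refused.
    valid users = backupsvc
# Read-only by default, writable only for the backup account.
    read only = yes
    write list = backupsvc
# Restrict by source address as well as by account.
    hosts allow = 192.0.2.10
    hosts deny = 0.0.0.0/0
# Files and directories created over SMB are private to the owner.
    create mask = 0600
    directory mask = 0700
```

The directory on disk should also be owned by the backup account with mode 0700, so the restriction does not rest on Samba alone; `testparm -s` checks the file for syntax errors before the service is reloaded.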