[Solved] How to synchronize samba server?

Hi,
In our small office LAN, there is a samba file server running on a Windows server. We recently were attacked by ransomware. To protect the data on the samba server, I'm thinking of setting up another FreeBSD machine to synchronize the data on the samba server on a daily basis, say 12 o'clock midnight. I don't want the sync server to be exposed to any other users, only open a few ports: one to the samba server, ssh, not sure what else. It would be better if the samba server won't see the sync server, at least not easily, so in case the samba server is hacked, the damage won't spread to the sync server.
Not looking for a rock solid fancy professional solution. We are a very small business. I'm not from IT, but am the one guy who may be capable of doing this IT stuff. So something simple and affordable (in money and time) is what I'm looking for.
 
Use a combination of rsync, ssh, and UFS or ZFS snapshots (optional).
The backup server can sync the directory tree from the 'master server' using rsync, rsyncd, or rsync over ssh.
You should not run samba on the backup server if you don't need it right now.
You can configure the backup server to have no ports open for LISTENING if the backup server originates the connection to the master.

Also:
The backup server should have the possibility to restore a few previous versions of your files, so I advise you to have enabled and tuned one of:
* snapshots
* rsync's backup directories
* hardlinked destination directory (time machine on hardlinks with rsync).
 
Thanks. Just checked the man page of rsync. It's long. Looks very challenging for my knowledge level. I'll look into it when I have time.
Just a simple question at the moment: does rsync work like a cloud server, where only the changes on the file server will be synced?
 
Be careful with that!

Simply duplicating everything to a second single server will not help you.
If you don't know you have been hit, any ransomware is simply duplicated on the 'backup' server, which is then no longer useful.

You need a real backup system with some form of version/generation backup so you can return the status to something like "two days ago".

If your Windows/samba server was running FreeBSD or Linux I would suggest something like borgbackup.
 
ZFS snapshots + rsync are probably your best bet.
Also set a honeypot document on each of the shares and check its sha256 from cron every half an hour or so.
If it does not match, block everything / ring the alarm.
Also audit file writes so you can tell where the malware came in from in the first place.
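One way to script the honeypot check described in this post, as an added example (it is not the poster's own cron job). It assumes a list of canary paths and a baseline file at made-up locations. Content hashes are compared, not mtimes, so a file that is rewritten with its timestamp preserved is still caught, and a deleted canary alarms too. The "block everything" action here stops the samba_server service; replace it with whatever fits (a pf table entry, zfs set readonly=on).

```shell
#!/bin/sh
# Canary (honeypot) document check, run from cron every 30 minutes on the
# file server. Each canary's SHA-256 is compared against a stored baseline;
# any mismatch means something rewrote a file nobody should ever touch.
# Assumed paths (illustration only): CANARY_LIST names one file per line,
# BASELINE holds "<sha256> <path>" lines written by the "init" action.
set -eu

CANARY_LIST="${CANARY_LIST:-/usr/local/etc/canaries.txt}"
BASELINE="${BASELINE:-/var/db/canaries.sha256}"

# SHA-256 of file $1 as a bare hex string; works on FreeBSD, Linux and macOS.
file_digest() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# 0 if file $1 still hashes to $2; 1 if it changed or disappeared
# (a deleted canary is as bad as an encrypted one).
check_canary() {
    [ -f "$1" ] || return 1
    [ "$(file_digest "$1")" = "$2" ]
}

# Verify every entry of baseline file $1; print the paths that failed and
# return 1 if any did, 0 if all canaries are intact.
verify_baseline() {
    bad=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        check_canary "$path" "$sum" || { echo "$path"; bad=1; }
    done < "$1"
    return $bad
}

# "Block everything / ring the alarm": stop serving shares and page someone.
alarm() {
    logger -p daemon.crit -t canary "canary changed: $1 -- stopping samba"
    service samba_server stop
    printf 'Canary changed on %s: %s\n' "$(hostname)" "$1" | mail -s "RANSOMWARE ALERT" root
}

case "${1:-}" in
    init)   # record the baseline from the canary list (run once, after placing the files)
        : > "$BASELINE"
        while read -r path; do
            printf '%s %s\n' "$(file_digest "$path")" "$path" >> "$BASELINE"
        done < "$CANARY_LIST" ;;
    check)  # cron:  */30 * * * * /usr/local/sbin/canary.sh check
        failed=$(verify_baseline "$BASELINE") || alarm "$failed" ;;
esac
```

Place the canaries where ransomware enumerates first (share roots, and a name that sorts early such as "AAA_do_not_delete.docx"), and keep the baseline on a path the share users cannot write to.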
 
That is what we do:
*) make a ZFS snapshot every 10 minutes using zfsnap2 with a time-to-live of 7 days. Sync all snapshots to a failover system which provides the same shares but with the read-only option.
*) the samba audit log is activated and followed by a process that scans for well-known crypto file extensions: in case such a file is created, the IP address is locked. Also: if more than 100 files changed within 2 snapshots, an emergency alert is sent to the opsec team.
*) in the evening when no one is in the office, the snapshots older than 7 days are deleted

zrepl is also a nice tool to evaluate for a similar solution.
 
My suggestion: nuke the Windows server (at least for fileshares) and use samba (in a jail) on FreeBSD /w ZFS as a backing storage.

We are snapshotting all samba shared datasets every 10 minutes and afterwards a script compares the "WRITTEN" size of the latest and previous snapshot (i.e. the amount of changed blocks between those two points in time) and if this value exceeds a given limit (5GB for most of our datasets/shares), it triggers an alert and remounts the given dataset read-only.
In essence, this catches if some crypto-ransomware is rewriting (or if someone/-thing is deleting a lot of) data on those shares and stops it in its tracks. After identifying and removing the responsible client from the network (and running AV full-scans on all others), just roll back to the last 'known good' snapshot and call it a day.

I tested this with some file-based encryption tool on a dummy dataset and it worked as expected - the only times this actually triggered in production, was someone fat-fingering the deletion of some file and trying to wipe the whole share instead (TWICE!).


With ZFS on the main samba server you can easily zfs send|recv the incremental snapshots at relatively short intervals (we're doing something between 1 and 6h depending on the actual importance and/or amount of changing data). And on top of send|recv'ing to your backup server(s), you can as well send those incrementals to a hot-standby samba server/jail, which you spin up (or whose samba daemon you start) if the primary one has any issues (or is being updated). If you don't have 24/7 constant IO to those SMB shares, this can be easily managed manually without anyone noticing...
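The incremental send|recv from this post, and the "sync all snapshots to a failover system" step mentioned earlier, as an added example that is not the poster's own tooling: the backup host pulls over ssh, works out the newest snapshot both sides have in common, and receives everything after it with `zfs send -I`. The host name, the ssh account and the dataset names are assumptions.

```shell
#!/bin/sh
# Incremental snapshot replication, pulled by the backup host over ssh.
# The backup host lists the primary's snapshots, finds the newest one it
# already holds, and receives the snapshots created since then. Names below
# are illustrative; the ssh account must be allowed to run "zfs list" and
# "zfs send" on the primary (zfs allow, or sudo with a restricted command).
set -eu

PRIMARY="${PRIMARY:-backup@fileserver}"
SRC_DS="${SRC_DS:-tank/samba}"
DST_DS="${DST_DS:-backup/samba}"

# Snapshot suffixes (the part after "@") of dataset $1, oldest first, one per line.
snap_list() { zfs list -H -t snapshot -o name -s creation -d 1 "$1" | sed 's/.*@//'; }

# Newest name present in both newline-separated lists $1 (local) and
# $2 (remote, oldest first). Prints nothing if there is no common snapshot.
common_snap() {
    { printf '%s\n' "$1"; echo "--"; printf '%s\n' "$2"; } | awk '
        $0 == "--"   { second = 1; next }
        !second      { have[$0] = 1; next }
        ($0 in have) { last = $0 }
        END          { if (last != "") print last }'
}

# Last line of a newline-separated list (the newest snapshot).
newest_of() { printf '%s\n' "$1" | tail -n 1; }

# Decide what to transfer, given local list $1 and remote list $2:
# "full <latest>", "incr <base> <latest>", "uptodate" or "nosnaps".
plan() {
    latest=$(newest_of "$2")
    [ -n "$latest" ] || { echo "nosnaps"; return 0; }
    base=$(common_snap "$1" "$2")
    if [ -z "$base" ]; then echo "full $latest"
    elif [ "$base" = "$latest" ]; then echo "uptodate"
    else echo "incr $base $latest"
    fi
}

main() {
    local_list=$(snap_list "$DST_DS" 2>/dev/null || true)   # empty on first run
    remote_list=$(ssh "$PRIMARY" zfs list -H -t snapshot -o name -s creation -d 1 "$SRC_DS" | sed 's/.*@//')
    # Snapshot names cannot contain whitespace, so word splitting is safe here.
    # shellcheck disable=SC2046
    set -- $(plan "$local_list" "$remote_list")
    case "$1" in
        full)     ssh "$PRIMARY" zfs send -R "$SRC_DS@$2" | zfs recv -u -F "$DST_DS" ;;
        incr)     ssh "$PRIMARY" zfs send -R -I "@$2" "$SRC_DS@$3" | zfs recv -u -F "$DST_DS" ;;
        uptodate) ;;
        nosnaps)  echo "no snapshots on $PRIMARY:$SRC_DS" >&2; return 1 ;;
    esac
    # The copy is never written by clients, even when shared read-only from here.
    zfs set readonly=on "$DST_DS"
}

# cron on the backup host, e.g. every hour:  0 * * * * /usr/local/sbin/zfs-pull.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

`zfs recv -F` rolls the destination back to its newest snapshot before applying the stream, so a stray local change cannot make the receive fail; `-u` keeps the received dataset from being mounted automatically. Because the backup host initiates the ssh session and the primary has no credentials for it, a compromised file server cannot reach the copies.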
 
I have an Excel file as honeypot; the "cool" thing is that if someone opens it and closes it without modifying it, Excel still changes it but PRESERVES the file mtime.
Had some false alarms because of it.
 

Rsync really is one of the best tools for a cross-platform / cross-filesystem repeated replication process. The man page is long, but that's because it has so many features you can tweak just how you want, but a simple "make sure everything new in src is now updated in dst" boils down to rsync -a src dst (-a == "Archive": turns on the most common flags). Do take the time to figure out your command, use the --dry-run option to make sure it is doing what you want. Be sure to read the paragraph that starts with "A trailing slash" to avoid one common point of confusion.

Other options you will likely want include --delete (remove files in dst that are no longer in src) and -v (verbose). If you mount your Windows share (note the samba version in ports has progressed to samba416) to use as src on the FreeBSD "backup system", you won't need to install anything on Windows.

If your dst is a ZFS filesystem, use auto-snapshotting (I like sysutils/zfstools, but there are other options) to provide a history of your filesystems that isn't modifiable from userspace (anything can be corrupted by a user with root access). This way even if your src gets encrypted/otherwise corrupted by an attacker, the original versions are safe in your snapshots, even when your nightly rsync overwrites/updates them with the bad versions in the mounted filesystem (Murphy says this would happen before you notice the attack).

As others have mentioned, if you were to replace your windows server with FreeBSD + ZFS + SAMBA, then you could do zfs send/recv, which is wonderful for this task, but if you've never run a FreeBSD SAMBA server, that's a much larger undertaking than simply mounting the share and figuring out the rsync command line.
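A pull-based rsync script with daily hardlinked generations, as an added example that is not from any post in this thread. It implements the "time machine on hardlinks with rsync" suggested earlier (the backup host originates every connection, pulls from a mounted share or over ssh, and uses --link-dest so unchanged files are hardlinks rather than copies) together with the command-line points above: -a, --delete, --dry-run and the trailing slash on the source. The paths, the generation naming and the 30-day retention are assumptions.

```shell
#!/bin/sh
# Pull-style rsync backup with one hardlinked generation per day.
# Runs on the FreeBSD backup host, which initiates the transfer; the file
# server needs nothing installed and never connects to the backup host.
# Assumed layout (illustration only): SRC is a locally mounted SMB share or
# an rsync-over-ssh source such as user@fileserver:/srv/share/; BACKUP_ROOT
# gets one directory per day, e.g. /backup/fileserver/2024-05-01.
set -eu

SRC="${SRC:-/mnt/fileserver/}"        # trailing slash: copy the CONTENTS of SRC
BACKUP_ROOT="${BACKUP_ROOT:-/backup/fileserver}"
KEEP_DAYS="${KEEP_DAYS:-30}"

# Today's generation directory name, e.g. 2024-05-01.
gen_name() { date +%Y-%m-%d; }

# Newest existing generation under $1 (empty if none); it becomes the
# --link-dest reference so files unchanged since then cost no extra space.
latest_gen() {
    ls -1d "$1"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] 2>/dev/null | sort | tail -n 1
}

# Print the rsync arguments for src $1 -> dst $2, link-dest $3 ("" = none),
# dry-run flag $4 (1 = only report what would change).
#   -a        archive: recursion, permissions, times, symlinks, owner/group
#   --delete  drop files in dst that vanished from src (yesterday's
#             generation still holds them, so nothing is lost)
build_rsync_args() {
    args="-a --delete --numeric-ids"
    [ "$4" = 1 ] && args="$args --dry-run -v"
    [ -n "$3" ] && args="$args --link-dest=$3"
    printf '%s %s %s\n' "$args" "$1" "$2"
}

# Remove generations older than $2 days below $1. Hardlinked files survive
# as long as any newer generation still references them.
prune_old() {
    find "$1" -maxdepth 1 -type d -name '[0-9][0-9][0-9][0-9]-*' -mtime "+$2" -exec rm -rf {} +
}

main() {
    dry="${DRY_RUN:-0}"
    dst="$BACKUP_ROOT/$(gen_name)"
    prev="$(latest_gen "$BACKUP_ROOT")"
    mkdir -p "$dst"
    # Paths without whitespace are assumed, so plain word splitting is acceptable.
    # shellcheck disable=SC2046
    rsync $(build_rsync_args "$SRC" "$dst/" "$prev" "$dry")
    [ "$dry" = 1 ] || prune_old "$BACKUP_ROOT" "$KEEP_DAYS"
}

# First try:  DRY_RUN=1 /usr/local/sbin/pull-backup.sh --run
# cron:       0 0 * * * /usr/local/sbin/pull-backup.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

If BACKUP_ROOT is a ZFS dataset, a snapshot taken after each run (the zfstools approach above) gives a second, root-proof layer on top of the generation directories; the generations alone already let you pick any day's version of a file with plain cp.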
 
In addition to `rsync -a` you should generally use -H (hardlinks) and -S (sparse) to replicate Unix to Unix file trees. Of course they don't matter if one of the sides is SMB.
 
samba file server running on a Windows server
Please explain more about your current configuration.
Do you use FreeBSD with samba as a virtual machine on the Windows server?
Then just enable UFS or ZFS snapshots on FreeBSD. It may be a first level of protection for your files.
After that, try to build and sync a second backup server. Rsync is really easy to use for your task.
 
It's samba running on a Windows 2008 server, not a virtual machine on any other system.

 
Thanks to all for the valuable replies.

The more I think of this case, the more I figure I need to do. The big plan could be (I'm just thinking out loud):
File server - replace it with a pure FreeBSD system. Most likely ZFS. To share in the LAN, NFS or samba? I suppose the data volume won't be more than 2T in 5 years. Which RAID?
Firewall - right now it is weak. I could use an old machine and install FreeBSD with PF or IPFW. Can a properly configured firewall protect the office LAN from network attacks like ransomware? Would using services like RDP from outside be safe? We have VPN as we have two other offices in different towns. Would tweaking the firewall for VPN be a challenge?
Backup server - If I'm to install it, I would sync not only the file server, but also some important workstations (Windows) in the LAN.

Also need to consider, would maintenance be easy? What if I leave this place and nobody knows anything about FreeBSD?

All these are interesting topics. But I only have limited experience using FreeBSD as a desktop. I believe each of them would take me a lot of time, and I believe I should start from spare hardware to practise the installation, configuration, tweaking, tuning etc., both of which I probably don't have at the moment.

Again, these are interesting, especially for me who plays FreeBSD as hobby, but I must think it through before taking actions.
 
It's samba running on a Windows 2008 server, not a virtual machine on any other system.
Is it really samba? Are you talking about Windows shared folders?
Both use the same protocol, but usually "samba" runs on Unix-like systems, not on Windows (or I have missed something).
If you want to have an additional reliable backup of Windows directories, then you can use Windows-only solutions, if that is convenient for you.
Windows Server 2008 includes the console tool "robocopy". It can sync files and directories locally or via "Windows shared folders".
Robocopy has enough options for synchronization of files. It supports copying all file info like NTFS permissions, ACLs, etc.
Just buy one or a few USB HDDs, and sync files to them. If it is possible to have more than one backup HDD, use the next one for the next backup.
Of course, you can use robocopy to sync a Windows directory to another Windows machine, and physically disconnect the target when the backup is completed.
 
Would FreeNAS be viable option for file server? Could it work out of box with only a few tweaks?
 
It is possible to have a file server on FreeBSD with samba,
but you will have more work if you are using Active Directory and want to integrate samba in your existing Active Directory domain.
If you manage a large network and your WS2008 is licensed, then use it "as is", but have external backups and check their consistency.

If you willing to setup a fileserver on FreeBSD:
Which RAID?
RAID1, of course.

Can a properly configured firewall protect the office LAN from network attacks like ransomeware?
No.
Learn about enforcing "Software Restriction Policies" or "AppLocker" on your Windows workstations.
When properly configured, they can protect Windows PCs from the most popular threats, including ransomware.
It is not a replacement for an antivirus solution, but strongly improves on it.
Would using services like RDP from outside be safe?
In my opinion, no. It is considered not safe without VPN. There have been a lot of security holes related to RDP during the past few years.

What if I leave this place and nobody knows anything about FreeBSD?
FreeBSD will be wiped, and someone will install windows instead :)
But if you make a simple reliable solution (without integration with A.D., for example), it will run as long as possible and will not cause any problems at all.

who plays FreeBSD as hobby.
Enjoy!
 
Yes. I use smbfs on FreeBSD to mount those share folders.
This just means these are SMB shares. It doesn't mean the server is running samba. It wouldn't make any sense to run samba on Windows (because SMB is the "native" network share protocol on Windows), and I doubt it's even possible.

Your remark unfortunately is also a red flag. FreeBSD's smbfs only knows the old SMBv1 protocol, which is inherently insecure and should never be used (so, it's more or less useless nowadays). Therefore, if you can use it, your Windows server allows SMBv1, which it certainly should not.
 
I stand corrected.
 
*) make a zfs snapshot every 10 minutes using zfsnap2 with a time-to-live of 7 days. sync all snapshots to a failover system which is providing the same shares but with read-only option.
How to make these shares read-only?

*) the samba audit log is activated and followed by a process that scans for well-known crypto file extensions: in case such a file is created, the IP address is locked.
How to do this?
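An added example of the audit-log scanner asked about here; it is not the code of the poster who described the setup (which is not shown in the thread). It follows the Samba full_audit log, matches created or renamed file names against a list of well-known ransomware extensions, and adds the client address to a pf table that blocks it. The smb.conf and pf.conf fragments in the comments, the log path and the extension list are assumptions. For the first question: on the failover host a share is made read-only with `read only = yes` in its smb.conf section, or the whole dataset with `zfs set readonly=on`, which also stops writes that bypass samba.

```shell
#!/bin/sh
# Watch the Samba full_audit log for files created or renamed with well-known
# ransomware extensions and block the offending client address with pf.
# Assumed smb.conf on the file server (illustration only):
#   vfs objects = full_audit
#   full_audit:prefix  = %u|%I|%m|%S
#   full_audit:success = create_file renameat
#   full_audit:failure = none
# which logs "|"-separated lines with the path as the last field:
#   smbd_audit: user|client-ip|client-name|share|op|ok|...|/path/on/share
# Assumed pf.conf:
#   table <ransomware> persist
#   block in quick from <ransomware>
set -eu

AUDIT_LOG="${AUDIT_LOG:-/var/log/samba4/audit.log}"
# Illustrative sample of extensions used by known families; extend as needed.
CRYPTO_EXTS=".locky .zepto .cerber .crypt .wncry .wannacry .encrypted"

# 0 if file name $1 ends in one of the extensions (case-insensitive).
is_crypto_name() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for ext in $CRYPTO_EXTS; do
        case "$name" in *"$ext") return 0 ;; esac
    done
    return 1
}

# Field $2 (1-based, or "last") of the "|"-separated part of audit line $1;
# the syslog prefix up to "smbd_audit: " is stripped first.
audit_field() {
    printf '%s\n' "$1" | sed 's/^.*smbd_audit: //' |
        awk -F'|' -v n="$2" '{ print (n == "last") ? $NF : $n }'
}

# Print the client IP if line $1 is a create/rename of a suspicious name;
# otherwise print nothing and return 1.
scan_line() {
    case "$(audit_field "$1" 5)" in create_file|renameat|rename) ;; *) return 1 ;; esac
    is_crypto_name "$(audit_field "$1" last)" || return 1
    audit_field "$1" 2
}

# Lock the address out: pf drops its packets from now on, and the client
# loses its SMB session with them.
block_ip() {
    pfctl -t ransomware -T add "$1"
    logger -p daemon.crit -t smb-audit "blocked $1: ransomware file name seen on a share"
}

# Follow the log; start this under daemon(8) or from rc.local.
if [ "${1:-}" = "--follow" ]; then
    tail -F "$AUDIT_LOG" | while read -r line; do
        ip=$(scan_line "$line") && block_ip "$ip"
    done
fi
```

Extension matching only catches families that rename their output; pair it with a rate check (the "more than 100 files changed between two snapshots" rule above, or the ZFS written-bytes watchdog) for ransomware that keeps file names.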
 
We are snapshotting all samba shared datasets every 10 minutes and afterwards a script compares the "WRITTEN" size of the latest and previous snapshot (i.e. the amount of changed blocks between those two points in time) and if this value exceeds a given limit (5GB for most of our datasets/shares), it triggers an alert and remounts the given dataset read-only.
How to trigger alert and remount read-only?
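How the alert-and-remount step from that post can be scripted, as an added example that is not the poster's own script. It reads the ZFS "written" property of each dataset's newest snapshot (the bytes written since the previous snapshot, which is what "compares the WRITTEN size of the latest and previous snapshot" boils down to), compares it with a limit, and on breach logs, mails and sets readonly=on on the dataset. Dataset names, the 5 GB limit and the mail recipient are assumptions.

```shell
#!/bin/sh
# Per-dataset write-volume watchdog, run a minute after each snapshot round.
# For the newest snapshot of every dataset it reads "written" (bytes written
# since the previous snapshot); if that exceeds the limit it alerts and flips
# the dataset to readonly=on, so clients get write errors instead of the
# ransomware getting more files. Names and limit are illustrative.
set -eu

DATASETS="${DATASETS:-tank/samba/finance tank/samba/projects}"
LIMIT_BYTES="${LIMIT_BYTES:-$((5 * 1024 * 1024 * 1024))}"
MAILTO="${MAILTO:-root}"

# 0 if $1 bytes is strictly above limit $2 (plain integers, as "zfs get -p" prints).
over_limit() { [ "$1" -gt "$2" ]; }

# Bytes -> human readable string, for the alert text only.
human() {
    awk -v b="$1" 'BEGIN { u = "B"
        if (b >= 1073741824) { b /= 1073741824; u = "GiB" }
        else if (b >= 1048576) { b /= 1048576; u = "MiB" }
        printf "%.1f %s\n", b, u }'
}

# Newest snapshot of dataset $1, in pool/ds@snap form (empty if none).
newest_snapshot() { zfs list -H -t snapshot -o name -s creation -d 1 "$1" | tail -n 1; }

# Bytes written between the previous snapshot and snapshot $1.
written_in() { zfs get -Hp -o value written "$1"; }

# Decision for dataset $1 with $2 bytes written against limit $3:
# prints "ALERT <ds> <bytes>" and returns 0 when over, else "ok <ds> <bytes>" and 1.
evaluate() {
    if over_limit "$2" "$3"; then echo "ALERT $1 $2"; return 0; fi
    echo "ok $1 $2"; return 1
}

# Freeze dataset $1 and tell someone; $2 = bytes written.
freeze_and_alert() {
    zfs set readonly=on "$1"
    logger -p daemon.crit -t zfs-watch "$1: $(human "$2") written since previous snapshot, set readonly=on"
    printf '%s written to %s since the previous snapshot.\nDataset is now readonly=on. Find the client, then:\n  zfs rollback -r %s@<known-good>\n  zfs set readonly=off %s\n' \
        "$(human "$2")" "$1" "$1" "$1" | mail -s "ZFS write spike on $1" "$MAILTO"
}

main() {
    for ds in $DATASETS; do
        snap=$(newest_snapshot "$ds")
        [ -n "$snap" ] || continue
        bytes=$(written_in "$snap")
        if evaluate "$ds" "$bytes" "$LIMIT_BYTES" >/dev/null; then
            freeze_and_alert "$ds" "$bytes"
        fi
    done
}

# cron, offset from the 10-minute snapshot job:  1-59/10 * * * * /usr/local/sbin/zfs-watch.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Tune LIMIT_BYTES per dataset from a week of "zfs list -t snapshot -o name,written" output so normal bulk copies do not trip it; a large delete also shows up as a write spike, which is the fat-finger case the post describes.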
 