Configuring Fail2ban for Samba-AD

By default, an AD environment lets you define password policies that protect the domain by locking out accounts after several failed authentication attempts.

However, account lockout can itself be turned into a denial of service: an attacker who keeps trying wrong passwords against valid accounts locks those accounts out for their legitimate users.

For this reason it is recommended not to lock out the account itself, but instead to use fail2ban to block the source IP address from which the failed connection attempts originate.

Check that authentication audit logging is enabled in smb.conf, so that every authentication attempt is written to the JSON audit log that fail2ban will read:

    log level = 1 auth_json_audit:3@/var/log/samba/auth_json_audit.log

Please note that with NTLM authentication it is the file server, not the client workstation, that contacts the domain controller to validate the NTLM challenge-response; the source address logged by the domain controller is therefore that of the file server. The environment must be configured so that the file server is not banned by mistake (see ignoreip below).

  • Install the utility fail2ban:

    # Red Hat 8 and derived distributions
    yum install fail2ban
    # Debian
    apt-get install fail2ban
    
  • Create the configuration file /etc/fail2ban/filter.d/samba.conf:

    [Definition]
    # Match a failed password in the JSON audit log and capture the client IP
    # from the remoteAddress field (format "ipv4:<ip>:<port>").
    failregex = NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:
    
  • Create the configuration file /etc/fail2ban/jail.d/samba.conf:

    [samba]
    filter = samba
    enabled = true
    # Block the AD DC service ports: Kerberos (88), RPC endpoint mapper (135),
    # LDAP (389), SMB (445), kpasswd (464), LDAPS (636), global catalog (3268/3269)
    action = iptables-multiport[name=samba, port="88,135,389,445,464,636,3268,3269", protocol=tcp]
    # Optional e-mail notification on each ban:
    #   mail[name=samba, dest=technique@mondomaine.fr]
    logpath = /var/log/samba/auth_json_audit.log
    # Ban after 5 failures within 600 seconds, for 600 seconds
    maxretry = 5
    findtime = 600
    bantime = 600
    
  • To exclude some IP addresses from fail2ban (in particular the file servers that validate NTLM authentications on behalf of their clients), create the file /etc/fail2ban/jail.d/customisation.local:

    [DEFAULT]
    # Space-separated list of addresses or networks that are never banned
    ignoreip = 192.168.154.217
    
  • Enable and start fail2ban:

    systemctl enable fail2ban
    systemctl start fail2ban
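
Before enabling the jail, it is worth checking that the filter, the maxretry/findtime thresholds and the ignoreip exception above single out the right source addresses. The following Python script is an added example, not part of this page or of fail2ban: it applies the failregex (with a simplified IPv4 pattern standing in for fail2ban's `<HOST>`) to constructed, simplified auth_json_audit records and reports which addresses would be banned; the record layout and timestamp format are assumptions, and records must be in chronological order per source address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from filter.d/samba.conf; fail2ban substitutes its own pattern for <HOST>,
# here replaced by a simplified IPv4 capture group (assumption).
FAILREGEX = r'NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:'
HOST_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
MAXRETRY, FINDTIME = 5, 600                 # from jail.d/samba.conf
IGNOREIP = {"192.168.154.217"}              # file server, from customisation.local

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Return the IPs with at least maxretry wrong-password events inside a findtime window."""
    window, banned = timedelta(seconds=findtime), set()
    recent = defaultdict(deque)             # host -> timestamps of recent failures
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue                        # successful logon or unrelated record
        host = m.group("host")
        if host in ignoreip:
            continue                        # never ban the file server doing NTLM pass-through
        ts = datetime.fromisoformat(re.search(r'"timestamp": "([^"]+)"', line).group(1))
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()                     # forget failures older than findtime
        if len(q) >= maxretry:
            banned.add(host)
    return banned

def _record(ts, status, ip):
    # Constructed, simplified auth_json_audit record; real Samba records carry more fields.
    return (f'{{"timestamp": "{ts}", "type": "Authentication", "Authentication": '
            f'{{"status": "{status}", "localAddress": "ipv4:192.168.154.10:445", '
            f'"remoteAddress": "ipv4:{ip}:51234", "serviceDescription": "SMB2"}}}}')

# Constructed sample: 5 bad passwords from .50 within 600 s, 5 bad passwords from .60
# spread 5 minutes apart, one success from .70, and 6 bad passwords relayed by the
# file server .217 (listed in ignoreip).
SAMPLE_LOG = (
    [_record(f"2024-05-06T10:00:{i:02d}", "NT_STATUS_WRONG_PASSWORD", "192.168.154.50") for i in range(5)]
    + [_record(f"2024-05-06T10:{5*i:02d}:00", "NT_STATUS_WRONG_PASSWORD", "192.168.154.60") for i in range(5)]
    + [_record("2024-05-06T10:00:10", "NT_STATUS_OK", "192.168.154.70")]
    + [_record(f"2024-05-06T10:01:{i:02d}", "NT_STATUS_WRONG_PASSWORD", "192.168.154.217") for i in range(6)]
)

if __name__ == "__main__":
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))   # ['192.168.154.50']
```

On a real domain controller the equivalent check against the live log is `fail2ban-regex /var/log/samba/auth_json_audit.log /etc/fail2ban/filter.d/samba.conf`.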
    

How do I unban a machine after it has been cleaned?

  • To unban an IP address:

    fail2ban-client set samba unbanip <COMPUTER_IP>
    
  • Display the banned IP addresses:

    fail2ban-client status samba