Configuring Fail2ban for Samba-AD
By default, the AD environment lets you define password policies that protect the domain by locking out accounts after several failed authentication attempts.
However, this can be turned into a denial of service: an attacker who keeps trying incorrect passwords against valid accounts locks those accounts out.
That is why it is recommended not to lock out the account itself, but rather to use fail2ban to block the source IP address from which the failed connection attempts originate.
Validate that log redirection is activated in the file smb.conf:

log level = 1 auth_json_audit:3@/var/log/samba/auth_json_audit.log

Please note that in the case of NTLM authentication, it is the file server that connects to the domain controller to validate the NTLM challenge, not the client workstation, so it is the file server's address that appears in the audit log. It is therefore necessary to configure the environment so that fail2ban does not blacklist the file server itself by mistake (see ignoreip below).
Install the utility fail2ban:
# RedHat 8 and derived distributions
yum install fail2ban

# Debian
apt-get install fail2ban
Create the configuration file /etc/fail2ban/filter.d/samba.conf:

[Definition]
failregex = NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:
Create the configuration file /etc/fail2ban/jail.d/samba.conf:

[samba]
filter = samba
enabled = true
action = iptables-multiport[name=samba, port="88,135,389,445,464,636,3328,3329", protocol=tcp]
# mail[name=samba, dest=technique@mondomaine.fr]
logpath = /var/log/samba/auth_json_audit.log
maxretry = 5
findtime = 600
bantime = 600
To exclude some IP addresses from fail2ban (for example the file server mentioned above), create the file /etc/fail2ban/jail.d/customisation.local:

[DEFAULT]
ignoreip = 192.168.154.217
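To see how the filter and jail above behave before deploying them, it helps to replay the rule by hand: match the failregex against audit lines, count matches per source address inside findtime, and skip addresses listed in ignoreip. The following script is an added example and not part of the original page or of fail2ban; it re-implements that counting rule in Python with the page's maxretry, findtime and ignoreip values, over constructed audit lines in the shape of Samba's auth_json_audit output (the field set is trimmed and the addresses and account names are invented). The <HOST> tag is expanded to an IPv4 capture group here, which is a simplification of fail2ban's own expansion.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The page's failregex, with fail2ban's <HOST> tag turned into a named
# capture group (IPv4 only, a simplification of fail2ban's expansion).
FAILREGEX = re.compile(
    r'NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:(?P<host>[0-9.]+):')

# Jail parameters copied from jail.d/samba.conf and customisation.local above.
MAXRETRY = 5
FINDTIME = 600            # seconds
IGNOREIP = {"192.168.154.217"}   # the file server that relays NTLM validation


def make_line(ts, status, remote, account):
    """Build one constructed audit line (trimmed to the fields used here)."""
    rec = {"timestamp": ts, "type": "Authentication",
           "Authentication": {"status": status,
                              "localAddress": "ipv4:192.168.154.10:445",
                              "remoteAddress": f"ipv4:{remote}:49152",
                              "clientAccount": account,
                              "passwordType": "NTLMv2"}}
    return json.dumps(rec)


def sample_log():
    """Constructed audit log; not captured from a real domain controller."""
    t0 = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)

    def ts(sec):
        return (t0 + timedelta(seconds=sec)).isoformat()

    lines = [make_line(ts(0), "NT_STATUS_OK", "10.0.0.99", "alice")]  # success: never counted
    # six wrong passwords within five seconds from one source: exceeds maxretry
    lines += [make_line(ts(i), "NT_STATUS_WRONG_PASSWORD", "10.0.0.99", "alice") for i in range(6)]
    # three wrong passwords: stays below maxretry
    lines += [make_line(ts(60 + i), "NT_STATUS_WRONG_PASSWORD", "10.0.0.7", "bob") for i in range(3)]
    # five wrong passwords 15 minutes apart: never maxretry inside one findtime window
    lines += [make_line(ts(900 * i), "NT_STATUS_WRONG_PASSWORD", "10.0.0.8", "carol") for i in range(5)]
    # ten wrong passwords arriving via the file server (NTLM relay): covered by ignoreip
    lines += [make_line(ts(120 + i), "NT_STATUS_WRONG_PASSWORD", "192.168.154.217", "dave") for i in range(10)]
    return lines


def parse_failures(lines):
    """Yield (timestamp, host) for every line the filter matches."""
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            ts = datetime.fromisoformat(json.loads(line)["timestamp"])
            yield ts, m.group("host")


def count_matches(lines):
    """Raw number of filter matches per source address, before jail rules apply."""
    counts = defaultdict(int)
    for _, host in parse_failures(lines):
        counts[host] += 1
    return dict(counts)


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Apply the jail's counting rule: a host is banned once it has at least
    maxretry matches inside any findtime-second window, unless it is ignored."""
    recent = defaultdict(list)
    banned = set()
    for ts, host in sorted(parse_failures(lines)):
        if host in ignoreip or host in banned:
            continue
        recent[host].append(ts)
        # keep only matches no older than findtime relative to this one
        recent[host] = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    log = sample_log()
    print("matches per host:", count_matches(log))
    print("would be banned:", sorted(hosts_to_ban(log)))
```

With the page's settings only 10.0.0.99 is banned: the file server is excluded by ignoreip even though it produced the most matches, and 10.0.0.8 never accumulates five matches inside 600 seconds. Raising findtime to 7200 would ban 10.0.0.8 as well, which shows why findtime should be chosen to match how quickly a real user can legitimately mistype. On the domain controller itself the equivalent check against the real log is fail2ban-regex /var/log/samba/auth_json_audit.log /etc/fail2ban/filter.d/samba.conf.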
Enable fail2ban:
systemctl enable fail2ban
systemctl start fail2ban
How do I unlock a machine after cleaning?
To unlock an IP address:
fail2ban-client set samba unbanip <COMPUTER_IP>
Display blocked IP addresses:
fail2ban-client status samba