Using fail2ban to stop brute-force attacks on Samba-server?

One of the facilities which Linux systems have, at least under Debian / Jessie and Debian / Stretch, is a package named ‘fail2ban‘, which can be configured using ‘root’ privileges on a host-machine, to protect specific services against brute-force attacks. This package relies on the ‘iptables’ command-line, but is highly adaptable to give different levels of security. If an attacker has failed too many times, to guess at the log-in credentials of a given server / user-id, that attacker is banned for a specified amount of time. And, because of that amount of time, brute-force attacks would become ineffective, at guessing the log-in.

I have fail2ban set up out-of-the-box, to protect my ‘ssh’, my ‘apache’, and my ‘vsftp’ servers. But one fact which many people have lamented, is that there is no packaged recipe, to protect Samba servers. One reason for this omission, is the mere fact that a Samba server should never be exposed to the Internet, i.e., the WAN, only to the LAN.

But just last night it happened to me, that two Android devices were running security software which had recently been updated, and that both these Android devices sounded an alarm simultaneously, indicating that my Home-WiFi had been hacked. I understood that these alarms could have been false-positives at the time, but just in case they were not, I decided to button down access to my computers, which is granted to members of my Home-LAN, even if those members appear to be authenticated into my LAN. One of the tasks which I assigned myself was, to reduce write-access to Samba shares even to authenticated members, by way of Usershares. And another measure which I undertook, was to devise my own recipe, to extend the protection that fail2ban gives, to include Samba servers.

Long story short, the two simultaneous alarms were in fact false-positives, which can be recognized by the fact that on both Android devices, the alarms became silent, as soon as a (very hurried) update was downloaded and installed, only to the security software which was giving the alarms. But now, I seem to have a recipe left over from last night, for securing my Samba server against brute-force attacks, using fail2ban…

Continue reading Using fail2ban to stop brute-force attacks on Samba-server?