Arief Yudhawarman

Still learning to blog

Samba File Server Joining Active Directory with Ransomware Prevention and Detection


In this post the author covers installing and setting up a Samba file server on Ubuntu Server 16.04 LTS that joins a Windows 2008 R2 Enterprise Active Directory, with an added Ransomware Prevention and Detection feature. Windows Server itself has a component or role called FSRM (File System Resource Manager) that can be used to block ransomware (see the Anti Ransomware File System Resource Manager Lists) by matching files on the server against a database of known ransomware file names and file extensions.

The advantages of the author's Ransomware Prevention and Detection method over FSRM are that it:

  1. Monitors changes to honeypot file extensions
  2. Monitors deletion of honeypot files
  3. Monitors changes of file extensions to known ransomware extensions
  4. Monitors creation of ransomware notes
  5. Monitors changes of common file extensions, such as MS Office ones, to uncommon extensions

FSRM only performs the monitoring in items 3 and 4.

The steps to set up Ubuntu Server 16.04 LTS to join AD (Active Directory) are taken from the article Integrate Ubuntu 16.04 to AD as a Domain Member with Samba and Winbind.

Active Directory (AD) data:

  • AD server: Windows 2008 R2
  • Domain: TECMINT.LAN
  • IP address: 192.168.150.57
  • DNS server: 192.168.150.57

Initial Configuration

During the initial Linux installation, create three partitions: '/' (root) and '/home' with the ext4 file system, plus one swap partition:

# <mount_point> <type> <options>
/  ext4  noatime,nodiratime,user_xattr,errors=remount-ro
/home  ext4  noatime,nodiratime,user_xattr,acl
/swap  swap

After rebooting, edit /etc/network/interfaces to set a static IP address and DNS nameserver. Then change the server name to adc2.

# The primary network interface
auto ens18
iface ens18 inet static
    address 192.168.150.50
    netmask 255.255.255.192
    gateway 192.168.150.62
    dns-nameservers 192.168.150.57
    dns-search tecmint.lan

Edit /etc/resolv.conf

nameserver 192.168.150.57
search tecmint.lan

Edit /etc/hosts

127.0.0.1	localhost
192.168.150.50  adc2.tecmint.lan adc2

Edit /etc/hostname

adc2

Run an update and upgrade: apt-get update && apt-get upgrade

Check DNS

root@adc2:~# host -t A tecmint.lan
tecmint.lan has address 192.168.150.57
    
root@adc2:~# host -t SRV _kerberos._udp.tecmint.lan
_kerberos._udp.tecmint.lan has SRV record 0 100 88 vmw2008r2e.tecmint.lan.
    
root@adc2:~# host -t SRV _ldap._tcp.tecmint.lan
_ldap._tcp.tecmint.lan has SRV record 0 100 389 vmw2008r2e.tecmint.lan.
    
root@adc2:~# host -t A vmw2008r2e.tecmint.lan
vmw2008r2e.tecmint.lan has address 192.168.150.57


Install Packages

apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

Check that Kerberos has automatically been configured with the REALM

root@adc2:~# grep TECMINT.LAN /etc/krb5.conf
        default_realm = TECMINT.LAN

Test Kerberos authentication against an AD administrative account and list the ticket.

root@adc2:~# kinit administrator
Password for administrator@TECMINT.LAN:  

root@adc2:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TECMINT.LAN

Valid starting       Expires              Service principal
07/26/2023 15:29:12  07/27/2023 01:29:12  krbtgt/TECMINT.LAN@TECMINT.LAN
        renew until 07/27/2023 15:29:05


Edit /etc/samba/smb.conf

[global]
   workgroup = TECMINT
   realm = TECMINT.LAN
   netbios name = ADC2
   security = ADS
   dns forwarder = 192.168.150.57

   idmap config * : backend = tdb
   idmap config * : range = 50000-1000000

   template homedir = /home/%D/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false
   winbind nss info = rfc2307
   winbind enum users = yes
   winbind enum groups = yes

   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   usershare path =
   
   # for debugging
   log file = /var/log/samba/%m.log
   log level = 1 auth:5 winbind:5

Run testparm to check that the smb.conf configuration contains no errors.

Edit /etc/nsswitch.conf

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Restart Samba

systemctl restart smbd nmbd winbind

Join the Ubuntu machine to the Active Directory server by issuing the following command. Use the name of an AD DC account with administrator privileges.

root@adc2:~# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TECMINT
Joined 'ADC4' to dns domain 'tecmint.lan'

root@adc2:~# net ads info testjoin
LDAP server: 192.168.150.57
LDAP server name: VMW2008R2E.tecmint.lan
Realm: TECMINT.LAN
Bind Path: dc=TECMINT,dc=ORG
LDAP port: 389 
Server time: Wed, 26 Jul 2023 15:53:19 WIB 
KDC server: 192.168.150.57
Server time offset: -11 


Restart winbind

systemctl restart winbind

Check the IDs of the domain administrator and another domain user.

root@adc2:~# id Administrator
uid=50000(administrator) gid=50000(domain users) groups=50000(domain users),50001(denied rodc password replication group),50002(schema admins),50003(enterprise admins),50004(domain admins),50005(group policy creator owners)

root@adc2:~# id uadc1
uid=50001(uadc1) gid=50000(domain users) groups=50000(domain users)


Configure AD Accounts Authentication

To test whether the Ubuntu machine was successfully integrated into the realm, run the wbinfo command to list domain accounts and groups.

root@adc2:~# wbinfo --dc-info TECMINT
VMW2008R2E.tecmint.lan (192.168.150.57)

root@adc2:~# wbinfo -t
checking the trust secret for domain TECMINT via RPC calls succeeded

root@adc2:~# wbinfo -u
administrator
guest
krbtgt
uadc1
uadc2
uadc3
uadc4
uadc5
uadc6

root@adc2:~# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy

On the AD server (Windows 2008), open a command prompt and ping the hostname adc2.tecmint.lan (the Linux server).

C:\Users\Administrator>ping adc2.tecmint.lan

Pinging adc2.tecmint.lan [192.168.150.50] with 32 bytes of data:
Reply from 192.168.150.50: bytes=32 time<1ms TTL=64
Reply from 192.168.150.50: bytes=32 time<1ms TTL=64
Reply from 192.168.150.50: bytes=32 time<1ms TTL=64
Reply from 192.168.150.50: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.150.50:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Configuring Active Directory Account Authentication

So that AD users (domain users) can authenticate on the Linux server, run pam-auth-update. Select all of the PAM profiles to enable:

PAM profiles to enable:
[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login

Edit /etc/pam.d/common-account and add the following line so that a home directory is created automatically for domain users who authenticate successfully:

session    required    pam_mkhomedir.so    skel=/etc/skel/    umask=0022

To test authentication on the Linux server with an AD account, pass the domain user name as the parameter to su -. Run the id command to get additional information about the AD account.

root@adc2:~# su - administrator

administrator@adc2:~$ id
uid=50000(administrator) gid=50004(domain users) groups=50004(domain users),50000(BUILTIN\administrators),50001(BUILTIN\users),50008(schema admins),50009(enterprise admins),50011(domain admins),50012(group policy creator owners),50015(denied rodc password replication group)
    
administrator@adc2:~$ pwd
/home/TECMINT/administrator

Configuring Samba on the Linux Server for File Sharing

On the Linux server, first create the directories for the Samba share and the recycle bin.

mkdir /home/NAS
chmod -R 775 /home/NAS
chown -R root:"Domain Admins" /home/NAS
mkdir /home/RECYCLE
chmod -R 775 /home/RECYCLE
chown -R root:"Domain Users" /home/RECYCLE

Next, edit /etc/samba/smb.conf to enable file sharing.

[global]
   workgroup = TECMINT
   realm = TECMINT.LAN
   netbios name = ADC2
   security = ADS
   dns forwarder = 192.168.150.57

   idmap config * : backend = tdb
   idmap config * : range = 50000-1000000

   template homedir = /home/%D/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true
   winbind nss info = rfc2307
   winbind enum users = yes
   winbind enum groups = yes

   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   # Anti-ransom
   full_audit:failure = none
   full_audit:success = pwrite write rename unlink
   full_audit:prefix = IP=%I | USER=%u | MACHINE=%m | VOLUME=%S
   full_audit:facility = local5
   full_audit:priority = notice

[nas]
   comment = File Sharing
   path = /home/NAS
   read only = No
   browseable = yes
   # Option to enable audit for ransomware detection
   #vfs objects = recycle full_audit
   vfs objects = dfs_samba4 acl_xattr recycle full_audit
   recycle:repository = /home/RECYCLE
   recycle:keeptree = yes
   recycle:versions = yes
   recycle:touch = yes
   # parameter name was misspelled "recylce", which Samba would silently ignore
   recycle:exclude_dir = /tmp /TMP /temp /TEMP
   recycle:exclude = *.TMP *.tmp *.temp ~$* *.log *.bak

[recycle]
   comment = Recycle
   path = /home/RECYCLE
   read only = yes
   browseable = No

Run testparm to check that the smb.conf configuration contains no errors.

Restart the Samba services with

systemctl restart smbd nmbd winbind

Manage Samba Share Permissions

The process of managing permissions can be done directly from Windows Explorer using Samba4 AD account with administrative privileges. First, create some folders, FAD, GAD, ITD using Windows Explorer.

We want to set the folder permissions per user as in the table below:

AD user   FAD   GAD   ITD
uadc1     RW    RO    X
uadc2     RW    RO    X
uadc3     X     RW    RO
uadc4     X     RW    RO
uadc5     RO    X     RW
uadc6     RO    X     RW

RW: Read Write Access, RO: Read Only Access, X: No Access

Log in to Windows as a domain administrator (the Windows machine has already joined Active Directory). Open Windows Explorer, click Network, then the Samba server name (ADC2), then the share name (nas). Then create the directories FAD, GAD and ITD in turn.

Select the ITD folder, then click Properties.

Click the Security tab, then click the Edit button.

In the Permissions dialog, select the Everyone group and click the Remove button. Repeat the same step for the 'Domain Users' group.

Click Apply, then OK. The view returns to ITD Properties.

Click the Advanced button, then click the Change Permissions button.

Click the Add button, enter the AD user or object name uadc5, click Check Names, then click OK.

Under the Full Control permission, tick Allow, then click OK.

Repeat the same steps to add AD user uadc6.

The next step is to add users uadc3 and uadc4 with RO permission on the ITD folder.

Still in the Advanced Security Settings for ITD window, click Change Permissions, click Add, enter the object name uadc3, click Check Names, then click OK. Set the read-only permission as shown in the figure below. When finished, click OK.

Repeat the same steps to add user uadc4. The final result is shown in the figure below.

Do the same for the FAD and GAD folders, setting each user's permission according to the folder permission table above.

Setting Permissions for the Samba Recycle Bin

Permissions for the recycle bin are set directly on the console using setfacl and getfacl. First create the directories FAD, GAD and ITD under /home/RECYCLE, then set their permissions by copying the existing ones from the share.

cd /home/NAS/
mkdir /home/RECYCLE/FAD
chown -R administrator:"Domain Users" /home/RECYCLE/FAD
getfacl FAD | setfacl --set-file=- /home/RECYCLE/FAD
mkdir /home/RECYCLE/GAD
chown -R administrator:"Domain Users" /home/RECYCLE/GAD
getfacl GAD | setfacl --set-file=- /home/RECYCLE/GAD
mkdir /home/RECYCLE/ITD
chown -R administrator:"Domain Users" /home/RECYCLE/ITD
getfacl ITD | setfacl --set-file=- /home/RECYCLE/ITD

Compare the permissions of /home/NAS/ITD with those of /home/RECYCLE/ITD

root@adc2:~# getfacl /home/NAS/ITD
getfacl: Removing leading '/' from absolute path names
# file: home/NAS/ITD
# owner: administrator
# group: domain\040users
user::rwx
user:administrator:rwx
user:uadc5:rwx
user:uadc4:r-x
user:uadc3:r-x
user:uadc6:rwx
group::---
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:user:uadc5:rwx
default:user:uadc4:r-x
default:user:uadc3:r-x
default:user:uadc6:rwx
default:group::---
default:group:domain\040users:---
default:mask::rwx
default:other::---

root@adc2:~# getfacl /home/RECYCLE/ITD
getfacl: Removing leading '/' from absolute path names
# file: home/RECYCLE/ITD
# owner: administrator
# group: domain\040users
user::rwx
user:administrator:rwx
user:uadc5:rwx
user:uadc4:r-x
user:uadc3:r-x
user:uadc6:rwx
group::---
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:user:uadc5:rwx
default:user:uadc4:r-x
default:user:uadc3:r-x
default:user:uadc6:rwx
default:group::---
default:group:domain\040users:---
default:mask::rwx
default:other::---

Log off the Windows machine and log in as user uadc3. This user has RW access to the folder \\ADC2\nas\GAD. Create a new text file, for example New Text Document.txt, save it in that folder, then delete it. On the adc2 (Samba) server, check whether the file has landed in /home/RECYCLE/GAD.

root@adc2:~# ls -l /home/RECYCLE/GAD/
total 12
-rwxrwx---+ 1 uadc3 domain users  0 Oct 24 11:19 New Text Document.txt

Samba Server with Ransomware Detection and Prevention

So that the Samba server can run Ransomware Detection and Prevention, install the additional packages it needs

apt-get install sqlite3 liblogfile-rotate-perl libnet-ssh-perl libdbd-sqlite3-perl ipset libtry-tiny-perl mailutils zip unzip

Then follow the steps in the author's earlier post, Samba File Server Dengan Fitur Ransomware Detection and Prevention:

  • rsyslog configuration
  • log rotate configuration

Then download the source code of the Ransomware Detection and Prevention application here. Place the files as described in Readme.txt.

Start the application via its init script.

/usr/local/sbin/rwdetection.sh start

Check for errors during execution by looking at /var/log/RWDetection.err.log; if the file is empty, the application is running normally. The application status can be viewed with this script.

/usr/local/sbin/rwdetection.sh status

If all is well, it prints Ransomware Detection is running.

Simulate a ransomware attack in the shared folder, for example by creating a new file with the rrcc extension, deleting a honeypot file, creating a ransomware note file, and so on.

Below is an example of /var/log/RWDetection.log after the ransomware injection.

AD user TECMINT\uadc3 deleted the honeypot file A_DO_NOT_OPEN-ShahZeZ6.txt.

Nov 17 15:15:17 WARNING [honeypot deleted] TECMINT\uadc3 192.168.150.60 (192.168.150.60) deleting file 'A_DO_NOT_OPEN-ShahZeZ6.txt' at share 'GAD/honeypots/'

AD user TECMINT\uadc3 ran the LockBit ransomware.

Nov 17 15:37:49 WARNING [found ransomware note] TECMINT\uadc3 192.168.150.60 (192.168.150.60) creating file 'Restore-My-Files' at share 'GAD/honeypots/'
Nov 17 15:37:49 WARNING [found ransomware extension] TECMINT\uadc3 192.168.150.60 (192.168.150.60) writing file 'A_DO_NOT_OPEN-ShahZeZ6.pdf.lockbit' at share 'GAD/honeypots/'
Nov 17 15:37:49 WARNING [extension honeypot changed] TECMINT\uadc3 192.168.150.60 (192.168.150.60) renaming file '0_DO_NOT_OPEN-ShahZeZ6.xlsx' to '0_DO_NOT_OPEN-ShahZeZ6.xlsx.lockbit' at share 'GAD/honeypots/'
Nov 17 15:37:49 WARNING [found ransomware extension] TECMINT\uadc3 192.168.150.60 (192.168.150.60) writing file 'A_DO_NOT_OPEN-ShahZeZ6.pdf.lockbit' at share 'GAD/honeypots/'
2023-11-17 15:37:49, WARNING Ban 192.168.150.60
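As an added example (not the RWDetection application's own source, which the post links rather than shows), here is how the five monitoring rules above can be applied to the syslog lines that the full_audit settings in smb.conf produce. The line layout, the "_DO_NOT_OPEN-" honeypot naming convention, the extension and note watchlists, and the sample lines are all constructed assumptions:

```python
import re
# Assumed (constructed) layout: the full_audit:prefix from smb.conf, then
# "|<op>|ok|<path>" (rename: "|<old>|<new>") as vfs_full_audit appends them.
LINE_RE = re.compile(r"IP=(?P<ip>\S+) \| USER=(?P<user>\S+) \| MACHINE=\S+ \| "
                     r"VOLUME=[^|\s]+\|(?P<op>\w+)\|(?P<status>\w+)\|(?P<args>.*)$")
HONEYPOT_MARK = "_DO_NOT_OPEN-"               # substring shared by all honeypot names
RANSOM_EXTS = {"lockbit", "rrcc", "locky"}   # constructed watchlist, not a full database
RANSOM_NOTES = {"restore-my-files", "how_to_decrypt"}
COMMON_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "jpg", "png"}

def split_name(path):                         # -> (stem, ext) of basename, lower-cased
    base = path.rsplit("/", 1)[-1].lower()
    stem, dot, ext = base.rpartition(".")
    return (stem, ext) if dot else (base, "")

def classify(line):
    """One full_audit syslog line -> list of (rule, ip, user, detail) alerts."""
    m = LINE_RE.search(line)
    if not m or m.group("status") != "ok":   # ignore non-audit lines and failed ops
        return []
    ip, user, op = m.group("ip"), m.group("user"), m.group("op")
    args, hits = m.group("args").split("|"), []
    if op == "unlink" and HONEYPOT_MARK in args[0]:
        hits.append(("honeypot deleted", args[0]))                          # rule 2
    elif op == "rename" and len(args) == 2:
        old, new = args
        o_ext, n_ext = split_name(old)[1], split_name(new)[1]
        if HONEYPOT_MARK in old and o_ext != n_ext:
            hits.append(("extension honeypot changed", f"{old} -> {new}"))  # rule 1
        if n_ext in RANSOM_EXTS:
            hits.append(("found ransomware extension", new))               # rule 3
        elif o_ext in COMMON_EXTS and n_ext not in COMMON_EXTS:
            hits.append(("uncommon extension", f"{old} -> {new}"))          # rule 5
    elif op in ("pwrite", "write"):
        stem, ext = split_name(args[0])
        if ext in RANSOM_EXTS:
            hits.append(("found ransomware extension", args[0]))            # rule 3
        if stem in RANSOM_NOTES:
            hits.append(("found ransomware note", args[0]))                 # rule 4
    return [(rule, ip, user, detail) for rule, detail in hits]

def scan(lines):                              # -> (alerts, sorted client IPs to ban)
    alerts = [a for line in lines for a in classify(line)]
    return alerts, sorted({a[1] for a in alerts})

# Constructed sample lines in the layout above, not captured from the post's server
P = "Nov 17 15:37:49 adc2 smbd_audit: IP=192.168.150.60 | USER=uadc3 | MACHINE=pc1 | VOLUME=nas|"
SAMPLE = [P + "unlink|ok|GAD/honeypots/A_DO_NOT_OPEN-ShahZeZ6.txt",
          P + "rename|ok|GAD/honeypots/0_DO_NOT_OPEN-ShahZeZ6.xlsx|GAD/honeypots/0_DO_NOT_OPEN-ShahZeZ6.xlsx.lockbit",
          P + "pwrite|ok|GAD/honeypots/Restore-My-Files.txt",
          P.replace("uadc3", "uadc1") + "pwrite|ok|FAD/budget.xlsx"]      # benign write
```

Running scan(SAMPLE) yields the four alerts of the log excerpt above and a single IP to hand to the ipset ban, while the benign write by uadc1 raises nothing.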

Run ipset -L samba to show the list of IPs banned by the Samba server.

root@adc2:~#  ipset -L samba
Name: samba
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 86400 comment
Size in memory: 256
References: 1
Members:
192.168.150.60 timeout 7444 comment "Ban: 192.168.150.60 (TECMINT\uadc3)"


Written by awarmanf

November 18, 2023 at 6:40 am
