Hi folks, I'm configuring fail2ban in a way similar to what's described here:
https://www.univention.com/2016/06/protection-against-ransomware-a-subjective-overview/

The host is a file server running samba, and I'm hoping to use fail2ban to limit the damage when a client is infected by ransomware. I have a list of regexes corresponding to well-known file names used by ransomware, and ask fail2ban to look at the samba audit log and ban hosts that create a file that matches one of these patterns.

The system works, but I find that fail2ban doesn't react fast enough. Using a test script to rename a bunch of files to "*.crypted", I can easily rename hundreds of files before fail2ban blocks the offending client.

Do you have any suggestions about what I can do to make fail2ban's response faster?

Thanks in advance for any advice.

Bryan

--
========================================================================
Bryan Wright              |"If you take cranberries and stew them like
Physics Department        | applesauce, they taste much more like prunes
University of Virginia    | than rhubarb does."  --  Groucho
Charlottesville, VA 22901 |
(434) 924-7218            | br...@virginia.edu
========================================================================
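
Added example (not part of the original message, and not fail2ban or Samba code): the filename matching described in the post, run offline over constructed Samba audit lines to show which line would trigger a ban for a given `maxretry`. It assumes vfs_full_audit with the prefix `%u|%I|%S`, looks only at successful rename operations, and uses two sample patterns; `scan`, `AUDIT_RE` and the other names are hypothetical.

```python
import re
from collections import Counter

# Assumed line layout: syslog header, "smbd_audit: ", the full_audit prefix
# "%u|%I|%S" (user|client IP|share), then operation|result|path arguments.
AUDIT_RE = re.compile(
    r"smbd_audit: (?P<user>[^|]*)\|(?P<host>[^|]*)\|(?P<share>[^|]*)\|"
    r"(?P<op>[^|]+)\|(?P<result>[^|]+)\|(?P<args>.*)$"
)
RENAME_OPS = {"rename", "renameat"}
# Sample patterns only; ".crypted" is the extension used in the post's test.
SUSPICIOUS_NAMES = [re.compile(p, re.I) for p in (r"\.crypted$", r"\.locked$")]

# Constructed sample log lines (documentation addresses, invented users).
SAMPLE_LOG = [
    "Jun  1 12:00:01 fs1 smbd_audit: alice|192.0.2.10|data|rename|ok|report.doc|report-final.doc",
    "Jun  1 12:00:02 fs1 smbd_audit: bob|192.0.2.23|data|rename|ok|a.xls|a.xls.crypted",
    "Jun  1 12:00:02 fs1 smbd_audit: bob|192.0.2.23|data|rename|fail (Permission denied)|b.xls|b.xls.crypted",
    "Jun  1 12:00:02 fs1 smbd_audit: bob|192.0.2.23|data|rename|ok|c.xls|c.xls.crypted",
    "Jun  1 12:00:03 fs1 smbd_audit: alice|192.0.2.10|data|rename|ok|notes.crypted.txt|notes.txt",
]

def scan(lines, maxretry=1):
    """Return {client_ip: 1-based line number at which it reaches maxretry}."""
    hits, banned = Counter(), {}
    for lineno, line in enumerate(lines, 1):
        m = AUDIT_RE.search(line)
        if not m or m["op"] not in RENAME_OPS or m["result"] != "ok":
            continue  # not an audit line, not a rename, or the rename failed
        host = m["host"]
        if host in banned:
            continue  # already over the threshold
        dest = m["args"].split("|")[-1]  # rename destination is the last argument
        if any(p.search(dest) for p in SUSPICIOUS_NAMES):
            hits[host] += 1
            if hits[host] >= maxretry:
                banned[host] = lineno
    return banned

if __name__ == "__main__":
    for threshold in (1, 2):
        print(threshold, scan(SAMPLE_LOG, maxretry=threshold))
```
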