NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
SMB access versus Ransomware
So far I have received three different answers from the Netgear CSR folks. I would appreciate some views from this forum. We have a variety of information that is located on a very large sta...
Thanks StephenB for taking the time to respond. Your view is always appreciated.
I failed to elucide the fact all other data has snapshots for the express purpose of data protection.
As we develop our new plan the idea of non-SMB access apealed to me.
A brute force attack from a local intranet source is a posibility -- I complained about this over six years ago and offered possible suggestions but Netgear refuses to allow the deletion of the admin account. That said, we have disabled the "admin" account on all systems and are using much stronger usernames and passwords -- essentially expotentially increasing the time required for a brute force attack. I would be nice to have a timeout period after 10 or so rejected logons to slow the brute force attack to an impossibly long timeframe. Hint, hint -- possible suggestion?
You mentioned that the Ransomware could reach through the admin's PC -- how would that work?
"If you were hit with ransomware, you'd be dealing with a lot of other issues" is an understatement. I was just wondering about the static information since it did not seem useful to bother to try and reconstruct from a backup -- we would sendout another drive to the site.
Digital999 wrote:
The share has SMB access but is read-only for all but the admin user.
Since workstation clients have no write access is the data secure from Ransomware?
There is always some risk, so I wouldn't ever say that data on your network is 100% secure from ransomware. Some possible threats include:
- The ransomware could have code that attacks vulnerabilities in linux machines (for instance the NAS SAMBA server).
- The NAS could be hacked and ransomware installed directly on it.
- Ransomware could reach the NAS through the admin's PC.
- Ransomware on any PC might succeed in doing a brute-force attack on the admin password.
- Ransomware encrypting other shares could result in completely filling the data volume, which sometimes can cause data corruption.
Digital999 wrote:
Backing up the information periodically is not practical – too much data and too little time. We have the original source but restoration will take 10 to 20 hours
If the data is organized as files (as opposed to an integrated database), then incremental backups wouldn't normally take very long. Of course restoring it might. Though I think if you were hit with ransomware, you'd be dealing with a lot of other issues while the data is being restored.
If you have enough free space (e.g., volume less than 45% full) then you could use snapshots to help protect the data. Then if everything in the main shares were encrypted, the original files should be in the snapshot(s). The volume would end up ~90% full, which should still be safe. If the snapshot is intact, you could simply roll back to it.
Thanks StephenB for taking the time to respond. Your view is always appreciated.
I failed to elucide the fact all other data has snapshots for the express purpose of data protection.
As we develop our new plan the idea of non-SMB access apealed to me.
A brute force attack from a local intranet source is a posibility -- I complained about this over six years ago and offered possible suggestions but Netgear refuses to allow the deletion of the admin account. That said, we have disabled the "admin" account on all systems and are using much stronger usernames and passwords -- essentially expotentially increasing the time required for a brute force attack. I would be nice to have a timeout period after 10 or so rejected logons to slow the brute force attack to an impossibly long timeframe. Hint, hint -- possible suggestion?
You mentioned that the Ransomware could reach through the admin's PC -- how would that work?
"If you were hit with ransomware, you'd be dealing with a lot of other issues" is an understatement. I was just wondering about the static information since it did not seem useful to bother to try and reconstruct from a backup -- we would sendout another drive to the site.
Digital999 wrote:
You mentioned that the Ransomware could reach through the admin's PC -- how would that work?
If the admin browsed to the NAS share using the admin account credentials, then the PC would have write access to the share. Of course if Windows saved the password, then that access would be persistent. Ransomware on that PC would have full access to the share.
Digital999 wrote:
It would be nice to have a timeout period after 10 or so rejected logons to slow the brute force attack to an impossibly long timeframe.
Seems to me that you suggested that a couple of years ago here: https://community.netgear.com/t5/ReadyNAS-Idea-Exchange/Security-Flaw-a-recommendation-for-some-relief/idi-p/1241390
I voted for that idea btw.
Digital999 wrote:I would be nice to have a timeout period after 10 or so rejected logons to slow the brute force attack to an impossibly long timeframe.
# pdbedit -P "bad lockout attempt" -C 10
Try the above command.
I ran this and rebooted my unit and the change appeared to stick. Didn't test to see if the lockout worked.
You can also change the lockout duration which is set to 30 by default.# pdbedit -P "lockout duration" -C 30
Please note the pdbedit command only applies to SMB. So it won't have any impact on other protocols e.g. AFP, FTP, NFS etc.
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
