Re: SMB access versus Ransomware

Digital999
Luminary

SMB access versus Ransomware

So far I have received three different answers from the Netgear CSR folks.

I would appreciate some views from this forum.

We have a variety of information that is located on a very large static data share – think encyclopedia size or larger and full of regulations and static data. The share has SMB access but is read-only for all but the admin user.

Backing up the information periodically is not practical – too much data and too little time. We have the original source but restoration will take 10 to 20 hours.

Since workstation clients have no write access, is the data secure from Ransomware?

Model: RN626X|ReadyNAS 626X – 6 Bays with Intel® Xeon® Quad-Core Server Processor
Message 1 of 6

All Replies
StephenB
Guru

Re: SMB access versus Ransomware

@Digital999 wrote:

The share has SMB access but is read-only for all but the admin user.

Since workstation clients have no write access, is the data secure from Ransomware?

There is always some risk, so I wouldn't ever say that data on your network is 100% secure from ransomware. Some possible threats include:

  • The ransomware could have code that attacks vulnerabilities in Linux machines (for instance the NAS Samba server).
  • The NAS could be hacked and ransomware installed directly on it.
  • Ransomware could reach the NAS through the admin's PC.
  • Ransomware on any PC might succeed in doing a brute-force attack on the admin password.
  • Ransomware encrypting other shares could result in completely filling the data volume, which sometimes can cause data corruption.

@Digital999 wrote:

Backing up the information periodically is not practical – too much data and too little time. We have the original source but restoration will take 10 to 20 hours.

If the data is organized as files (as opposed to an integrated database), then incremental backups wouldn't normally take very long. Of course restoring it might. Though I think if you were hit with ransomware, you'd be dealing with a lot of other issues while the data is being restored.

If you have enough free space (e.g., volume less than 45% full) then you could use snapshots to help protect the data. Then if everything in the main shares were encrypted, the original files should be in the snapshot(s). The volume would end up ~90% full, which should still be safe. If the snapshot is intact, you could simply roll back to it.

Message 2 of 6
Digital999
Luminary

Re: SMB access versus Ransomware

Thanks StephenB for taking the time to respond. Your view is always appreciated.

I failed to elucidate the fact that all other data has snapshots for the express purpose of data protection.

As we develop our new plan the idea of non-SMB access appealed to me.

A brute force attack from a local intranet source is a possibility -- I complained about this over six years ago and offered possible suggestions but Netgear refuses to allow the deletion of the admin account. That said, we have disabled the "admin" account on all systems and are using much stronger usernames and passwords -- essentially exponentially increasing the time required for a brute force attack. It would be nice to have a timeout period after 10 or so rejected logons to slow the brute force attack to an impossibly long timeframe. Hint, hint -- possible suggestion?

You mentioned that the Ransomware could reach through the admin's PC -- how would that work?

"If you were hit with ransomware, you'd be dealing with a lot of other issues" is an understatement. I was just wondering about the static information since it did not seem useful to bother to try and reconstruct from a backup -- we would send out another drive to the site.
Message 3 of 6
StephenB
Guru

Re: SMB access versus Ransomware

@Digital999 wrote:

You mentioned that the Ransomware could reach through the admin's PC -- how would that work?

If the admin browsed to the NAS share using the admin account credentials, then the PC would have write access to the share. Of course if Windows saved the password, then that access would be persistent. Ransomware on that PC would have full access to the share.

@Digital999 wrote:

It would be nice to have a timeout period after 10 or so rejected logons to slow the brute force attack to an impossibly long timeframe.

Seems to me that you suggested that a couple of years ago here: https://community.netgear.com/t5/ReadyNAS-Idea-Exchange/Security-Flaw-a-recommendation-for-some-reli...

I voted for that idea btw.
Message 4 of 6
mdgm
Virtuoso

Re: SMB access versus Ransomware

@Digital999 wrote:

It would be nice to have a timeout period after 10 or so rejected logons to slow the brute force attack to an impossibly long timeframe.

# pdbedit -P "bad lockout attempt" -C 10

Try the above command.

I ran this and rebooted my unit and the change appeared to stick. Didn't test to see if the lockout worked.

You can also change the lockout duration, which is set to 30 by default.

# pdbedit -P "lockout duration" -C 30
Message 5 of 6
mdgm
Virtuoso

Re: SMB access versus Ransomware

Please note the pdbedit command only applies to SMB. So it won't have any impact on other protocols, e.g. AFP, FTP, NFS, etc.

Message 6 of 6
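The two pdbedit commands in the replies above set Samba account policies; Samba has a third related policy, "reset count minutes", and both duration values are in minutes (Samba ships with "bad lockout attempt" at 0, i.e. no lockout, which is why the first command is needed at all). The following is an added example written for this thread, not Netgear, ReadyNAS or Samba code: a small model of what those three policies do to logon attempts, used to show (a) how many guesses an intranet brute-forcer actually gets through in a day with and without the lockout, and (b) the trade-off the thread does not mention, that while the account is locked the real admin is refused as well, so anyone on the LAN can lock the admin out on demand. The account names, passwords and the attacker's rate of one guess per second are assumptions for the example; as the last reply notes, this only models SMB logons.

```python
"""Model of Samba's account-lockout policies ("bad lockout attempt",
"lockout duration", "reset count minutes", the settings pdbedit -P exposes)
and their effect on an online SMB brute-force attack.

Added illustration for this thread, not Netgear/ReadyNAS/Samba code.
Account names, passwords and the attacker's speed are made up."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SECONDS_PER_MINUTE = 60


@dataclass
class LockoutPolicy:
    bad_lockout_attempt: int = 0   # failed logons before lockout; 0 = never lock (Samba default)
    lockout_duration: int = 30     # minutes the account stays locked
    reset_count_minutes: int = 30  # minutes after which an old failure streak is forgotten


@dataclass
class Account:
    password: str                       # plaintext only because this is a model
    bad_count: int = 0
    first_bad_at: Optional[int] = None  # seconds; start of the current failure streak
    locked_until: Optional[int] = None  # seconds; None = not locked


class SmbAuthModel:
    """Answers logon attempts the way a Samba server with `policy` would."""

    def __init__(self, policy: LockoutPolicy, accounts: Dict[str, Account]):
        self.policy = policy
        self.accounts = accounts

    def logon(self, user: str, password: str, now: int) -> str:
        """Return 'ok', 'bad_password', 'locked' or 'no_such_user' (`now` in seconds)."""
        acct = self.accounts.get(user)
        if acct is None:
            return "no_such_user"
        p = self.policy
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"  # the correct password is refused too while locked
            # Lock has expired: lift it and clear the failure counter.
            acct.locked_until = None
            acct.bad_count = 0
            acct.first_bad_at = None
        if password == acct.password:
            acct.bad_count = 0
            acct.first_bad_at = None
            return "ok"
        # A failure outside the reset window starts a fresh streak.
        window = p.reset_count_minutes * SECONDS_PER_MINUTE
        if acct.first_bad_at is None or now - acct.first_bad_at >= window:
            acct.first_bad_at = now
            acct.bad_count = 0
        acct.bad_count += 1
        if p.bad_lockout_attempt and acct.bad_count >= p.bad_lockout_attempt:
            acct.locked_until = now + p.lockout_duration * SECONDS_PER_MINUTE
        return "bad_password"


def guesses_evaluated(policy: LockoutPolicy, seconds: int) -> int:
    """Attacker guesses the assumed 'admin' password once per second for `seconds`;
    returns how many guesses the server actually checked (replies other than
    'locked'). The constructed guesses are all wrong."""
    model = SmbAuthModel(policy, {"admin": Account(password="correct horse battery staple")})
    checked = 0
    for now in range(seconds):
        if model.logon("admin", f"guess-{now}", now) != "locked":
            checked += 1
    return checked


def legit_admin_during_attack(policy: LockoutPolicy) -> Tuple[str, str]:
    """Attacker trips the lock, then the real admin logs on with the right
    password during the lock and again after it expires."""
    model = SmbAuthModel(policy, {"admin": Account(password="hunter2")})
    for now in range(policy.bad_lockout_attempt):
        model.logon("admin", "wrong", now)
    during = model.logon("admin", "hunter2", 60)
    after = model.logon("admin", "hunter2", 60 + policy.lockout_duration * SECONDS_PER_MINUTE)
    return during, after


if __name__ == "__main__":
    day = 24 * 3600
    no_lockout = LockoutPolicy()
    thread_policy = LockoutPolicy(bad_lockout_attempt=10, lockout_duration=30)
    print("guesses checked in 24h, no lockout:", guesses_evaluated(no_lockout, day))
    print("guesses checked in 24h, 10 attempts / 30 min lock:", guesses_evaluated(thread_policy, day))
    print("real admin during / after attacker-triggered lock:", legit_admin_during_attack(thread_policy))
```

With the thread's settings the attacker gets 10 guesses per 30-minute lock, about 480 a day instead of 86,400, which is what makes a long random password impractical to guess online. The same run shows the cost: every one of those lock periods also shuts out the real admin, which matters more if the account name is guessable (another reason to keep the "admin" account disabled, as the original poster already does).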