Skip to content

Securing Samba against WannaCry

WannaCry is a cryptoworm, now spread to more than 150 countries, affecting end users, as well as numerous organisations by encrypting existing data on a Windows computer's hard drive, then demanding money. The demanded amount increases as the seven-day deadline approaches. When the deadline is reached, the data is deleted. WannaCry can spread through the windows SMB protocol, which is used to reach printers on a local network, or to share files between devices. Samba is a SMB server for unix-like operating systems, which one can use to easily host a home file server. In this post, I will talk about how to secure Samba against WannaCry.
Before we begin, you should have a machine with Samba installed and configured. There are numerous tutorials on how to do this, for almost every flavour of Linux on the interweb, so we will skip this step for now. (Let us know in the comments if you would like such a tutorial, and we will see what we can do in the near future.)

Once WannaCry infects a computer running Windows, it spreads through the SMB protocol, via an existing flaw in SMB1. Microsoft has released a patch, even for Windows XP, to address this issue, downloadable via the Windows Update service, where applicable. To further secure a Windows share, we need to tell Samba to accept SMB2 and above.
To do this, we need to edit the Samba configuration file. This is usually found at '/etc/samba/smb.conf' on most Linux operating systems.

In a terminal, type: 'sudo nano /etc/samba/smb.conf'. Enter your password and Nano will open. (Note, the Nano text editor comes preinstalled on many Linux flavours, but if not, replace with any existing alternative, such as vim.)

In the global section ([global]), we can add one configuration parameter to switch to the SMB2 protocol, which does not have the above mentioned flaw.

You can use ctrl+w to search. Right below [global], add: 'min protocol = SMB2'

According to the smb.conf man page, this parameter can have multiple values. SMB2 (used in Windows 7) or SMB3 (Windows 8-) will work fine, even on Windows 10, however note that not every client supports SMB3.

In particular, some clients seem to have an issue authenticating, and return a negotiation error or fail to show file shares. While 'min protocol' leaves Samba and its clients to negotiate a compatible protocol, starting from SMB2, if set, you can also enforce a specific protocol, just use: 'protocol = SMB2'

Hit ctrl+x, then 'y' to save, and enter to accept the default path and filename.

To restart Samba, you can use: 'sudo systemctl restart smbd', where systemd is used, or 'service restart smbd', where the older, initd is used. On the latest Ubuntu, Arch, etc, systemd should be the default.

On some systems, smbd is still called Samba, however this is rare.

Now, you should have a running Samba server, which uses SMB2 and above, or exclusively, depending on which path you took. WannaCry will not be able to take advantage of the SMB1 flaw to spread.

Trackbacks

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
Form options