Opencanary and Samba
Please note that Samba comes in many versions and behaves differently across the operating systems it runs on.
This walkthrough sets it up on Ubuntu 20.04, but adds debugging steps that apply more generally.
Samba and Opencanary work together by:
- adding audit events to Samba file share accesses (the configuration below audits successful file reads only, which is what opening a file triggers)
- logging these audit events to rsyslog
- writing the Samba-specific audit events to their own log file
- Opencanary monitoring that file and parsing the information
Each of these is a point we need to verify is working when setting up (and debugging) Samba for Opencanary.
When setting this all up, we will be getting a few services to work together (Samba, rsyslog, Opencanary). Below are the commands to restart the services once you have changed their configuration files:

```bash
# Restart rsyslog (on Ubuntu, syslog.service is an alias for rsyslog.service)
sudo systemctl restart rsyslog
sudo systemctl restart syslog
# Restart Samba
sudo smbcontrol all reload-config
sudo systemctl restart smbd
sudo systemctl restart nmbd
```
Let's get your Samba setup right first; check that it is working as expected, then move on.
For this example, I'll use the following (please customise these as you see fit):
- `/home/ubuntu/samba` -> folder that will be visible on the network
- `NBDocs` -> server string
- `SRV01` -> NetBIOS name used
- create the directory and set the correct ownership:
```bash
mkdir /home/ubuntu/samba
chown ubuntu:ubuntu /home/ubuntu/samba
```
- create a file inside it:
```bash
touch /home/ubuntu/samba/testing.txt
```
- edit your default `smb.conf` file (found in `/etc/samba/smb.conf` on Ubuntu) to match ours:
```ini
[global]
workgroup = WORKGROUP
server string = NBDocs
netbios name = SRV01
dns proxy = no
log file = /var/log/samba/log.all
log level = 0
max log size = 100
panic action = /usr/share/samba/panic-action %d
#samba 4
server role = standalone server
#samba 3
#security = user
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = no
map to guest = bad user
usershare allow guests = yes
load printers = no
vfs object = full_audit
full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
full_audit:success = pread_recv pread_send
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = notice
[myshare]
comment = All the stuff!
path = /home/ubuntu/samba
guest ok = yes
read only = yes
browseable = yes
```
- Restart Samba and ensure you can browse to your Samba share.
- edit the rsyslog configuration (`vi /etc/rsyslog.conf`) and add the line:
```
local7.* /var/log/samba-audit.log
```
- create that audit log:
```bash
touch /var/log/samba-audit.log
```
- change the ownership of the log so rsyslog can write to it:
```bash
chown syslog:adm /var/log/samba-audit.log
```
- restart rsyslog/syslog
- enable Samba monitoring by editing your `/etc/opencanaryd/opencanary.conf` (or whichever conf file you are using) and setting `"smb.enabled": true`
- ensure that your `smb` service is pointing at the correct log file: `"smb.auditfile": "/var/log/samba-audit.log",`
- start your Opencanary:
```bash
opencanaryd --start
```
- Make sure you have set up logging or alerting for your Opencanary. We are going to want to confirm that events are coming through.
- Navigate to your Samba file share and open a file inside it.
- Check that the file open event for that share comes through.
So you went through the above steps, and you got nothing! Let's attack this step by step.
Straight away this is a Samba issue before anything else. Opencanary will only report on files accessed on your Samba share, so we need to make sure that the Samba file share is accessible.
Double check these:
- Samba is running:
```bash
$ ps aux | grep smbd
# or
$ systemctl status smbd
```
In both cases you should be able to clearly see that it is running/active.
- Ensure network connectivity from the workstation you are trying to access the file share from:
```bash
$ ping <ip of opencanary server>
```
If you are running this in the cloud, please ensure you have allowed inbound traffic to TCP ports 139 and 445 (for the Samba file share) in your security group or firewall.
This is a broader problem space. Let's try to narrow it down.
Access a file on the Samba share and then check the following:
- check `/var/log/samba-audit.log`; you should see a pair of log lines per file read, like:
```
Sep 14 08:13:13 OpenSourceDevMachine smbd_audit: guest|<ATTACKER IP>|<OPENCANARY IP>|<ATTACK MACHINE NAME>|myshare|srv01|SMB3_11|OSX|2021/09/14 08:13:13|SRV01|pread_send|ok|/home/ubuntu/samba/README.md
Sep 14 08:13:13 OpenSourceDevMachine smbd_audit: guest|<ATTACKER IP>|<OPENCANARY IP>|<ATTACK MACHINE NAME>|myshare|srv01|SMB3_11|OSX|2021/09/14 08:13:13|SRV01|pread_recv|ok|/home/ubuntu/samba/README.md
```
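To check that what lands in `/var/log/samba-audit.log` actually matches the field layout set by `full_audit:prefix` above (and to see why every file read shows up as two lines), here is a small parser for those lines. This is an added example, not code from Opencanary or Samba, and it does not reproduce Opencanary's own parsing; the sample log lines are constructed with RFC 5737 documentation addresses in place of the real client and server IPs, and the `|`-in-path and short-line handling are this example's own choices.

```python
import re
from collections import OrderedDict

# Constructed sample log lines, modelled on the output of the smb.conf in this page.
# The last line shows a path containing '|' to exercise the field-count handling.
SAMPLE_LOG = """\
Sep 14 08:13:13 OpenSourceDevMachine smbd_audit: guest|192.0.2.10|198.51.100.5|WORKSTATION|myshare|srv01|SMB3_11|OSX|2021/09/14 08:13:13|SRV01|pread_send|ok|/home/ubuntu/samba/README.md
Sep 14 08:13:13 OpenSourceDevMachine smbd_audit: guest|192.0.2.10|198.51.100.5|WORKSTATION|myshare|srv01|SMB3_11|OSX|2021/09/14 08:13:13|SRV01|pread_recv|ok|/home/ubuntu/samba/README.md
Sep 14 08:13:14 OpenSourceDevMachine rsyslogd: [origin software="rsyslogd"] rsyslogd was HUPed
Sep 14 08:13:15 OpenSourceDevMachine smbd_audit: guest|192.0.2.10|198.51.100.5|WORKSTATION|myshare|srv01|SMB3_11|OSX|2021/09/14 08:13:15|SRV01|pread_recv|ok|/home/ubuntu/samba/odd|name.txt
"""

# rsyslog's default line format: "<Mon DD HH:MM:SS> <host> <tag>: <payload>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) smbd_audit: (?P<payload>.*)$"
)

# Field order follows full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D,
# after which full_audit appends the operation, its result and the path.
FIELDS = [
    "user", "remote_ip", "local_ip", "remote_machine", "share",
    "server_name", "protocol", "arch", "smb_time", "domain",
    "operation", "result", "path",
]


def parse_audit_line(line):
    """Return a dict of audit fields, or None if the line is not an smbd_audit line.

    Raises ValueError when there are too few fields, which is what you see
    if full_audit:prefix was changed or the rsyslog template was altered.
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    parts = m.group("payload").split("|")
    if len(parts) < len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    # The path is the last field and may itself contain '|', so glue any
    # surplus pieces back onto it rather than silently mis-assigning fields.
    head, tail = parts[:len(FIELDS) - 1], parts[len(FIELDS) - 1:]
    event = dict(zip(FIELDS, head + ["|".join(tail)]))
    event["syslog_host"] = m.group("host")
    return event


def file_open_events(log_text):
    """Collapse the pread_send/pread_recv pair into one event per file read.

    Only successful operations are kept (full_audit:failure = none means
    failures are never logged anyway); lines that are not smbd_audit are skipped.
    """
    seen = OrderedDict()
    for line in log_text.splitlines():
        event = parse_audit_line(line)
        if event is None or event["result"] != "ok":
            continue
        key = (event["remote_ip"], event["share"], event["path"], event["smb_time"])
        seen.setdefault(key, event)
    return list(seen.values())


if __name__ == "__main__":
    for ev in file_open_events(SAMPLE_LOG):
        print(f"{ev['smb_time']} {ev['user']}@{ev['remote_ip']} ({ev['remote_machine']}, "
              f"{ev['protocol']}) read {ev['path']} on share {ev['share']}")
```

Run it against the real file with `file_open_events(open("/var/log/samba-audit.log").read())`: if it raises `ValueError` on the very first smbd_audit line, the prefix in `smb.conf` and the field order assumed here no longer agree, which is also the first thing to suspect when Opencanary sees the file but reports nothing useful.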