.. Reminder for header structure:
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Configuring Fail2ban for Samba-AD
  :keywords: Security, Samba-AD, documentation, fail2ban, authentication, protection

.. _samba_ad_fail2ban:

#################################
Configuring Fail2ban for Samba-AD
#################################

By default, the AD environment lets you define password policies that protect the domain by locking out accounts after multiple failed authentication attempts.

However, this can itself be turned into a :abbr:`DoS (Denial of Service)`: an attacker who tries incorrect passwords against known accounts locks their legitimate users out.

That is why it is recommended not to lock out the account itself, but rather to use *fail2ban* to ban the source IP address from which the unsuccessful connection attempts originate.

Check that Samba's authentication audit log is redirected to a dedicated file in :file:`smb.conf`. The following ``log level`` setting writes the JSON authentication audit records to the file that :program:`fail2ban` will watch:

.. code-block:: ini

   log level = 1 auth_json_audit:3@/var/log/samba/auth_json_audit.log

Please note that in the case of :abbr:`NTLM (NT Lan Manager)` authentication, it is the file server that connects to the domain controller to validate the NTLM challenge, not the client host, so the failed attempt is logged with the file server's address.
It is therefore necessary to configure the environment so that the file server itself is not *blacklisted* by mistake (see ``ignoreip`` below).

* Install the utility :program:`fail2ban`:

  .. code-block:: bash

    # RedHat8 and derived distributions
    yum install fail2ban
    # Debian
    apt-get install fail2ban

* Create the configuration file :file:`/etc/fail2ban/filter.d/samba.conf`:

  .. code-block:: ini

    [Definition]
    # Match failed logons in Samba's JSON auth audit log and capture the client IP
    failregex = NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:

* Create the configuration file :file:`/etc/fail2ban/jail.d/samba.conf`:

  .. code-block:: ini

    [samba]
    filter = samba
    enabled = true
    # Samba-AD ports: Kerberos (88), RPC endpoint mapper (135), LDAP (389),
    # SMB (445), kpasswd (464), LDAPS (636), Global Catalog (3268, 3269)
    action = iptables-multiport[name=samba, port="88,135,389,445,464,636,3268,3269", protocol=tcp]
    # additional action, e.g. e-mail notification:
    #   mail[name=samba, dest=technique@mondomaine.fr]
    logpath = /var/log/samba/auth_json_audit.log
    # ban the source for bantime seconds after maxretry failures within findtime seconds
    maxretry = 5
    findtime = 600
    bantime = 600

* To exclude some IP addresses from :program:`fail2ban` (typically the file server mentioned above), create the file :file:`/etc/fail2ban/jail.d/customisation.local`:

  .. code-block:: ini

    [DEFAULT]
    ignoreip = 192.168.154.217

* Enable and start fail2ban:

  .. code-block:: bash

    systemctl enable fail2ban
    systemctl start fail2ban
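
As an added example (not part of the original page nor of fail2ban itself), the following Python script replays the filter's ``failregex`` and the jail's ``maxretry``/``findtime``/``ignoreip`` logic over constructed ``auth_json_audit`` records, so the filter can be sanity-checked before the jail is enabled. The ``<HOST>`` expansion is a simplified IPv4-only stand-in for fail2ban's real one, and all addresses, accounts and timestamps are made up.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# failregex from /etc/fail2ban/filter.d/samba.conf; <HOST> is replaced by a
# simplified IPv4-only stand-in for fail2ban's real expansion.
FAILREGEX = r'NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:'
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
T0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)

def audit_line(offset_s, status, remote_ip, account):
    """Constructed record in the shape of Samba's auth_json_audit output (trimmed)."""
    return json.dumps({
        "timestamp": (T0 + timedelta(seconds=offset_s)).isoformat(),
        "type": "Authentication",
        "Authentication": {"status": status,
                           "remoteAddress": f"ipv4:{remote_ip}:51234",
                           "clientAccount": account},
    })

def failed_host(line):
    """IP the failregex captures, or None when the line is not a failed logon."""
    m = PATTERN.search(line)
    return m.group("host") if m else None

def banned_ips(lines, maxretry=5, findtime=600, ignoreip=()):
    """IPs the [samba] jail would ban: maxretry matches from one host within findtime seconds, skipping ignoreip."""
    recent, banned = defaultdict(list), set()
    for line in lines:
        host = failed_host(line)
        if host is None or host in ignoreip:
            continue
        ts = datetime.fromisoformat(json.loads(line)["timestamp"])
        window = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample: a spray from 203.0.113.5 (5 failures in 40 s), a user who
# mistypes twice then succeeds, and NTLM failures relayed by the file server
# 192.168.154.217 that customisation.local lists in ignoreip.
SAMPLE = (
    [audit_line(i * 10, "NT_STATUS_WRONG_PASSWORD", "203.0.113.5", f"user{i}") for i in range(5)]
    + [audit_line(5, "NT_STATUS_WRONG_PASSWORD", "198.51.100.7", "alice"),
       audit_line(9, "NT_STATUS_WRONG_PASSWORD", "198.51.100.7", "alice"),
       audit_line(12, "NT_STATUS_OK", "198.51.100.7", "alice")]
    + [audit_line(100 + i, "NT_STATUS_WRONG_PASSWORD", "192.168.154.217", "bob") for i in range(6)]
)
```

On a live system, ``fail2ban-regex /var/log/samba/auth_json_audit.log /etc/fail2ban/filter.d/samba.conf`` performs the same matching check with fail2ban's own regex engine.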

*****************************************
How do I unlock a machine after cleaning?
*****************************************

* To unlock an IP address:

  .. code-block:: bash

    fail2ban-client set samba unbanip <COMPUTER_IP>

* Display blocked IP addresses:

  .. code-block:: bash

    fail2ban-client status samba
