Protecting Data Against Malware
[Posted on: 06 August 2015]
Before I proceed any further, please be warned that you will need some knowledge of Linux to understand some of the finer points. Even if you don’t, you may still be able to grasp the basic ideas. Also please note that the terms ‘folder’ and ‘directory’ are used interchangeably – the former tends to be used by Windows and the latter by Linux.
In recent times we have seen a rise in malware that attacks the user’s own data. Something like Cryptolocker will encrypt files on the user’s computer and then make a ransom demand to pay for the required unlocking code. Malware has been associated with big-time crime for a long time now, and yet I feel there is something more sinister about this than, say, stealing a person’s credit card details. In the case of the latter, it tends at least to be the bank that loses out (not that I am making any excuses – even if the banking industry is far too rich, theft is still theft!). On the other hand, if you are a serious computer user, then your computer data is a highly valuable asset, be it your documents, photos or music collection, and to lose it could be very costly in terms of years of work or memories.
I am going to look briefly at the idea of installing a Linux server on your network and using certain features of Linux to protect files from being attacked from within the Windows network. The server can be used to store photos and music as well as data backups from your working computers. A relatively old machine will often suffice for this purpose, though you may need to install a decent-sized hard drive (e.g. 1TB).
Here are some examples of things that can be done.
- Share a directory via Samba with read-only access. This is good for the likes of photos and music that will never need to be modified once uploaded. Material can be uploaded via either FTP or a hidden symbolic link (see item 3 below).
- Some files (e.g. data backups) may need to be regularly updated from a computer, in which case full read-write access will be required. Ideally there needs to be a way of hiding the folder from someone or something idly browsing the network, while still making the folder accessible to an application that knows its path. This can be done by placing the real folder inside a hidden folder on a read-write Samba share. Any file or directory whose name starts with a period (‘.’) is hidden in Linux, though when sharing via Samba it will be visible by default on the Windows network. To fully hide it you will need to add the following line to the settings for the given share within the smb.conf file and restart the Samba service.
veto files = /.*/
As a result, the folder being hidden will itself become invisible to anything or anyone browsing the network, but given the full path of the sub-folder (i.e. the real folder containing your data), it is still possible to access it directly from within Windows. (N.B. You can’t browse the hidden folder itself, even given its path, but you can browse any folder under it, given its full path.)
- Following on from the above, you can also put a symbolic link inside a hidden directory, pointing it to a directory that is otherwise contained within a read-only share. This gives a secret ‘back door’ route with read-write access to an otherwise read-only folder.
- If you want to protect individual directories and/or files within a Samba share that is otherwise read-write, you can do so using Linux file permissions. The best way is probably to set the owner to ‘root’ and then set the permissions to 644 for data files or 755 for executables and directories.
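The first two items, written out as smb.conf share sections. This is an added example, not configuration from the original post; the share names, paths and the account "backupuser" are assumptions.

```ini
# /etc/samba/smb.conf, share sections only (added example).
# Share names, paths and the account "backupuser" are assumptions.

[media]
   # Item 1: photos and music, exported read-only.
   path = /srv/media
   read only = yes
   guest ok = no

[store]
   # Item 2: read-write share used by the backup job.
   path = /srv/store
   read only = no
   guest ok = no
   valid users = backupuser
   # Every name starting with a period is vetoed, so /srv/store/.vault
   # is not listed when the share is browsed. The backup job is given
   # the full path \\SERVER\store\.vault\backups, as the text describes;
   # confirm that behaviour on the Samba version you run.
   veto files = /.*/
   # Item 3: a symlink under .vault whose target lies outside /srv/store
   # is followed only when "wide links" is enabled (its default is no).
```

Running `testparm -s` checks the file for syntax errors before the Samba service is restarted.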
On a final note, if you are making backups via a read-write link, make sure that your backup system keeps some sort of rolling history and not just a constant overwrite of the same files – otherwise malicious damage to data could go unnoticed and be copied to the one and only backup!