HNAS SMB Auto-Barring and Barred-Client Commands

Content

Warning

If SMB Barring is disabled globally, the entire HNAS can get blocked by the DCs if there are too many incorrect login attempts from a single user. This new feature allows the HNAS to block incorrect NTLM requests and not pass them on to the DC(s) for authentication if there are too many failed login attempts and allows all other SMB clients to continue access to the HNAS if they have valid login credentials.

Objective

Starting with Hitachi NAS code version 13.9.6918.02, HNAS Engineering introduced a new feature called smb-auto-barring, along with some other SMB barring commands (which are used for manual SMB client barring):

smb-barred-client-add
smb-barred-client-remove
smb-barred-client-clear
smb-barred-client-list

SMB Client Barring

Provides a facility that maintains a list (per security context) of client IP addresses barred from SMB/SMB2.x/SMB3 access to the HNAS. Clients that cause SMB NTLM authentication failures by providing an incorrect password are automatically added to the client's list if the failure rate is sufficient.
By default, SMB clients that attempt to login into the HNAS use NTLM (authentication protocol) to check the client's user credentials with a DC. If the DC reports back to the HNAS saying the password is incorrect, the HNAS must reconnect to the DC on the subsequent client credentials request.
Repeated incorrect password authentication failures can cause the DC(s) to have a temporary connection refusal to the HNAS.

SMB Auto-Barring

Works on an EVS Security context basis when used with Multi-Tenancy.
Enabling smb-auto-barring allows the HNAS to automatically continue accepting client NTLM requests with valid credentials and any client with repeated invalid credentials gets blocked by the HNAS and the HNAS won't pass on the credentials to the DC(s).
Automatic Barring of clients is enabled by default, and a (paced) event is generated when a client is barred.

You should expect NTLM usage under the following circumstances:

The client connects using an IP address.
The Kerberos CIFS Service Principal Name is missing in AD for the SMB server.
The credential used for the SMB server is a local user account.

Environment

VSP One File 30 Series
- VSP One File 32
- VSP One File 34
- VSP One File 38
Hitachi NAS Gateway Platform
- Hitachi NAS Platform 5300 (HNAS 5300)
- Hitachi NAS Platform 5200 (HNAS 5200)
- Hitachi NAS Platform 4100 (HNAS 4100)
- Hitachi NAS Platform 4080 (HNAS 4080)
- Hitachi NAS Platform 4060 (HNAS 4060)

Procedure

Initial Configuration

No initial configuration of the feature is required.

Managing the barred clients' list is done using the following commands; check the man pages for more details on each command.

smb-barred-client-add (add a client to the SMB barred client list)

smb-barred-client-remove (remove a client from the SMB barred client list)

smb-barred-clients-list (display the SMB barred clients list)

smb-barred-clients-clear (clear the SMB barred client list)

Clients are barred based on their IP address, so each IPv4 and IPv6 (if configured) address will need to be considered a separate entry. Once a client is barred, that client can't connect over SMB regardless of the credentials used – manual removal from the 'barred' list is required. A maximum of 512 client IP addresses per security context can be barred.
The output from the smb-barred-clients-list is included in the showall.txt log file in the HNAS diags.

A workaround (where SMB Barring does not apply) is for a client to use Kerberos. It will communicate directly to the DC(s) for authentication, not through the HNAS.

To View the Current Settings

Use the following commands to view the current setting values

for-each-evs set-smb-auto-barring-mean-interval-threshold-in-seconds
for-each-evs set-smb-auto-barring-sample-size

4080:$ for-each-evs set-smb-auto-barring-mean-interval-threshold-in-seconds
EVS 1 (4080-EVS01):
smb-auto-barring-mean-interval-threshold-in-seconds = '0x2'(2)
EVS 2 (4080-EVS02):
smb-auto-barring-mean-interval-threshold-in-seconds = '0x2'(2)
EVS 3 (4080-EVS03):
smb-auto-barring-mean-interval-threshold-in-seconds = '0x2'(2)
EVS 4 (4080-EVS04):
smb-auto-barring-mean-interval-threshold-in-seconds = '0x2'(2)

4080:$ for-each-evs set-smb-auto-barring-sample-size
EVS 1 (4080-EVS01):
smb-auto-barring-sample-size = '0x15'(21)
EVS 2 (4080-EVS02):
smb-auto-barring-sample-size = '0x15'(21)
EVS 3 (4080-EVS03):
smb-auto-barring-sample-size = '0x15'(21)
EVS 4 (4080-EVS04):

Tuning the auto-barring parameters

Before disabling auto-barring, the customer may choose to tune the command parameters.

• set-smb-auto-barring-mean-interval-threshold-in-seconds - This commands sets the SMB
client auto-barring mean interval threshold - a given client attempting connections with an
incorrect password more frequently than this will be barred.

Default value: 2 (seconds)
Configurable range: 1 to 120 seconds in 1 second intervals

• set-smb-auto-barring-sample-size - This command sets the SMB client auto- barring
sample size - i.e., the number of instances a client can fail to connect with an
incorrect password before being evaluated against the above interval for banning.

Default value: 21
Configurable range 21 to 512

How do these parameters affect auto-barring?

At the default values, if a client IP address attempts to connect with an incorrect password 21 times it will then be considered a candidate for auto-barring. If the mean rate that it is attempting to login in is faster than once per 2 second interval it will be added to the barred clients list.

Varying set-smb-auto-barring-sample-size allows you to change how many bad connection attempts can be made before a client is considered for auto-barring. For example,

$ set-smb-auto-barring-sample-size 42

would allow 42 connection attempts before the client was considered for auto-barring.

Varying set-smb-auto-barring-mean-interval-threshold-in-seconds allows you to change the frequency at which a client can attempt to connect before being barred. For example,

$ set-smb-auto-barring-mean-interval-threshold-in-seconds 4

would not add a client to the barred list unless it was attempting to connect more frequently than once every 4 seconds (on average).

The default values were carefully selected to avoid clients being auto-barred unnecessarily. If you choose to vary them, it is suggested starting with small adjustments and observing the results. Setting too large a threshold or sample size can reduce the auto-barring feature's effectiveness.

Procedure to Disable HNAS SMB Auto-Barring

This procedure allows disabling SMB auto-barring on the Hitachi NAS platforms.

Warning:

If Barring is disabled globally, the entire HNAS can get denied access to the DC(s) if there are too many wrong login attempts from a single user.
Blocking the client from which the 'bad' user comes prevents this and allows all other clients to continue access.

NOTE:

If Multi-Tenancy is disabled (regardless of the Security Context of the EVS), use the Global SMB Barring setting to disable SMB Barring.
If Multi-Tenancy is enabled, use SMB Barring at the Individual EVS Security Context (again, this only works IF Multi-Tenancy is enabled).

From the CLI

Use the following procedure to enable SMB Barring on an Individual EVS Context if Multi-Tenancy is enabled.

Establish an ssh session with the vSMU.
Login as manager; provide the current password.
In the menu, type the number of the system to be configured.
Run the command: evs-security list

<evs-security list for admin vnode>

EVS id Per EVS security status
------ ------'----------'-----
1 global
2 global
3 global
4 global
5 global
6 global
8 global
10 ' global
11 global
12 global
13 individual <---Global disable will not turn off this 'individual' EVS Security Context
15 global

Note: The system may or may not have EVS(s) designated in a particular security context.
To disable the SMB barring functionality on the 'global' context, run this command:
$ set smb-auto-barring false
To enable the SMB barring functionality on the 'individual' EVS, run this command:
$ vn <EVS ID>
$ set-for-evs smb-auto-barring -a true
Note: If an EVS in an Individual Context.
To disable the SMB barring functionality on the 'individual' EVS, run this command:
$ vn <EVS ID>
$ set-for-evs smb-auto-barring -a false
Note: If an EVS in an Individual Context.

Citrix/Multi-Tenancy Environment

In a Citrix environment and Multi-Tenancy is Enabled, instead of disabling auto-barring for the entire environment, the EVS(s) serving the Citrix Servers could be placed into Individual Security Groups and then use the above command to disable auto-barring only the EVS(s) that is serving data to the Citrix Servers.

The process would be, from a high level:

Obtain a Windows"Security License, if not already installed (billable license).
Disable the EVS.
Change the security model to individual.
Register the EVS with the A/D domain.
Enable the EVS.
Select the Citrix EVS: vn <EVS ID>
Issue the command: set-for-evs smb-auto-barring -a false
Perform this for each EVS(s) servicing a Citrix Server.

Procedure to Identify SMB Barred Clients or 'Bad Actors" when smb-auto-barring is disabled.

The two sections below, one manual and one automated, help to identify which client IP address is repeatedly using the wrong login credentials, thus invoking the "smb-auto-barring" feature OR in the case where smb-auto-barring is disabled may cause the EVS to be denied access to the DC.

This client/user, if not barred, can cause a performance impact on the HNAS and a denial of access to the DC(s). This behavior can impact all users on a particular node, not just the client using an incorrect password or user name. It takes many failed attempts before the NAS gets temporarily barred from the DC(s), and that exact number is unknown.

Manual Search for 'Bad Actor(s)

Here are some steps to identify the 'bad actor(s).

Connect to the System Management Unit using the Putty application:
Login as: manager
Password: <enter the current manager password>
The server menu appears

Available servers:
==================
1) 10.0.2.210 HNASDEMO
Please choose a server, or type 'q' to exit to a bash Shell.
Select the appropriate Cluster/Server: 1
Type the following commands:
nolog for-each-evs smb-barred-clients-list (Displays the list of client addresses barred from SMB access.)
nolog pn all dblog | grep "10.123.xx.xx" (Check the dblog for the IP(s) found in step 1 that are of interest.)
nolog pn all logtrace dump paced-event-logger | grep "10.123.xx.xx (The paced-event-logger gives the recent output of events that spam the dblog.)
nolog pn all dblog | grep "10.123.xx.xx" | grep "failed to logon" (Check for failed logons.)
nolog pn all logtrace dump paced-event-logger | grep "10.123.xx.xx" | grep “failed to logon”

There are several words and phrases to key on when grepping the dblog and paced-event-logger - here are a few more common ones:

NT_STATUS_WRONG_PASSWORD
NT_STATUS_ACCOUNT_LOCKED_OUT
NT_STATUS_NO_SUCH_USER
NT_STATUS_PASSWORD_EXPIRED
NT_STATUS_ACCESS_DENIED

PowerShell script to search the current_dblog for the events above.

Open a Diagnostic file from the customer
Extract the <Node>-current_dblog.txt to a folder on the laptop
Open PowerShell command prompt
Change focus to the directory using the cd command
Run the following script

$failed_login=@('NT_STATUS_WRONG_PASSWORD','NT_STATUS_PASSWORD_EXPIRED','NT_STATUS_ACCOUNT_LOCKED_OUT','NT_STATUS_NO_SUCH_USER')
try{$failed_login.foreach({"Checking files for $_"})
Get-Content *current_dblog* | Out-String -Stream | Select-String -Pattern $failed_login -SimpleMatch
}catch{$_.Exception.Message
}finally {"End of program"
}

Automated Procedure for Customers to collect diagnostics and search for the events above from the downloaded diagnostics.

In the vSMU GUI, verify that the system has been configured to send emails.
1. Navigate to Home > Status & Monitoring > Email Alerts Setup
  Check that an SMTP Server and the From Address have been configured to send emails.
Create a cron job on one of the nodes in the cluster to download daily node diagnostics, using the following example.
crontab add "00 08 * * *" "pn all diagemail <customer email address>"
Download and copy the attached PowerShell script to a directory on a Windows machine.
FAILED-LOGIN_v4
Copy the diagnostics into the same directory.
Run the following PowerShell scripts: (You need 7zip installed on your PC).
1. FAILED-LOGIN_v4
This script produces two .txt files
1. failed-login.txt to get the user name and IP address of the users with failed logins.
2. wrong-login-per-day.txt to see the trend of the failed logins per day of both nodes.

Additional Notes

Release_Notes (13.9.6918.02)
Hitachi_NAS_Platform_13.9.6918.02_Release_Notes
For more, visit the Hitachi Vantara Product Documentation Portal.

Attachments

Attachment: 7374_20240807162421_240417000248988.ps1

CXOne Metadata

Tags: hnas,SMB,Domain Controller,automatic,Citrix,NTLM,auto-barring,smb-auto-barring,Barred,SMB client,Banned,Blacklist,DC

PageID: 156251

Solution Properties

Keywords

https://knowledge.hitachivantara.com/Knowledge/Storage/Network_Attached_Storage/Hitachi_NAS_Platform/HNAS_SMB_Auto-Barring_and_Barred-Client_Commands raexternalrequest

Solution ID

240403060156251

Last Modified Date

09/07/2024 10:56:50 PM

Attributes

Page Privacy and Permission Assignment

Page Privacy: Private
Page Level Permissions: Employee; Service Partner; Customer; Knowledge Author; Knowledge Editor; IT; eServices; Knowledge Draft
Article: howto
Pagetype: knowledgearticle

Taxonomy

Storage > Network Attached Storage > Hitachi NAS Platform

Collections

Customer

Views