Is it possible to hide ZFS snapshots over SMB

Madumi

Cadet
Joined
May 18, 2021
Messages
3
I am new to TrueNAS, so apologies for my ignorance.

Back three years ago, I understand one could expose ZFS snapshots over SMB & have windows restore file versions from the right-click menu using something like:
Code:
zfsacl:expose_snapdir=True


I understand that snapshots are now exposed over SMB by default... but is there a way to hide them?

My usage case is that in the case of a ransomware attack, I would prefer that there were no evidence that snapshots existed from within the windows machine... so as not to encourage threat actors to dig deeper...

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Don't check the box to enable them.

It's called shadow copies under the share settings.

Borja Marcos

Contributor
Joined
Nov 24, 2014
Messages
125
> My usage case is that in the case of a ransomware attack, I would prefer that there were no evidence that snapshots existed from within the windows machine... so as not to encourage threat actors to dig deeper...
Well, it would make an interesting honeypot. If you detect access to them (except for a file recovery now and then) you certainly have a reason to dig! ;)

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,544
> I am new to TrueNAS, so apologies for my ignorance.
>
> Back three years ago, I understand one could expose ZFS snapshots over SMB & have windows restore file versions from the right-click menu using something like:
> Code:
> zfsacl:expose_snapdir=True
>
> I understand that snapshots are now exposed over SMB by default... but is there a way to hide them?
>
> My usage case is that in the case of a ransomware attack, I would prefer that there were no evidence that snapshots existed from within the windows machine... so as not to encourage threat actors to dig deeper...
Parameter is old. ZFS snapshots are always accessible over the special ".zfs/snapshot" directory at the root of the ZFS dataset. This means the only recourse to entirely avoid exposing them over SMB is to create a directory (not dataset) inside the dataset you wish to share and set that as your share's path (and uncheck the "shadow copies" checkbox).
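As an added example (not from the thread or from TrueNAS), a small POSIX shell audit that applies the point above: a share rooted at a dataset mount point can reach `.zfs/snapshot` by name, while a share rooted at an ordinary directory inside the dataset cannot. The directory tree it inspects is constructed with `mkdir` so the script runs without ZFS; on a real server you would pass the actual share paths instead.

```shell
#!/bin/sh
# Added example, not from the thread or TrueNAS: audit a list of SMB share
# paths and flag the ones whose root is a ZFS dataset mount point, where the
# ".zfs/snapshot" control directory is reachable by name from the share root.
# A share rooted at a plain directory inside the dataset does not expose it.
# With snapdir=hidden the .zfs directory is omitted from listings but can
# still be opened by name, so a "-d" test on the path is the right check.

# share_exposes_snapdir PATH: succeeds if PATH/.zfs/snapshot is reachable
share_exposes_snapdir() {
    [ -d "$1/.zfs/snapshot" ]
}

# exposed_shares PATH...: prints each share path that exposes .zfs/snapshot
exposed_shares() {
    for share in "$@"; do
        if share_exposes_snapdir "$share"; then
            printf '%s\n' "$share"
        fi
    done
}

# Constructed stand-in for a ZFS layout so the script runs without ZFS:
# "tank/data" plays the dataset root (ZFS itself creates .zfs/snapshot there),
# "tank/data/share" is an ordinary directory inside that dataset.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/tank/data/.zfs/snapshot/auto-2021-05-18-0000" \
             "$demo/tank/data/share/docs"
    printf '%s\n' "$demo"
}

# Stand-alone run: report which of the two candidate share paths is safe.
demo_root=$(make_demo_tree)
for share in "$demo_root/tank/data" "$demo_root/tank/data/share"; do
    if share_exposes_snapdir "$share"; then
        echo "EXPOSED: $share (dataset root; .zfs/snapshot reachable via SMB)"
    else
        echo "ok:      $share (directory inside dataset; no .zfs at share root)"
    fi
done
rm -rf "$demo_root"
```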

Madumi

Cadet
Joined
May 18, 2021
Messages
3
Thanks so much for replies.

I definitely want to use shadow copies/snapshots for file versioning/recovery... I just did not want them visible from the windows machine.

Pity that TrueNAS does not have this capability; it would be a helpful line of defence against ransomware/threat actors.

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,175
They're not writable and I think they can't be deleted over SMB, so I don't think you have a problem there. Of course, there's always @anodos' solution.

Madumi

Cadet
Joined
May 18, 2021
Messages
3
Thanks again for replies. It's nice that TrueNAS does not allow access via SMB to the snapshots. I guess it would just be nice to have an option not to see these in windows. If I were a threat actor & saw that a NAS kept snapshots of a compromised system, I would simply wait for the data retention period to expire... my 0.02c :smile:

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,175
That's correct. They're read-only and we don't expose the ability to delete snapshots over the SMB protocol.
Out of curiosity, does the SMB protocol support that?

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,544
> Out of curiosity, does the SMB protocol support that?
SMB protocol, no, but MS-FSRVP defines the filesystem remote VSS protocol, which allows snapshot management through an RPC endpoint (in IPC$).

I have written support / plumbing for this in our samba version, but it regressed with a recent upstream update and I need time to fix it again before rebasing on samba master and upstreaming. In this case though, the RPC server has to be enabled and it only manages snapshots that have the name `fsrvp-%s`, where %s is seconds from epoch.

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,544
> Thanks again for replies. It's nice that TrueNAS does not allow access via SMB to the snapshots. I guess it would just be nice to have an option not to see these in windows. If I were a threat actor & saw that a NAS kept snapshots of a compromised system, I would simply wait for the data retention period to expire... my 0.02c :smile:
Considering that which snapshots are presented to end-users via shadow copies is actually configurable, and they overall provide little information about snapshots available on ZFS replication targets, this is not particularly useful information to an attacker. They'd be better off using the compromised client to try to get credentials for a more privileged user and attack a different way (possibly through SSH).

Borja Marcos

Contributor
Joined
Nov 24, 2014
Messages
125
ZFS snapshots are a really effective defense.

If you want even better security, remember that the risks are (assuming you are using the minimal set of services):

- Administration credentials for FreeNAS

- Security vulnerabilities in the FreeNAS web interface and/or ssh

- Security vulnerabilities in Samba

Now, if you set up your server with two network interfaces, so that the web UI only listens on one of them, which is in a network not accessible to common users, you remove the risk of admin credentials and UI vulnerabilities, leaving only Samba.


If you get more paranoid you can always replicate the datasets to another server. In order to do it in a more secure way set up the replica server so that it pulls the snapshots from the production server, and the production server has no way to initiate a connection of any sort to the replica server.