Original Message:
Sent: 06-19-2023 11:56
From: Andrew Romero
Subject: Why does HNAS need SMB-Client-Barring whereas other products in Market do not seem to have a need of the same functionality?
Hi Al, Hi Patrick
Thanks for putting together and posting the document about the auto-barring feature.
We have a set of multi-user terminal-servers that are getting clobbered by auto-barring.
Auto-barring is itself acting like a DOS attack service. The common scenario (several times per week ) is a user with a session on terminal server X will , in a session on Laptop Y, change his / her password. The user's session on terminal server X will not posses the new credentials and will , in interactions with EVS E, start generating bad passwords. EVS E will then bar terminal server X. All users, not just the absent minded user, with sessions on terminal server X are denied CIFS/SMB service by EVS E.
I have attempted / considered these solutions:
A. Declare that users must never be absent minded. Before changing your password (from your laptop) , log-off of all terminal server sessions , then change your password , then start another terminal server session. Or change your password from your terminal server session. This obviously isn't going to work. ( for the same reason that it is impossible to herd kittens )
B. Have the terminal-server sys-admin kill all detached terminal server sessions. This is not possible, as users are running long runtime processes.
C. Monitor HNAS logs, identify culprits, kill their terminal-server sessions and un-bar the barred terminal server. This is what I am doing now, and it is not effective and it consumes lots of admin time throughout the day. And its reactive, it does not prevent bars.
D. Turn off auto-barring . This could cause HNAS to get barred by AD domain controllers; thus, is not a good option
IMPORTANT QUESTION:
User's definitely use Kerberos when logging on to the Terminal Servers. However, based on the barring behavior , Kerberos is likely not being used for CIFS/SMB operations. The document Patrick created appears to imply that if all UNC path references, used by users, were of the form
\\server.corp.com\sharename ( rather than \\server\sharename ) , then Kerberos auth would be used for CIFS/SMB operations and ( to make a long story short) bad credentials used for these CIFS/SMB operations won't cause the computer ( that the user's session is running on ) to be barred by the HNAS. Please go to the mountain and ask the guru: "Will using exclusively FQDN UNC paths eliminate my terminal-server auto-barring woes ?"
Thanks
Andy
------------------------------
Andrew Romero
Storage Administrator
Fermi National Accelerator Laboratory
Original Message:
Sent: 06-19-2023 10:34
From: Albert Hagopian
Subject: Why does HNAS need SMB-Client-Barring whereas other products in Market do not seem to have a need of the same functionality?
Abhishek, HNAS Product Manager (Patrick Allaire) spent some time on this request and has provided the attached document for your consumption.
We hope this helps.
------------------------------
Albert Hagopian
Software Development Engineer - Specialist
Hitachi Vantara
Original Message:
Sent: 05-16-2023 16:44
From: Abhishek Saxena
Subject: Why does HNAS need SMB-Client-Barring whereas other products in Market do not seem to have a need of the same functionality?
Also HNAS seems to be the only NAS solution out there implementing this. We have several DELL EMC NAS, along with few NetApps and Nasuni NAS. None of them seems to have this feature.
I understand there could be technical reasons behind this implementation with HNAS, but other systems seem to be handing this with a better implementation. Not sure how though?
------------------------------
Abhishek Saxena
Systems Engineer
S&P Global Market Intelligence
Original Message:
Sent: 05-16-2023 16:36
From: Andrew Romero
Subject: Why does HNAS need SMB-Client-Barring whereas other products in Market do not seem to have a need of the same functionality?
Hi
I have the same question. Why is this really needed ? ( security ? , performance ?... maybe some sites
have so much bad pw activity that it consumes resources and saps performance ? )
Last month I wasted a day battling a "mystery problem" where all users on an important host
( a large Terminal server ) were un-able to access the NAS.
The cause of the "mystery problem" ( partial service outage ) was the new on-by-default "auto barring" feature.
Most of the auto-bars I have seen have been legit ( broken clients ...etc ) ;however,
it appears that multi-user terminal servers are frequent accidental ( not legit ) auto-bars.
Currently, I believe that the trigger for barring is:
"If , from a given IP Address, there are 21 bad logon attempts within 2 seconds,
THEN, that IP Address will be barred. "
The thresholds of this can be tuned ; however, this can be problematic since
de-sensitizing "auto-barring" to prevent non-legit auto-bars also
prevents legit "auto-bars".
The "auto-bar" feature needs a "do not bar" list .
It should be possible to add the following to the "do not bar" list
- IP Addresses
-IP Address ranges ( 142.205.0.0/16 .... etc )
- host names
The "auto-bar" feature also needs an auto-clear feature so that when the client-side issue is
resolved the bar is removed after N hours. ( the NAS admin should not have to babysit
this feature and be forced to manually remove the "bars" )
There may be an actual good reason for implementing this feature; however,
having it active-by-default was probably not a good idea since it results
in , partial, service outages. As currently implemented the feature causes some disruption
and causes some extra work for NAS admins.
Thanks
Andy
>
Original Message-----
> From: Abhishek Saxena via Hitachi Vantara <mail@connectedcommunity.org>
>
> HNAS 13.9 introduced SMB-client-barring, a list where clients are automatically added if they generated enough unauthenticated
> requests to HNAS. Why is this functionality needed?
>
> Other NAS products out there do not seem to have a need of similar blocking in place.
>
>