Network Place (Samba) Share on LAN only

[mtrains]

Thanks. I will give it another go this evening.

 

[mtrains]

Enable it, set the option underneath to erase its content, and reboot the router.

The next reboot might take longer than usual, give it a good 5 minutes to be safe. If it's still not accessible, reboot a second time (for some reason this is sometime necessary).

Thanks Merlin. That worked. I ran the code. My ISP is blocking port 445 on the WAN. So ShieldsUp always says 445 is stealth. How do I tell from the router whether the smb settings are right after running the code?

 

[RMerlin]

Thanks Merlin. That worked. I ran the code. My ISP is blocking port 445 on the WAN. So ShieldsUp always says 445 is stealth. How do I tell from the router whether the smb settings are right after running the code?

Check /etc/smb.conf, see if "bind interfaces only" is set to "yes".

Note that you don't really need this fix if your ISP is already taking care of dropping traffic to port 445 however.

 

[mtrains]

Check /etc/smb.conf, see if "bind interfaces only" is set to "yes".

Note that you don't really need this fix if your ISP is already taking care of dropping traffic to port 445 however.

Thanks. I see the line in smb.conf.

I am being overly paranoid I don't like depending on the ISP to block the port right. I will never know if for some reason they decide to not block the port.

 

[RMerlin]

Thanks. I see the line in smb.conf.

I am being overly paranoid I don't like depending on the ISP to block the port right. I will never know if for some reason they decide to not block the port.

It certainly doesn't hurt when you take your security into your own hands rather than rely on the ISP.

 

[jlake]

It certainly doesn't hurt when you take your security into your own hands rather than rely on the ISP.

Personally, I don't think the ISP should be blocking ports for security. That's what the router/firewall is supposed to do. By your logic, the ISP should be blocking all IPv6 too.

On a residential AT&T DSL account, AT&T only blocks TCP port 25 and UDP slammer port. On a business account, they don't even block port 25. They provide residential customers with a gateway device with firewall that blocks outbound 139, 445 etc.. by default. If you call and request, they will unblock port 25.

The internet is supposed to be open by design. Consumers must then choose a router/firewall, computer that protects them.

In the case of Asus, the router should be at least giving you a big red pop up warning that you are opening port 445 to the world.

I'm not aware of any other consumer router that opens port 445 on the NAT. There should at least be some warnings all over the box, GUI, and manual if that is their new trend setting design.

 

[L&LD]

jlake, I can see that this port 445 issue is very important to you.

I also think I see you misunderstanding what RMerlin said.

I'm sure that Asus just tripped up with this and it will be fixed in the next round of firmware - I agree that there is no reason for this to be 'the new trend' for Asus routers.

Honestly, I think for 99% of the users out there you're over reacting, but as I've mentioned before; I don't use any of these 'exotic' features anyways - so my exposure to this risk is exactly nil.

 

[RMerlin]

By your logic, the ISP should be blocking all IPv6 too.

What logic? I never said I agreed with this. Merely pointed out that it was the case for his specific situation.

In the case of Asus, the router should be at least giving you a big red pop up warning that you are opening port 445 to the world.

I'm not aware of any other consumer router that opens port 445 on the NAT. There should at least be some warnings all over the box, GUI, and manual if that is their new trend setting design.

It's obviously a bug, not a design feature.

 

[jlake]

What logic? I never said I agreed with this. Merely pointed out that it was the case for his specific situation.



It's obviously a bug, not a design feature.

Oh ok. My bad. How severe of a bug would you consider this to be? It's been around since at least November. L&LD has stated in the past that it's "no biggie". Is that the general consensus? Maybe I'm ignorant or misinformed to the significance of port 445.

Did you get any feedback from asus about it?

I tried the new n66u Beta firmware and did a port scan after I flashed it. I rarely do port scans. But now I'm a little paranoid as it has obviously shaken my confidence in asus a little bit (AiCloud previous bug and no ipv6 firewall on top of this). No doubt they'll fix it. But since it's been around since November, you have to wonder what damage has been done to consumers unknowingly having port 445 open? AC68u is one of the top selling routers on amazon, so I have to believe there's a lot of non SNB forum members out there that own the router.


https://www.grc.com/port_445.htm

 

[RMerlin]

Oh ok. My bad. How severe of a bug would you consider this to be? It's been around since at least November. L&LD has stated in the past that it's "no biggie". Is that the general consensus? Maybe I'm ignorant or misinformed to the significance of port 445.

If you have SMB sharing enabled and don't use password-based authentication, then any shared USB disk will be accessible over WAN if you have an RT-AC56U or RT-AC68U and your ISP allows port 445 access in.

The fix I posted here will plug the hole.

Did you get any feedback from asus about it?

Not yet, but between the change in manager and the Chinese New Year, I'm not surprised.

 

[jlake]

If you have SMB sharing enabled and don't use password-based authentication, then any shared USB disk will be accessible over WAN if you have an RT-AC56U or RT-AC68U and your ISP allows port 445 access in.

The fix I posted here will plug the hole.



Not yet, but between the change in manager and the Chinese New Year, I'm not surprised.

Thanks!

Your explanation tells me this is an extremely serious bug.

It's not my intent to throw dirt on Asus, but rather to possibly help someone who doesn't fully understand the potential seriousness of this bug and consequences......or even be aware that it's open. I'm sure there's quite a few lurking padawan learner geeks (like me) out there that may not fully understand the potential seriousness and ramifications of an open 445. Especially if it's a default behavior.

Since I don't have those routers I'm not affected, but I do not use a password on samba. :cringe:

Hopefully some lurking Ac68 or ac56 owner will see this thread and your post and click on it and make sure they apply your fix and read your post, especially if their ISP does not block 445 (like the millions of AT&T users).

Edit: and to be honest, I think it's so serious that it needs a sticky thread. Just my humble opinion and two cents.

 

[L&LD]

jlake,

Now I see! (Why you're so passionate about port 445).

We're the complete opposite here; I don't use samba shares and don't care about this issue at all.

While you're using samba shares with no password.

Okay, the world is alright again.


Good night.

 

[mostou]

Shares are accessible from WAN as well for me. Port 445 is open on my AC68U when sharing is enabled. Firmware version _583. I have disabled Samba sharing for the moment. Perhaps I will try Merlin's script with his firmware or wait for the next update from Asus. Thanks JLake for pointing me to this thread!

 

[lwizard]

SAMBA on PPTP broken after fix

Is it possible that after appling this SAMBA patch, I can't see my LAN anymore over VPN (PPTP)? few minutes before the patch was there, now I am connected to VPN but can't see my PC and router HDD on network..

 

[RMerlin]

Is it possible that after appling this SAMBA patch, I can't see my LAN anymore over VPN (PPTP)? few minutes before the patch was there, now I am connected to VPN but can't see my PC and router HDD on network..

Network browsing over a PPTP tunnel will always be iffy since it relies on broadcasting. You should still be able to access computer shares through either their name or IPs however, I just tested it here and it's working properly for me.

 

[EronRackzak]

Just wanted to point out tha this issue is fixed on RMerlin's .39 firmware. (Thanks!)

When enabling the service port 445 now shows as Closed (Not Stealth) in Shields Up.

Still, for those interested, if you want to enable FTP on the LAN but block it on the WAN side, you'll need to manually do so using a script (reference to that at the top of this thread).

 

[Skidplate]

Burned by Asus!

Hey Guys,

I’m new to the forum, but this topic really interests me. Especially since I was recently affected by this very issue! I’m pretty upset right now and have no idea how badly I was compromised, so I’m looking for some advice.

First off, I (stupidly) did not use Merlin’s firmware prior to yesterday, I’ve since updated my RT-N66U with the latest version (Asuswrt-Merlin - build 374.40). Thanks for all the hard work RMerlin!

Here is what happened:

I’ve been using this router for a couple of years. I’ve disabled most of the features, including AICloud/AIDisk/FTP/uPNp/Wan admin and everything else they say to disable. Anyhow, a couple of days ago, I noticed there was an update available so I updated the firmware.

I checked to make sure AICloud was disabled and that all my settings appeared to be there. This was my first mistake, I didn’t go through every page on the router… Anyhow, about 20 hours later, I noticed that I had about 16 GB of upload!!

So I went into the USB application and noticed the following:
- Enable DLNA Media Server was on (I did not have this before)
- Network Place (Samba) was enabled WITH THE NO ACCOUNT OPTION!! (I did not have this before)
- FTP Share was enabled WITH THE NO ACCOUNT OPTION!! (I did not have this before)

Once I noticed this I immediately disabled those options and then installed Merlin’s latest firmware. However, there was almost 20 hours with this enabled.

NOTE: I did NOT have a USB drive attached to the RT-N66

So, my questions are these:
1. How bad was this? Could my attached computers have been compromised?

2. If my computer files were not hacked (I’m really praying this was the case!), what the heck was all that upload (keeping in mind I had no USB attached)? I did look at the traffic map and I noticed that the graph was pretty much pinned at about 1 GB per hour, with a couple of pauses.

3. I changed my router password (it was not the default, but I figured I should change it anyhow), but I did not reset the router to factory defaults. I just installed the Merlin firmware. Should I reset everything to be safe?

Of course, I'm kicking myself for not checking things more closely after the update, and double kicking myself for not running Merlin's firmware earlier.

Any help would be greatly appreciated.

Best Regards

EDIT: File sharing options on my computers are to specific password protected ID's, nothing public read.

 

[RMerlin]

I checked to make sure AICloud was disabled and that all my settings appeared to be there. This was my first mistake, I didn’t go through every page on the router… Anyhow, about 20 hours later, I noticed that I had about 16 GB of upload!!

Be aware that the traffic monitor isn't reliable on some network configuration (especially USB-based modems). Check with your ISP's own traffic monitoring to get more accurate values, it's quite likely that you never uploaded that much data in 20 hours (unless you were on some REALLY fast connection).

So I went into the USB application and noticed the following:
- Enable DLNA Media Server was on (I did not have this before)

This is enabled by default. DLNA is only served over the LAN, and it only serves medias found on plugged USB disks, so you're safe.

- Network Place (Samba) was enabled WITH THE NO ACCOUNT OPTION!! (I did not have this before)
- FTP Share was enabled WITH THE NO ACCOUNT OPTION!! (I did not have this before)

These also only work on plugged USB disks, so you're safe. The sharing without an account option is something Asus fixed in 374_4422 (and improved in 374_4561, where they will automatically revert to sharing with an account).

NOTE: I did NOT have a USB drive attached to the RT-N66

Due to this, only AiCloud itself could be an issue, as it's the only service that will allow access to your LAN computers. FTP, SMB and DLNA are limited to USB disks.

Any help would be greatly appreciated.

I'd say there's a strong chance that you didn't upload that much data. See if your ISP has any online meter for you to validate.

 

[Skidplate]

Be aware that the traffic monitor isn't reliable on some network configuration (especially USB-based modems). Check with your ISP's own traffic monitoring to get more accurate values, it's quite likely that you never uploaded that much data in 20 hours (unless you were on some REALLY fast connection).

Thanks, I checked my ISP's graph and it doesn't show yesterday's traffic yet, I'll check again in a day or so.

These also only work on plugged USB disks, so you're safe. The sharing without an account option is something Asus fixed in 374_4422 (and improved in 374_4561, where they will automatically revert to sharing with an account).

I'm not sure they fixed that 'sharing without an account' option. It was the default setting when I updated my firmware using the router's update option (since I was on my Ipad). What I did notice was an exclamation icon warning me that the setting was enabled, but I didn't see that on my iPad, I noticed it when I logged on from my computer the next day. The firmware I installed that enabled this was RT-N66U_3.0.0.4_374_4561. Perhaps it has something to do with the firmware I updated from? I'm not sure the version I was on though. Anyhow, I know what to watch for now, so I'll be sure to check that with each update. EDIT: Unless I always had that option turned on and just noticed now, due to the exclamation???

Due to this, only AiCloud itself could be an issue, as it's the only service that will allow access to your LAN computers. FTP, SMB and DLNA are limited to USB disks.

That's a huge relief!

I'd say there's a strong chance that you didn't upload that much data. See if your ISP has any online meter for you to validate.

I really hope that's the case. Will try to confirm.

I thought I read that with Samba enabled, the router could be used as a tunnelling point. Could that have been what happened? At least that's better than having my files compromised!

Thanks for your quick response RMerlin, I appreciate it!

Cheers

 

[RMerlin]

I thought I read that with Samba enabled, the router could be used as a tunnelling point. Could that have been what happened? At least that's better than having my files compromised!

The Samba issue only affected the RT-AC56U and RT-AC68U owners, and was resolved by Asus in 374_4561 (if my memory is correct - their first attempt at fixing it didn't work).