Network Place (Samba) Share on LAN only


Actually... Did they reupload it? The original changelog didn't mention anything about a Samba security issue being resolved. I might have to redownload it and compare it with the download I tested. If anyone has recently flashed this version please let me know what a port scan shows on 445.

That's odd :confused: Can someone else verify that port 445 is closed in their test, it's showing closed in my case on .583

 
I just re-tested it, with a freshly downloaded firmware, and my port 445 was still showing up as Open.

Did you remember to re-enable Samba sharing when you tested it (in case you had disabled it for security reasons)?

One thing to note is that I tested it without CTF loaded, I didn't try with it enabled seeing that even if it was half-fixed, that's still not good enough.
 
That's odd :confused: Can someone else verify that port 445 is closed in their test, it's showing closed in my case on .583


Testing port 445 through shields-up can be misleading if your ISP blocks port 445. It will show closed. For example, my ISP blocks port 25 and it shows up as closed on shields-up test. The shields-up probe never even makes it to my router (on port 25).
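Because an external probe such as ShieldsUP can show "closed" simply because the ISP filters the port, a check run on the router itself is the reliable way to see what smbd is actually bound to. The script below is an added example, not something posted in the thread: it classifies netstat-style listening lines as bound to all interfaces (0.0.0.0 or ::, i.e. reachable from the WAN unless the firewall stops it), bound only to the LAN address, or not listening at all. On the router you would feed it the output of `netstat -tln`; here the input lines are constructed, and the LAN address 192.168.1.1 is an assumption.

```shell
#!/bin/sh
# Added example (not from the forum thread): decide how smbd is listening from
# netstat-style output, independent of any ISP filtering seen by external scanners.
# LAN_IP is an assumed value; override it with your router's LAN address.
LAN_IP="${LAN_IP:-192.168.1.1}"

# Constructed sample: smbd bound to every address (what the thread reports on .583).
make_netstat_all_interfaces() {
    cat > "$1" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
EOF
}

# Constructed sample: smbd bound only to the LAN address
# (what "bind interfaces only = yes" with "interfaces = br0" produces).
make_netstat_lan_only() {
    cat > "$1" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:445         0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
EOF
}

# $1: file holding netstat -tln output. Prints one of:
#   all-interfaces  - port 445 is bound to 0.0.0.0 or :: (exposed to every interface)
#   lan-only        - port 445 is bound only to the LAN address
#   not-listening   - no TCP listener on 445 at all
smb_listen_scope() {
    # Escape the dots in the LAN address so they match literally in the regex.
    lan_re=$(printf '%s' "$LAN_IP" | sed 's/\./\\./g')
    if grep -Eq "^tcp6? +[0-9]+ +[0-9]+ +(0\.0\.0\.0|:::):445 " "$1"; then
        echo all-interfaces
    elif grep -Eq "^tcp6? +[0-9]+ +[0-9]+ +$lan_re:445 " "$1"; then
        echo lan-only
    else
        echo not-listening
    fi
}

# Stand-alone usage: classify a live netstat capture when run on the router.
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp)
    netstat -tln > "$tmp"
    smb_listen_scope "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh smbscope.sh --live` on the router to classify the real listener table; with no argument it only defines the functions, so the constructed samples can be exercised from another script. A result of `all-interfaces` means only the firewall stands between the WAN and the share, which is exactly the situation the thread is trying to get away from.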
 
I just re-tested it, with a freshly downloaded firmware, and my port 445 was still showing up as Open.

Did you remember to re-enable Samba sharing when you tested it (in case you had disabled it for security reasons)?

One thing to note is that I tested it without CTF loaded, I didn't try with it enabled seeing that even if it was half-fixed, that's still not good enough.

My apologies, yes my Samba sharing is disabled when I'm trying it out in the wee hours in the morning 5+AM + I was pre-occupied with some other stuff :( Now I can concur that the port 445 is showing Open when Samba sharing is enabled.

 
Just tested 374_583. ShieldsUp still shows 445 as "open" both at the LAN and WAN when enabling the service on the router (RT-AC68U).

Probably this is by design but in my opinion we need a way to limit it to the LAN.
 
Just tested 374_583. ShieldsUp still shows 445 as "open" both at the LAN and WAN when enabling the service on the router (RT-AC68U).

Probably this is by design but in my opinion we need a way to limit it to the LAN.

If it's by design, it's a seriously flawed design due to the security issues involved, and will definitely need to be changed.
 
An example of how an otherwise useful feature will remain unused (in my case) due to justified security concerns.

For those RT-AC68U users who are still seeing a closed WAN SMB port (in theory good) whenever the service is enabled, you should have a very good level of trust in how your ISP is managing security. Otherwise at this point I would recommend disabling SMB altogether.


Sent from my iPhone using Tapatalk
 
I can't imagine this is really "by design" since older firmware builds (correct me if I'm wrong) did not allow SMB access from the WAN side.
 
Any update on this? I just got my AC68U and the samba feature was one of the things I wanted to get working, but having an open port to the internet that you can't disable is ridiculous...

I saw the 'samba share fix' in the newest firmware release notes but it definitely didn't fix this issue.
 
Any update on this? I just got my AC68U and the samba feature was one of the things I wanted to get working, but having an open port to the internet that you can't disable is ridiculous...

I saw the 'samba share fix' in the newest firmware release notes but it definitely didn't fix this issue.

That fix was for a different issue, where you couldn't browse shares through the LAN, and had to directly access a share.
 
I don't know if it'd be useful, but I solved by adding this rule on smb.conf:

Code:
 bind interfaces only = yes

 
I don't know if it'd be useful, but I solved by adding this rule on smb.conf:

Code:
 bind interfaces only = yes


The odd thing is that Asus were specifically NOT inserting that config line on ARM routers, but they do on MIPS routers. Maybe it was a typo and that line was supposed to be outside of the #ifndef block?

Anyone running 374.38 and newer, make sure you have JFFS enabled, and simply copy/paste the following over telnet/SSH to generate an appropriate postconf script:

Code:
cat << EOF > /jffs/scripts/smb.postconf
#!/bin/sh
CONFIG=\$1
sed -i '/\[global\]/abind interfaces only = yes' \$CONFIG
EOF
chmod a+rx /jffs/scripts/smb.postconf
service restart_nasapps

Still unsure how Samba could manage to bypass iptables entirely when it's not specifically binding to interfaces tho. Will also have to see if there is any consequence to this change.
 
Merlin, I just tried your script and it appears to work - and it persisted across reboots of the router. I was showing port 445 as open from Shields UP and now I see it as closed (not stealth, but closed at least).

I am running 38-2 version of your firmware.

Thanks a lot! Now to figure out how to close FTP from outside...
 
Will have to try the fix but many thanks in advance for figuring this out until we get something from Asus.

@phaelium

At the top of this thread you'll find the two IPTABLES rules that disable FTP on the WAN while enabling it on the LAN side. You'll just have to put them in a firewall startup script.



Sent from my iPhone using Tapatalk
 
Anyone running 374.38 and newer, make sure you have JFFS enabled, and simply copy/paste the following over telnet/SSH to generate an appropriate postconf script:

Code:
cat << EOF > /jffs/scripts/smb.postconf
#!/bin/sh
CONFIG=\$1
sed -i '/\[global\]/abind interfaces only = yes' \$CONFIG
EOF
chmod a+rx /jffs/scripts/smb.postconf
service restart_nasapps

I am glad to see an smb.postconf script. It was not listed in the postconf scripts for 374.38_2. What would be the syntax for replacing another line also; for example in the [GLOBAL] section:

strict allocate = No

with

strict allocate = yes

It's not obvious from the sed manpage. I need obvious.
 
I am glad to see an smb.postconf script. It was not listed in the postconf scripts for 374.38_2. What would be the syntax for replacing another line also; for example in the [GLOBAL] section:

strict allocate = No

with

strict allocate = yes

It's not obvious from the sed manpage. I need obvious.

Check the example I put in the README, it shows how to replace one string with another one.

I'm considering writing a short "helper script" that would make it simpler to do basic things such as "replace xyz with abc" or "insert xyz after abc". Another item on my constantly growing list of things to do. Sigh.
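As an added example (not the firmware's own smb.postconf, and not the README example referred to above), the script below does both edits discussed in this thread in one postconf-style function: it inserts `bind interfaces only = yes` directly after the `[global]` header, the way the heredoc script earlier in the thread does, and it replaces a `strict allocate = No` line with `strict allocate = yes` using an ordinary sed substitution anchored on the whole line. It works on a constructed sample smb.conf rather than the router's real file, assumes a sed with `-i` support (GNU or BusyBox, as on the router), and is safe to re-run because it only adds the bind line when it is not already present.

```shell
#!/bin/sh
# Added example, not the project's own script: a postconf-style editor for a
# Samba config. The firmware hands a postconf script the config path as $1;
# apply_smb_postconf takes the same argument so it can be dropped into
# /jffs/scripts/smb.postconf (path from the thread; the sample config below is constructed).

# Write a constructed sample smb.conf to the given path (not the router's real one).
# "interfaces = br0" is assumed so that "bind interfaces only" has something to bind to.
make_sample_smb_conf() {
    cat > "$1" <<'EOF'
[global]
workgroup = WORKGROUP
interfaces = br0
strict allocate = No

[share]
path = /tmp/mnt/share
EOF
}

# Apply both edits in place to the config whose path is $1.
apply_smb_postconf() {
    CONFIG="$1"
    # Edit 1: insert the bind line after [global], only if it is not already there,
    # so running the script twice does not duplicate it.
    if ! grep -q '^bind interfaces only = yes' "$CONFIG"; then
        sed -i '/\[global\]/abind interfaces only = yes' "$CONFIG"
    fi
    # Edit 2: replace one setting with another. Anchoring on ^ and $ means only a
    # line that is exactly "strict allocate = No" is changed, nothing else.
    sed -i 's/^strict allocate = No$/strict allocate = yes/' "$CONFIG"
}

# Return 0 when both edits are present and the old value is gone, 1 otherwise.
check_smb_conf() {
    grep -q '^bind interfaces only = yes' "$1" || return 1
    grep -q '^strict allocate = yes' "$1" || return 1
    ! grep -q '^strict allocate = No' "$1" || return 1
    return 0
}

# Stand-alone demo: build the sample, edit it, and show the result.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_smb_conf "$tmp"
    apply_smb_postconf "$tmp"
    check_smb_conf "$tmp" && cat "$tmp"
    rm -f "$tmp"
fi
```

To use the same logic on the router, keep only `apply_smb_postconf "$1"` as the body of /jffs/scripts/smb.postconf, make it executable, and restart the NAS applications as the thread describes; the sed `a` one-liner form used here is the same one the thread's script relies on.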
 
Will have to try the fix but many thanks in advance for figuring this out until we get something from Asus.

@phaelium

At the top of this thread you'll find the two IPTABLES rules that disable FTP on the WAN while enabling it on the LAN side. You'll just have to put them in a firewall startup script.



Sent from my iPhone using Tapatalk

Thank you! I knew I saw it somewhere and I couldn't figure out where, nor what to search for. Works great, I put it in the firewall-start script and all is well I think.
 
Check the example I put in the README, it shows how to replace one string with another one.

I'm considering writing a short "helper script" that would make it simpler to do basic things such as "replace xyz with abc" or "insert xyz after abc". Another item on my constantly growing list of things to do. Sigh.

Thank you. Gosh, look at the README? Who would think to do such a thing?

I feel like a luser.

Thanks again for your patience.
 
Anyone running 374.38 and newer, make sure you have JFFS enabled, and simply copy/paste the following over telnet/SSH to generate an appropriate postconf script:

To enable JFFS do I have to do anything other than turning it on on the Administration->System page? When I do that and run your code it says /jffs is write protected.
 
To enable JFFS do I have to do anything other than turning it on on the Administration->System page? When I do that and run your code it says /jffs is write protected.

Enable it, set the option underneath to erase its content, and reboot the router.

The next reboot might take longer than usual, give it a good 5 minutes to be safe. If it's still not accessible, reboot a second time (for some reason this is sometimes necessary).
 
