[Release] Asuswrt-Merlin 384.10 is now available

[SNBForums User]

if you click on the exclamation mark, it should say there's a new version available, at least that's what the exclamation mark says here. It has nothing to do with anonymoys FTP as far as I know.

In tools / other options there's an option (new version check Y / N) where you can switch checking of newer firmware off.

Thanks for your reply, but this particular notice has nothing whatsoever to do with a new firmware version (I'm on 384.10_2). Again, if I click on the the warning, it brings up a box cautioning against anonymous FTP, which if I disable, does, indeed, do away with the warning. As I mentioned, I allow anonymous FTP only within my LAN. Here's a shot of the actual warning box itself (which, in hindsight, I should have included in my initial post):

 

[Dabombber]

I allow anonymous FTP within my LAN, which causes a perpetual flashing warning when in the GUI. Is there a way to disable this warning other than by disabling anonymous FTP access itself?

View attachment 16975

You can modify the script I posted here a little for this. If you don't want the remote access warning to be added:

Spoiler: init-start

#!/bin/sh

NOTIFILE="/jffs/www/notification.js"

. /usr/sbin/helper.sh

# Remove any stale file
TIMESTAMP="$(date -r "/www/notification.js")"
if [ -e "$NOTIFILE" ]; then
    if ! grep -Fq "$TIMESTAMP" "$NOTIFILE"; then
        mount | grep -Fq "/www/notification.js" && umount "/www/notification.js"
        rm "$NOTIFILE"
    else
        # Up to date, nothing to do here
        unset TIMESTAMP
    fi
fi

# Make new file
if [ -n "$TIMESTAMP" ]; then
    mkdir -p "$(dirname "$NOTIFILE")"
    cp "/www/notification.js" "$NOTIFILE"

    pc_append "// Source timestamp: $TIMESTAMP" "$NOTIFILE"

    # Hide the ftp anon access warning
    pc_replace "st_ftp_mode != 2" "st_ftp_mode == -1" "$NOTIFILE"
    # Hide the samba anon access warning
    #pc_replace "st_samba_mode != 4" "st_samba_mode == -1" "$NOTIFILE"
fi

# Mount over stock file
if ! mount | grep -Fq "/www/notification.js"; then
    mount -o bind "$NOTIFILE" "/www/notification.js"
fi

And if you do:

Spoiler: init-start

Avoiding helper.sh here for the sake of anyone using it in older (pre 384.10) firmware

#!/bin/sh

NOTIFILE="/jffs/www/notification.js"
MAGICNUMBER=20

_quote() {
    printf "%s\n" "$1" | sed 's/[]\/$*.^&[]/\\&/g'
}

str_append() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i "s/$PATTERN/&$CONTENT/" "$3"
}

str_replace() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i "s/$PATTERN/$CONTENT/" "$3"
}

line_append() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i -e "/$PATTERN/a\\" -e "$CONTENT" "$3"
}

line_prepend() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i -e "/$PATTERN/i\\" -e "$CONTENT" "$3"
}

file_append() {
    printf "%s\n" "$1" >> "$2"
}

# Remove any stale file
TIMESTAMP="$(date -r "/www/notification.js")"
if [ -e "$NOTIFILE" ]; then
    if ! grep -Fq "$TIMESTAMP" "$NOTIFILE"; then
        mount | grep -Fq "/www/notification.js" && umount "/www/notification.js"
        rm "$NOTIFILE"
    else
        # Up to date, nothing to do here
        unset TIMESTAMP
    fi
fi

# Make new file
if [ -n "$TIMESTAMP" ]; then
    mkdir -p "$(dirname "$NOTIFILE")"
    cp "/www/notification.js" "$NOTIFILE"

    # Add WebUI stuff where samba stuff is
    line_append "var enable_samba" "var misc_http_x = '<% nvram_get(\"misc_http_x\"); %>';" "$NOTIFILE"
    line_append "samba: 0," "webuiwan: 0," "$NOTIFILE"
    str_append "notification.ftp ,notification.samba" " ,notification.webuiwan" "$NOTIFILE"
    str_append "&& !notification.samba" " && !notification.webuiwan" "$NOTIFILE"
    line_prepend "st_samba_force_mode == ''" "if(misc_http_x != 0){notification.array[${MAGICNUMBER}] = 'noti_webuiwan'; notification.webuiwan = 1; notification.desc[${MAGICNUMBER}] = 'Your WebUI is currently accessable from the internet. We strongly recommend that you disable [ Enable Web Access from WAN ] to avoid security risk.'; notification.action_desc[${MAGICNUMBER}] = 'Change now'; notification.clickCallBack[${MAGICNUMBER}] = \"location.href = 'Advanced_System_Content.asp';\";}else{notification.webuiwan = 0;}" "$NOTIFILE"
    str_append "|| notification.samba" " || notification.webuiwan" "$NOTIFILE"
    line_append "this.samba = 0;" "this.webuiwan = 0;" "$NOTIFILE"
    file_append "// Source timestamp: $TIMESTAMP" "$NOTIFILE"
    
    # Hide the ftp anon access warning
    str_replace "st_ftp_mode != 2" "st_ftp_mode == -1" "$NOTIFILE"
    # Hide the samba anon access warning
    #str_replace "st_samba_mode != 4" "st_samba_mode == -1" "$NOTIFILE"
fi

# Mount over stock file
if ! mount | grep -Fq "/www/notification.js"; then
    mount -o bind "$NOTIFILE" "/www/notification.js"
fi

I also included an example of how to hide the samba warning notification, which I use.

 

[RamGuy]

I'm seeing these messages nonstop in the system logs on my RT-AX88U;

Apr 10 06:32:25 kernel: nf_conntrack: expectation table full
Apr 10 06:32:25 kernel: nf_conntrack: expectation table full
Apr 10 06:32:25 kernel: nf_conntrack: expectation table full
Apr 10 06:32:25 kernel: nf_conntrack: expectation table full
Apr 10 06:32:25 kernel: nf_conntrack: expectation table full
Apr 10 06:32:25 kernel: nf_conntrack: expectation table full
Apr 10 06:32:26 kernel: nf_conntrack: expectation table full
Apr 10 06:32:26 kernel: nf_conntrack: expectation table full
Apr 10 06:32:26 kernel: nf_conntrack: expectation table full
Apr 10 06:32:26 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: net_ratelimit: 7 callbacks suppressed
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full


I did find thread;
https://www.snbforums.com/threads/nf_conntrack-expectation-table-full-and-other-log-oddities.55415/

So I tried to limit TCP Connections from the default 300000 down to 28244 as the recommended value seemed to be your ct_hashsize * 4 and the hashsize is 7061 as default on my RT-AX88U. I did also run echo 152 > /proc/sys/net/netfilter/nf_conntrack_expect_max.

The systemlogs was clear for a few hours until the same messages got back.

 

[consorts]

when (what version) of merlin already started to address these vulnerabilities;

https://www.tenable.com/blog/verizo...-routers-patched-for-multiple-vulnerabilities

Authenticated Remote Command Injection
Login Replay
Password Salt Disclosure

 

[L&LD]

when (what version) of merlin already started to address these vulnerabilities;

https://www.tenable.com/blog/verizo...-routers-patched-for-multiple-vulnerabilities

Authenticated Remote Command Injection
Login Replay
Password Salt Disclosure

RMerlin does not support Verizon routers. If these vulnerabilities were affecting RMerlin supported Asus routers, then we'd be aware of them. This is not so, to my knowledge.

There is a reason that it is repeated endlessly to 'never', turn on remote access and/or SSH on the WAN interface.

The thread over on john9527's LTS RMerlin fork even had a hint about that just recently, once again.

https://www.snbforums.com/threads/f...lts-releases-v39e1.18914/page-462#post-479731

Are there verified reports that these Verizon vulnerabilities are also affecting Asus' code too?

 

[#TY]

Anyone having issues connecting to: https://asuswrt.lostrealm.ca/download as of this posting? I am unable to connect whatsoever unless I switch to LTE. Weird. This never happened before.

 

[Zastoff]

Anyone having issues connecting to: https://asuswrt.lostrealm.ca/download as of this posting? I am unable to connect whatsoever unless I switch to LTE. Weird. This never happened before.

Works fine here..
Maybe try update blocking file for Diversion and a banmalware update on skynet

 

[L&LD]

Anyone having issues connecting to: https://asuswrt.lostrealm.ca/download as of this posting? I am unable to connect whatsoever unless I switch to LTE. Weird. This never happened before.

No issues, I have downloaded and checked the hash too, literally 1 minute ago.

 

[Hamsterkill]

So I updated from 384.10 to 384.10_2 on my AC88U and within an hour my Sony TV lost its network connection shortly after using the check connection tool after which it complained my router wasn’t responding when I checked the network again. This was the same problem I had with 384.9.
I’m hoping rebooting everything resolved this since everything was working fine on 384.10 for a week. Under 384.9 the problem showed up within 24 hours.

Something apparently changed though between 384.8 and 384.9 with respect to ip assignment since there was no reason for the router to change the IP address of the TV, though the TV shouldn’t have freaked out because of that.

For what it's worth, I've had similar problems on the same versions with my wireless bridge that has a manually assigned DHCP IP address.

 

[RMerlin]

Is there a way to edit an entry in "Rules for routing client traffic through the tunnel"?

No, they must be deleted and recreated.

I allow anonymous FTP within my LAN, which causes a perpetual flashing warning when in the GUI. Is there a way to disable this warning other than by disabling anonymous FTP access itself?

No. Since anonymous support is a major security risk, the warning makes sense.

 

[SNBForums User]

No. Since anonymous support is a major security risk, the warning makes sense.

I am quite aware of the risks of allowing anonymous FTP on my LAN, which are so minuscule as to be virtually nil, so the warning makes no sense at all. At a minimum, the warning should be toggleable.

 

[sebdepringy]

hello, no 2 sites are hosted internally on 2 vm, it is for the outside for port 80

thank

Apparently I would need the binding protocol to do what I want

 

[RMerlin]

I am quite aware of the risks of allowing anonymous FTP on my LAN, which are so minuscule as to be virtually nil, so the warning makes no sense at all. At a minimum, the warning should be toggleable.

Anoymous FTP servers are open to anyone, so it becomes the repository of malware or illegal material. Plus, I wouldn't trust the security of such an old FTP daemon to be wide open to the public.

Just ignore the warning then, it's not interfering with the functionality of the router.

 

[AntonK]

Hi,

Is there any way to know how long the time is between the release of an updated firmware from ASUS, and the ability to incorporate it into a RMerlin release? For example, the recent update to the RT-AC88U firmware below:

ASUS RT-AC88U Firmware version 3.0.0.4.384.45708
Security Fix
- Fixed CVE-2018-20334
- Fixed CVE-2018-20336
- Fixed null pointer issue. Thanks for CodeBreaker of STARLabs’ contribution.
- Fixed AiCloud buffer overflow vulnerability. Thanks for Resecurity International's contribution.

Bug Fix
- Fixed AiMesh LAN IP issue when router using IPv6 WAN.
- Fixed AIMesh connection issues.
- Fixed Network Map related issues.
- Fixed Download Master icon disappear issue.
- Fixed LAN PC cannot find router name in My Network Places when enabling Samba service.
- Fixed LAN LED not blinking problem.​

Thanks,
Anton

 

[cmkelley]

Hi,

Is there any way to know how long the time is between the release of an updated firmware from ASUS, and the ability to incorporate it into a RMerlin release? For example, the recent update to the RT-AC88U firmware below:

ASUS RT-AC88U Firmware version 3.0.0.4.384.45708
Security Fix
- Fixed CVE-2018-20334
- Fixed CVE-2018-20336
- Fixed null pointer issue. Thanks for CodeBreaker of STARLabs’ contribution.
- Fixed AiCloud buffer overflow vulnerability. Thanks for Resecurity International's contribution.

Bug Fix
- Fixed AiMesh LAN IP issue when router using IPv6 WAN.
- Fixed AIMesh connection issues.
- Fixed Network Map related issues.
- Fixed Download Master icon disappear issue.
- Fixed LAN PC cannot find router name in My Network Places when enabling Samba service.
- Fixed LAN LED not blinking problem.​

Thanks,
Anton

Since it depends on ASUS releasing the GPL and binary blobs used that incorporates those fixes, and ASUS have proven that the only thing consistent about that timeframe is that it's inconsistent, no, there is no way to know.

Note also that sometimes RMerlin fixes stuff before ASUS does. I don't know if that applies to any of the above, but ASUS has incorporated some of his stuff into their stock firmware in the past.

 

[RocketJSquirrel]

I allow anonymous FTP within my LAN, which causes a perpetual flashing warning when in the GUI. Is there a way to disable this warning other than by disabling anonymous FTP access itself?

If you never want to see the flashing exclamation point, and you're using a browser which allows User CSS (i.e., Firefox or IE), you can make it invisible with a couple lines of code. Not that I'm recommending this; it disables the mark for every possible condition which makes it appear. And I'm not certain this still works, since I stopped using it a while ago.

/* Make yellow exclamation mark go away on router. */
div#notification_status.notification_on {
    visibility: hidden !important;
}

 

[RMerlin]

Hi,

Is there any way to know how long the time is between the release of an updated firmware from ASUS, and the ability to incorporate it into a RMerlin release? For example, the recent update to the RT-AC88U firmware below:

https://www.snbforums.com/threads/faq-read-me-first-before-posting-a-question.47153/

 

[AntonK]

https://www.snbforums.com/threads/faq-read-me-first-before-posting-a-question.47153/

Thank you RMerlin. I'm going to bookmark that URL so I don't as the question a thousand more times!

 

[SNBForums User]

Anoymous FTP servers are open to anyone, so it becomes the repository of malware or illegal material. Plus, I wouldn't trust the security of such an old FTP daemon to be wide open to the public.

Just ignore the warning then, it's not interfering with the functionality of the router.

You're correct, my FTP server is, indeed, open to everyone on my LAN, not my WAN. There is no "wide open to the public." As I said, the security risk in in my particular instance is virtually nil.

 

[GHammer]

You're correct, my FTP server is, indeed, open to everyone on my LAN, not my WAN. There is no "wide open to the public." As I said, the security risk in in my particular instance is virtually nil.

Wow, so knowledgeable.
So, you want to run things the way you want to run things and also insist that others respect your choice and do as you ask.

I love it when I get a laugh on a lousy day. Thanks!