[Release] Asuswrt-Merlin 384.10 is now available

If you click on the exclamation mark, it should say there's a new version available; at least that's what the exclamation mark says here. It has nothing to do with anonymous FTP as far as I know.

In tools / other options there's an option (new version check Y / N) where you can switch checking of newer firmware off.
Thanks for your reply, but this particular notice has nothing whatsoever to do with a new firmware version (I'm on 384.10_2). Again, if I click on the warning, it brings up a box cautioning against anonymous FTP, which, if I disable it, does indeed do away with the warning. As I mentioned, I allow anonymous FTP only within my LAN. Here's a shot of the actual warning box itself (which, in hindsight, I should have included in my initial post):
I allow anonymous FTP within my LAN, which causes a perpetual flashing warning when in the GUI. Is there a way to disable this warning other than by disabling anonymous FTP access itself?

You can modify the script I posted here a little for this. If you don't want the remote access warning to be added:
Code:
#!/bin/sh

NOTIFILE="/jffs/www/notification.js"

. /usr/sbin/helper.sh

# Remove any stale file
TIMESTAMP="$(date -r "/www/notification.js")"
if [ -e "$NOTIFILE" ]; then
    if ! grep -Fq "$TIMESTAMP" "$NOTIFILE"; then
        mount | grep -Fq "/www/notification.js" && umount "/www/notification.js"
        rm "$NOTIFILE"
    else
        # Up to date, nothing to do here
        unset TIMESTAMP
    fi
fi

# Make new file
if [ -n "$TIMESTAMP" ]; then
    mkdir -p "$(dirname "$NOTIFILE")"
    cp "/www/notification.js" "$NOTIFILE"

    pc_append "// Source timestamp: $TIMESTAMP" "$NOTIFILE"

    # Hide the ftp anon access warning
    pc_replace "st_ftp_mode != 2" "st_ftp_mode == -1" "$NOTIFILE"
    # Hide the samba anon access warning
    #pc_replace "st_samba_mode != 4" "st_samba_mode == -1" "$NOTIFILE"
fi

# Mount over stock file
if ! mount | grep -Fq "/www/notification.js"; then
    mount -o bind "$NOTIFILE" "/www/notification.js"
fi

And if you do:
Avoiding helper.sh here for the sake of anyone using it in older (pre 384.10) firmware
Code:
#!/bin/sh

NOTIFILE="/jffs/www/notification.js"
MAGICNUMBER=20

_quote() {
    printf "%s\n" "$1" | sed 's/[]\/$*.^&[]/\\&/g'
}

str_append() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i "s/$PATTERN/&$CONTENT/" "$3"
}

str_replace() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i "s/$PATTERN/$CONTENT/" "$3"
}

line_append() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i -e "/$PATTERN/a\\" -e "$CONTENT" "$3"
}

line_prepend() {
    PATTERN="$(_quote "$1")"
    CONTENT="$(_quote "$2")"
    sed -i -e "/$PATTERN/i\\" -e "$CONTENT" "$3"
}

file_append() {
    printf "%s\n" "$1" >> "$2"
}

# Remove any stale file
TIMESTAMP="$(date -r "/www/notification.js")"
if [ -e "$NOTIFILE" ]; then
    if ! grep -Fq "$TIMESTAMP" "$NOTIFILE"; then
        mount | grep -Fq "/www/notification.js" && umount "/www/notification.js"
        rm "$NOTIFILE"
    else
        # Up to date, nothing to do here
        unset TIMESTAMP
    fi
fi

# Make new file
if [ -n "$TIMESTAMP" ]; then
    mkdir -p "$(dirname "$NOTIFILE")"
    cp "/www/notification.js" "$NOTIFILE"

    # Add WebUI stuff where samba stuff is
    line_append "var enable_samba" "var misc_http_x = '<% nvram_get(\"misc_http_x\"); %>';" "$NOTIFILE"
    line_append "samba: 0," "webuiwan: 0," "$NOTIFILE"
    str_append "notification.ftp ,notification.samba" " ,notification.webuiwan" "$NOTIFILE"
    str_append "&& !notification.samba" " && !notification.webuiwan" "$NOTIFILE"
    line_prepend "st_samba_force_mode == ''" "if(misc_http_x != 0){notification.array[${MAGICNUMBER}] = 'noti_webuiwan'; notification.webuiwan = 1; notification.desc[${MAGICNUMBER}] = 'Your WebUI is currently accessible from the internet. We strongly recommend that you disable [ Enable Web Access from WAN ] to avoid security risk.'; notification.action_desc[${MAGICNUMBER}] = 'Change now'; notification.clickCallBack[${MAGICNUMBER}] = \"location.href = 'Advanced_System_Content.asp';\";}else{notification.webuiwan = 0;}" "$NOTIFILE"
    str_append "|| notification.samba" " || notification.webuiwan" "$NOTIFILE"
    line_append "this.samba = 0;" "this.webuiwan = 0;" "$NOTIFILE"
    file_append "// Source timestamp: $TIMESTAMP" "$NOTIFILE"
    
    # Hide the ftp anon access warning
    str_replace "st_ftp_mode != 2" "st_ftp_mode == -1" "$NOTIFILE"
    # Hide the samba anon access warning
    #str_replace "st_samba_mode != 4" "st_samba_mode == -1" "$NOTIFILE"
fi

# Mount over stock file
if ! mount | grep -Fq "/www/notification.js"; then
    mount -o bind "$NOTIFILE" "/www/notification.js"
fi

I also included an example of how to hide the samba warning notification, which I use.
 
I'm seeing these messages nonstop in the system logs on my RT-AX88U:

Apr 10 06:32:25 kernel: nf_conntrack: expectation table full
Apr 10 06:32:25 kernel: nf_conntrack: expectation table full
Apr 10 06:32:25 kernel: nf_conntrack: expectation table full
Apr 10 06:32:25 kernel: nf_conntrack: expectation table full
Apr 10 06:32:25 kernel: nf_conntrack: expectation table full
Apr 10 06:32:25 kernel: nf_conntrack: expectation table full
Apr 10 06:32:26 kernel: nf_conntrack: expectation table full
Apr 10 06:32:26 kernel: nf_conntrack: expectation table full
Apr 10 06:32:26 kernel: nf_conntrack: expectation table full
Apr 10 06:32:26 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: net_ratelimit: 7 callbacks suppressed
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full


I did find this thread:
https://www.snbforums.com/threads/nf_conntrack-expectation-table-full-and-other-log-oddities.55415/

So I tried to limit TCP connections from the default 300000 down to 28244, as the recommended value seemed to be your ct_hashsize * 4, and the hashsize is 7061 by default on my RT-AX88U. I also ran echo 152 > /proc/sys/net/netfilter/nf_conntrack_expect_max.

The system logs were clear for a few hours until the same messages came back.
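To make the log noise described above measurable, here is an added example (not from the original post and not part of Asuswrt-Merlin) that counts the "expectation table full" events in a syslog extract, folds in the callbacks that net_ratelimit dropped, breaks the events down per minute so bursts stand out, and reports the live limits where the /proc files exist. The log lines embedded in it are constructed to match the pattern in the post; the paths under /proc/sys/net/netfilter are the standard nf_conntrack sysctls, and /proc/net/nf_conntrack_expect is the kernel's listing of current expectations (present only when the kernel exposes it).

```sh
#!/bin/sh
# Added example, not from the original post or from Asuswrt-Merlin.
# Summarises "nf_conntrack: expectation table full" events in a syslog extract
# and reports the live expectation-table limits where the /proc files exist.

# Constructed sample log lines matching the pattern seen in the post.
SAMPLE_LOG="$(cat <<'EOF'
Apr 10 06:32:25 kernel: nf_conntrack: expectation table full
Apr 10 06:32:25 kernel: nf_conntrack: expectation table full
Apr 10 06:32:26 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: net_ratelimit: 7 callbacks suppressed
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 06:59:03 kernel: nf_conntrack: expectation table full
Apr 10 07:00:01 kernel: some unrelated message
EOF
)"

# Print "logged suppressed total": the lines that reached the log, the
# callbacks net_ratelimit dropped, and their sum.  net_ratelimit is shared by
# every rate-limited kernel printk, so "total" is an upper bound, not an exact
# count of expectation-table failures.
expect_full_stats() {
    printf '%s\n' "$1" | awk '
        /nf_conntrack: expectation table full/ { logged++ }
        /net_ratelimit: [0-9]+ callbacks suppressed/ {
            for (i = 1; i <= NF; i++)
                if ($i == "net_ratelimit:") suppressed += $(i + 1)
        }
        END { printf "%d %d %d\n", logged, suppressed, logged + suppressed }
    '
}

# Print one "HH:MM count" line per minute that had at least one event, in log
# order, so bursts stand out from a steady trickle.
expect_full_per_minute() {
    printf '%s\n' "$1" | awk '
        /nf_conntrack: expectation table full/ {
            split($3, t, ":")
            m = t[1] ":" t[2]
            if (!(m in count)) order[++n] = m
            count[m]++
        }
        END { for (i = 1; i <= n; i++) printf "%s %d\n", order[i], count[order[i]] }
    '
}

# Show the current limits and table occupancy on a live Linux box.  Falls back
# to "unavailable" where the kernel does not expose the file (e.g. when run
# off-router); nothing here changes any setting.
show_expect_settings() {
    for f in /proc/sys/net/netfilter/nf_conntrack_expect_max \
             /proc/sys/net/netfilter/nf_conntrack_max; do
        if [ -r "$f" ]; then
            printf '%s = %s\n' "${f##*/}" "$(cat "$f")"
        else
            printf '%s unavailable\n' "${f##*/}"
        fi
    done
    if [ -r /proc/net/nf_conntrack_expect ]; then
        printf 'current expectations = %s\n' "$(wc -l < /proc/net/nf_conntrack_expect)"
    fi
}

expect_full_stats "$SAMPLE_LOG"
expect_full_per_minute "$SAMPLE_LOG"
show_expect_settings
```

Two practical points follow from this. First, the "7 callbacks suppressed" line means the logged count undercounts what the kernel actually hit, so comparing the per-minute totals before and after a tuning change is more honest than eyeballing the raw log. Second, a value written with echo into /proc/sys/net/netfilter/nf_conntrack_expect_max does not survive a reboot; on Asuswrt-Merlin it belongs in a user script such as /jffs/scripts/init-start if it is meant to stick.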
 
When (in what version) did Merlin start to address these vulnerabilities?

https://www.tenable.com/blog/verizo...-routers-patched-for-multiple-vulnerabilities

Authenticated Remote Command Injection
Login Replay
Password Salt Disclosure

RMerlin does not support Verizon routers. If these vulnerabilities were affecting RMerlin supported Asus routers, then we'd be aware of them. This is not so, to my knowledge.

There is a reason that it is repeated endlessly to 'never' turn on remote access and/or SSH on the WAN interface.

The thread over on john9527's LTS RMerlin fork even had a hint about that just recently, once again.

https://www.snbforums.com/threads/f...lts-releases-v39e1.18914/page-462#post-479731

Are there verified reports that these Verizon vulnerabilities are also affecting Asus' code too?
 
So I updated from 384.10 to 384.10_2 on my AC88U and within an hour my Sony TV lost its network connection shortly after using the check connection tool after which it complained my router wasn’t responding when I checked the network again. This was the same problem I had with 384.9.
I’m hoping rebooting everything resolved this since everything was working fine on 384.10 for a week. Under 384.9 the problem showed up within 24 hours.

Something apparently changed, though, between 384.8 and 384.9 with respect to IP assignment, since there was no reason for the router to change the IP address of the TV, though the TV shouldn't have freaked out because of that.
For what it's worth, I've had similar problems on the same versions with my wireless bridge that has a manually assigned DHCP IP address.
 
Is there a way to edit an entry in "Rules for routing client traffic through the tunnel"?

No, they must be deleted and recreated.

I allow anonymous FTP within my LAN, which causes a perpetual flashing warning when in the GUI. Is there a way to disable this warning other than by disabling anonymous FTP access itself?

No. Since anonymous support is a major security risk, the warning makes sense.
 
I am quite aware of the risks of allowing anonymous FTP on my LAN, which are so minuscule as to be virtually nil, so the warning makes no sense at all. At a minimum, the warning should be toggleable.
 
Anonymous FTP servers are open to anyone, so they become a repository of malware or illegal material. Plus, I wouldn't trust the security of such an old FTP daemon to be wide open to the public.

Just ignore the warning then, it's not interfering with the functionality of the router.
 
Hi,

Is there any way to know how long the time is between the release of an updated firmware from ASUS, and the ability to incorporate it into a RMerlin release? For example, the recent update to the RT-AC88U firmware below:

ASUS RT-AC88U Firmware version 3.0.0.4.384.45708
Security Fix
- Fixed CVE-2018-20334
- Fixed CVE-2018-20336
- Fixed null pointer issue. Thanks for CodeBreaker of STARLabs’ contribution.
- Fixed AiCloud buffer overflow vulnerability. Thanks for Resecurity International's contribution.

Bug Fix
- Fixed AiMesh LAN IP issue when router using IPv6 WAN.
- Fixed AIMesh connection issues.
- Fixed Network Map related issues.
- Fixed Download Master icon disappear issue.
- Fixed LAN PC cannot find router name in My Network Places when enabling Samba service.
- Fixed LAN LED not blinking problem.​

Thanks,
Anton
 
Since it depends on ASUS releasing the GPL and binary blobs used that incorporates those fixes, and ASUS have proven that the only thing consistent about that timeframe is that it's inconsistent, no, there is no way to know.

Note also that sometimes RMerlin fixes stuff before ASUS does. I don't know if that applies to any of the above, but ASUS has incorporated some of his stuff into their stock firmware in the past.
 
I allow anonymous FTP within my LAN, which causes a perpetual flashing warning when in the GUI. Is there a way to disable this warning other than by disabling anonymous FTP access itself?
If you never want to see the flashing exclamation point, and you're using a browser which allows User CSS (i.e., Firefox or IE), you can make it invisible with a couple lines of code. Not that I'm recommending this; it disables the mark for every possible condition which makes it appear. And I'm not certain this still works, since I stopped using it a while ago.

Code:
/* Make yellow exclamation mark go away on router. */
div#notification_status.notification_on {
    visibility: hidden !important;
}
 
Anoymous FTP servers are open to anyone, so it becomes the repository of malware or illegal material. Plus, I wouldn't trust the security of such an old FTP daemon to be wide open to the public.

Just ignore the warning then, it's not interfering with the functionality of the router.
You're correct, my FTP server is, indeed, open to everyone on my LAN, not my WAN. There is no "wide open to the public." As I said, the security risk in my particular instance is virtually nil.
 
Wow, so knowledgeable.
So, you want to run things the way you want to run things and also insist that others respect your choice and do as you ask.

I love it when I get a laugh on a lousy day. Thanks!
 
