Disable SMBv1 following WannaCry(pt0r) attacks?



Microsoft is advising:

"This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks.)" - https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

 

Suggestions for doing this on Windows machines are given here: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

 

Is this possible for a network which includes unRAID?

Link to comment

I think you want to set this in the SMB Extras:  'client min protocol = NT1'.  NT1 is the CIFS protocol.

 

The following protocols will not be allowed: CORE, COREPLUS, LANMAN1, and LANMAN2.  They are not really known as SMB1, but are the pre-SMB2 protocols.  I doubt you have any computers on your network using the early protocols.

Link to comment

This obviously is a big topic and will have many foreseen issues (old kit no longer working with modern SMB2+) and unforeseen ones (e.g. Kodi may only support NT1).

 

It needs doing though, and has for a while.

 

Curious where you are seeing the port 445 recommendation, can you link me?

Link to comment

I am not sure I follow that one. Disabling 445 would kill all of NetBIOS SMB, so I can only assume they are talking about between zones or the internet... and if you have that open you have bigger problems to deal with :)

 

Or am I reading it wrong?

 

Edit: this actually doesn't work the way I thought it did. More reading required

 

Link to comment

So I looked into this some more. The whole NetBIOS/SMB 139/445 thing is way more complicated than it seems on first look but most of it would be out of scope for this thread.

 

The important bit is that the port 445 recommendations are just badly worded as we expected.

 

What it essentially means is "don't trust 445 anymore on a network you don't trust". This is not new advice and no one should have been doing this for as long as I can remember.

 

Thanks for the links.

Link to comment

I have the following in: Samba extra configuration:

min protocol = SMB2
guest ok = no
null passwords = no
lanman auth = no
restrict anonymous = 2
encrypt passwords = yes
server signing = mandatory
ntlm auth = no

Edited by ezhik
Link to comment

Have you confirmed this works as you expect it to? For instance, there is a lot of information out there that ` client min protocol = SMB2 ` breaks people's clients and does not do what it appears to do on the face of it, and may break the upper level some clients negotiate to.

 

Also, since the extra config is simply an insert statement within the RO smb.conf, it is not clear to me whether adding a statement like ` ntlm auth = no` is essentially like having yes and no set in the same config file. I have no idea if this works officially, coincidentally or not at all.

 

I think given the hidden complexity of this topic and the seriousness of it we need the big guns. I will ping them now.

  • Upvote 1
Link to comment

I agree with @NAS.  I would not make any changes other than possibly the "min client protocol", and SMB2 may not be the best choice.  The NT1 protocol is the CIFS protocol according to the SMB documentation here and is probably needed in some circumstances.

 

AFAIK, the smb extra is a global setting and should override the defaults, but until the heavy hitters weigh in, we should hold on making arbitrary changes.

 

Ransomware is scary and caution is advised, but we don't need to overreact and make bad decisions that can cause other problems.  Your best defense is to not click on email attachments or proceed to un-trusted website links.

Link to comment

Yeah, so it doesn't look like these settings are actually applied in the "Samba extra configuration" section of the configuration.

 

Devs, can you actually confirm that this is the correct syntax for the settings and it doesn't have to be separated in any shape or form other than EOL?

 

---

min protocol = SMB2
guest ok = no
null passwords = no
lanman auth = no
restrict anonymous = 2
encrypt passwords = yes
server signing = mandatory
ntlm auth = no

Edited by ezhik
  • Upvote 1
Link to comment

I can confirm these settings are not being applied:

 

Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)

Description
The remote Windows host supports Server Message Block Protocol version 1 (SMBv1). Microsoft recommends that users discontinue the use of SMBv1 due to the lack of security features that were included in later SMB versions. Additionally, the Shadow Brokers group reportedly has an exploit that affects SMB; however, it is unknown if the exploit affects SMBv1 or another version. In response to this, US-CERT recommends that users disable SMBv1 per SMB best practices to mitigate these potential issues.
  • Upvote 1
Link to comment

I tested this with Nessus. There are a few vulnerabilities that are reported:

 

SMB Related:

---

Windows NetBIOS / SMB Remote Host Information Disclosure

Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)
Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Microsoft Windows SMB Service Detection

 

 

  • Upvote 1
Link to comment

@jonp https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices

 

~ for those that run windows: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server

 

Logging into unRAID via SSH and running smbstatus, I can see that the protocol version is SMB2_10 (SMB 2.1) for the connected Win7 machines, and on my Nvidia Shield with Kodi running it shows NT1 (which is SMB1 basically).

 

So I can see that nuking SMB1 would break Kodi for me. Looking into this I found:

http://forum.kodi.tv/showthread.php?tid=314350&pid=2586470#pid2586470

 

In a nutshell: disabling the 30(?) year old SMB v1 should come out of the box, then the Samba page should link to instructions on how to 'enable' the support for those that must, with a disclaimer on why they really should upgrade from Windows XP/whatever legacy OS.

 

 

looking at:

On 5/21/2017 at 7:31 PM, ezhik said:

I have the following in: Samba extra configuration:

client min protocol = SMB2
encrypt passwords = yes
server signing = mandatory
ntlm auth = no

 

--

encrypt passwords = Yes

already set under: /etc/samba/smb-names.conf

 

per /etc/samba/smb.conf we see that

    # ease upgrades from Samba 3.6
    acl allow execute always = Yes
    # permit NTLMv1 authentication
    ntlm auth = Yes

 

Since extra gets loaded afterwards, it counters that...

Trying out those smb extra settings (restarted unRAID).

Per smbstatus I now see signing is being used (wasn't before)... still seeing Kodi connect as NT1 and working, however...

 

unraid smb [global] section after everything included...

/etc/samba# testparm
Load smb config files from /etc/samba/smb.conf
WARNING: The "null passwords" option is deprecated
WARNING: The "syslog" option is deprecated
WARNING: The "syslog only" option is deprecated
Processing section "[flash]"
Processing section "[Media]"
Processing section "[Movies]"
Processing section "[TV]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
    server string = i'm not fat
    local master = No
    syslog = 0
    syslog only = Yes
    disable spoolss = Yes
    load printers = No
    printcap name = /dev/null
    show add printer wizard = No
    client min protocol = SMB2
    unix extensions = No
    map to guest = Bad User
    null passwords = Yes
    passdb backend = smbpasswd
    security = USER
    server signing = required
    idmap config * : backend = tdb
    hide dot files = No
    map archive = No
    include = /etc/samba/smb-shares.conf
    wide links = Yes
    acl allow execute always = Yes
    nt acl support = No
    create mask = 0777
    directory mask = 0777
    invalid users = root
    aio read size = 4096
    aio write size = 4096
    use sendfile = Yes

 

Edited by zoggy
Link to comment
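The smbstatus check described in the post above, turned into a script. This is an added example, not code from the thread, from unRAID or from Samba. It reads the session table that Samba 4.x `smbstatus` prints (the table with the `Protocol Version` column, as in the post) and lists the sessions negotiated at an SMB1-family dialect, which is exactly the set of clients that will stop working once the server refuses SMB1. The sample output is constructed to match that format; the PIDs, usernames and addresses in it are made up.

```python
"""List smbstatus sessions still negotiated at an SMB1 dialect.

Usage on the server:   smbstatus | python3 smb1_sessions.py
With no piped input it runs against the constructed sample below.
"""
import re
import sys

# SMB1-family dialect names as smbd/smbstatus print them (see smb.conf(5),
# "server min protocol"); everything from SMB2_02 upward is SMB2/3.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

# Matches any dialect token; the protocol column is to the right of the
# machine column, so the LAST match on a line is the one we want.
PROTO_RE = re.compile(r"\b(CORE|COREPLUS|LANMAN[12]|NT1|SMB[23](?:_[0-9]{2})?)\b")

# Constructed sample (not captured data) in the shape of Samba 4.x smbstatus
# output: one Windows client on SMB2_10, one Kodi-style client on NT1, one
# client on SMB3_11.  Names and addresses are invented for the example.
SAMPLE_SMBSTATUS = """\
Samba version 4.5.8
PID     Username     Group        Machine                                   Protocol Version
------------------------------------------------------------------------------------------
12345   ezhik        users        192.168.1.20 (ipv4:192.168.1.20:49710)    SMB2_10
12346   nobody       users        192.168.1.30 (ipv4:192.168.1.30:38562)    NT1
12347   media        users        192.168.1.40 (ipv4:192.168.1.40:50102)    SMB3_11

Service      pid     Machine       Connected at
-----------------------------------------------------------
Media        12346   192.168.1.30  Sun May 21 19:31:02 2017 EDT
"""


def parse_sessions(text):
    """Return [(pid, username, machine, dialect)] from the session table.

    Returns [] when the output has no "Protocol Version" column (older Samba),
    in which case the caller cannot tell the dialect from smbstatus at all.
    """
    lines = text.splitlines()
    header = next((i for i, l in enumerate(lines) if "Protocol Version" in l), None)
    if header is None:
        return []
    sessions = []
    for line in lines[header + 2:]:  # skip the header line and the dashed rule
        if not line.strip():         # blank line ends the session table
            break
        fields = line.split()
        matches = PROTO_RE.findall(line)
        if len(fields) < 4 or not fields[0].isdigit() or not matches:
            continue
        sessions.append((int(fields[0]), fields[1], fields[3], matches[-1]))
    return sessions


def smb1_sessions(text):
    """Sessions that would break under `server min protocol = SMB2`."""
    return [s for s in parse_sessions(text) if s[3] in SMB1_DIALECTS]


if __name__ == "__main__":
    data = SAMPLE_SMBSTATUS if sys.stdin.isatty() else sys.stdin.read()
    hits = smb1_sessions(data)
    for pid, user, machine, dialect in hits:
        print(f"SMB1 session: pid={pid} user={user} machine={machine} dialect={dialect}")
    if not hits and not parse_sessions(data):
        print("no Protocol Version column in smbstatus output; cannot determine dialects")
```

Run it on the server before tightening the minimum protocol, and again afterwards: anything still listed is a client that silently fell back to SMB1 and needs its own client-side fix (for Kodi, the `~/.smb/smb.conf` settings later in this thread; for Linux mounts, an explicit `vers=` option).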

Figured it out. Incorrect syntax.

 

--

min protocol = SMB2
guest ok = no
null passwords = no
lanman auth = no
restrict anonymous = 2
encrypt passwords = yes
server signing = mandatory
ntlm auth = no

--

Edited by ezhik
  • Upvote 1
Link to comment
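Why the second set of settings works where `client min protocol = SMB2` did not, with a checker to go with it. This is an added example and not code from the thread, from unRAID or from Samba. Per smb.conf(5), `client min protocol` only limits the dialects that Samba's own client-side code (smbclient and friends) will use outbound; what smbd accepts from connecting clients is `server min protocol`, and `min protocol` is a synonym for that. This matches the testparm dump earlier in the thread: `client min protocol = SMB2` was clearly applied (the dump also shows `server signing = required` after `mandatory` was set, so the extra section is honoured), yet Kodi still connected as NT1. The script parses a testparm-style `[global]` dump and reports settings that still leave SMB1 open. Both sample configs are constructed, the first modelled on the dump posted above; the assumption that an unset `server min protocol` allows SMB1 holds for the Samba 4.x releases of this thread's era (the default moved to SMB2_02 in Samba 4.11).

```python
"""Audit a Samba [global] section (e.g. `testparm -s` output) for SMB1 exposure."""
import re

# Samba dialect levels in ascending order (smb.conf(5), "server min protocol").
PROTO_RANK = {
    "CORE": 0, "COREPLUS": 1, "LANMAN1": 2, "LANMAN2": 3, "NT1": 4,
    "SMB2_02": 5, "SMB2_10": 6, "SMB2": 6,
    "SMB3_00": 7, "SMB3_02": 8, "SMB3_11": 9, "SMB3": 9,
}

# Parameter synonyms from smb.conf(5): "min protocol" is the SERVER-side one.
ALIASES = {
    "min protocol": "server min protocol",
    "max protocol": "server max protocol",
    "protocol": "server max protocol",
}

# Constructed sample modelled on the testparm dump posted in this thread:
# the client-side minimum was raised, but nothing restricts what smbd accepts.
SAMPLE_BEFORE = """\
# Global parameters
[global]
    server string = i'm not fat
    client min protocol = SMB2
    map to guest = Bad User
    null passwords = Yes
    security = USER
    server signing = required
    ntlm auth = Yes
    include = /etc/samba/smb-shares.conf

[Media]
    path = /mnt/user/Media
"""

# Constructed sample using the server-side parameters instead.
SAMPLE_AFTER = """\
[global]
    min protocol = SMB2
    null passwords = No
    lanman auth = No
    ntlm auth = No
    server signing = mandatory
"""


def parse_global(text):
    """Return {parameter: value} for [global]; keys lower-cased, aliases folded, last wins."""
    params = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        section = re.match(r"\[(.+)\]$", line)
        if section:
            in_global = section.group(1).lower() == "global"
            continue
        if not in_global or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        params[ALIASES.get(key, key)] = value.strip()
    return params


def audit(params):
    """Return a list of findings; an empty list means SMB1 and its weak auth are off."""
    findings = []
    server_min = params.get("server min protocol")
    if server_min is None:
        # Assumption for Samba < 4.11: the built-in default accepted SMB1 dialects.
        findings.append("server min protocol unset: smbd default accepted SMB1 before Samba 4.11")
        if "client min protocol" in params:
            findings.append("client min protocol only limits Samba's own outbound connections, "
                            "it does not stop SMB1 clients connecting to smbd")
    elif PROTO_RANK.get(server_min.upper(), 0) < PROTO_RANK["SMB2_02"]:
        findings.append(f"server min protocol = {server_min}: SMB1 (NT1) still accepted")
    # testparm prints "required" for a configured "mandatory", as the thread's dump shows.
    if params.get("server signing", "").lower() not in ("required", "mandatory"):
        findings.append("server signing not mandatory: sessions may run unsigned")
    for weak in ("ntlm auth", "lanman auth", "null passwords"):
        if params.get(weak, "").lower() in ("yes", "true", "1"):
            findings.append(f"{weak} = yes: weak or empty-password authentication enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"{name}: {audit(parse_global(cfg)) or 'no findings'}")
```

To check a live box, feed it the real dump: `testparm -s 2>/dev/null | python3 -c 'import sys, audit_smb; print(audit_smb.audit(audit_smb.parse_global(sys.stdin.read())))'` (module name assumed). Note that testparm only prints parameters that differ from the compiled-in defaults, so the version-dependent default is exactly the case the "unset" finding is there to catch.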

For those that run Kodi, create or edit the smb.conf for the user that kodi runs under:

 

~/.smb/smb.conf

 

--

[global]
    client min protocol = SMB2
    client max protocol = SMB3
    client lanman auth = no
    client plaintext auth = no
    client NTLMv2 auth = yes
--

Edited by ezhik
  • Upvote 1
Link to comment

Also, for anybody using /etc/fstab mounts for cifs, make sure you use vers=3.0. Example:

 

/etc/fstab

 

# unraid mounts on debian 8

//my-unraid-host/media/family /media/unraid/family cifs credentials=/root/.smbcredentials,iocharset=utf8,sec=ntlmsspi,vers=3.0 0 0

 

--

 

Cheers.

Link to comment
