kleptonite Posted May 15, 2017 Microsoft is advising: "This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks.)" - https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ Suggestions for doing this on Windows machines are given here: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012 Is this possible for a network which includes unRAID?
dlandon Posted May 15, 2017 I think you want to set this in the SMB Extras: 'client min protocol = NT1'. NT1 is the CIFS protocol. The following protocols will not be allowed: CORE, COREPLUS, LANMAN1, and LANMAN2. They are not really known as SMB1, but are the pre-SMB2 protocols. I doubt you have any computers on your network using the early protocols.
dlandon Posted May 15, 2017 They also recommend blocking port 445 in your router. In my ASUS 5300, I can blacklist a port for all users.
NAS Posted May 15, 2017 This obviously is a big topic and will have many foreseen issues (old kit no longer working with modern SMB2+) and unforeseen ones (e.g. Kodi may only support NT1). It needs doing though, and has for a while. Curious where you are seeing the port 445 recommendation, can you link me?
dlandon Posted May 15, 2017 31 minutes ago, NAS said: This obviously is a big topic and will have many foreseen issues (old kit no longer working with modern SMB2+) and unforeseen ones (e.g. Kodi may only support NT1). It needs doing though, and has for a while. Curious where you are seeing the port 445 recommendation, can you link me? http://www.thewindowsclub.com/what-is-wannacrypt-ransomware
NAS Posted May 15, 2017 I am not sure I follow that one. Disabling 445 would kill all of NetBIOS SMB so I can only assume they are talking about between zones or the internet... and if you have that open you have bigger problems to deal with. Or am I reading it wrong? Edit: this actually doesn't work the way I thought it did. More reading required.
dlandon Posted May 15, 2017 I believe the recommendation is to block that port from WAN access, not the LAN. I suppose it's to keep the port to the Internet from being opened by ransomware using, say, UPnP?
NAS Posted May 16, 2017 So I looked into this some more. The whole NetBIOS/SMB 139/445 thing is way more complicated than it seems on first look but most of it would be out of scope for this thread. The important bit is that the port 445 recommendations are just badly worded as we expected. What it essentially means is "don't trust 445 anymore on a network you don't trust". This is not new advice and no one should have been doing this for as long as I can remember. Thanks for the links.
ezhik Posted May 22, 2017 I have the following in: Samba extra configuration:
min protocol = SMB2
guest ok = no
null passwords = no
lanman auth = no
restrict anonymous = 2
encrypt passwords = yes
server signing = mandatory
ntlm auth = no
Edited May 24, 2017 by ezhik
NAS Posted May 22, 2017 Have you confirmed this works as you expect it to? For instance there is a lot of information out there that ` client min protocol = SMB2 ` breaks people's clients and does not do what it appears to do on the face of it, and may break the upper level some clients negotiate to. Also it is not clear to me that, since the extra config is simply an insert statement within the RO smb.conf, adding a statement like ` ntlm auth = no` is essentially like having yes and no set in the same config file. I have no idea if this works officially, coincidentally or not at all. I think given the hidden complexity of this topic and the seriousness of it we need the big guns. I will ping them now.
dlandon Posted May 22, 2017 I agree with @NAS. I would not make any changes other than possibly the "min client protocol" and SMB2 may not be the best choice. The NT1 protocol is the CIFS protocol according to the SMB documentation here and is probably needed in some circumstances. AFAIK, the smb extra is a global setting and should override the defaults, but until the heavy hitters weigh in, we should hold on making arbitrary changes. Ransomware is scary and caution is advised, but we don't need to overreact and make bad decisions that can cause other problems. Your best defense is to not click on email attachments or proceed to un-trusted website links.
JorgeB Posted May 22, 2017 AFAIK the vulnerability is not present in SAMBA, only Windows OSes are affected; still, disabling SMB1 on unRAID can't hurt.
dlandon Posted May 22, 2017 Microsoft has recommended turning off SMB1 on Windows servers, so it must apply to the SMB protocol on servers and hence unRAID.
JorgeB Posted May 22, 2017 5 minutes ago, dlandon said: so it must apply to the SMB protocol on servers and hence unRAID. Don't see the connection, like I said, AFAIK SAMBA is not affected, only Windows.
NAS Posted May 22, 2017 The OP is disabling NTLM1.2 in light of the WannaCry exploit and not as a fix for the WannaCry exploit. Sensible advice but it is a much bigger topic and needs more resources to tackle.
ezhik Posted May 22, 2017 FYI: https://blog.varonis.com/the-difference-between-cifs-and-smb/
ezhik Posted May 22, 2017 Yeah so doesn't look like these settings are actually applied in "Samba extra configuration" section of the configuration. Devs, can you actually confirm that this is the correct syntax for the settings and it doesn't have to be separated in any shape or form other than EOL?
---
min protocol = SMB2
guest ok = no
null passwords = no
lanman auth = no
restrict anonymous = 2
encrypt passwords = yes
server signing = mandatory
ntlm auth = no
Edited May 24, 2017 by ezhik
ezhik Posted May 22, 2017 I can confirm these settings are not being applied:
Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)
Description
The remote Windows host supports Server Message Block Protocol version 1 (SMBv1). Microsoft recommends that users discontinue the use of SMBv1 due to the lack of security features that were included in later SMB versions. Additionally, the Shadow Brokers group reportedly has an exploit that affects SMB; however, it is unknown if the exploit affects SMBv1 or another version. In response to this, US-CERT recommends that users disable SMBv1 per SMB best practices to mitigate these potential issues.
ezhik Posted May 22, 2017 I tested this with Nessus. There are a few vulnerabilities that are reported:
SMB Related:
---
Windows NetBIOS / SMB Remote Host Information Disclosure
Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)
Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Microsoft Windows SMB Service Detection
zoggy Posted May 23, 2017 @jonp https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
~ for those that run windows: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server
logging into unraid via ssh, running smbstatus I can see that the protocol version is SMB2_10 (smb 2.1) for the connected win7 machines.. and on my nvidia shield with kodi running it shows NT1 (which is SMB1 basically), so I can see that nuking smb1 would break kodi for me.. looking into this I found: http://forum.kodi.tv/showthread.php?tid=314350&pid=2586470#pid2586470
in a nutshell.. disabling the 30? year old smb v1 should come out of the box, then link to the samba page with instructions on how to 'enable' the support for those that must, but give a disclaimer on why they really should upgrade from windows xp/whatever legacy os.
looking at:
On 5/21/2017 at 7:31 PM, ezhik said: I have the following in: Samba extra configuration:
client min protocol = SMB2
encrypt passwords = yes
server signing = mandatory
ntlm auth = no
--
encrypt passwords = Yes already set under: /etc/samba/smb-names.conf
per /etc/samba/smb.conf we see that
# ease upgrades from Samba 3.6
acl allow execute always = Yes
# permit NTLMv1 authentication
ntlm auth = Yes
since extra gets loaded afterwards.. it counters that...
trying out those smb extra settings.. (restarted unraid). per smbstatus I now see signing is being used (wasn't before).. still seeing kodi connect as NT1 and working however...
unraid smb [global] section after everything included...
/etc/samba# testparm
Load smb config files from /etc/samba/smb.conf
WARNING: The "null passwords" option is deprecated
WARNING: The "syslog" option is deprecated
WARNING: The "syslog only" option is deprecated
Processing section "[flash]"
Processing section "[Media]"
Processing section "[Movies]"
Processing section "[TV]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
        server string = i'm not fat
        local master = No
        syslog = 0
        syslog only = Yes
        disable spoolss = Yes
        load printers = No
        printcap name = /dev/null
        show add printer wizard = No
        client min protocol = SMB2
        unix extensions = No
        map to guest = Bad User
        null passwords = Yes
        passdb backend = smbpasswd
        security = USER
        server signing = required
        idmap config * : backend = tdb
        hide dot files = No
        map archive = No
        include = /etc/samba/smb-shares.conf
        wide links = Yes
        acl allow execute always = Yes
        nt acl support = No
        create mask = 0777
        directory mask = 0777
        invalid users = root
        aio read size = 4096
        aio write size = 4096
        use sendfile = Yes
Edited May 23, 2017 by zoggy
ezhik Posted May 24, 2017 Yeah, the settings are not being applied. Edited May 24, 2017 by ezhik
ezhik Posted May 24, 2017 Figured it out. Incorrect syntax.
--
min protocol = SMB2
guest ok = no
null passwords = no
lanman auth = no
restrict anonymous = 2
encrypt passwords = yes
server signing = mandatory
ntlm auth = no
--
Edited May 24, 2017 by ezhik
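An added example, not code from the thread or from unRAID/Samba: a small Python checker that parses a [global] section in the format testparm dumps above (zoggy's post) and reports which of the SMB1-era settings ezhik's corrected extra configuration turns off are still enabled. It applies the rule the thread relies on, that a parameter repeated later in the file (the appended extra configuration) overrides the earlier value (smb.conf's own `ntlm auth = Yes`). Assumptions: `min protocol` is a synonym for `server min protocol`, `mandatory` and `required` are synonyms for `server signing`, and the server min protocol defaults to NT1 on Samba of that era; the sample section is constructed.

```python
import re

# Constructed sample in testparm's dump format: stock smb.conf lines first,
# then the lines Samba appends from the extra configuration (which therefore win).
SAMPLE_GLOBAL = """\
[global]
        server string = sample unraid
        # permit NTLMv1 authentication
        ntlm auth = Yes
        null passwords = Yes
        server min protocol = NT1
        lanman auth = Yes
        ; appended from the "Samba extra configuration" box
        min protocol = SMB2
        server signing = mandatory
        ntlm auth = no
"""

# Assumption: Samba treats these parameter names as synonyms of the canonical one.
SYNONYMS = {"min protocol": "server min protocol"}
TRUE_VALUES = {"yes", "true", "1"}
# Pre-SMB2 dialects, i.e. what the thread calls "SMB1".
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

def parse_global(text):
    """Return [global] parameters as a dict; a repeated key keeps its LAST value."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = SYNONYMS.get(key.lower(), key.lower())
        params[key] = value.lower()              # later occurrence overrides earlier
    return params

def audit(params):
    """List the SMB1-era settings from the thread that are still switched on."""
    findings = []
    # Assumption: NT1 is the server min protocol default for Samba of that era.
    if params.get("server min protocol", "nt1") in SMB1_DIALECTS:
        findings.append("server min protocol still allows SMB1 dialects")
    if params.get("server signing", "default") not in {"required", "mandatory"}:
        findings.append("server signing is not mandatory")
    for key in ("ntlm auth", "lanman auth", "null passwords"):
        if params.get(key, "") in TRUE_VALUES:   # only judge explicitly set values
            findings.append(f"{key} is enabled")
    return findings
```

Running `audit(parse_global(SAMPLE_GLOBAL))` on the sample reports only `lanman auth` and `null passwords`, because the appended `min protocol = SMB2` and `ntlm auth = no` have overridden the earlier lines.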
ezhik Posted May 24, 2017 For those that run Kodi, create or edit the smb.conf for the user that kodi runs under: ~/.smb/smb.conf
--
[global]
client min protocol = SMB2
client max protocol = SMB3
client lanman auth = no
client plaintext auth = no
client NTLMv2 auth = yes
--
Edited May 24, 2017 by ezhik
ezhik Posted May 24, 2017 Also, for anybody using /etc/fstab mounts for cifs, make sure you use vers=3.0. Example: /etc/fstab
# unraid mounts on debian 8
//my-unraid-host/media/family /media/unraid/family cifs credentials=/root/.smbcredentials,iocharset=utf8,sec=ntlmsspi,vers=3.0 0 0
--
Cheers.
wgstarks Posted May 24, 2017 42 minutes ago, ezhik said: For those that run Kodi, create or edit the smb.conf for the user that kodi runs under: ~/.smb/smb.conf Didn't work on my kodi LE box. Can't connect to unraid.