Disable SMBv1 following WannaCry(pt0r) attacks?


Recommended Posts

5 minutes ago, wgstarks said:

What about on the server (unRAID) side? Any changes I need to make there?


You can apply the following:

 

Minimum:
min protocol = SMB2
 

Optimal:
guest ok = no
null passwords = no
lanman auth = no
restrict anonymous = 2
encrypt passwords = yes
server signing = mandatory
ntlm auth = no

 

  • Upvote 1
Link to comment
16 hours ago, ezhik said:

Good call. So I checked it out and LibreELEC 8.x uses SAMBA 3.6.25 (yes outdated), which is limited to SMB2 on a max protocol level.

 

So all you need to do is define min and max to be the same version - smb2 :)


Can you give it a shot?

 

You'd have to create it in the user's .smb/smb.conf file. For example if your user is kodi it would be in: /home/kodi/.smb/smb.conf

 

[global]
    client min protocol = SMB2
    client max protocol = SMB2
 

 

PS. I tested it on a full blown linux distro -> ubuntu 16.04 with actual kodi (from the official xbmc repo).

 

Cheers.

 

http://forum.kodi.tv/showthread.php?tid=314350&pid=2590709#pid2590709

See PR:12110. NT1 is the Samba default client max protocol. There is nothing you can configure in your server that will change default Kodi NT1 behaviour. You only need to add "client max protocol = SMB3" in the smb.conf used by Kodi and Samba will begin negotiating connections starting with SMB3 instead of NT1. However you need at least Samba 4.1.0 on the client in order for SMB2/SMB3 protocols to be supported. Setting "client min protocol" is known to cause compatibility issues so don't specify it. Also, Kodi is the client not the server so there's no point specifying server settings in the client smb.conf.

 

pretty much only LE9 w/ Kodi 18a1 are able to do this.. everyone else has to wait for the PR and an updated release.

Link to comment
3 hours ago, zoggy said:

 

http://forum.kodi.tv/showthread.php?tid=314350&pid=2590709#pid2590709

See PR:12110. NT1 is the Samba default client max protocol. There is nothing you can configure in your server that will change default Kodi NT1 behaviour. You only need to add "client max protocol = SMB3" in the smb.conf used by Kodi and Samba will begin negotiating connections starting with SMB3 instead of NT1. However you need at least Samba 4.1.0 on the client in order for SMB2/SMB3 protocols to be supported. Setting "client min protocol" is known to cause compatibility issues so don't specify it. Also, Kodi is the client not the server so there's no point specifying server settings in the client smb.conf.

 

pretty much only LE9 w/ Kodi 18a1 are able to do this.. everyone else has to wait for the PR and an updated release.

 

 

According to the samba documentation, smb2 is supported by the version LE8 is shipped with, which is SAMBA 3.6.25.

 

So defining min and max to be the same protocol on the client side should work.


in your ~/.smb/smb.conf:


[global]
    client min protocol = SMB2
    client max protocol = SMB2

Edited by ezhik
Link to comment
22 hours ago, ezhik said:

Good call. So I checked it out and LibreELEC 8.x uses SAMBA 3.6.25 (yes outdated), which is limited to SMB2 on a max protocol level.

 

So all you need to do is define min and max to be the same version - smb2 :)


Can you give it a shot?

 

You'd have to create it in the user's .smb/smb.conf file. For example if your user is kodi it would be in: /home/kodi/.smb/smb.conf

 

[global]
    client min protocol = SMB2
    client max protocol = SMB2
 

 

PS. I tested it on a full blown linux distro -> ubuntu 16.04 with actual kodi (from the official xbmc repo).

 

Cheers.

 

Did a little testing as requested. Basically just testing to see if my Chromebox running LE8 could connect to the server.

This does work when set on the client-

[global]
client min protocol = SMB2
client max protocol = SMB2

Full smb.conf settings-

[global]
	preferred master = no
	local master = no
	domain master = no
	client lanman auth = yes
	lanman auth = yes
	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
	lock directory = /storage/.smb/
	name resolve order = bcast host
#ezhik changes start
[global]
    client min protocol = SMB2
    client max protocol = SMB2
#ezhik changes end

This breaks connectivity when set on the server-

[global]
min protocol = SMB2

Had to delete it to be able to connect.

Link to comment
34 minutes ago, wgstarks said:

 

Did a little testing as requested. Basically just testing to see if my Chromebox running LE8 could connect to the server.

This does work when set on the client-


[global]
client min protocol = SMB2
client max protocol = SMB2

Full smb.conf settings-


[global]
	preferred master = no
	local master = no
	domain master = no
	client lanman auth = yes
	lanman auth = yes
	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
	lock directory = /storage/.smb/
	name resolve order = bcast host
#ezhik changes start
[global]
    client min protocol = SMB2
    client max protocol = SMB2
#ezhik changes end

This breaks connectivity when set on the server-


[global]
min protocol = SMB2

Had to delete it to be able to connect.

 

I think I see where the problem is.

 

In your ~/.smb/smb.conf keep only and remove the rest:

 

[global]
    client min protocol = SMB2
    client max protocol = SMB2
 

(Obviously make a backup of the smb.conf to smb.conf.bak)

Link to comment
2 minutes ago, ezhik said:

 

I think I see where the problem is.

 

In your ~/.smb/smb.conf keep only and remove the rest:

 

[global]
    client min protocol = SMB2
    client max protocol = SMB2
 

(Obviously make a backup of the smb.conf to smb.conf.bak)

Not sure what you're wanting to accomplish? Those two settings are already working.

Link to comment

If you set on the server:

 

settings -> smb -> Samba extra configuration:

 

min protocol = SMB2

 

---

 

Click Apply.

 

Try to open a share with LE8.

 

ssh to your unraid host and run "smbstatus".

 

You should get a response like:

 

Samba version 4.5.10
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
----------------------------------------------------------------------------------------------------------------------------------------
12019   kodi         users        10.10.172.5 (ipv4:10.10.172.5:40130)      SMB3_00           -                    HMAC-SHA256

Except in your case it would be SMB2_00

Edited by ezhik
Link to comment
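An added example, not from the thread, for checking the server side from any machine rather than only from the unRAID console: a Python probe that sends one SMB1 NEGOTIATE to port 445 and decodes the reply. Offering only the `NT LM 0.12` dialect tells you whether SMBv1 is still negotiable; offering the `SMB 2.002` / `SMB 2.???` pseudo-dialects as well should get an SMB2 NEGOTIATE reply that names the chosen dialect and says whether signing is required, which is what `smbstatus` later shows as Protocol Version and Signing for an established session. The target host is a command-line argument and the sample response bytes are constructed for offline checks; neither comes from the page.

```python
"""smbprobe.py: ask an SMB server which dialects it will negotiate.

Added example for this thread; not code from Samba, unRAID or Kodi.
Sends one SMB1 NEGOTIATE (the request every client starts with) and decodes
the answer, so you can see from any machine whether SMBv1 (NT1) is still
accepted and which SMB2/3 dialect the server picks.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"

NT1_ONLY = ["NT LM 0.12"]                              # pure SMBv1 offer
WITH_SMB2 = ["NT LM 0.12", "SMB 2.002", "SMB 2.???"]   # lets an SMB2 server upgrade

SMB2_DIALECTS = {0x0202: "SMB2_02", 0x0210: "SMB2_10", 0x0300: "SMB3_00",
                 0x0302: "SMB3_02", 0x0311: "SMB3_11",
                 0x02FF: "SMB2 wildcard (server wants a real SMB2 NEGOTIATE next)"}


def _smb1_header(command, flags, flags2):
    """32-byte SMB1 header; PID 0x1234 is arbitrary, TID/UID/MID are 0."""
    return struct.pack("<4sBIBHHQHHHHH", SMB1_MAGIC, command, 0, flags, flags2,
                       0, 0, 0, 0, 0x1234, 0, 0)


def _frame(msg):
    """Prefix the 4-byte NetBIOS session-service header (type 0, 24-bit length)."""
    return struct.pack(">I", len(msg)) + msg


def build_smb1_negotiate(dialects):
    """SMB_COM_NEGOTIATE (0x72): WordCount 0, then the 0x02-prefixed dialect strings."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _frame(_smb1_header(0x72, 0x18, 0xC853) + struct.pack("<BH", 0, len(data)) + data)


def parse_negotiate_response(raw):
    """Decode a framed reply: protocol family, chosen dialect (None if refused)
    and whether the server requires signing."""
    msg = raw[4:]
    if msg.startswith(SMB2_MAGIC):
        if len(msg) < 70:
            raise ValueError("truncated SMB2 NEGOTIATE response")
        # 64-byte SMB2 header, then StructureSize(65), SecurityMode, DialectRevision
        size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
        if size != 65:
            raise ValueError("unexpected SMB2 NEGOTIATE StructureSize %d" % size)
        return {"family": "SMB2",
                "dialect": SMB2_DIALECTS.get(dialect, "0x%04x" % dialect),
                "signing_required": bool(security_mode & 0x0002)}
    if msg.startswith(SMB1_MAGIC):
        if len(msg) < 35:
            raise ValueError("truncated SMB1 response")
        status = struct.unpack_from("<I", msg, 5)[0]
        word_count = msg[32]
        result = {"family": "SMB1", "dialect": None, "signing_required": False}
        if status != 0 or word_count == 0:
            result["status"] = status
            return result
        index = struct.unpack_from("<H", msg, 33)[0]
        if index == 0xFFFF:                 # none of the offered dialects accepted
            return result
        result["dialect"] = "SMB1 dialect index %d" % index
        if word_count >= 17:                # NT LM 0.12 reply: SecurityMode byte follows
            result["signing_required"] = bool(msg[35] & 0x08)
        return result
    raise ValueError("not an SMB response: %r" % msg[:4])


def probe(host, dialects, port=445, timeout=5.0):
    """One TCP connection, one NEGOTIATE, one decoded answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_smb1_negotiate(dialects))
        raw = s.recv(4096)
    if len(raw) < 8:                        # smbd may simply drop an NT1-only client
        return {"family": None, "dialect": None, "signing_required": False,
                "note": "connection closed without a NEGOTIATE response"}
    return parse_negotiate_response(raw)


# Constructed sample replies (not captured from the page) for offline checks.
def sample_smb2_response(dialect, security_mode):
    hdr = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHH16sIIII", 65, security_mode, dialect, 0, b"\0" * 16,
                       0, 8388608, 8388608, 8388608)
    return _frame(hdr + body)


def sample_smb1_response(dialect_index, security_mode=0):
    if dialect_index == 0xFFFF:             # refusal: WordCount 1, just the index
        body = struct.pack("<BHH", 1, 0xFFFF, 0)
    else:                                   # NT LM 0.12 acceptance: 17 words
        words = struct.pack("<HBHHIIIIQhB", dialect_index, security_mode, 50, 1,
                            16644, 65536, 0, 0x8000E3FD, 0, 0, 0)
        body = struct.pack("<B", 17) + words + struct.pack("<H", 0)
    return _frame(_smb1_header(0x72, 0x98, 0xC801) + body)


if __name__ == "__main__":
    import sys
    target = sys.argv[1]                    # e.g. the unRAID host name; not from the page
    print("NT1 only :", probe(target, NT1_ONLY))
    print("with SMB2:", probe(target, WITH_SMB2))
```

Run it as `python3 smbprobe.py <host>`. A server that refuses the NT1-only offer either answers with DialectIndex 0xFFFF or closes the connection, and the probe reports both; the second probe should come back as an SMB2 family reply, and if it names the wildcard dialect the server is asking for a proper SMB2 NEGOTIATE to settle on SMB2_02 through SMB3_11.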
10 minutes ago, ezhik said:

ssh to your unraid host and run "smbstatus".

root@Brunnhilde:~# smbstatus

Samba version 4.5.10
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
----------------------------------------------------------------------------------------------------------------------------------------

Service      pid     Machine       Connected at                     Encryption   Signing     
---------------------------------------------------------------------------------------------

No locked files

Don't think that worked.

 

 

 

Client smb.conf-

#[global]
#	preferred master = no
#	local master = no
#	domain master = no
#	client lanman auth = yes
#	lanman auth = yes
#	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
#	lock directory = /storage/.smb/
#	name resolve order = bcast host
#ezhik changes start
[global]
    client min protocol = SMB2
    client max protocol = SMB2
#ezhik changes end

 

Server smb.conf-

#smb local master configuration
[global]
	domain master = yes
  	preferred master = yes
   	os level = 255
#smb local master configuration end
#exclude_Apple_DS_files_start
veto files = /._*/.DS_Store/
#exclude_Apple_DS_files_end
#vfs_recycle_start
#Recycle bin configuration
[global]
   syslog only = No
   log level = 0 vfs:0
#vfs_recycle_end
#ezhik changes start
[global]
   min protocol = SMB2
#ezhik changes end

 

Link to comment
21 minutes ago, wgstarks said:

root@Brunnhilde:~# smbstatus

Samba version 4.5.10
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
----------------------------------------------------------------------------------------------------------------------------------------

Service      pid     Machine       Connected at                     Encryption   Signing     
---------------------------------------------------------------------------------------------

No locked files

Don't think that worked.

 

 

 

Client smb.conf-


#[global]
#	preferred master = no
#	local master = no
#	domain master = no
#	client lanman auth = yes
#	lanman auth = yes
#	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
#	lock directory = /storage/.smb/
#	name resolve order = bcast host
#ezhik changes start
[global]
    client min protocol = SMB2
    client max protocol = SMB2
#ezhik changes end

 

Server smb.conf-


#smb local master configuration
[global]
	domain master = yes
  	preferred master = yes
   	os level = 255
#smb local master configuration end
#exclude_Apple_DS_files_start
veto files = /._*/.DS_Store/
#exclude_Apple_DS_files_end
#vfs_recycle_start
#Recycle bin configuration
[global]
   syslog only = No
   log level = 0 vfs:0
#vfs_recycle_end
#ezhik changes start
[global]
   min protocol = SMB2
#ezhik changes end

 

 

Too many [global] definitions, try to consolidate it into one:

 

#smb local master configuration
[global]
	domain master = yes
  	preferred master = yes
   	os level = 255
#smb local master configuration end
#exclude_Apple_DS_files_start
veto files = /._*/.DS_Store/
#exclude_Apple_DS_files_end
#vfs_recycle_start
#Recycle bin configuration
   syslog only = No
   log level = 0 vfs:0
#vfs_recycle_end
#ezhik changes start
   min protocol = SMB2
#ezhik changes end

 

Link to comment
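Whatever the cause of the failed connection, the first thing to check is what smbd actually ends up with after all the fragments in "Samba extra configuration" are appended. Samba reads the file top to bottom; a repeated [global] header reopens the same section and a later value overrides an earlier one. The Python script below is an added example (not code from the thread, Samba or unRAID) that parses an smb.conf the same way, folds parameter synonyms such as `min protocol` onto `server min protocol`, and reports the effective protocol floor together with the settings recommended near the top of the thread (`lanman auth`, `ntlm auth`, `guest ok`, `null passwords`, `encrypt passwords`, `server signing`, `restrict anonymous`). The sample file embedded in it is constructed to resemble the posted server configuration and is not the poster's file.

```python
"""smbconf_audit.py: read an smb.conf the way smbd does (top to bottom, later
values override earlier ones, a repeated [global] header reopens the same
section) and report the effective protocol and authentication settings.

Added example for this thread; not code from Samba, unRAID or LibreELEC.
"""
import re

# smb.conf parameter names are case-insensitive and ignore internal
# whitespace; a few have synonyms that map onto the same setting.
SYNONYMS = {
    "minprotocol": "serverminprotocol",
    "maxprotocol": "servermaxprotocol",
    "protocol": "servermaxprotocol",
}
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

# Settings the thread recommends, with the value that triggers a finding.
RISKY = {
    "lanmanauth":       ("yes", "LANMAN password hashes accepted"),
    "clientlanmanauth": ("yes", "client may send LANMAN hashes"),
    "ntlmauth":         ("yes", "NTLMv1 responses accepted"),
    "nullpasswords":    ("yes", "accounts with empty passwords can log in"),
    "guestok":          ("yes", "anonymous access allowed"),
    "encryptpasswords": ("no",  "plaintext passwords on the wire"),
}
RECOMMENDED = {"serversigning": "mandatory", "restrictanonymous": "2"}


def canon(name):
    """Normalise a parameter name: lower-case, no whitespace, synonyms folded."""
    name = re.sub(r"\s+", "", name).lower()
    return SYNONYMS.get(name, name)


def parse_smb_conf(text):
    """Return ({section: {param: value}}, [notes]) with sections merged in file order."""
    sections, notes, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            name = header.group(1).strip().lower()
            if name in sections:
                notes.append("line %d: [%s] reopened; values below override earlier ones"
                             % (lineno, name))
            current = sections.setdefault(name, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            notes.append("line %d: ignored, not 'name = value': %r" % (lineno, line))
            continue
        if current is None:          # parameters before any header belong to [global]
            current = sections.setdefault("global", {})
        current[canon(key)] = value.strip()
    return sections, notes


def audit(text):
    """Return (effective [global] settings, findings) for one smb.conf."""
    sections, findings = parse_smb_conf(text)
    g = sections.get("global", {})
    smin = g.get("serverminprotocol")
    if smin is None or smin.upper() in SMB1_DIALECTS:
        findings.append("server min protocol = %s: SMBv1 dialects still negotiable"
                        % (smin if smin is not None else "<unset>"))
    for key in ("clientminprotocol", "clientmaxprotocol"):
        if key in g and g[key].upper() in SMB1_DIALECTS:
            findings.append("%s = %s: this client will still speak SMBv1" % (key, g[key]))
    for sect, params in sections.items():          # guest ok etc. are per-share too
        for key, (bad, why) in RISKY.items():
            if params.get(key, "").strip().lower() == bad:
                findings.append("[%s] %s = %s: %s" % (sect, key, bad, why))
    for key, want in RECOMMENDED.items():
        if g.get(key, "").strip().lower() != want:
            findings.append("%s = %s (thread recommends %s)" % (key, g.get(key, "<unset>"), want))
    return g, findings


# Constructed sample modelled on the server-side file posted in the thread:
# three [global] headers, with the protocol floor added last.  Not the poster's file.
SAMPLE_SERVER_CONF = """\
#smb local master configuration
[global]
    domain master = yes
    preferred master = yes
    os level = 255
veto files = /._*/.DS_Store/
[global]
    syslog only = No
    log level = 0 vfs:0
    lanman auth = no
    ntlm auth = no
    server signing = mandatory
    restrict anonymous = 2
[global]
    min protocol = SMB2

[Media]
    path = /mnt/user/Media
    guest ok = yes
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_CONF
    effective, findings = audit(text)
    print("effective server min protocol:", effective.get("serverminprotocol", "<unset>"))
    for f in findings:
        print(" -", f)
```

Run `python3 smbconf_audit.py /etc/samba/smb.conf`, or with no argument to audit the embedded sample. It also understands the client-side `client min protocol` / `client max protocol` keys, so the same script can be pointed at Kodi's ~/.smb/smb.conf. It checks values only; `testparm -s` remains the authoritative check, since it runs Samba's own parser against the file smbd will load.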
10 minutes ago, ezhik said:

 

Too many [global] definitions, try to consolidate it into one:

 


#smb local master configuration
[global]
	domain master = yes
  	preferred master = yes
   	os level = 255
#smb local master configuration end
#exclude_Apple_DS_files_start
veto files = /._*/.DS_Store/
#exclude_Apple_DS_files_end
#vfs_recycle_start
#Recycle bin configuration
   syslog only = No
   log level = 0 vfs:0
#vfs_recycle_end
#ezhik changes start
   min protocol = SMB2
#ezhik changes end

 

Didn't make any difference. Failed to connect to server after the reboot.

Link to comment
10 hours ago, limetech said:

Guys, please correct me if wrong... why are you doing any of this?  the "wannacry" vulnerability affects Windows only, and M$ has released a patch quite a while ago now.  If all your Win machines are up-to-date, why do you need to disable SMBv1 protocol at all?

Actually, I live in a Windows Free Exclusion Zone.B| Not really worried about wannacry.

Just doing some compatibility testing with the changes proposed by @ezhik. Looks like there are probably many systems that would be negatively affected by disabling SMBv1.

Link to comment
Guys, please correct me if wrong... why are you doing any of this?  the "wannacry" vulnerability affects Windows only, and Microsoft has released a patch quite a while ago now.  If all your Win machines are up-to-date, why do you need to disable SMBv1 protocol at all?


I was wondering this as well, but figured I'd missed something as I haven't really been following the wannacry stuff.

Sent from my LG-H815 using Tapatalk

Link to comment
On 5/29/2017 at 7:21 PM, ezhik said:


You can apply the following:

 

Minimum:
min protocol = SMB2
 

Optimal:
guest ok = no
null passwords = no
lanman auth = no
restrict anonymous = 2
encrypt passwords = yes
server signing = mandatory
ntlm auth = no

 

 

I want to caution anyone reading this topic that changes on the unRAID side for the "WannaCry" malware are not necessary, and adding random stuff in "Samba extra configuration" could break unRAID SMB share services.

  • Upvote 1
Link to comment
7 hours ago, limetech said:

 

I want to caution anyone reading this topic that changes on the unRAID side for the "WannaCry" malware are not necessary, and adding random stuff in "Samba extra configuration" could break unRAID SMB share services.

 

I wouldn't call this random stuff, I would however say that a bit more security should be enforced.

Link to comment
On 5/30/2017 at 8:24 PM, ezhik said:

If you set on the server:

 

settings -> smb -> Samba extra configuration:

 

min protocol = SMB2

 

---

 

Click Apply.

 

Try to open a share with LE8.

 

ssh to your unraid host and run "smbstatus".

 

You should get a response like:

 

Samba version 4.5.10
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
----------------------------------------------------------------------------------------------------------------------------------------
12019   kodi         users        10.10.172.5 (ipv4:10.10.172.5:40130)      SMB3_00           -                    HMAC-SHA256

Except in your case it would be SMB2_00

 

https://forum.kodi.tv/showthread.php?tid=314350&pid=2586814#pid2586814

kodi on linux uses a much newer samba version, which is why you get SMB3 support. The version we use for android doesn't support it.

And before you ask: samba >= 4.1 which first introduced smb2/3 client support also changed to a new build system, which makes it almost impossible to cross compile for all our platforms.

 

then next post:

LE8.0.1 is built with Samba 3.6.25 so doesn't include client support for SMB2/SMB3 - you'll need a recent LE9 test build for that (currently Samba 4.6.3).

 

can confirm this by looking at:

https://libreelec.tv/2017/05/libreelec-krypton-v8-0-2-mr/

Samba announced CVE-2017-7494 as we were about to release 8.0.2 and due to the serious vulnerability rating we postponed release to investigate. LibreELEC uses Samba 3.6.25 which is in the range of affected versions, but after Samba source code review (thanks @seo) we believe we are not vulnerable as we compile Samba without printer support, and this disables the vulnerable code path.

 

https://wiki.samba.org/index.php/Samba3/SMB2#Introduction

SMB 2.1 was introduced with Windows 7/Windows 2008R2.

  • Basic support for SMB 2.1 was added in Samba 4.0.0

SMB 3 (previously known as SMB2.2 dialect) was introduced with Windows 8 and Windows Server 2012. SMB3 dialect defines the following features:

  • Basic support for SMB3 is included in Samba 4.0.0 and later.

 

--

 

so anyways its being addressed on kodi's end in a future PR,

https://github.com/xbmc/xbmc/pull/12110

 

Edited by zoggy
Link to comment
1 hour ago, zoggy said:

 

https://forum.kodi.tv/showthread.php?tid=314350&pid=2586814#pid2586814

kodi on linux uses a much newer samba version, which is why you get SMB3 support. The version we use for android doesn't support it.

And before you ask: samba >= 4.1 which first introduced smb2/3 client support also changed to a new build system, which makes it almost impossible to cross compile for all our platforms.

 

then next post:

LE8.0.1 is built with Samba 3.6.25 so doesn't include client support for SMB2/SMB3 - you'll need a recent LE9 test build for that (currently Samba 4.6.3).

 

can confirm this by looking at:

https://libreelec.tv/2017/05/libreelec-krypton-v8-0-2-mr/

Samba announced CVE-2017-7494 as we were about to release 8.0.2 and due to the serious vulnerability rating we postponed release to investigate. LibreELEC uses Samba 3.6.25 which is in the range of affected versions, but after Samba source code review (thanks @seo) we believe we are not vulnerable as we compile Samba without printer support, and this disables the vulnerable code path.

 

https://wiki.samba.org/index.php/Samba3/SMB2#Introduction

SMB 2.1 was introduced with Windows 7/Windows 2008R2.

  • Basic support for SMB 2.1 was added in Samba 4.0.0

SMB 3 (previously known as SMB2.2 dialect) was introduced with Windows 8 and Windows Server 2012. SMB3 dialect defines the following features:

  • Basic support for SMB3 is included in Samba 4.0.0 and later.

 

--

 

so anyways its being addressed on kodi's end in a future PR,

https://github.com/xbmc/xbmc/pull/12110

 

SMB2 support was introduced in 3.6.0: https://wiki.samba.org/index.php/Samba_3.6_Features_added/changed#SMB2_support

Link to comment
  • 3 weeks later...

I would like to suggest that we make the disabling of what we are calling SMBv1 via the GUI a checkbox. This way we can inform the users of the downsides, why it should happen and the rarer cases where it shouldn't.

 

We do need to debate what the default should be. At some point SMBv2+ should be the default but I do not think that day has come yet.

 

Regardless this should be a point and click skill-free exercise for users and not a lengthy forum read should they happen upon it.

Link to comment
1 minute ago, NAS said:

I would like to suggest that we make the disabling of what we are calling SMBv1 via the GUI a checkbox. This way we can inform the users of the downsides, why it should happen and the rarer cases where it shouldn't.

 

We do need to debate what the default should be. At some point SMBv2+ should be the default but I do not think that day has come yet.

 

Regardless this should be a point and click skill-free exercise for users and not a lengthy forum read should they happen upon it.

 

I suggest you write a feature request for this, so it won't get lost/buried.

 

Link to comment
