Hello,

I have a Vigor2960, F/W 1.3.1.

I was somewhat shocked to get a letter from my ISP advising me:

We're writing to let you know that a device connected to your home network has been identified as having a potential open NetBIOS vulnerability

Hmmm, well my firewall is pretty well locked down, deny all incoming by default, I don't even allow DNS or port forward requests without going through the firewall filters and they certainly do not include NETBIOS! So I gave a it a quick test via w3dt.com and got this (actual IP/DNS removed!)...

w3dt.net netbios scanner v1.5

---

xxx.xxx.xxx.xxx WORKGROUP\VIGOR SHARING
VIGOR <00> UNIQUE Workstation Service
VIGOR <03> UNIQUE Messenger Service<3>
VIGOR <20> UNIQUE File Server Service
..__MSBROWSE__.<01> GROUP Master Browser
WORKGROUP <1d> UNIQUE Master Browser
WORKGROUP <1e> GROUP Browser Service Elections
WORKGROUP <00> GROUP Domain Name
00:00:00:00:00:00 ETHER myexternaldns.addr

---

Well, that's obviously my Vigor2960 and I quickly noted that turning off the SAMBA server used to access content on the USB card in one of the USB slots sorted that out - not a problem as don't really use it.

The firewall is preventing connections but is advertising me!

I've not touched the SAMBA server settings for ages, well over a year, so could this be a change in firmware that has resulted in this? I've had a replacement router recently with the last good config restored to it that was backed up in March, so no changes at all in config since then The latest firmware update was since then though. This is the first and only time my ISP has alerted me.

Anyone else able to test this?

How do I use the SAMBA server without exposing it to the internet?

Thanks.

Look at the USB > General Settings > Access from Lan or Wan and Lan.

You should only allow access from Lan.

Thanks, but I don't have a USB, General Settings and I can't find a setting like that anywhere!

http://60.250.189.150:2960/ live demo of GUI ( slow to load)


Scroll down the left pane in your GUI to USB Application > Samba Server > when that page opens look at the top right corner , you will see a blue ? mark.

That opens the Help Page.

You will see the instructions and images. You need to look at USB General Settings and make sure that LAN Only is set.

1) Insert an USB drive to router's USB port, and go to USB Application >> USB Devices Status to make sure the device is detected. (See Are there any limits to the USB disk?)



2) Enable SMB Service on the router. Go to USB Application >> USB General Settings to enable SMB Service Settings and set other details. After that, router will ask to reboot for the changes to take effect.

Thanks for the reply Adrian,

You are correct in that the help file does state what you have mentioned above, however it is out of date. My device list screen looks nothing like the example in the help file and the "USB Application >> USB General Settings" simply does not exist. The demo page you linked to appears the same as mine and does not include that setting either.

This is a Vigor2960 H/W 1.0 F/W 1.3.1 Revision 7145 (2017-07-01 23:06:14) (this is the same bar Vigor model as the demo page)

Under USB Application I have these options only:

• - Disk Status
  

- No configurable options, just ability refresh, restart device and unmount a disk.
- FTP Server

- SAMBA Server

• - General Setup
  

- Ability to enable / disable and provide Name/description/workgroup.
- SAMBA folder

- Ability to add/edit/delete a folder (share) - with options to enable/make visible/comment/volume/path and user access rights.
- Printer

- Temperature Sensor

- Modem Support List

Even without a actual USB drive attached, as soon as the SAMBA server is enabled it starts exposing the name across the internet and I have no apparent way of preventing that.

Thanks

Does the telnet command line interface help? It looks like it might, on my 2860n.

Code:

> smb setting Modify SMB service settings =================== Usage =================== Enable: smb setting enable Disable: smb setting disable Show status: smb setting status Set: Workgroup: smb setting set workgroup [Workgroup name] Host: smb setting set host [Host name] Access: smb setting set access [LAN or LANWAN] --------------------------------------------- Workgroup name: Max 15 characters. Host name: Max 15 characters. LAN: Allow access from LAN only. LANWAN: Allow access from both LAN and WAN. Ex: smb setting set access LANWAN ---------------------------------------------