Secure SMB On Openwrt
This blog post describes how to protect the SMB share on an OpenWrt-based device with user authentication, since this is not done by default. I used the GL-iNet Shadow GL-AR300M16 for this demonstration.
Installing The Software
To begin with, it is necessary to install the SMB server software on your GL-iNet router.
Simply navigate to http://192.168.8.1/#/share (or, if you changed it, your new router IP) and click on Install:
Now a simple share can already be configured, although the configuration options in the web GUI are rather limited: it is not possible to restrict access to the share in any way from the web interface (except by limiting it to the LAN).
In order to secure the share with some proper authentication, it is necessary to SSH into the router.
The default SMB config will look similar to the following:
[global]
    netbios name = OpenWrt
    display charset = UTF-8
    interfaces = lo br-lan
    server string = OpenWrt
    unix charset = UTF-8
    workgroup = WORKGROUP
    bind interfaces only = yes
    deadtime = 30
    enable core files = no
    invalid users = root
    local master = no
    map to guest = Bad User
    max protocol = SMB2
    min receivefile size = 16384
    null passwords = yes
    passdb backend = smbpasswd
    security = user
    smb passwd file = /etc/samba/smbpasswd
    use sendfile = yes

[homes]
    comment = Home Directories
    browsable = no
    read only = no
    create mode = 0750

[GL-Samba]
    path = /mnt/sda1/share
    read only = no
    guest ok = yes
This configuration allows anyone on our LAN to access the share without any authentication.
Creating A New User
Unless you want to use the root account for the share, you first need to add a new user. As useradd and adduser are not available, you have to do it manually:
- Add an entry in /etc/passwd:
  echo "nop:x:1000:1000:nop:/:/bin/false" >> /etc/passwd
- Add an entry in /etc/shadow:
  - Generate the password hash (MD5crypt):
    mkpasswd --method=MD5
  - Add the entry:
    echo "nop:\$1\$q2954XMZ\$tFH8rw3nNAHw.M6EFtxB4.:0:0:99999:7:::" >> /etc/shadow
    (Keep in mind that you have to escape the dollar signs.)
- Add an entry in /etc/group:
  echo "nop:x:1000:" >> /etc/group
In case you are not creating a new user, you have to remove the line invalid users = root from smb.conf.template, otherwise the root user won't be allowed to authenticate.
Finally, create an entry in the smbpasswd file: smbpasswd -a nop
Modifying The Config
If you want to take a look at the opkg package, you can download it from GitHub and extract it with: tar -xf samba36-server.ipk
In order to modify the SMB config, you have to edit /etc/config/samba, which looks roughly like this by default:
config samba
    option workgroup 'WORKGROUP'
    option homes '1'
    option name 'GL-AR300M'
    option description 'GL-AR300M-d8a'
    option interface 'loopback lan '

config sambashare
    option name 'GL-Samba'
    option path '/mnt/sda1/share'
    option guest_ok 'yes'
    option read_only 'yes'
Let's disable the guest login:
config samba
    option name 'OpenWrt'
    option workgroup 'WORKGROUP'
    option description 'OpenWrt'
    option homes '1'
    option interface 'loopback lan '

config sambashare
    option name 'GL-Samba'
    option guest_ok 'no'
    option read_only 'no'
    option path '/mnt/sda1/share'
Lastly, restart the service to apply the changes: /etc/init.d/samba restart
(If you chose this way instead of modifying the init script (/etc/init.d/samba) directly, do not configure your share via the web panel from now on, as that would overwrite your changes.)
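Putting the manual steps together, here is an added helper script (not from the original post) that creates the SMB-only user the way the steps above do and then checks /etc/config/samba for any share still set to guest_ok 'yes'. It assumes BusyBox sh, awk, sed and grep, takes the file paths as parameters so it can be tried on copies first, and locks the Unix password with "*" instead of an MD5crypt hash, since Samba authenticates against smbpasswd and /bin/false already blocks shell logins.

```shell
#!/bin/sh
# Added example, not part of the original post: create an SMB-only user on an
# OpenWrt box that lacks useradd/adduser, then check /etc/config/samba for
# shares still allowing guest access. Assumes BusyBox sh, awk, sed and grep.
# File paths are parameters so the functions can be tried on copies first.

# Print the lowest unused UID >= 1000 in the given passwd file.
next_free_uid() {
    awk -F: '$3 >= 1000 { used[$3] = 1 }
             END { uid = 1000; while (uid in used) uid++; print uid }' "$1"
}

# add_smb_user NAME PASSWD_FILE GROUP_FILE SHADOW_FILE
# Adds the same three entries the post adds by hand, but locks the Unix
# password with "*": Samba checks credentials against smbpasswd and /bin/false
# already blocks shell logins, so no Unix password is needed. Prints the UID.
add_smb_user() {
    name=$1; passwd=$2; group=$3; shadow=$4
    if grep -q "^$name:" "$passwd"; then
        echo "user $name already exists in $passwd" >&2
        return 1
    fi
    uid=$(next_free_uid "$passwd")
    echo "$name:x:$uid:$uid:$name:/:/bin/false" >> "$passwd"
    echo "$name:x:$uid:" >> "$group"
    echo "$name:*:0:0:99999:7:::" >> "$shadow"
    echo "$uid"
}

# audit_samba_uci FILE: exit 0 if no sambashare section has guest_ok 'yes';
# otherwise print the offending share names and exit 1.
audit_samba_uci() {
    sed "s/'//g" "$1" | awk '
        /^config sambashare/ { share = "?" }
        /option name/ { share = $3 }
        /option guest_ok/ && $3 == "yes" { print "guest access on share " share; bad = 1 }
        END { exit bad + 0 }'
}

# Demo on constructed copies; for real use pass /etc/passwd, /etc/group,
# /etc/shadow and /etc/config/samba, then run smbpasswd -a NAME and restart samba.
demo=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/ash\n' > "$demo/passwd"
printf 'root:x:0:\n' > "$demo/group"
printf 'root:LOCKED_PLACEHOLDER:0:0:99999:7:::\n' > "$demo/shadow"
add_smb_user nop "$demo/passwd" "$demo/group" "$demo/shadow"
printf "config sambashare\n\toption name 'GL-Samba'\n\toption guest_ok 'yes'\n" > "$demo/samba"
audit_samba_uci "$demo/samba" || echo "set guest_ok 'no' and restart samba"
rm -rf "$demo"
```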