Secure SMB On OpenWrt

This blog post describes how to protect your SMB share on an OpenWrt-based device with user authentication, as this is not done by default. I used the GL-iNet Shadow GL-AR300M16 for this demonstration.

Installing The Software

To begin with, it is necessary to install the smb-server software on your GL-iNet router.

Simply navigate to http://192.168.8.1/#/share (or, if you changed it, your new router IP) and click on install.

Now a simple share can already be configured, although the configuration options in the web GUI are pretty limited.

It is not possible to restrict the access to the share in any way in the web interface (except by limiting it to the LAN).

In order to secure the share with some proper authentication, it is necessary to SSH into the router.

The default SMB config will look similar to the following:

[global]
	netbios name = OpenWrt
	display charset = UTF-8
	interfaces = lo br-lan
	server string = OpenWrt
	unix charset = UTF-8
	workgroup = WORKGROUP
	bind interfaces only = yes
	deadtime = 30
	enable core files = no
	invalid users = root
	local master = no
	map to guest = Bad User
	max protocol = SMB2
	min receivefile size = 16384
	null passwords = yes
	passdb backend = smbpasswd
	security = user
	smb passwd file = /etc/samba/smbpasswd
	use sendfile = yes

[homes]
	comment     = Home Directories
	browsable   = no
	read only   = no
	create mode = 0750

[GL-Samba]
	path = /mnt/sda1/share
	read only = no
	guest ok = yes

Because the share sets guest ok = yes, this configuration allows anyone on our LAN to access the share without any authentication.


Creating A New User

Depending on whether you want to use the root account for the share or not, you may have to add a new user first. As useradd and adduser are not available, you have to do it manually:

In case you are not creating a new user, you have to remove the line invalid users = root from smb.conf.template, otherwise the root user won't be allowed to authenticate.

Finally, create an entry in the smbpasswd file: smbpasswd -a nop


Modifying The Config

If you want to take a look at the opkg package, you can download it from GitHub and extract it using: tar -xf samba36-server.ipk

To change the SMB config, you have to edit /etc/config/samba, which looks kinda like this by default:

config samba
        option workgroup 'WORKGROUP'
        option homes '1'
        option name 'GL-AR300M'
        option description 'GL-AR300M-d8a'
        option interface 'loopback lan    '

config sambashare
        option name 'GL-Samba'
        option path '/mnt/sda1/share'
        option guest_ok 'yes'
        option read_only 'yes'

Let's disable the guest login:

config samba
        option name 'OpenWrt'
        option workgroup 'WORKGROUP'
        option description 'OpenWrt'
        option homes '1'
        option interface 'loopback lan    '

config sambashare
        option name 'GL-Samba'
        option guest_ok 'no'
        option read_only 'no'
        option path '/mnt/sda1/share'

Lastly, restart the service to apply the changes: /etc/init.d/samba restart

(If you chose this way instead of modifying the shell script (/etc/init.d/samba) directly, please do not configure your share via the web panel from now on to prevent unwanted changes.)
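
A check to run after the restart (and again after any change made through the web panel), as an added example that is not part of the original post: it lists every section of an smb.conf that still permits guest access. The function names and samples are constructed for illustration; the file to inspect is passed as an argument, and on OpenWrt's samba36 package the generated file is assumed to be /var/etc/smb.conf, which the page does not state.

```shell
#!/bin/sh
# Added example: list the sections of an smb.conf that still allow guest access.
# Reads the file named as the first argument, or stdin when none is given.
guest_shares() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[.*\]/ {                           # section header, e.g. [GL-Samba]
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        index($0, "=") > 0 {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)                  # Samba ignores spaces in option names
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            # "public" is a synonym for "guest ok"
            if ((key == "guestok" || key == "public") &&
                (val == "yes" || val == "true" || val == "on" || val == "1"))
                print section
        }
    ' "$@"
}

# Exit status 0 only when no section allows guest access.
no_guest_access() {
    found=$(guest_shares "$@")
    [ -z "$found" ] && return 0
    echo "guest access still enabled on: $found" >&2
    return 1
}

# Constructed samples modelled on the [GL-Samba] share shown above.
sample_before='[global]
    map to guest = Bad User
[GL-Samba]
    path = /mnt/sda1/share
    guest ok = yes'
sample_after='[global]
    map to guest = Bad User
[GL-Samba]
    path = /mnt/sda1/share
    guest ok = no'

printf '%s\n' "$sample_before" | guest_shares   # prints: GL-Samba
printf '%s\n' "$sample_after"  | guest_shares   # prints nothing
```

On the router, call no_guest_access with the path of the generated configuration; a non-zero exit status means at least one section still accepts guests.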