Author Topic: WZR-HP-G450H Samba Security  (Read 2472 times)

troopa55

  • Calf
  • *
  • Posts: 3
WZR-HP-G450H Samba Security
« on: January 08, 2013, 07:51:59 AM »

The default security settings for Samba are horrible. If you are using the default DD-WRT to share a usb device through your router then you might be opening yourself up to a giant security risk. Buffalo needs to modify the default smb.conf to harden the service against security and privacy related threats; especially due to the nature of Samba and the fact that this is housed on a router so it won't see frequent software updates. This means most users will be running older versions of Samba as time goes on and are opening themselves up to be exploited by nefarious third-parties across the Internet.

 

Basically my beef is as follows: Buffalo released their version of DD-WRT with a smb.conf  that goes against the security recommandations of the official developers:

 

1) It sets usershare allow guests = Yes which is a terrible idea. This should default to usershare allow guests = No

2) They do not limit access to router shares based on the local network range. It listens for all incoming connections by default, even those from across the Internet. This kind of makes no sense on a router, and goes against what most people are actually trying to achieve.

 

 

Below is a configuration template Buffalo should use to increase the overall security of their product. My number one issue is that, by default, Samba should never allow remote connections; only those from the internal network.

 

Buffalo, please consider using this as your default template: (based on my usb core support not having printers enabled. You will need to modify this to taste)

 

[global]
hosts allow = 127.0.0.1 192.168.0.0/24 #only allow local clients to access samba. Remote clients cannot.
hosts deny = 0.0.0.0/0
netbios name = Test
server string = Test
syslog = 10
encrypt passwords = true
obey pam restrictions = yes
preferred master = yes
os level = 20
security = user
mangled names = no
max stat cache size = 64
workgroup = homegroup
bind interfaces only = Yes
guest account = nobody
map to guest = Bad User
smb passwd file = /var/samba/smbpasswd
private dir = /var/samba
passdb backend = smbpasswd
log file = /var/smbd.log
max log size = 1000
socket options = TCP_NODELAY
printing = none
load printers = No
usershare allow guests = No #Disallow guest access
[Backups]
comment = Test
path = /path/to/device
read only = No
guest ok = No #no guests
valid users = user1, user2 #specify users for each share
force user = root #Lame workaround because of DD-WRT. Not much Buffalo can do.

 

 

If nothing else I think

hosts allow = 127.0.0.1 192.168.0.0/24 #only allow local clients to access samba. Remote clients cannot.
hosts deny = 0.0.0.0/0

 

Should be added to your default Samba configuration. This will protect all users who choose to use the GUI to configure Samba and their outdated versions cannot be exploited over the Internet. I say make the end-user use a custom configuration to allow silly cake like accessing Samba across the Internet, etc. Make the default GUI features safer.