Patching some security problems in Samba

QNAP is built upon Debian, created and designed by a bunch of wise guys, constantly being improved and used around the world, sometimes in very important solutions. Thus, it is generally a safe and secured solution. On the other hand, there isn't (there never was and there never will be) any thing, done by a human, that another human wouldn't be able to breke, change, alter or destroy. So, there is always a good idea to improve security, whenever you're possible to do so. This article discusses some smaller or bigger security holes in Samba on board QNAP with a possible solution or workaround.

Warning! Don't you ever edit smb.conf file under Windows, in any program that is not supporting Linux end-of-line characters (Notepad does not!). This will convert all line ending characters in this file from CR (Carriage Return) used on Linux to CR+LF (Carriage Return + Line Feed) used on Windows, making this file (and whole Samba service) completely unusable on your QNAP! For editing QNAP files on Windows always uses editor that supports Linux line ends (like Notepad++)!

For above reason and for many more, you should always backup your file, before editing it, as incorrect content of smb.conf may render your shares inaccessible by anyone (or on contrary -- accessible by too many people).

Here are some easy to implement tricks on making your QNAP a little bit more secure than it is out-of-the box:

  1. Login to your QNAP via SSH (PuTTY?).
  2. Edit /etc/smb.conf (actually /etc/config/smb.conf, as first one is a symlink).
  3. Change or add following lines in [General] section:
    • set map to guest to Never,
    • set restrict anonymous to 2.

Warning! In many places you'll find out a suggestion to edit /etc/config/smb.conf and change line guest account = guest, so it would point to a non-existing account. This solution fails completely on TS-210. Whenever I do this and restart server I got whole bunch of warnings saying about unsuccessful attempt to restart smbd, which explicitly says that something went wrong (Re-launch process [smbd].).

This is very strange situation, as even official Samba manual says that default setting for this option is guest account = nobody. But the facts are that if under TS-210 I change line guest account = guest to guest account = nobody or to anything else (any other non-existing user), Samba fails to launch.

Other things you may consider:

  1. Login to QNAP via web-panel.
  2. Go to System Administration > Security section.
  3. Set Network Access Protection to some restrictive policy.

Usually I set, for any protocol, at least: In 1 minute, after unsuccessful attempts for 5 times, block the IP for 30 minutes". Sometimes even higher. This shouldn't affect your normal usage of QNAP and should reduce scanning of your QNAP greatly, reducing both load and possible threats.

As an addition or alternative you may consider setting Security Level to High: Allow connections from the list only and adding only IP addresses or ranges, whom you trust. This rises security of you QNAP to a very high level, but could be dangerous to yourself or other trusted peoplem as you can permanently block access to your device! Using this option is especially discouraged, if you're accessing Internet from behind NAT, using non-static IP addresses or if your IP address may change suddenly.

Leave a Reply