03fc35ss Posted January 28, 2022

Hi folks, after spending a fair bit of time hardening my SMB configuration I figured I'd write a quick guide on what I consider the best settings for the security of an SMB server running on Unraid 6.9.2.

First, before we get into SMB settings, you may also want to consider hardening the data while it is at rest by specifying an encrypted file-system type for your array (although this isn't a share-specific option).

For SMB, first set the SMB settings available:

I've settled on this, as the following block is what I consider to be a hardened SMB configuration for a standalone server that is not domain joined or using Kerberos authentication:

    server min protocol = SMB3_11
    client ipc min protocol = SMB3_11
    client signing = mandatory
    server signing = mandatory
    client ipc signing = mandatory
    client NTLMv2 auth = yes
    smb encrypt = required
    restrict anonymous = 2
    null passwords = No
    raw NTLMv2 auth = no

This configuration block is to be entered into the SMB extras configuration section of the SMB settings page. These settings will break compatibility with legacy clients, but when I say legacy I'm talking Windows Server 2003/XP. Windows 10+ clients should work without issue as they all support (but are not necessarily configured to REQUIRE) these security features.

These settings force the following security options:

- All communications must occur via SMB v3.1.1
- All communications force the use of signing for communications
- NTLMv2 authentication is required; LanMan authentication is implicitly disabled.
- All communications must be encrypted
- Anonymous access is disabled
- Null session access is disabled
- NTLMSSP is required for all NTLMv2 authentication attempts

In addition, the following security settings are configured for each available share:

Also ensure that you create a non-root user to access the shares with and that all accounts use strong passwords (ideally 12+ complex characters).

Finally, a couple of things to note:

- If you read the release notes for Unraid 6.9.2, you'll see that Unraid uses samba: version 4.12.14. This is extremely important. If you, like me, google SMB configuration settings you'll eventually come across the documentation for the current version of SMB. But! Unraid is not running the latest version, and that's extremely important. The correct documentation to follow is for the 4.12 branch of Samba, and the configuration options are significantly different, enough that a valid config for 4.15 will not work for 4.12.
- With "null passwords = No" you must enable Secure or Private security modes on each exported Unraid share; guest access won't work.
- There is currently no way to add per-share custom smb.conf settings. So either the server gets hardened or it does not. Do not apply a [share_name] tag as it will not work.
- It is not possible to specify `client smb3 encryption algorithms` in version 4.12.x of Samba.
- Kerberos authentication and domain authentication may be preferable in other circumstances; in this instance, additional hardening options may be considered.
- If you, like me, use VLC media player on mobile devices, you may find that SMBv3 with encryption makes the host inaccessible on iOS devices. The VLC team is aware of this and there is a fix available if you have the bleeding edge/development version of the app, but not if you download the current store version (last I checked, the fix hadn't been released). Should work fine with Android/Windows VLC.

If you have any suggestions for other options that I have not included here, or that you think are a mistake, please let me know and I'd be most happy to look into them and adjust.

Some other quick hardening suggestions for Unraid hardening in general. Disable whatever services you don't need. In my case, that means I:

- Disable NFS
- Disable FTP
- Disable 'Start APC UPS daemon'
- If you enable Syslog, also enable NTP and configure it.
- Disable Docker. Quick note on Docker: having the service enabled allows for 'ip forwarding', which could, in theory, be used to route traffic via the host to bypass firewall rules (depending on your network topology, obviously).

Hope that helps someone else out there. Cheers!
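A practitioner pasting a block like the one above usually wants a way to check it before trusting it. The script below is an added example, not part of the post or of Samba/Unraid: it parses an SMB Extras block, fills in the smb.conf(5) defaults for keys that were not set, and reports which of the goals listed in the post are not met. It folds the spellings Samba accepts for signing and encryption values ("mandatory", "required", "yes", "force", and so on) to one word, so it reads the same whether you write the 4.12 or the 4.15+ form, and it separates the `client ...` keys out as notes, since those govern Samba's own outbound connections (smbclient, winbind), not what an inbound Windows or Mac client is made to do. WEAK_EXTRAS is a constructed sample; HARDENED_EXTRAS is the block from the post.

```python
"""Audit an Unraid "SMB Extras" block (global smb.conf parameters) against the
hardening goals described in the post.  Added example, not from the post or
from Samba/Unraid.  Key names, accepted values and DEFAULTS follow smb.conf(5);
WEAK_EXTRAS is constructed for the demonstration."""
import re

DIALECT_RANK = {"NT1": 0, "SMB2_02": 1, "SMB2_10": 2, "SMB2": 2,
                "SMB3_00": 3, "SMB3_02": 4, "SMB3_11": 5, "SMB3": 5}
# Spellings Samba accepts for signing/encryption values, folded to one word.
SYNONYMS = {"mandatory": "required", "force": "required", "forced": "required",
            "yes": "required", "true": "required", "off": "disabled",
            "no": "disabled", "false": "disabled", "auto": "if_required"}
# smb.conf(5) defaults (4.12 through 4.17) for keys the audit reads.
DEFAULTS = {"server min protocol": "SMB2_02", "server signing": "default",
            "smb encrypt": "default", "restrict anonymous": "0", "null passwords": "no",
            "ntlm auth": "ntlmv2-only", "lanman auth": "no", "raw ntlmv2 auth": "no"}
CLIENT_SIDE = re.compile(r"^client\b")   # Samba-as-client settings (smbclient, winbind)

HARDENED_EXTRAS = """server min protocol = SMB3_11
client ipc min protocol = SMB3_11
client signing = mandatory
server signing = mandatory
client ipc signing = mandatory
client NTLMv2 auth = yes
smb encrypt = required
restrict anonymous = 2
null passwords = No
raw NTLMv2 auth = no
"""
WEAK_EXTRAS = """# constructed sample: a share header plus weakened globals
[media]
server min protocol = NT1
server signing = auto
restrict anonymous = 0
"""


def parse_extras(text):
    """Parse `key = value` lines into {normalised key: value} and collect any
    [section] headers, which the SMB Extras box does not honour per share."""
    params, sections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append(line[1:-1])
            continue
        key, _, value = line.partition("=")
        params[" ".join(key.lower().split())] = value.strip()
    return params, sections


def norm(value):
    v = " ".join(value.lower().split())
    return SYNONYMS.get(v, v)


def audit(text):
    """Return (failures, notes): failures leave the server weaker than the
    post's goals, notes are advisory."""
    params, sections = parse_extras(text)

    def get(key):
        return params.get(key, DEFAULTS.get(key, ""))

    failures, notes = [], []
    if sections:
        failures.append("per-share [%s] headers are ignored in SMB Extras" % "], [".join(sections))
    proto = get("server min protocol")
    rank = DIALECT_RANK.get(proto.upper(), -1)
    if rank < DIALECT_RANK["SMB3_00"]:
        failures.append("server min protocol %r admits dialects with no encryption support" % proto)
    elif rank < DIALECT_RANK["SMB3_11"]:
        notes.append("server min protocol %r admits SMB 3.0/3.0.2, which lack 3.1.1 pre-auth integrity" % proto)
    for key, expect, msg in (("server signing", "required", "signing not required on inbound connections"),
                             ("null passwords", "disabled", "null passwords enabled"),
                             ("lanman auth", "disabled", "LanMan auth enabled"),
                             ("raw ntlmv2 auth", "disabled", "raw NTLMv2 auth outside NTLMSSP allowed")):
        if norm(get(key)) != expect:
            failures.append("%s (%s = %s)" % (msg, key, get(key) or "default"))
    # 4.15+ split `smb encrypt` into server/client variants; the server key wins if set.
    enc = params.get("server smb encrypt", get("smb encrypt"))
    if norm(enc) != "required":
        failures.append("unencrypted sessions still accepted (smb encrypt = %s)" % enc)
    if get("restrict anonymous") != "2":
        failures.append("restrict anonymous = %s, expected 2" % get("restrict anonymous"))
    if get("ntlm auth").lower() not in ("ntlmv2-only", "no", "mschapv2-and-ntlmv2-only", "disabled"):
        failures.append("ntlm auth = %s permits NTLMv1 responses" % get("ntlm auth"))
    for key in params:
        if CLIENT_SIDE.match(key):
            notes.append("%r only governs Samba's own outbound connections, not inbound clients" % key)
    return failures, notes


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_EXTRAS), ("weak", WEAK_EXTRAS)):
        fails, notes = audit(text)
        print(name, "FAIL" if fails else "OK", fails, notes)
```

The audit only reads the text; to confirm Samba itself accepts every value after you save the page, run `testparm -s` against the generated smb.conf on the server, which rejects unknown parameters and prints the effective settings.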
User4123123 Posted January 29, 2022

Thank you very much for your research and the clarification about that topic.
03fc35ss (Author) Posted January 29, 2022

No worries, @User4123123. Hope it helps! Note that the commands will be different for the next release of Unraid, as it appears there will be a migration to Samba version 4.15.
03fc35ss (Author) Posted February 2, 2022

Just a note: in light of the current issues regarding CVE-2021-44142 I would strongly encourage SMB users to disable the 'Enhanced macOS interoperability' setting in the SMB settings page to mitigate the issues until a patch is released:

As always seems to be the case in security, if you don't need a feature, disable it and reduce your attack surface.
akv66 Posted February 12, 2022

Thanks for this great guide! Maybe a dumb question, but have you found a way to block specific users from accessing some shares? I only get the option on the share of read-only or R/W. I miss the "no access".
Squid Posted February 12, 2022

12 minutes ago, akv66 said:
    Thanks for this great guide! Maybe a dumb question, but have you found a way to block specific users from accessing some shares? I only get the option on the share of read-only or R/W. I miss the "no access".

You set the security to private.
akv66 Posted February 12, 2022

8 minutes ago, Squid said:
    You set the security to private.

Thanks @Squid. That was a quick and simple answer (or most probably a dumb question).
03fc35ss (Author) Posted February 13, 2022

Note that the next version of Unraid OS (currently 6.10.0-rc2) will be using Samba 4.15 or higher as per these release notes:

Once it is out of RC status, I'll update the guide with the 4.15 flags to achieve the same hardening setup as above.
L0rdRaiden Posted April 9, 2022

@limetech maybe this setup, or some of the settings, should be the default or at least available in the web UI.
L0rdRaiden Posted May 18, 2022

On 2/13/2022 at 11:36 AM, 03fc35ss said:
    Note that the next version of Unraid OS (currently 6.10.0-rc2) will be using Samba 4.15 or higher as per these release notes. Once it is out of RC status, I'll update the guide with the 4.15 flags to achieve the same hardening setup as above.

Unraid 6.10 is out. Could you please update the hardening for Samba 4.15? Thanks.
Howboys Posted September 19, 2022

Just skimming https://www.samba.org/samba/docs/4.15/man-html/smb.conf.5.html, the config in the OP should continue to work as in 4.12.
L0rdRaiden Posted October 27, 2022 (edited)

I have scanned the server and I got this "vulnerability" in the SMB config. Is it a real issue or a FP? Is there something that can be improved?

    Medium: SMB Signing not required

    Description: Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.

    Solution: Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.

    See Also:
    http://www.nessus.org/u?df39b8b3
    http://technet.microsoft.com/en-us/library/cc731957.aspx
    http://www.nessus.org/u?74b80723
    https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
    http://www.nessus.org/u?a3cac4ea

Edited October 27, 2022 by L0rdRaiden
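A scanner reaches that finding by reading one field: the SecurityMode in the server's SMB2 NEGOTIATE response, where Samba sets the SIGNING_REQUIRED bit (0x0002) only when `server signing` resolves to required. Reading that field yourself tells you whether the setting took effect on the connection, and the same exchange shows which dialect the server picks and, for 3.1.1, which encryption cipher it selected. The script below is an added example, not part of this thread or of Nessus or Samba; the wire formats follow [MS-SMB2] 2.2.1.2, 2.2.3 and 2.2.4. make_negotiate_response() constructs a fake server reply (not a capture) so the parser can be exercised without a server; probe() sends a real request to a host you name.

```python
"""Read what an SMB server advertises in its SMB2 NEGOTIATE response: dialect,
the SecurityMode signing bits behind a "SMB Signing not required" finding, and
encryption support.  Added example, not from the thread, Nessus or Samba; wire
formats follow [MS-SMB2] 2.2.1.2 (header), 2.2.3 (request), 2.2.4 (response).
make_negotiate_response() builds a constructed reply; probe() talks to a host."""
import os
import socket
import struct
import uuid

SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002          # SecurityMode bits
CAP_ENCRYPTION = 0x00000040                                 # Capabilities bit, SMB 3.0/3.0.2 only
CTX_PREAUTH_INTEGRITY, CTX_ENCRYPTION = 0x0001, 0x0002      # 3.1.1 negotiate context types
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
CIPHERS = {1: "AES-128-CCM", 2: "AES-128-GCM", 3: "AES-256-CCM", 4: "AES-256-GCM"}
RESP_FMT = "<HHHH16sIIIIQQHHI"                              # response fixed part, 64 bytes


def smb2_header(command, flags=0):
    """64-byte SMB2 header: unsigned, message id 0, one credit, no session/tree."""
    return struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, command, 1,
                       flags, 0, 0, 0, 0, 0, b"\0" * 16)


def context(ctype, data):
    return struct.pack("<HHI", ctype, len(data), 0) + data     # type, length, reserved, data


def build_negotiate(dialects=(0x0202, 0x0210, 0x0300, 0x0302, 0x0311)):
    """NetBIOS-framed NEGOTIATE request.  Offering 3.1.1 requires a pre-auth
    integrity context (SHA-512 + 32-byte salt); we also advertise GCM/CCM."""
    contexts = b""
    if 0x0311 in dialects:
        preauth = context(CTX_PREAUTH_INTEGRITY, struct.pack("<HHH", 1, 32, 1) + os.urandom(32))
        preauth += b"\0" * (-len(preauth) % 8)                # contexts are 8-byte aligned
        contexts = preauth + context(CTX_ENCRYPTION, struct.pack("<HHH", 2, 2, 1))
    dialect_blob = struct.pack("<%dH" % len(dialects), *dialects)
    fixed = 64 + 36 + len(dialect_blob)
    ctx_offset = fixed + (-fixed % 8)
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), SIGNING_ENABLED, 0, CAP_ENCRYPTION,
                       uuid.uuid4().bytes, ctx_offset if contexts else 0, 2 if contexts else 0, 0)
    pkt = smb2_header(SMB2_NEGOTIATE) + body + dialect_blob
    if contexts:
        pkt += b"\0" * (ctx_offset - len(pkt)) + contexts
    return struct.pack(">I", len(pkt)) + pkt


def parse_negotiate_response(pkt):
    """pkt starts at the SMB2 header (NetBIOS framing stripped).  Returns the
    negotiated dialect, the two signing bits and encryption support."""
    proto, hsize, _, status, cmd = struct.unpack_from("<4sHHIH", pkt, 0)
    if proto != b"\xfeSMB" or hsize != 64 or cmd != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE response")
    if status:
        raise ValueError("server returned NT status 0x%08x" % status)
    f = struct.unpack_from(RESP_FMT, pkt, 64)
    if f[0] != 65:
        raise ValueError("bad NEGOTIATE StructureSize %d" % f[0])
    secmode, dialect, ctx_count, caps, ctx_offset = f[1], f[2], f[3], f[5], f[13]
    ciphers = []
    if dialect == 0x0311:      # 3.1.1 announces encryption via a context, not Capabilities
        pos = ctx_offset
        for _ in range(ctx_count):
            ctype, dlen, _ = struct.unpack_from("<HHI", pkt, pos)
            if ctype == CTX_ENCRYPTION:
                n = struct.unpack_from("<H", pkt, pos + 8)[0]
                ciphers = [CIPHERS.get(c, hex(c)) for c in struct.unpack_from("<%dH" % n, pkt, pos + 10)]
            pos += 8 + dlen + (-(8 + dlen) % 8)
    return {"dialect": DIALECTS.get(dialect, hex(dialect)),
            "signing_enabled": bool(secmode & SIGNING_ENABLED),
            "signing_required": bool(secmode & SIGNING_REQUIRED),
            "encryption": bool(caps & CAP_ENCRYPTION) or bool(ciphers),
            "ciphers": ciphers}


def make_negotiate_response(security_mode, dialect, ciphers=()):
    """Constructed server reply (not a capture): given SecurityMode and dialect;
    for 3.1.1 an encryption context listing `ciphers`, for 3.0.x the cap bit."""
    ctx = b""
    if dialect == 0x0311 and ciphers:
        ctx = context(CTX_ENCRYPTION, struct.pack("<H%dH" % len(ciphers), len(ciphers), *ciphers))
    caps = CAP_ENCRYPTION if ciphers and dialect in (0x0300, 0x0302) else 0
    body = struct.pack(RESP_FMT, 65, security_mode, dialect, 1 if ctx else 0, b"\0" * 16, caps,
                       1 << 23, 1 << 23, 1 << 23, 0, 0, 128, 0, 128 if ctx else 0)
    return smb2_header(SMB2_NEGOTIATE, flags=0x1) + body + ctx


def probe(host, port=445, timeout=5):
    """Send one NEGOTIATE to host:port and report what the server advertises."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate())
        f = s.makefile("rb")
        length = struct.unpack(">I", f.read(4))[0] & 0x00FFFFFF
        return parse_negotiate_response(f.read(length))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else
          parse_negotiate_response(make_negotiate_response(3, 0x0311, (2,))))
```

Run `python3 smb_negotiate.py <host>` against the Unraid box: `signing_required: True` means `server signing = mandatory` is in effect and the finding is stale; `False` means the setting did not apply, which `testparm -s` on the server will also show. Two caveats when reading the result: on an SMB3 session that is encrypted, the encryption provides integrity and signing is not used on the wire, but the NEGOTIATE flag still reflects only `server signing`, so a scanner will keep reporting it; and passing a narrower `dialects` tuple (say, without 0x0311) shows whether a server with a given `server min protocol` will negotiate at all with a client that cannot offer 3.1.1, or answers with an NT status instead.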
wgstarks Posted October 27, 2022

I know that changes were made in 6.11.1 for how SMB settings for some plugins are applied. Are these settings still applied in smb-extras?
Evolze Posted February 19

Hey all, sorry to revive an older post, but I came across an issue with this configuration, at least on macOS. Is anyone else having this issue?

From Windows and Linux, I'm able to connect to any Unraid SMB share without an issue. However, if I attempt to mount them or even connect to them on macOS, I get the following error message:

From Finder >> Go >> Connect to Server... (Command + K)

Attempt #1: smb://Tower/data
    There was a problem connecting to the server "Tower". URLs with the type "smb:" are not supported.

Attempt #2: smb://10.0.0.X/data
    There was a problem connecting to the server "10.0.0.X". URLs with the type "smb:" are not supported.

I have tried both the IP address and the hostname via DNS as well; no go. I did some digging and there does not seem to be a lot of helpful info online. For reference, this is the SMB Extra configuration I am currently using:

    server min protocol = SMB3_11
    client ipc min protocol = SMB3_11
    client signing = mandatory
    server signing = mandatory
    client ipc signing = mandatory
    client NTLMv2 auth = yes
    smb encrypt = required
    restrict anonymous = 2
    null passwords = no
    raw NTLMv2 auth = no

I did do some troubleshooting, and if I remove this 'extra' configuration from SMB, everything on macOS seems to work. I am currently running macOS Catalina 10.15.7 and since my MacBook Pro is a Mid 2012, this is the only "official" OS option I have.

@wgstarks Could you possibly post or provide your SMB extra configuration file for reference? I ask as your Unraid Forum bio mentions you use an all-Mac network, so it must be working for you in some way, shape, or form. 😀
wgstarks Posted February 19

2 hours ago, Evolze said:
    @wgstarks Could you possibly post or provide your SMB extra configuration file for reference? I ask as your Unraid Forum bio mentions you use an all-Mac network, so it must be working for you in some way, shape, or form.

I'm no longer using SMB extra configuration. https://forums.unraid.net/bug-reports/prereleases/macos-optimization-r2087/
Evolze Posted February 19

8 hours ago, wgstarks said:
    I'm no longer using SMB extra configuration. https://forums.unraid.net/bug-reports/prereleases/macos-optimization-r2087/

Thanks so much! I'll take a look and make some adjustments. 😀
ericswpark Posted February 23

The following two lines cause SMB to stop working on iOS devices:

    #server min protocol = SMB3_11
    #client ipc min protocol = SMB3_11

I haven't experimented with exactly which line is causing the problem, but I guess iOS devices don't support SMBv3 yet. Tested on the latest iOS/iPadOS 16 release. All the other configuration options don't cause a problem, so feel free to keep them enabled.

In the Files app, you get an "Operation Not Supported" error, and the FE File Explorer app shows a "Permission denied" error and asks to sign in again.
ericswpark Posted February 24

After further testing, here's the config that worked for me:

    server min protocol = SMB3_02
    client ipc min protocol = SMB3_11

So iOS/iPadOS devices running 16.3.1 seem to only support SMB as it was developed/implemented in Windows 8.1 days. (For reference: `SMB3_02` is the Windows 8.1 implementation, while `SMB3_11` is Windows 10 (not 11).) The `client ipc min protocol` does not matter, so you can leave it on `SMB3_11` and it will not make a difference.

This config works for both the built-in SMB provider in the Files app and for the FE File Explorer Pro app. I can confirm even the latest stable release of iOS VLC works too on this config, which suggests to me that either the app was finally fixed or that iOS devices just don't support `SMB3_11` as a whole for the server minimum protocol.
dopeytree Posted June 20 (edited)

Thanks, used this to do the opposite and FORCE client and server signing to disabled. Seems to have sped up transfers on Mac.

    server min protocol = SMB3_11
    client ipc min protocol = SMB3_11
    client signing = disabled
    server signing = disabled
    smb encrypt = default
    null passwords = No
    raw NTLMv2 auth = no

Edited June 20 by dopeytree
03fc35ss (Author) Posted July 25

On 6/20/2023 at 6:22 PM, dopeytree said:
    Thanks, used this to do the opposite and FORCE client and server signing to disabled. Seems to have sped up transfers on Mac.

The purpose of this thread is to IMPROVE the security configuration, not reduce it. Enabling encryption and signing does cause a performance hit. These mitigations/hardening options are meant for networks where there are potentially untrusted clients (corporate networks), not really for home network setups.

On 2/25/2023 at 12:14 AM, ericswpark said:
    After further testing, here's the config that worked for me:

        server min protocol = SMB3_02
        client ipc min protocol = SMB3_11

    So iOS/iPadOS devices running 16.3.1 seem to only support SMB as it was developed/implemented in Windows 8.1 days. (For reference: `SMB3_02` is the Windows 8.1 implementation, while `SMB3_11` is Windows 10 (not 11).) The `client ipc min protocol` does not matter, so you can leave it on `SMB3_11` and it will not make a difference.

    This config works for both the built-in SMB provider in the Files app and for the FE File Explorer Pro app. I can confirm even the latest stable release of iOS VLC works too on this config, which suggests to me that either the app was finally fixed or that iOS devices just don't support `SMB3_11` as a whole for the server minimum protocol.

SMB3_11 is supported with the beta/TestFlight versions of VLC (currently using 3.4.7 (533)) on iOS. It's a bug I raised with them when I initially wrote this guide. Most 3rd-party apps on Android and iOS do not have support for a hardened version of SMB. I believe it's an app-specific issue and not an OS one.

I'm in the process of building another tower. I see that the Samba version is now 4.17.7, so I'll be updating the config options in line with https://www.samba.org/samba/docs/4.17/man-html/smb.conf.5.html as a reference.
03fc35ss (Author) Posted July 25 (edited)

As expected, some of the syntax changed between versions of Samba (why they would do this for minor versions I have no idea...). This is the current config I believe works. I'll do more testing at a later time to confirm it's all applied correctly.

    server min protocol = SMB3_11
    client ipc min protocol = SMB3_11
    client signing = required
    server signing = mandatory
    client ipc signing = required
    client NTLMv2 auth = yes
    client protection = encrypt
    client smb encrypt = required
    server smb encrypt = required
    smb encrypt = required
    restrict anonymous = 2
    null passwords = No
    raw NTLMv2 auth = no

Edited July 25 by 03fc35ss
dopeytree Posted July 25 (edited)

That config seems to block access from a Mac to the Unraid server. You end up with a 'do not have permission' message.

This is a working config I use:

    server min protocol = SMB3_02
    client ipc min protocol = SMB3_11
    client signing = mandatory
    server signing = mandatory
    client ipc signing = mandatory
    client NTLMv2 auth = yes
    smb encrypt = required
    restrict anonymous = 2
    null passwords = no
    raw NTLMv2 auth = no

It works for Windows 10 PCs and macOS Ventura (13.4.1).

My earlier speed tests were resolved by swapping the PCIe lane, so now back to full speeds. Encryption on Macs is handled by a dedicated chip, so no bottleneck anymore.

Edited July 25 by dopeytree
03fc35ss (Author) Posted July 26

The following config is confirmed working with the test devices I have:

    server min protocol = SMB3_11
    client ipc min protocol = SMB3_11
    server signing = mandatory
    client NTLMv2 auth = yes
    restrict anonymous = 2
    null passwords = no
    raw NTLMv2 auth = no
    smb encrypt = required
    client signing = required
    client ipc signing = required
    client smb encrypt = required
    server smb encrypt = required

Note that the line in my previous config:

    client protection = encrypt

breaks auth attempts, so it shouldn't be used.

@dopeytree It sounds like your issue might be a bug in macOS Ventura. I don't have a macOS device running Ventura to test with, unfortunately. I can confirm I can access file shares with the following devices and the above config:

- macOS Monterey
- Windows 11
- Windows 10
- iOS VLC (using a beta release)
- Android VLC

Also note that the syntax between releases of Samba has changed and 'mandatory' has become 'required' for some settings.
ericswpark Posted July 27 (edited)

@03fc35ss's config above doesn't work with iOS clients. I still have to downgrade the `server min protocol` to `SMB3_02`. Here is my config as of now:

    # Server hardening
    # SMBv3 will break VLC iOS - use prerelease version to fix!
    # SMB3_11 for server min protocol breaks some clients (iOS)
    server min protocol = SMB3_02
    client ipc min protocol = SMB3_11
    server signing = mandatory
    client NTLMv2 auth = yes
    restrict anonymous = 2
    null passwords = no
    raw NTLMv2 auth = no
    smb encrypt = required
    client signing = required
    client ipc signing = required
    client smb encrypt = required
    server smb encrypt = required

Edited July 27 by ericswpark
ccnkbm Posted August 7

This is awesome stuff. I've been slowly setting my Unraid server up as I switched off Synology, and this was a big concern of mine.

Question: does anyone know if this would work as a plugin? I see that there's an "Active Directory Extras" plugin that lets you modify extra AD settings. Just point and click.