August 6, 2025Aug 6 For anyone who is truly concerned about having a secure server, there is one point of entry that is exposed by LimeTech to allow guest access to user files on the server. This situation is discussed below.From the beginning, Unraid has been configured to enable a login to the server using a ‘guest’ account. As anyone with a security background knows, once a hacker has access inside a server, they will start to probe and test for ways to elevate the privileges of that login.To be fair, virtually all of the home NAS’s back before 2010 were using ‘guest’ logins as their default. It made it very simple for the end-users to setup a working network on their home LAN. Plus, it was just past the era of the dial-up Internet connection and there wasn’t the 24-7 online presence for most NAS users. If you wanted more security for your files and information, you were going to do some work to get there. At that time for the vast majority of Unraid users, the threats came from the folks (or the clients) who were already on the LAN!To enable guest accounts, LimeTech has changed a Samba parameter to allow them. This parameter is the ‘map to guest’ one which configured as follows in the standard Unraid install:map to guest = Bad UserThe present Samba default for this parameter is:map to guest = NeverWith this setting, a guest connection will never be permitted and you will be required to log into the server with a valid user name and password to gain any Share access even if it has a ‘Public’ share type configuration. (The figure below is a section from the smb.conf parameter table found here:https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html Edited August 6, 2025Aug 6 by Frank1940
March 5Mar 5 Shouldn't there just be a setting somewhere that could just be easily switched off. Why does something so simple have to be complicated. Who would even want guest access turned on by default???? 🤬 This is frightening. I thought Linux was supposed to be secure? This product seems the exact opposite of secure. How many more things are switched on making me a target ? I don't want anyone anytime to have access to my stuff unless I explicitly allow it with a specific user name and password.
March 5Mar 5 Not that shares are not exported by default; and when you export a share, you can choose not to allow guest access.
March 5Mar 5 yeah, its is not a problem at all.(new) shares need to be exported manuallyat export time you can (and have to) select the permissions manually tooThat guest access still an option for shares has historical reasons. Old installations need it. Removing it would break those on update.
March 5Mar 5 Author 7 hours ago, MHzTweaker said:Shouldn't there just be a setting somewhere that could just be easily switched off. Why does something so simple have to be complicated. Who would even want guest access turned on by default???? 🤬 This is frightening. I thought Linux was supposed to be secure? This product seems the exact opposite of secure. How many more things are switched on making me a target ? I don't want anyone anytime to have access to my stuff unless I explicitly allow it with a specific user name and password.In this post,https://forums.unraid.net/topic/191221-some-musings-on-smb-and-samba-and-unraid-and-windows/#findComment-1561580 there are these paragraphs:Understand that risk of having a minor security hole is relative. IF you have a modern router with up-to-date firmware, a household where you control who has access to your LAN, everyone you allow on it is trustworthy, and If all your Shared Shares are Private with a good password, your security risk factor is very low. When you start to expose yourself by allowing other people to have access to your LAN, setup access from the WAN (Using Tailscale or some other VPN service), you probably need some more protection. Blocking 'Guest' access is the last step in protection. Further, understand that 'risk tolerance' is relative. Some people think sky-diving is a fun weekend sport. Other folks won't even get in an airplane!You also have to ask yourself, am I a target really worth going after? If a three-letter bureau somewhere in the world has an interest in you, you had better be in a total paranoid mode! They will get in, if you can see this post.
March 12Mar 12 As to whether I believe an am a worthy target, I am not sure I care to live in paranoia just wondering. I prefer being proactive. My old router was a Mikrotik cloud router that pretty much required me to do everything manually. Firewall rules had to be programmed manually one by one via the command line or by running a script to do so. It was miserable for me. During the learning curve between the time it took for me to turn it on and realize there was no default active firewall, I watched a continuous stream of attempted logins to this router, I mean like every second at least 1 attempt from many IP addresses all over the planet. Scary $hit. I switched to one of these last December: https://store.ui.com/us/en/category/cloud-gateways-large-scale/products/udm-pro-maxOn 3/5/2026 at 2:43 AM, JorgeB said:Not that shares are not exported by default; and when you export a share, you can choose not to allow guest access.How would I do this?All my shares are private but I don't recall any setting to disable guest access.thanks
March 12Mar 12 21 minutes ago, MHzTweaker said:How would I do this?All my shares are private but I don't recall any setting to disable guest access.You have already done this.Selecting "Private" means: "only known people allowed, guests forbidden".And yeah, I agree, Mikrotik is not for the simple user, it is hardcore. But almost every other brand has defaults for firewalls that are set to "nobody is allowed to be in from the internet". You have to enable access one by one manually.So forget your paranoia, unless you open "DMZ access to machine..." or "allow anybody in" in your firewall, you are safe.It does not need UNRAID then too to filter, the router will keep any baddy outside already.
March 12Mar 12 @MAM59 thanks, I just needed some reassurances. The devil is in the details. I'm only allowing 2 close friends of 5 decades read access to my hoard shares (tailscale) and a small read-write share if either has something interesting they want to leave for me to check out. I don't plan on turning on DMZ for it. I guess if I get super duper paranoid, I can investigate the UniFi CyberSecure Intrusion Detection System yearly subscription that can be added to the Gateway for $99 a year.The Mikrotik seemed like a good idea but I soon realized it's "router OS" while powerful just did not equate to the amount of time I wanted to spend learning it. I replaced the Mikrotik with the Ubiquiti because it couldn't handle my new fiber bandwidth. No way was I leaving 2/3 of my new fiber transfer speed on the table. Don't get me wrong, I never had issues with the CloudRouter. It ran from Dec 2018 to December 2025 with no issues. I should probably sell it or something. It wasn't exactly cheap: https://www.amazon.com/dp/B08437WT3Q?ref_=ppx_hzsearch_conn_dt_b_fed_asin_title_23
March 13Mar 13 I have almost the same Mikrotik (just with 24 ports only, and 2 SFP+), but I am running it just as a switch. I've got some more Mikrotiks, but none of them runs as a router here. Too complicated and, most important, cannot handle IPV6 with dynamic prefixes. This is a no-go in Germany...(Hmm, maybe it NOW can handle it? dunno, but does not matter anymore...)
March 25Mar 25 On 3/12/2026 at 3:39 PM, MHzTweaker said:@MAM59 thanks, I just needed some reassurances. The devil is in the details. I'm only allowing 2 close friends of 5 decades read access to my hoard shares (tailscale) and a small read-write share if either has something interesting they want to leave for me to check out. I don't plan on turning on DMZ for it.I guess if I get super duper paranoid, I can investigate the UniFi CyberSecure Intrusion Detection System yearly subscription that can be added to the Gateway for $99 a year.The Mikrotik seemed like a good idea but I soon realized it's "router OS" while powerful just did not equate to the amount of time I wanted to spend learning it. I replaced the Mikrotik with the Ubiquiti because it couldn't handle my new fiber bandwidth. No way was I leaving 2/3 of my new fiber transfer speed on the table. Don't get me wrong, I never had issues with the CloudRouter. It ran from Dec 2018 to December 2025 with no issues. I should probably sell it or something. It wasn't exactly cheap: https://www.amazon.com/dp/B08437WT3Q?ref_=ppx_hzsearch_conn_dt_b_fed_asin_title_23I added the docker xml into unraid.?what issues are you having?
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.