Samba add-on and security

Yes, I am getting a bit paranoid - I have reluctantly closed my open port on my router - and yes I suspect this has been answered elsewhere but there is a lot of security talk at the moment and specific things are getting hard to find.

Furthermore, the Samba add-on docs are woefully inadequate given the potential for network exposure: some of the config options are not even mentioned, some don’t have an explanation for what they mean, and don’t get me started on the default being "guest": true. (Before you say anything, I am clearly not qualified to update the docs).

So in preparation for the Grand Port Reopening Ceremony at such a time as I can trust HA is secure:

  • My hassio Samba add-on config is as follows. Given that the default allow_hosts config specifies local network ranges, is there any extra benefit security-wise in only allowing one specific IP address?

    {
      "workgroup": "WORKGROUP",
      "name": "hassio",
      "guest": false,
      "map": {
        "config": true,
        "addons": true,
        "ssl": false,
        "share": true,
        "backup": true
      },
      "username": "my_username",
      "password": "my_password",
      "interface": "",
      "allow_hosts": [
        "10.0.0.0/8",
        "172.16.0.0/12",
        "192.168.0.0/16"
      ]
    }

No I don’t think so.
Just don’t PF the port for Samba and use a username and password.
I also use Caddy and only have 2 ports forwarded now - port 80 and a xxxxx port forwarded to 443 internally


Thanks David but (here we go, one question begets another!)

What port does Samba use? None are specified in the config (unlike other add-ins). And why do you have two ports open? I only had one open and everything worked.

I am wondering… The one port I had open for HA which was (not) 8123, was that also effectively the Samba port? If so is that why you use Caddy? I have no idea what Caddy is but I’m off to find out. (I don’t suppose you have a Caddy guide as good as your Sonoff flashing guide do you 🙂?)

Actually I do… here…

I have 80 forwarded for LetsEncrypt certificate renewal and the other is for connection to Home Assistant. Samba uses 445 I think…

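An added example, not part of any post above and not the add-on's own code: a Python check of the options posted in the first message, showing how many source addresses the default allow_hosts list admits compared with a single host and flagging the settings the thread discusses. It assumes allow_hosts is matched against the connecting client's source address; the function names and the sample client addresses are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample: the options from the first post, placeholder credentials kept.
SAMPLE = json.loads("""
{"workgroup": "WORKGROUP", "name": "hassio", "guest": false,
 "map": {"config": true, "addons": true, "ssl": false, "share": true, "backup": true},
 "username": "my_username", "password": "my_password", "interface": "",
 "allow_hosts": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}
""")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def admitted_addresses(allow_hosts):
    """Number of distinct IPv4 addresses the allow list covers (overlaps merged)."""
    nets = [ipaddress.ip_network(h, strict=False) for h in allow_hosts]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def is_admitted(allow_hosts, client_ip):
    """True if client_ip falls inside any allow_hosts entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(h, strict=False) for h in allow_hosts)


def audit(options):
    """Findings for the settings discussed in the thread (hypothetical helper)."""
    findings = []
    if options.get("guest", True):  # the first post reports "guest": true as the default
        findings.append("guest access is enabled")
    elif not options.get("password"):
        findings.append("guest is off but no password is set")
    for entry in options.get("allow_hosts", []):
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 4 or not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"allow_hosts entry {entry} is not inside the RFC 1918 ranges")
    shares = sorted(name for name, on in options.get("map", {}).items() if on)
    findings.append("shares mapped for admitted clients: " + ", ".join(shares))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
    print("default allow_hosts admits", admitted_addresses(SAMPLE["allow_hosts"]), "addresses")
    print("single host admits", admitted_addresses(["192.168.1.20"]), "address")  # constructed IP
```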