How to set up (and secure) a Samba media server for Chromecast usage (in 20 minutes or less!)

Over the last few months, my primary focus has been hacking. As an attacker, seeing file-sharing systems like Samba, FTP, and NFS gets me excited to find loot! However, in my downtime, I love to partake in movie watching from my ever-growing DVD collection.

The problem is that I love using my Chromecast.

The solution was to combine a few different pieces of technology I had lying around to build a quick, affordable, and secure media server for my home network. It also let me step through how to implement basic security controls on a Samba share (as opposed to those you find in hacking labs) to protect against unauthorized access.

Overview

This process makes use of a Linux system to serve a Samba file share over your home internal network. Once the Samba share has been set up, VLC for Android can be used for accessing Samba and Chromecasting to your favorite device.

Heads up! This guide assumes you have a spare computer with Linux installed for Samba. If you prefer Windows or something else, go for it! This also assumes you have a compatible Chromecast already set up on your home network.

Another heads up — this article won’t cover how to obtain your media. Just serve it up. Keep it legal, folks.

Here’s what I used for the setup:

  1. A Raspberry Pi Model 3
  2. My favorite Android device
  3. A home network

With our pieces, it’s time to:

  1. Install Samba
  2. Set up firewall rules
  3. Configure a Samba password
  4. Configure the Samba service
  5. Serve up some media and cast!

Install Samba

To get started, we need to install Samba on our Raspberry Pi. First, let’s make sure our Pi is up to date.

sudo apt-get update
sudo apt-get upgrade -y

With the latest updates in place, Samba can be installed by running:

sudo apt install samba

To make sure the smbd service is enabled and running, let’s run:

sudo systemctl status smbd

If we get Active in our output, we’re good to go!

Set up Firewall Rules

Since this service will only be exposed internally on my own network, this step might not be totally necessary. However, if you plan on ever exposing this service over the public internet, you’ll want to add allow rules so that only IP addresses you trust can access your Samba share. There are many ways to create IP rules, but we’re going to use ufw.

Let’s start by installing ufw if it isn’t already installed on our Pi:

sudo apt install ufw

Now we can add allow rules for the Samba ports (139, 445) to our ruleset:

sudo ufw allow from 192.168.1.0/24 to any port 139
sudo ufw allow from 192.168.1.0/24 to any port 445

Important: Enabling ufw will start denying any connections except for those you specify! If you need to reach your server via SSH, be sure to add additional allow rules. For example, `sudo ufw allow from 192.168.1.0/24 to any port 22` to allow SSH access from inside your network.

With rules in place, time to enable our firewall:

sudo ufw enable

Note you’ll be asked to confirm, but here you can hit y. If you modified connections for SSH, the risk here is that your connection could be dropped.

To confirm your rules, run `sudo ufw status`.
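
To check the ruleset rather than eyeball it, here is an added example (not from the original article) that reads `ufw status` text and flags any rule opening ports 139 or 445 to something other than the LAN range used above. The sample output is constructed, and `sample_ufw_status` and `audit_ufw` are names made up for this sketch.

```shell
#!/bin/sh
# Constructed sample of `sudo ufw status` output (not captured from a real host).
sample_ufw_status() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
139                        ALLOW       192.168.1.0/24
445                        ALLOW       Anywhere
22                         ALLOW       192.168.1.0/24
445 (v6)                   ALLOW       Anywhere (v6)
EOF
}

# audit_ufw LAN_CIDR (hypothetical helper): reads `ufw status` text on stdin,
# prints one FAIL line per problem, returns 1 if any problem was found.
audit_ufw() {
  awk -v lan="$1" '
    /^Status:/ {
      seen = 1
      if ($2 != "active") { print "FAIL firewall status is " $2; bad = 1 }
      next
    }
    / ALLOW / {
      port = $1; sub(/\/.*/, "", port)            # "445/tcp" -> "445"
      if (port != "139" && port != "445") next    # only the Samba ports
      src = $0                                     # text after the Action column
      sub(/^.* ALLOW +(IN +)?/, "", src); sub(/ +$/, "", src)
      if (src != lan) { print "FAIL port " port " allowed from " src; bad = 1 }
    }
    END {
      if (!seen) { print "FAIL no Status line in input"; bad = 1 }
      exit (bad ? 1 : 0)
    }'
}

# Demo run on the constructed sample; "|| true" keeps the script going after findings.
sample_ufw_status | audit_ufw 192.168.1.0/24 || true
```

On the Pi itself, `sudo ufw status | audit_ufw 192.168.1.0/24` runs the same check against the live ruleset.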

Configure a Samba password

This is an easy step, but pretty important.

sudo smbpasswd -a pi

This command adds the user pi for Samba access while prompting you to input your password. There’s definitely a lot more you can do with users and configuration, but let’s keep it simple for now.

Configure the Samba Service

We’re almost there — I promise!

First, let’s make a share we want to expose:

mkdir /home/pi/samba
sudo chown nobody:nogroup /home/pi/samba

Let’s set up a super simple configuration for our Samba share. Using your favorite text editor, nano or vim, we need to edit the /etc/samba/smb.conf file.

sudo nano /etc/samba/smb.conf

At the very bottom of the file, add a configuration like the following:

[samba_folder_name]
# comments must sit on their own line; smb.conf does not support inline comments
# path to the folder you want to share
path = /home/pi/samba
# allows other network devices to find the share
browsable = yes
read only = yes

Feel free to replace `samba_folder_name` with your preferred name — this is how your Samba share will appear on the network.

Now, restart the smbd service to apply your changes.

sudo systemctl restart smbd
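
As an added example (not part of the original article), the function below audits one share section of an smb.conf for the properties this setup relies on: no comment text swallowed into a value, the share kept read-only, and guest access left off. The sample config is constructed with two deliberate mistakes, and `sample_smb_conf` and `audit_share` are names made up for this sketch.

```shell
#!/bin/sh
# Constructed sample: the share from this article, plus two deliberate mistakes.
sample_smb_conf() {
cat <<'EOF'
[global]
   workgroup = WORKGROUP

[samba_folder_name]
path = /home/pi/samba # or path to your folder
browsable = yes
read only = yes
guest ok = yes
EOF
}

# audit_share SHARE (hypothetical helper): reads smb.conf text on stdin, prints
# one FAIL line per problem in [SHARE], returns 1 if any problem was found.
audit_share() {
  awk -v share="$1" '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # whole-line comments, blank lines
    /^[ \t]*\[/ {                                 # section header
      sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec)
      insec = (tolower(sec) == tolower(share)); if (insec) found = 1
      next
    }
    !insec || !index($0, "=") { next }
    {
      eq = index($0, "=")
      key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)  # "read only" -> "readonly"
      val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      # Comments only count at the start of a line, so this text stays in the value.
      if (val ~ /[ \t][#;]/) { print "FAIL " key " value contains comment text: " val; bad = 1 }
      on = (tolower(val) ~ /^(yes|true|1)$/)
      if (key == "readonly") writable = !on        # last setting wins
      if (key == "writable" || key == "writeable") writable = on
      if (key == "guestok" || key == "public") guest = on
    }
    END {
      if (!found)   { print "FAIL share [" share "] not found"; bad = 1 }
      if (writable) { print "FAIL share is writable"; bad = 1 }
      if (guest)    { print "FAIL guest access is enabled"; bad = 1 }
      exit (bad ? 1 : 0)
    }'
}

sample_smb_conf | audit_share samba_folder_name || true
```

On the Pi, `testparm -s` prints the configuration as Samba parsed it, and that output can be piped into the same function.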

Let’s connect!

Set up some media and cast

First, grab your favorite mobile device and install VLC for Android (or its respective iOS counterpart).

Assuming the steps have been done correctly, you should see your server listed.

After tapping on the server and choosing your named share, enter in the username (in this case, pi) and the password you set from earlier.

Finally, select your video file and look for that familiar Chromecast icon.

Your media should magically appear on the chosen device!

Wrapping up

Can we do more with securing Samba? Sure

Can we do some neat port forwarding to make our Samba share accessible over the internet? You betcha

… but I don’t want to for now.

Either way, I hope this has been helpful. The steps in this article have been derived from the sources below so go ahead and check them out for more information on Samba and UFW.

OSCP holder, just a fan of offensive security and nerdy stuff.
