Securing WDMyCloud SSH & FTP Remote Access

hostsdeny.pl
hostsdeny.pl – Self Unlock

This guide consists of two parts related to securing your WDMyCloud NAS, first is to harden your root account and second is to prevent unauthorized access using my universal “hostsdeny.pl” Perl script which can also be used on other platforms. To use this “hostsdeny.pl” Perl script on platforms other than WDMyCloud, please refer to the script comments itself. I’ve tried to put it as simple as possible especially for beginners who’s new to WDMyCloud.

Disclaimer: As I’m frequently updating the original guides and installers here on TeaNazaR.com, I will not be responsible for any brick issues if you were to follow my obsolete guides copied elsewhere. Thus subscribe to this post to get latest updates. Modifying any part of a device may void its warranty.

1) Hardening root account
First part, ok so now you have open up SSH (port 22) and FTP (port 21) in your router to allow incoming access to the WDMyCloud from the internet. Many have overlooked the security issues when you do this. It will allow possible brute force bots attacks from anywhere in the world. If you were to monitor the incoming request especially to the SSH port 22 alone, you’ll be shocked to see lots of invalid logins from  tail -f /var/log/sshd.log some of which were excessively just over a short period. If you have a weak root password (e.g. the default WDMyCloud root password), then it could be compromised in no time.

hostsdeny.pl - FTP Blocked
hostsdeny.pl – FTP Blocked

Possible ways to secure your root access

Don’t forget to change the WDMyCloud default root password! Login as root@wdmycloud using i.e. PuTTY, then change the password:

Disable root login with password! This will prevent the common password dictionary attacks. First and uttermost importantly, create a new admin user or use any preferred existing user in the WDMyCloud Dashboard, set the user to admin group if it’s not already an admin usermod -aG administrators username with a password-less sudo access echo "username ALL=(ALL) NOPASSWD: ALL">>/etc/sudoers. This admin user serve as a backup account to gain super user access incase you lose your RSA/DSA key thus losing the root access. Before you proceed further, please confirm that this admin account works. SSH login using this admin account and switch to root sudo su. If it’s good, then disable the root login using password in nano /etc/ssh/sshd_config:

After saving the file (“CTRL+x” to exit and “y” to save), reload SSHD service service ssh reload.

Only allow root login with RSA/DSA key! Create a root RSA/DSA private/public key pairs to login without password (leave passphrase empty):

Copy the generated private key /root/.ssh/id_rsa to your PC or mobile device. You’ll need this key to login as root without password as you can no longer login remotely as root with password. To login remotely using this key from a normal CLI, ssh -i/path/id_rsa root@wdmycloud.your.isp.ip.or.domain. How to remember your dynamic ISP address? Checkout the first part of my post in WebHosting on WDMyCloud V4 Firmwares. You can also convert this key to a PuTTY Private Key Files (*.ppk) and load it into the PuTTY connection options “Connection->SSH->AUTH”.

2) Prevent Unauthorized Access
Second part, ok so you have secured your root access, what about the rest of the SSH/FTP accounts? What I’m presenting here was actually used long time ago when I was running SSHD on Windows via Cygwin before I had the WDMyCloud NAS. Similar issues I had with Cygwin (POSIX limitation), WDMyCloud doesn’t allow the use of iptables (WD didn’t include in the kernel) which with it you can then install some ready made daemons such as Fail2ban. So I had to resort to use the built-in Windows Firewall back then and here in this case, the tcp-wrapper access control from the /etc/hosts.deny file. To make this access control automated, I’ve modified my old Perl script to work with both Cygwin and WDMyCloud. In fact it should work with any standard Linux/Cygwin distribution.

The setup is fairly simple. Copy the “hostsdeny.pl” Perl script found at the bottom of this post to any path on your WDMyCloud, give it an executable permission chmod 755 /shares/scripts/hostsdeny.pl. Add below to a new line in your crontab to run at boot crontab -e:

Then “CTRL+x” to exit and “y” to save. You can change the nice priority accordingly, nice -n19 as the lowest and nice -n-20 as the highest (not recommended) or just omit the nice command to run at normal priority.

Now run the script manually once, issue /shares/scripts/hostsdeny.pl and it will re-launch itself and run in background . If you’ve made changes to the script, just re-run it again and the previous process will get terminated. To stop the script manually, issue killall hostsdeny.pl.

If you want the script to protect your FTP access as well, you’ll need to modify the vsftpd configuration to allow tcp-wrapper usage . Issue echo "tcp_wrappers=YES">>/etc/vsftpd.conf then reload the vsftpd service service vsftpd reload.

Next is optional but I would highly recommend that you have it done for the sake of convenience in the future. This is for tackling any event that you got yourself remotely locked out from the WDMyCloud when the IP from your remote location gets denied. To regain access, you need to run this “hostsdeny.pl” Perl script in a webserver hosted on the same system, in this case Apache2 which is the preinstalled webserver in WDMyCloud. This requires modifications to the WDMyCloud Apache2 webserver. But if you’re not comfortable doing this yourself, you can also perform the automated install of Nginx from my post WebHosting on WDMyCloud V4 Firmwares and then symlink the “hostsdeny.pl” Perl script to your installed Nginx’s webroot path. Symlink sample is stated at the last point. Note, if you have installed Nginx from my “WebHosting Mods” installer post link above, do not modify Apache2’s configurations as below because it’s using a different incompatible “MPM_Event” module! Instead just follow the part where it doesn’t involves Apache2 changes.

Modifications to WDMyCloud WebServer to enable Perl CGI

Open TCP port 80 on your router to the WDMyCloud, similarly you would have done for SSH port 22 and FTP port 21. This depends on your router, search online on how to do it for your specific router, if necessary. If you’re lucky, the port 80 maybe already selected and opened in the WDMyCloud Dashboard. For Nginx, note the port route stated in my guide was Router:80 -> WDMyCloud:5080.

For Apache2, create a new CGI config file nano /etc/apache2/conf.d/cgi.conf then copy & paste below:

Then “CTRL+x” to exit and “y” to save.

Enable the Apache2 CGI module, issue a2enmod cgi  then reload Apache2 server daemon, issue service apache2 reload. Remember once again to skip the above if you already have Nginx installed from my installer.

It’s recommended to hide the script from public, best password protected, path e.g. here ./private/. This method is also applicable if you had installed Nginx from my installer except the default webroot for Nginx is cd /var/www/html/ and Apache is cd /var/www/htdocs/. After changing to the appropriate webroot path above, now create a new ./private/ folder in the webroot, issue mkdir -pm755 ./private/. Then password protect the path for user e.g. “username”, issue htpasswd -c ./private/.htpasswd username and enter a “password”, enter again to confirm.

Next is to enable the access control for this path.

For Apache2, create a new “.htaccess” file,  nano /var/www/htdocs/private/.htaccess  then copy & paste below:

For Nginx, instead of “.htaccess” file, add below to your server directive config i.e. nano /etc/nginx/sites-enabled/default:

Then reload Nginx server daemon, issue service nginx reload. For either above, remember to “CTRL+x” to exit and “y” to save.

And finally, symlink the original “hostsdeny.pl” Perl script you had created earlier to the webserver’s webroot, issue ln -s /shares/scripts/hostsdeny.pl ./private/.

With the above changes made to your WDMyCloud webserver and at anytime you got yourself locked out due to wrong password entered several times, you can simply perform a self unlock by accessing your webserver e.g. http://wdmycloud.your.isp.ip.or.domain/private/hostsdeny.pl then login using the “username” and “password” you had created earlier. This will clear the ban on all your current location remote or proxy IPs. This simple text page will also display your current settings and blocked list.

You’ll be convinced that your WDMyCloud is well protected when you see lots of unique IP address masks gets blocked in just a few days.

Enjoy (-:

hostsdeny.pl

7 thoughts on “Securing WDMyCloud SSH & FTP Remote Access”

  1. Nazar,

    For password-less log in for root, this line has to be uncomment, right?

    # AllowUsers root (comment out)

    I can never get it work otherwise.

    Tony

  2. hostsdeny.pl Updated!
    v1.2 – 20151112 – Add warning during web access if hostsdeny.pl is not active.

  3. Nazar,

    Awesome job. Although a community.wd.com member for several years and following your posts ever since, I didn’t realize this site existed. It’s bookmarked NOW !!

    Thank You

    1. Hi SectorGZ,

      Thanks. I’ve seen your nick around for several years but think we didn’t get a chance to get into a discussion. WD forum is a bit hard to consolidate so I decided to put some of the write-ups here. Do subscribe to my mailing list. You will only get notified when there’s a new post or apps from me usually once in a blue moon when I have the time (-:

      1. Nazar,

        I have subscribed, so I am looking forward to your news and posts. After looking through your WordPress site I noticed you and your wifes “Lifestyle” … what a beautiful Family. I, too, use to fly RC planes … back in the day, but that got very expensive. Then I got into computing when it first started, not that is any easier on the pocket book … lol.

        I do appreciate all the work on the My Cloud and time you spend at WD …. it is very much appreciated. Especially since we are about the only support we have. 😉

        1. Hi SectorGZ,

          Thanks again for the kinds words. I used to fly RC planes too but casually as compared to RC heli and yeah those were not easy on the pocket especially maintenance after each crash haha.

Leave a Reply

Your email address will not be published.

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax