Blocking FTP access to USB Drive - Security Flaw

I have two MyCloud 4Tb drives, both first generation, and recently I had to do a quick restore on them both. This preserved the data on the drive, so I was able to do some finer tuning on the share access.

One drive is used for FTP access only, I created all my user accounts and went about granting various Deny, Read-Only and Full-Access to the shares for each user, which was when I noticed something unusual.

I keep a directory within the share directory in which I keep maintenance scripts. This had never been a share before as it was created via SSH, but the reset caused it to appear. This wasn’t an issue as I was able to open the directory up to one of the FTP accounts so I could access the scripts remotely for editing and copying purposes, and SSH for executing them.

However the USB drive is also appearing as a share with full access from every FTP account. The problem here is that it is used solely as a backup drive to the MyCloud drive; every share is backed up via crontab and rsync commands. As a result, each FTP account had access to backup files on the USB drive that it was not supposed to have, worse still, they had full access.

I tried (what I thought) were two obvious solutions.

1: On the dashboard, turn the Public Access Off and set all accounts to No Access. But when I connected remotely via FTP it had made no difference, the dashboard was telling me I shouldn’t have access with that account, yet I still had full access remotely via FTP with the supposedly restricted account.

2: I connected via SSH and renamed the share name/folder using the mv command. I thought that if it had a different name than the dashboard it might disappear (not too sure exactly what I was thinking would happen, but it had no effect).

As a result I am left with having to keep the USB drive physically unplugged from the MyCloud drive for the largest part, and once a month I have to ensure that I plug it back in, run my backups, and then eject and detach it - which is a right pain in the backside.

Is there any way I can hide the USB drive from FTP accounts, or restrict it so no one can get into it? And setting the USB Content Availability to OFF doesn’t work either.

Hopefully someone out there can help me with a solution.

Update: 24/11/2018
I thought I’d found a solution to this which I hadn’t, but it left me with more confusion.

I connected to the drive via SSH and deleted the symlink mapping which was pointing to /var/media/… I presumed that removing the symlink would cause the shares to disappear, however this wasn’t the case. When I connected via FTP I could still see the USB drive listed, worse still I could still read all the contents of the drive.

I rebooted the drive hoping that this might be a caching issue, which it wasn’t, and to my surprise the symlink to the USB drive had been recreated during the boot process.

So now I have three questions.
1: How can I prevent FTP access to the backup drive? This is a massive security hole for me as all the shares are backed up from the MyCloud drive onto this, and whilst they are protected by user permissions on the MyCloud, they are fully accessible to all connections on the USB Drive.

2: How is the FTP connection reading the directory listing of the shares so that the USB drive is still visible and accessible even though the symlink for the USB drive has been deleted?

3: How can I prevent the system recreating the symlink in the shares directory?

mount /var/media /media
chmod 0455 /media

cat /etc/hosts.deny ALL;21

edit /etc/passwd ftp:x:103:106:ftp daemon,:/srv/ftp:/bin/false

Thanks for the reply. Will try it out as soon as I get chance. Don’t suppose you could explain what this is doing?


Update: 20/11/2018
Doesn’t work, all I get is an error when executing the cat command.
As I’m not that well up on Linux commands to fully understand what is happening, I’m going to continue keeping the USB drive disconnected except when running backups manually.

Hi - this is a serious security flaw. Is there no solution to this?

service vsftpd status

vsftpd is not running.

Run that command and post your output.

Hi Branonb… I get my cloud device this week. How exactly do I run this command when I get it? This topic on security caught my attention and I want to make sure I set my cloud up right. Thank you.

Both cloud drives I use have been set up for FTP access and are happily serving up FTP content, and both respond with the same error when running vsftpd:

500 OOPS: could not bind listening IPv4 socket