Can you remotely administer MyBookLiveDuo

As the subject suggests.  I’m wanting to know if I can access the owners console eg.  http://192.168.1.73/UI/ remotely from a machine that is not on the network?

I have set up the port forwarding etc and get the following error when I try the external IP of my router.

I type in the IP as http://81.xxx.55.xxx:8080/ and it resolves to  http://81.xxx.55.xxx:8080/UI with the following error message

Forbidden

You don’t have permission to access /UI on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

The MyBookLive is at my house but I will be away for a lot and need to be able to add users and perform general maintenance tasks so any help with this would be appreciated!

I can probably give a partial answer with qualifiers to this. I’m something of a noob to the mybooklive systems but I’ve been playing and reading a lot.

I believe the short answer for accessing the Admin GUI remotely is no. I have not seen any work-arounds posted as yet. However, you can definitely SSH in remotely and manage from the command line, though I believe that suggestion triggers two sets of alarm bells. ONE is opening up port 22 on your router and TWO is of course the danger of going in as root (not to mention warranty issues) if you are not VERY careful and/or experienced with unix/LINUX.

   To improve on problem ONE you can set up a Public key authentication for access and remove any username/password login options.  It would make it quite difficult to hack your NAS, so even if someone scanned and found your drive they would not have any good reason to put that much effort into trying to get around the security. It’s why we have SSH in the first place really.

   TWO is the real show stopper if you are not comfortable at the command line.  I’ve already stopped using the GUI for anything on this NAS but I am an old unix geezer and really hate GUI front ends for administration.

p.s. I am sure that there may well be a hack to get around the remote GUI admin restriction but it may be more trouble than anyone feels it is worth to figure out and it also feels very unsecure to me (caveat, I know nothing about the WD GUI internals, so I really do not know, just a guess)

Good luck,

Mark

THIS COULD OPEN YOU UP TO POTENTIAL HACKS

The file you want to edit is at

/tmp/allow.conf

To allow any IP access to the dashboard, edit the file to

<Directory /var/www/UI>
Order Allow,Deny
Allow from all
</Directory>

  Stop and start the apache server

MyBookLive:~# /etc/init.d/apache2 stop
8518: old priority 0, new priority 0
Stopping web server: apache2 ... waiting .
MyBookLive:~# /etc/init.d/apache2 start
8576: old priority 0, new priority 0
Starting web server: apache2.

Make sure you have a secure dashboard password set

Who knows what kinda hacks this can open you up to :wink:

For more information

http://library.linode.com/web-servers/apache/configuration/rule-based-access-control

I didn’t have any luck with the following, but you might. Obviously you would change the 22.22. to whatever the IP address of the machine you would be accessing the MBL from has. 192.168. needs to be left there for local access

<Directory /var/www/UI>
Order Deny,Allow
Deny from all
Allow from 192.168.
Allow from 22.22.
</Directory>

Stop and start the apache server

MyBookLive:~# /etc/init.d/apache2 stop
8518: old priority 0, new priority 0
Stopping web server: apache2 ... waiting .
MyBookLive:~# /etc/init.d/apache2 start
8576: old priority 0, new priority 0
Starting web server: apache2.

TAKEN FROM THE ABOVE LINK

To parse this in more simple terms:

  • The “Order Deny,Allow” directive tells the web server that “Deny” rules should be processed before Allow rules.
  • The “Deny from all” directive tells the web server that all users should be denied access to the given resource. This rule is processed first.
  • The “Allow from” directive tells the web server that requests originating at the IP address “22.22.*.*” should be allowed. This is processed last, and represents an exception to the “Deny from all” rule.

In short, all hosts except for 192.168.*.* and 22.22.*.* are denied access to this resource.

Alternatively you could edit the section in red for the file wd-nas

/etc/apache2/sites-available/wd-nas

<VirtualHost *:80>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/

	<IfModule mod_rewrite.c>
		RewriteLog /var/log/apache2/rewrite.log
		RewriteLogLevel 0

		RewriteEngine On

		# address-only access redirected to User Interface
		# RewriteRule ^/$ /UI/ [R]

		# relocate UI

		# relocate administrative REST
		RewriteRule ^/api/1.0/rest/(.*) /Admin/webapp/htdocs/api/1.0/rest/index.php [L]
	</IfModule>

    <IfModule mod_rewrite.c>
        # configure landing page for webdav applet
        RewriteRule ^/LandingPage /Admin/webapp/htdocs/securityCheck.php [L,R]
    </IfModule>

	# additional environment variables to pass to CGI and SSI
	# any way to use DocumentRoot/DOCUMENT_ROOT???
	SetEnv __ADMIN_API_ROOT /var/www/Admin

	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>

	<Directory /var/www/>
		Options -Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>
	
    # block application folders from being served
    <Directory /var/www/Admin/webapp/config/>
            Order deny,allow
            Deny from all
    </Directory>
    <Directory /var/www/Admin/webapp/classes/>
            Order deny,allow
            Deny from all
    </Directory>
    <Directory /var/www/Admin/webapp/includes/>
            Order deny,allow
            Deny from all
    </Directory>

    <Directory "/var/www/UI/app/webroot/">
        RewriteEngine On
        RewriteBase /UI/
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php?url=$1 [QSA,L]
	</Directory>

    # comment this line if remote WebUI access is needed (WAN access)
    Include /tmp/allow.conf
    
	<Directory "/var/www/UI">
        RewriteEngine on
        RewriteBase /UI/
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^$ app/webroot/
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule (.*) app/webroot/$1 [L]
		php_value memory_limit 1G
    </Directory>
        
	### unused at this time
	### ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	### <Directory "/usr/lib/cgi-bin">
	###	AllowOverride None
	###	Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
	###	Order allow,deny
	###	Allow from all
	### </Directory>

	ErrorLog /var/log/apache2/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	###CustomLog /var/log/apache2/access.log combined

	### not used at this time
	### Alias /doc/ "/usr/share/doc/"
	### <Directory "/usr/share/doc/">
	###	Options Indexes MultiViews FollowSymLinks
	###	AllowOverride None
	###	Order deny,allow
	###	Deny from all
	###	Allow from 127.0.0.0/255.0.0.0 ::1/128
	### </Directory>

    ############################
    # WebDav Extension
    ############################
    
    Include /etc/nas/apache2/auth/alias.inc
    Include /etc/nas/apache2/auth/require.inc

    #############################

</VirtualHost>

 Simply change it to

# comment this line if remote WebUI access is needed (WAN access)
# Include /tmp/allow.conf
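
The Order/Allow/Deny evaluation discussed in the post above, as an added example (not code from the thread or from WD): a simplified Python model of Apache 2.2 host-based access control, IPv4 only, for checking which client addresses a given block would admit. The two blocks are the ones posted above; the client addresses 22.22.10.5, 22.221.1.1 and 203.0.113.9 are constructed test values.

```python
import ipaddress

def _matches(spec, ip):
    """True if IPv4 address `ip` matches one Allow/Deny 'from' argument."""
    if spec.lower() == "all":
        return True
    if "/" in spec:  # CIDR or netmask form, e.g. 10.1.0.0/16
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    want = spec.rstrip(".").split(".")
    # 1-3 octets act as a subnet prefix, compared octet by octet (not as a string)
    return ip.split(".")[:len(want)] == want

def parse(block):
    """Return (order, allow_specs, deny_specs) from the text of a <Directory> block."""
    order, allow, deny = "deny,allow", [], []  # Apache 2.2 default Order
    for line in block.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].lower() == "order":
            order = "".join(words[1:]).lower()
        elif len(words) >= 3 and words[0].lower() in ("allow", "deny") \
                and words[1].lower() == "from":
            (allow if words[0].lower() == "allow" else deny).extend(words[2:])
    return order, allow, deny

def permitted(block, ip):
    """Apply Apache 2.2 Order semantics to decide whether `ip` gets in."""
    order, allow, deny = parse(block)
    allowed = any(_matches(s, ip) for s in allow)
    denied = any(_matches(s, ip) for s in deny)
    if order == "allow,deny":
        return allowed and not denied  # default deny; a matching Deny wins
    return allowed or not denied       # deny,allow: default allow; Allow wins

OPEN = """<Directory /var/www/UI>
Order Allow,Deny
Allow from all
</Directory>"""

RESTRICTED = """<Directory /var/www/UI>
Order Deny,Allow
Deny from all
Allow from 192.168.
Allow from 22.22.
</Directory>"""

if __name__ == "__main__":
    for ip in ("192.168.1.73", "22.22.10.5", "22.221.1.1", "203.0.113.9"):
        print(ip, "open:", permitted(OPEN, ip), "restricted:", permitted(RESTRICTED, ip))
```

The open block admits every address, so the dashboard password becomes the only barrier; the restricted block admits only the LAN and the 22.22. prefix, and 22.221.1.1 is rejected because matching is per octet.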

Thanks very much for the well considered replies.

I think I’ll try making the change to /etc/apache2/sites-available/wd-nas and comment the line of code.  

Here’s the next daft question, how do I go about finding and accessing this file?  I use a Macbook Pro. It would be safe to assume I’m a noob on the Macbook and am still trying to find my way around (I’ve been a PC user for as long as I can remember) and don’t really know how to get to the console and navigate myself round it.

Your help is very much appreciated.

First you need to enable SSH on your MBLD (I am using the IP address you gave for your MBLD in your 1st post)
In a web browser, http://192.168.1.73/UI/ssh
Tick the enable SSH box
Find a program called Terminal on your Macbook
In Terminal, type

ssh root@192.168.1.73

When prompted, the password is welc0me

Now in terminal type

nano /etc/apache2/sites-available/wd-nas

Scroll down until you find the second line in red as shown above and comment it out

# Include /tmp/allow.conf

Hit control and o to save
Then hit enter to save the file
Now hit control x to exit

Now you want to do the following in Terminal to restart apache with the new changes

/etc/init.d/apache2 stop
/etc/init.d/apache2 start

 Test and report back


THANK YOU THANK YOU THANK YOU

Thanks a million, that’s it working a treat and I can administer it remotely now.  Thanks so much for taking the time to post such lengthy, detailed and easy to understand instructions.