My Cloud replication over the Internet?

NP, let us know your outcome, we’re all here to help each other.

p.s. I’m on static IP

Hi Nazar, I finally have the things set up and working, but I am still a little worried. What I have done:

  1. added a new root user and deleted login permissions for root.
  2. installed the ‘anti-brute force script’.
  3. changed /etc/rsyncd.conf to allow only 1 ip and only 1 user with a password to use rsync.
  4. opened port 22 in my router for ssh access (is it possible to change it?)
  5. opened port 873 for rsync access.

I think this is it.
Now I read your post again telling that rsync is not encrypted. How to improve my security, given the steps above? Thanks for your advice!

Can you gain back root access after this step? sudo I assumed?

Yes possible, a couple of ways:
  1. If your router doesn’t support PAT, change the listening port via the SSHD config then restart the daemon.
  2. Use PAT (port address translation) instead: open your port of choice in the router i.e. port 2222, then forward it internally to port 22 of MyCloud.
Option 2 is recommended so you don’t have to edit the SSHD config or expose the common port 22. With option 2, you can continue to access ssh locally using port 22 without specifying the port while trying to connect i.e. ssh -p 2222 user@wdmycloud.

If you need to secure rsync, don’t use rsyncd as there’s no encryption. Instead rsync over ssh. To speed up rsync over ssh, use compression with lighter ciphers like arcfour i.e. rsync --progress -ahvze"ssh -p 2222 -TCcarcfour" source/* user@wdmycloud:~/destination see rsync --help for more details. Also you don’t need the rsyncd to be running or the port 873 to be opened.

Yes, I can gain back root access with the other user.
I will try if my (parent’s) router supports PAT. It’s a TP-Link, but I don’t know the exact type…

rsyncing over ssh looks like a good option, for being able to close the extra router port and for the encryption.
A small question about that: I tried something like this before, but I secured my device with an auth file that I saved in my Putty client. I once managed to save this file in my source WD device, but after a reboot it disappeared. How to use this kind of authentication without entering a password every time?

Are there other steps, beside the steps mentioned in my previous post, to gain security?

(Edit: typo)

Which device/firmware are you using? For the Gen1 v4 firmware anything you placed in the rootfs should be retained after reboot. By default ssh looks for rsa/dsa (private) and authorized_keys (public) keys in the ~/.ssh path or you can configure it to look elsewhere within the ~/.ssh/config file (create a new file) i.e.:

Host *
User username
IdentityFile ~/.ssh/key.rsa

Not sure about the Gen2. In any case you can place the key elsewhere then point the key to the process e.g. rsync --progress -ahvze"ssh -p 2222 -i/path-to-my-keys/key.rsa -TCcarcfour" source/* user@wdmycloud:~/destination but the public key on the source still needs to reside on ~/.ssh/authorized_keys unless you change the default AuthorizedKeysFile in /etc/ssh/sshd_config.

Restrict root, use alternate ports, strong password or only allow the use of key pair exchange (prevent password auth), that should be it.
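The hardening summary above maps onto a handful of sshd_config directives. The script below is an added example, not code from this thread or from WD: it reads a sshd_config the way sshd does (first effective occurrence of a directive wins, Match blocks ignored) and reports which of those directives still allow root or password logins. The two sample configs are constructed for the demonstration; run it against a real file with `sh audit.sh /etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added example (not from the thread or WD): audit the sshd_config directives
# behind "restrict root, alternate ports, key pairs only (no password auth)".

# sshd_get FILE KEY: value of the first effective (non-comment) occurrence of KEY.
# sshd applies the first match it sees; per-user Match blocks are ignored here.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: print WARN/INFO lines, return the number of WARN lines (0 = hardened).
audit_sshd_config() {
    f="$1"; warn=0
    v=$(sshd_get "$f" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "WARN PermitRootLogin is '${v:-unset}': set 'no', log in as the admin user and use sudo"
        warn=$((warn + 1))
    fi
    v=$(sshd_get "$f" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "WARN PasswordAuthentication is '${v:-unset (defaults to yes)}': set 'no' once the key pair works"
        warn=$((warn + 1))
    fi
    v=$(sshd_get "$f" ChallengeResponseAuthentication)
    if [ "$v" != "no" ]; then
        echo "WARN ChallengeResponseAuthentication is '${v:-unset}': keyboard-interactive still offers a password prompt"
        warn=$((warn + 1))
    fi
    v=$(sshd_get "$f" PubkeyAuthentication)
    if [ "$v" = "no" ]; then
        echo "WARN PubkeyAuthentication is 'no': key-pair login is disabled"
        warn=$((warn + 1))
    fi
    v=$(sshd_get "$f" MaxAuthTries)
    case "$v" in
        '') echo "INFO MaxAuthTries unset (OpenSSH default is 6)" ;;
        *[!0-9]*) echo "WARN MaxAuthTries '$v' is not a number"; warn=$((warn + 1)) ;;
        *) if [ "$v" -gt 6 ]; then echo "WARN MaxAuthTries $v is generous"; warn=$((warn + 1)); fi ;;
    esac
    v=$(sshd_get "$f" Port)
    echo "INFO Port ${v:-22}: fine behind router PAT (external 2222 -> internal 22); otherwise change it here"
    v=$(sshd_get "$f" AuthorizedKeysFile)
    echo "INFO public keys are read from ${v:-.ssh/authorized_keys} (relative to the user's home)"
    return "$warn"
}

# Constructed sample configs: a stock-looking file and the same file after hardening.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
WEAK_CONF="$TMP/weak.conf"; HARD_CONF="$TMP/hard.conf"
cat >"$WEAK_CONF" <<'EOF'
# constructed sample: typical NAS defaults
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
EOF
cat >"$HARD_CONF" <<'EOF'
# constructed sample: after applying the advice in the thread
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
MaxAuthTries 3
EOF

echo "== weak =="; audit_sshd_config "$WEAK_CONF" || echo "-> $? warning(s)"
echo "== hardened =="; audit_sshd_config "$HARD_CONF" && echo "-> no warnings"
```

Turn on PasswordAuthentication no only after a key-based login has succeeded from a second session, and restart sshd (or send it SIGHUP) for the change to take effect; the audit reads the file, not the running daemon's state.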

I am doing my backups to a WD MyCloud 2TB from a MC Mirror 8TB. The MC Mirror seems to forget the keys. If I remember correctly, I saved these files in ~/.ssh
I will try it again and if it doesn’t work, I will place them in a custom destination.
Thanks again!

Yes, it works now! The MC Mirror seems to forget the keys after a reboot indeed. Fortunately I copied them to another directory so I can refer to the id_rsa file in my rsync-over-ssh command. Thanks!

Yup, most of the ‘custom Linux’ NAS seem to do this. They overwrite the rootfs upon boot. Glad it works for you…
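The two pieces the thread ends up with (rsync over ssh through the router's PAT port, and a key kept outside the rootfs that the NAS rewrites at boot) fit in one small script. It is an added example, not code from the thread or from WD: the key directory /shares/backup/.keys, the host wdmycloud, the user and the external port 2222 are assumptions to be adjusted. The public half of the key still has to sit in ~/.ssh/authorized_keys on the MyCloud side, as the thread notes.

```shell
#!/bin/sh
# Added example (not from the thread or WD): rsync over ssh through a PAT'd
# port, using a private key stored on the data volume so it survives a reboot.

KEY_DIR="/shares/backup/.keys"   # assumed: data-volume path, not the rootfs wiped at boot
KEY="$KEY_DIR/id_rsa"
REMOTE="user@wdmycloud"           # assumed target user@host
PORT=2222                         # router external port, forwarded to port 22 on the MyCloud
DRY_RUN=${DRY_RUN:-1}             # set DRY_RUN=0 to actually transfer

# fix_key_perms KEY: ssh silently refuses a private key that others can read,
# and a key copied onto a share often ends up world-readable.
fix_key_perms() {
    [ -f "$1" ] || { echo "missing key: $1 (the ~/.ssh copy is lost at reboot)" >&2; return 1; }
    chmod 700 "$(dirname "$1")" && chmod 600 "$1"
}

# ssh_transport PORT KEY: the -e argument for rsync. The port goes here, not in
# the host spec (user@host:2222:path is not valid rsync syntax). BatchMode makes
# ssh fail immediately instead of prompting for a password when the key is gone.
ssh_transport() {
    printf 'ssh -p %s -i %s -T -o BatchMode=yes -o ServerAliveInterval=30' "$1" "$2"
}

# ssh_config_entry HOST: a ~/.ssh/config stanza so plain "ssh HOST" picks up port and key
ssh_config_entry() {
    printf 'Host %s\n    HostName %s\n    Port %s\n    IdentityFile %s\n' "$1" "$1" "$PORT" "$KEY"
}

# rsync_backup SRC DEST [extra rsync flags...]: print the command, run it unless DRY_RUN=1.
# -z compresses inside rsync; ssh keeps its default cipher (arcfour is disabled
# in current OpenSSH and was never a strong choice).
rsync_backup() {
    src="$1"; dest="$2"; shift 2
    set -- rsync -ahvz --progress "$@" -e "$(ssh_transport "$PORT" "$KEY")" "$src" "$REMOTE:$dest"
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

if fix_key_perms "$KEY"; then
    rsync_backup /shares/Public/ '~/destination'
else
    echo "copy the key pair to $KEY_DIR, then re-run" >&2
fi
```

With the stanza from ssh_config_entry appended to ~/.ssh/config on the source NAS (that file lives in ~/.ssh too, so on a device that wipes the rootfs it must be recreated at boot or the -p/-i flags kept in the rsync command), rsyncd can stay stopped and port 873 closed on the router; only the PAT'd ssh port is exposed.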