WD My Cloud as distant backup

I want to use WD My Cloud only as distant backup unit, running RSYNC over SSH. Additionally only WEB console (over HTTPS) must be available. All other services and ports must be closed. The unit will be connected directly to Internet in distant location in other city. So my WD will have public IP address without router between WD and Internet.
How can I disable all services and ports except 22 (SSH) and 443 (HTTPS)? Part of them (like Time Machine), can be disabled from WEB interface but not all of them. So how can I do it?

Why not simply put the My Cloud behind a router at the remote location and enable port forwarding? How is the My Cloud obtaining a “public” IP address, and what would the My Cloud be connected to?

By using a router and port forwarding you can block access to the My Cloud except for ports 22 and 443. Otherwise you’ll probably have to muck around using SSH to turn off devices within the My Cloud or configure specific ports.

Use the forum search feature, magnifying glass icon upper right, if you haven’t already. There is much past discussion on using Rsync, SSH, SFTP and backing up to a remote My Cloud. Here are just a few past discussions:

https://community.wd.com/t/howto-securing-ssh-with-private-encryption-key-and-passphrasec-for-remote-connection/95780

https://community.wd.com/t/sshd-user-access-is-denied-trying-to-setup-remote-nas-backup-from-ex2100-to-2tb-my-cloud/165072

https://community.wd.com/t/how-to-setup-sftp-on-my-cloud/152297

https://community.wd.com/t/my-cloud-replication-over-the-internet/95670

https://community.wd.com/t/backup-to-mycloud-from-another-network/165307

https://community.wd.com/t/remote-backup-issues-help/164458

https://community.wd.com/t/remote-access-and-backup/161471

https://community.wd.com/t/help-new-customer-keeping-the-drive-at-another-location/161354

https://community.wd.com/t/back-up-devices-to-a-remote-my-cloud/155950

The cost of router with GB Ethernet WAN port is more than half the price of WD My Cloud itself. I planned to connect WD Cloud to Juniper unit (8 x GB Eth ports) connected to Internet over 2,5 GB fibre link. This unit has 4 free public IP addresses so WD will have static, public IP address.
There is no problem for me to run RSYNC over SSH (I use it in many installations) so the only problem is to disable all unnecessary for me services/ports.
SSH can be run from WEB console of WD, RSYNCD - too (with a little help of SSH console). I tested it in lab and everything works perfectly.
So I have to mention my problem once more. Disabling all unnecessary services/ports.

Not true, ie: https://www.amazon.com/D-Link-DIR-860L-802-11ac-Wireless-Router/dp/B00CCIL9NU. The mycloud gen2 device has no iptables and no firewall support in kernel (it actually has, but the modules are not in the firmware). So direct connection to internet it’s a no-no thing in my opinion.

Salud.

I’ve bought secondhand UK routers from £1 (technicolour tg582n), £5 (BT homehub3) to £10 (Belkin n300+300). You just have to shop around.

How are you going to log in to an ISP service? Or does your ‘Jupiter’ unit do that?

You say you’ve tested it in your lab and it all works perfectly. Does that include getting internet access via the Jupiter unit?

Juniper is second (just after Cisco) producer of TELCO high and middle range equipment. The unit I will use belongs to ISP provider and (as I wrote) is equipped with 8 GB Ethernet ports. I have no access to internal configuration of Juniper. I just have access to Ethernet ports, and ISP configured 8 public IP addresses on it. Of course one of them is gateway IP (on the second end of fibre), 2 others are in use so I can use another one free.
I know that there is no iptables support in WD. Because of that, I want to turn off all unnecessary services. Because the first rule of network security is:
“The best way to be safe from attack to particular service is to have no such service at all”.

Ah; that’s the bit of information I was missing.

You’d have to establish what services are running on the MyCloud that will potentially listen to internet traffic. You can then prevent them from running, either by stopping them from being started in the first place (edit the startup script via SSH), or disable them after they’ve been started. You’ll need to make sure these changes are replicated at reboot.

You might also consider uninstalling the relevant packages, to ensure the services can never be started (which may cause problems with dependencies with other packages).

All this will be difficult with a Gen 2/v2 firmware model, since it reloads the entire OS at reboot. Gen1/v4 firmware at least survives reboots, and is only re-loaded if you upgrade the firmware.

A penetration tester might show you what ports are open and responding on the MyCloud.

An alternative might be to replace the entire MyCloud OS with a clean Debian install (search the forum for threads on this subject), then you will have full control of what is running on it; use an alternative NAS system (OpenMediaVault?), and a firewall.

Beyond those suggestions, I’m afraid you’re on your own.
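
One way to do the "establish what services are listening" step from the reply above over SSH, as an added example that is not from the thread or from WD: it reads the kernel's `/proc/net/tcp` table and reports listening ports that are neither loopback-only nor on the 22/443 allowlist. The function names, the little-endian address layout and the sample table are assumptions made for this example; the sample is constructed, not captured from a My Cloud.

```shell
#!/bin/sh
# Added example: report TCP listeners that are reachable from the network
# and are not on the allowlist the thread asks for (22 = SSH, 443 = HTTPS).
ALLOWED="22 443"

# Reads /proc/net/tcp or /proc/net/tcp6 text on stdin and prints each
# unexpected listening port once, in numeric order.
unexpected_listeners() {
    while read -r _sl local _remote state _rest; do
        [ "$state" = "0A" ] || continue   # 0A is TCP_LISTEN; this also skips the header row
        addr=${local%:*}                   # hex address before the last colon
        port=$((0x${local##*:}))           # hex port after it, converted to decimal
        case "$addr" in                    # assumption: little-endian CPU byte order
            ??????7F|00000000000000000000000001000000) continue ;;  # 127.x.x.x and ::1
        esac
        case " $ALLOWED " in
            *" $port "*) continue ;;       # listener is on the allowlist
        esac
        echo "$port"
    done | sort -un
}

# Constructed sample in /proc/net/tcp layout, trimmed to the first four columns.
# Rows: 22, 443, 445, 548 on all interfaces; 3306 on loopback; one established session.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 00000000:01BB 00000000:0000 0A
   2: 00000000:01BD 00000000:0000 0A
   3: 00000000:0224 00000000:0000 0A
   4: 0100007F:0CEA 00000000:0000 0A
   5: 0A00000A:0016 0B00000A:C350 01
EOF
}

# On the device itself, feed the live tables instead:
#   cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | unexpected_listeners
sample_proc_net_tcp | unexpected_listeners
```

This covers TCP only; UDP listeners appear in `/proc/net/udp` with a different state column and need a separate check. Re-running it after each reboot or firmware change shows whether a disabled service has come back.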

Yep. I think that installing clean Debian is the best idea.