I just purchased a 2TB MyBook Live, and I am trying to access it from outside my local network without using wd2go. I put the NAS in the DMZ for my router, and set up a domain name I own (example.com) to forward to my IP address.
I have two issues with this:
First, when I go to example.com, I get this error message:
Forbidden
You don't have permission to access /UI on this server.
Of course, the UI works fine from within my local network.
My other issue is that I have set up some shares as private, yet they are now accessible to the outside world. e.g., I have a private share called “Media”, and I can access files on it by going to http://www.example.com/Media/whatever.mp3. This is bad.
I have set up SSH access and have been messing around with the permissions but nothing seems to work. Does anyone have any other suggestions?
That’s because the MBL’s web server’s been tweaked not to allow any access from any IP address outside of the local area network’s subnet.
Elaborate on “My other issue is that I have set up some shares as private, yet they are now accessible to the outside world.” This maybe a serious but that needs to be reported to Western Digital support.
No need to elaborate… I’ve verified the bug and securility vulnarability you’ve described on the latest version of the MyBook Live firmware.
I think the issue lies with with W.D. implementation of WebDAV. If you look at /etc/apache2/sites-enabled/000-Apollo3G then you’ll find at the end of the configutration file…
############################
# WebDav Extension
############################
Include /etc/nas/apache2/auth/alias.inc
Alias /shares /shares
<Location /shares>
Dav On
Order Deny,Allow
Deny from all
Allow from all
AuthName DeviceUser
AuthType Digest
AuthDigestDomain /shares
AuthDigestProvider file
AuthUserFile /etc/nas/apache2/auth/htpasswd
AuthGroupFile /etc/nas/apache2/auth/htgroup
#AuthzGroupFileAuthoritative Off
</Location>
Include /etc/nas/apache2/auth/require.inc
/etc/nas/apache2/auth/require.inc contains a load of rules pointing to all the defined shares.
I think if WebDAV is disabled by commenting out the lines I’ve listed above then this security vunarability will be shut off but then WebDAV functionality will also be disabled.
So, why does this WebDAV functionality exist?
It looks like /etc/nas/apache2/auth/htpasswd is not been correctly written.
I’ve turned off WebDAV and the files are no longer accessible as you suggested, though the Public folder is no longer accessible either. (It would be nice to keep that enabled, but not necessary).
As for my other issue, how can I tell MyBook that it’s ok to access from outside the subnet?
If you make any changed within the Web UI the configuration files might be re-written and WebDAV reenabled. I’ve not checked this out. For sure /etc/nas/apache2/auth/require.inc is re-created every time a change is done to a user or share. though the Web UI.
What you may be able to so is copy the entry for the Public folder from /etc/nas/apache2/auth/require.inc into /etc/apache2/sites-enabled/000-Apollo3G and comment out the line Include /etc/nas/apache2/auth/require.inc. you 'll need to do the same thing on /etc/apache2/sites-enabled/000-Apollo3G-ssl
The Web UI and associated scripts will still re-write /etc/nas/apache2/auth/require.inc but because Include /etc/nas/apache2/auth/require.inc is now # Include /etc/nas/apache2/auth/require.inc in both /etc/apache2/sites-enabled/000-Apollo3Gand /etc/apache2/sites-enabled/000-Apollo3G-ssl all the other shares desired as private will be inaccessible to WebDAV. Ine point to remember… WD2GO may also not have access to those shares omitted from WedDAV and I read something about Windows 7 accessing shares through WebDAV and not Samba’s SMB so maybe there may be issues with Windows 7’s ability to access files. I’ve not moved to Windows 7 yet because XP does everything I need it to do (why upgrade/fix when it ain’t broke?) so can’t prove or disprove the latter.
Point of note is to journal all your changes so when there is a desire to apply a official firmware update you can put back the original configuration BEFORE applying a future official firmware update.
So, the “before” would be . . .
############################
# WebDav Extension
############################
Include /etc/nas/apache2/auth/alias.inc
Alias /shares /shares
<Location /shares>
Dav On
Order Deny,Allow
Deny from all
Allow from all
AuthName DeviceUser
AuthType Digest
AuthDigestDomain /shares
AuthDigestProvider file
AuthUserFile /etc/nas/apache2/auth/htpasswd
AuthGroupFile /etc/nas/apache2/auth/htgroup
#AuthzGroupFileAuthoritative Off
</Location>
Include /etc/nas/apache2/auth/require.inc
#############################
… and after the change it should look like …
############################
# WebDav Extension
############################
# Include /etc/nas/apache2/auth/alias.inc
Alias /shares /shares
Alias /Public /shares/Public
<Location /shares>
Dav On
Order Deny,Allow
Deny from all
Allow from all
AuthName DeviceUser
AuthType Digest
AuthDigestDomain /shares
AuthDigestProvider file
AuthUserFile /etc/nas/apache2/auth/htpasswd
AuthGroupFile /etc/nas/apache2/auth/htgroup
#AuthzGroupFileAuthoritative Off
</Location>
# Include /etc/nas/apache2/auth/require.inc
<Directory /shares/Public/>
Dav on
Allow from all
AuthName DeviceUser
AuthType Digest
AuthDigestDomain /shares/ /shares/Public/ /Public/
AuthDigestProvider file
AuthUserFile /etc/nas/apache2/auth/htpasswd
AuthGroupFile /etc/nas/apache2/auth/htgroup
<Limit PROPFIND>
Require valid-user
</Limit>
</Directory>
#############################
Try that. If you’re not using WebDAV then it should plug this security issue and still keep the Public folder accessible to WebDAV, any changed to on the Web UI won’t change the WebDAV configuration and also should not break the Web UI.
If that’s the case then Western Digital software engineers need to take notice and fix this issue. Even though there may be protection from intrusiion from the wide area network then the security from anywhere within the local area network has been compromised.
OK, so I think I will take your suggestion, and just stop using WD2Go (and use SSH instead).
Here’s a summary of my problem and solution
Problem–
I have put my NAS in the DMZ of my router so that I can assign it a domain name and access it via SSH. This has caused problems because a) my private shares are now accessible via HTTP without a password and b) my private media is accessible via HTTP as well (via Twonky, port 9000).
Resolution–
Modify the files as instructed by Myron, which keeps Public accessible via HTTP but hides private shares. Unfortunately, this breaks WD2Go, but I can still access the shares via SSH or FTP, and mount them using Macfusion. I can turn off Twonky altogether, and simply use the Network share to access media (on my WD TV Live). My NAS is now accessible via my domain name and my files are secure… I think.
Still haven’t been able to resolve my initial issue (“Permission denied to /UI”), but I guess I can live with that. Thanks Myron!
Jeffz, why have you put your MBL one the DMZ!!! Open up just the ports you need to the MBL. I would never dream to put my MyBook Live on the router’s DMZ… Only port that’s open is the FTP one.
I’m guessing that the WD2go service was rushed. I believe that the MBL established a encrypted VPN PPTP connection to WG2go’s servers so it lessens this vulnarability but I’m unhappy that in the LAN, security is compromised.
Open TCP Port: 21 ftp
Open TCP Port: 22 ssh
Open TCP Port: 80 http
Open TCP Port: 111 sunrpc
Open TCP Port: 139 netbios-ssn
Open TCP Port: 443 https
Open TCP Port: 445 microsoft-ds
Open TCP Port: 548 afpovertcp
Open TCP Port: 2049 nfsd
Open TCP Port: 3689 daap
Open TCP Port: 12548
Open TCP Port: 40324
Open TCP Port: 46027
Open TCP Port: 49153
Open TCP Port: 51763
