How to keep NAS off the internet

Gavin_H
Joining in

I have an old WD My Book Live that was recently the victim of an exploit that caused it to trigger a factory reset and wiped all the data. I half expected something to go wrong as I knew it was out of support for years so it's not the end of the world in terms of data loss.

Thing is it is really handy for dropping films/TV shows onto and then watching them on the telly through DLNA.

Is there a way I can use the Hub 3 to stop it accessing the internet so that it won't be remotely factory reset again? A way that will still allow me to watch files on my telly.

9 REPLIES

legacy1
Alessandro Volta
So much for the hub firewall...

Disable UPnP in the hub
---------------------------------------------------------------

ravenstar68
Very Insightful Person

Nothing wrong with the hub firewall.

The problem is that by default the NAS is configured for remote access.  So log in to the Mybook and have a mooch around.  You should be able to disable remote access, and while you are at it, consider locking down the admin interface with a password.

To get in go to the Mybook's IP address in a web browser.

Tim

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks

If it's the latest MyBook exploit, the attacker doesn't need admin access to force a reset, so changing the password and settings may not help, although if you can disable remote access that might help, depending on how effectively that's been implemented.  

I suspect you're looking at more complex networking arrangements to properly isolate the MyBook, or admitting defeat and buying or building a more secure NAS.  There may be a few parts you could strip from the MyBook to build your own, if you have or can get a suitable PC carcase, and have the enthusiasm to do that.

WD appear to have admitted defeat themselves, because as you'll see on that first link they are offering a trade in programme with discounts off newer products that may be worth a look (as ever, subject to a list of qualifications). 

ravenstar68
Very Insightful Person

My main takeaway from the first link, which contained a clear explanation of what caused the vulnerability in the first place:

The My Book Live firmware is vulnerable to a remotely exploitable command injection vulnerability when the device has remote access enabled.

With remote access enabled, the device uses UPnP to automatically forward the required ports on the router.  So while disabling UPnP on the router should help, it's possible that it may break other network devices that use UPnP.

I suspect that WD are taking advantage of the exploit to make money (I'm really getting cynical in my middle age)

Tim

I'm sure you're right, but it is also possible to read that the two exploits are different, and it is only the first (red text below) vulnerability that is protected by disabling remote access, and the second (blue text) is still possible without login, merely if the NAS is on a LAN with internet access, and that was what I read into the concluding advice "Immediately disconnect your My Book Live and My Book Live Duo from the Internet to protect your data from ongoing attacks."

The My Book Live firmware is vulnerable to a remotely exploitable command injection vulnerability when the device has remote access enabled. This vulnerability may be exploited to run arbitrary commands with root privileges. Additionally, the My Book Live is vulnerable to an unauthenticated factory reset operation which allows an attacker to factory reset the device without authentication. The unauthenticated factory reset vulnerability has been assigned CVE-2021-35941.

Given that the MyBook is a pretty old product in both technology and chronological terms, and is now out of support, I suspect it is time for @Gavin_H to take the hint from the hackers and look at a replacement.  I had suggested stripping the MyBook for components to use again, but on reflection, reusing an old HDD is usually a risky choice.

Gavin_H
Joining in

First off, thanks everyone for the replies. I'm surprised how active and knowledgeable the users are here.

I'm a bit sus that switching off remote access in the NAS itself could keep it safe, but I think some people on the WD forums were saying they weren't affected because they had remote access switched off.

I was just hoping there was a way to set up a fixed IP (you can set up a fixed IP in the NAS settings) and some kind of filter to stop it ever contacting the internet but being available on my network as a media server. 

WD are offering a crappy trade-in where I would get 40% off if I send back my old NAS, but I can get 40% off the RRP on Amazon and then I wouldn't have to pay postage to send the old one back. I'm not criticizing them too heavily because, like I said, I knew it was out of support and that that was a risk. It did go out of support 1 year after I bought it though which I wasn't too happy about. If I buy a new one then how long before that's out of support? I could build my own Raspberry Pi based NAS but that would probably require way more maintenance than it'd be worth to just have a bit of network storage for media.

 

legacy1
Alessandro Volta

Yes you can give it a fixed IP if it lets you and the wrong gateway IP, that will keep it off the internet.


---------------------------------------------------------------

Andrew-G
Alessandro Volta

If you got hit before, something got through the hub's firewall, possibly an exploit on another device. If that is how either of the two exploits was triggered/could be triggered, you're possibly still at risk if your own devices can access both the internet and the NAS, even if the NAS itself doesn't have web access.

ravenstar68
Very Insightful Person

@Gavin_H 

Based on my readings, if remote access is on then the NAS uses UPnP to open the ports on the router.  Switch off remote access and then disable UPnP on the hub to remove any current UPnP rules, then switch it back on and check your port forwarding rules on the hub to see if they are added with Remote access turned off.

The thing you need to appreciate is that the only way devices can be accessed from the Internet is if there is a port forwarding rule set up - either manually or via UPnP - OR if the device was placed in the hub's DMZ - which essentially forwards all unsolicited traffic that's NOT covered in an existing port forwarding rule.

Tim
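
An added example, not part of the original thread: one way to carry out the "check your port forwarding rules" step above from a computer on the LAN is to list the router's UPnP mappings with miniupnpc's `upnpc -l` and look for any that point at the NAS. The listing below is a constructed sample in that tool's output layout, and the NAS address `192.168.0.50` is an assumption.

```python
import re

# Constructed sample in the layout printed by miniupnpc's `upnpc -l`
# (index, protocol, external port -> internal address:port, description,
# remote host, lease seconds). Addresses and descriptions are made up.
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.0.50:80    'NAS remote access' '' 0
 1 TCP  8443->192.168.0.50:443   'NAS remote access' '' 0
 2 UDP 51413->192.168.0.23:51413 'game console' '' 3600
"""

MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<ext_port>\d+)->(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<int_port>\d+)"
    r"\s+'(?P<desc>[^']*)'"
)

def parse_mappings(listing):
    """Return one dict per port mapping line; the header and other lines are skipped."""
    mappings = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            mappings.append({
                "proto": m["proto"],
                "ext_port": int(m["ext_port"]),
                "host": m["host"],
                "int_port": int(m["int_port"]),
                "desc": m["desc"],
            })
    return mappings

def mappings_for_host(listing, host):
    """Mappings that forward unsolicited internet traffic to `host`."""
    return [m for m in parse_mappings(listing) if m["host"] == host]

def report(listing, nas_ip):
    """Human-readable summary of the mappings that still expose the NAS."""
    exposed = mappings_for_host(listing, nas_ip)
    if not exposed:
        return f"No UPnP port mappings point at {nas_ip}."
    lines = [f"{len(exposed)} UPnP mapping(s) still forward traffic to {nas_ip}:"]
    for m in exposed:
        lines.append(f"  {m['proto']} external {m['ext_port']} -> "
                     f"{m['host']}:{m['int_port']} ({m['desc']})")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LISTING, "192.168.0.50"))  # assumed NAS address
```

This only covers rules created through UPnP; manual port forwards and a DMZ setting still have to be checked in the hub's own admin pages.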