SOLVED - Disable access to management console from Internet

Post your questions about Web Server usage and Apache + PHP + MySQL/SQLite web applications.
mmoerman
New here
Posts: 8
Joined: Sat Jun 14, 2014 11:43 pm

SOLVED - Disable access to management console from Internet

Post by mmoerman » Sun Jun 15, 2014 12:21 am

Hi,

On a QNAP-469L with latest firmware I am trying to disable access to the QNAP Web Management Console without disabling access to my photo album.
I have already tried the following without success:

Tried to restrict access by adding the Allow Deny directives in the respective Directory sections of /etc/config/apache/apache.conf as follows:

<Directory "/share/Web">
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from 192.168.1.0/255.255.255.0
Deny from all
</Directory>
<Directory "/usr/local/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from 192.168.1.0/255.255.255.0
Deny from all
</Directory>

Adding a .htaccess file to /home/httpd with the same:

Order allow,deny
Allow from 192.168.1.0/255.255.255.0
Deny from all

Every time when I restart the web server I can still get to console via a connection from outside of my local network, which I should not be able to do.

I also noticed there are really multiple apache processes running on the QNAP, which are respectively controlled by:
/etc/init.d/Qthttpd.sh
/etc/init.d/thttpd.sh
/etc/init.d/stunnel.sh

Not really sure which one controls what and whether I should restart all of them or just one of them when I make a change.
Anyway I restarted all and still had the same problem.

Can anyone help?

Thanks.
Last edited by mmoerman on Wed Jun 18, 2014 6:59 am, edited 1 time in total.

pwilson
Guru
Posts: 22581
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: Disable access to management console from Internet

Post by pwilson » Sun Jun 15, 2014 12:38 am

Why do you want to prevent your users from being able to change their passwords? :roll: :roll: :roll: (Which is the only thing they can do on the Admin WebUI anyway). If you absolutely feel this is necessary (dumb idea BTW), simply don't Port Forward ports 8080 & 443 at the Router. (They can still access Photo Station, Music Station, etc on the standard ports).

They will be unable to use Download Station, File Station or the Admin WebUI if you do this. (The Admin WebUI does not use Apache, so setting up a .htaccess file for the Admin WebUI will not work).

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)

mmoerman
New here
Posts: 8
Joined: Sat Jun 14, 2014 11:43 pm

Re: Disable access to management console from Internet

Post by mmoerman » Sun Jun 15, 2014 3:01 am

Not sure we are talking about the same NAS here, I only port forward 1 port on my router to the NAS, but with that port I can login as admin and access the full control panel, and it is the same port that I can access Photo Station with.
Mind you, maybe that is my error. Is there a port on which PhotoStation listens but that the Control Panel HTTP server does not listen to? Or can I somehow have PhotoStation listen in SSL on a dedicated port?
Note, I don't really have that many users, this is for home use, so I don't really mind if my users can only change their password from within my local network, but I do have a big problem with people on the internet being able (if they can guess that admin pwd) to gain full control of the NAS.

schumaku
Guru
Posts: 43673
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Disable access to management console from Internet

Post by schumaku » Sun Jun 15, 2014 3:28 am

mmoerman wrote:but I do have a big problem with people on the internet being able (if they can guess that admin pwd) to gain full control of the NAS

Guess?!? Something wrong with your admin (root) or whatever other username/password which is in the administrators group having the same permissions in the QTS desktop.

In Security, enable the Network Access Protection for http(s) - this will make the guesswork pretty difficult even if there are a large number of drones in the attack play.

mmoerman
New here
Posts: 8
Joined: Sat Jun 14, 2014 11:43 pm

Re: Disable access to management console from Internet

Post by mmoerman » Sun Jun 15, 2014 4:59 am

Done.
By the way, I am running my own apache web-server with proxying as well as e-mail server etc. at home on a server, so I am pretty familiar with security / apache / ... . What I can't wrap my head around is exactly how the QNAP processes work and why I can't get the above protection systems to work.
Based on what I have been able to piece together thus far there seems to be:

stunnel.sh - an SSL proxy tunnel - maybe I can use that to proxy an SSL virtualhost just for photostation - however I am not super familiar with virtualhosts.
thttpd.sh - this seems to be the main apache server
Qthttpd.sh - this seems to handle the separate web server for your private web instance if you want to run something from /shared/QWeb - which I don't do right now.

That being said, I have played around, as stated in my original post, with things that are pretty standard apache, but don't seem to be able to limit access to anything else than photostation to just my internal network - which is really what I want to do.

Many thanks for your help.

mmoerman
New here
Posts: 8
Joined: Sat Jun 14, 2014 11:43 pm

Re: SOLVED - Disable access to management console from Inter

Post by mmoerman » Wed Jun 18, 2014 7:01 am

I solved my own problem...
In the /etc/default-config/apache-sys-proxy-ssl.conf.tplt I added the following lines in the default virtual host for the SSL port

Where the xxx represent my local network sub-net.

<Location />
Order deny,allow
Deny from all
Allow from xxx.xxx.xxx.0/255.255.255.0
</Location>
<Location /photo>
Order allow,deny
Allow from all
</Location>

It seems to have done the trick.

Hope this may help anyone who is looking for similar lockdown as I am.
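
How the two Location blocks in the post above are evaluated under Apache 2.2 Order/Allow/Deny rules, as an added example that is not part of the original thread or QNAP's own code. It is a simplified model: the client addresses, the request paths and the 192.168.1.0 stand-in for the xxx subnet are constructed.

```python
# Added example: simplified model of Apache 2.2 host-based access control
# (Order / Allow / Deny inside <Location> sections). Not QNAP's code.
from ipaddress import ip_address, ip_network


def host_allowed(order, allow, deny, client):
    """Apply one section's Order/Allow/Deny; the spec 'all' matches any client."""
    ip = ip_address(client)

    def hit(specs):
        return any(s == "all" or ip in ip_network(s) for s in specs)

    if order == "deny,allow":
        # Deny is checked first, Allow last; a client matching neither is allowed.
        return hit(allow) or not hit(deny)
    if order == "allow,deny":
        # Allow is checked first, Deny last; a client matching both is denied,
        # so "Allow from <subnet>" plus "Deny from all" refuses every client.
        return hit(allow) and not hit(deny)
    raise ValueError("unknown Order: " + order)


def location_matches(prefix, path):
    """<Location /photo> covers /photo and /photo/x, but not /photox."""
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")


def request_allowed(sections, client, path):
    """Sections apply in file order; a later matching one replaces the earlier."""
    verdict = True  # no matching section means no host restriction
    for prefix, order, allow, deny in sections:
        if location_matches(prefix, path):
            verdict = host_allowed(order, allow, deny, client)
    return verdict


LAN = "192.168.1.0/255.255.255.0"  # constructed stand-in for the xxx subnet

# The two blocks from the post: (prefix, Order, Allow list, Deny list)
FIX = [
    ("/", "deny,allow", [LAN], ["all"]),
    ("/photo", "allow,deny", ["all"], []),
]
```

Calling request_allowed(FIX, client, path) with a LAN address and with an outside address shows which paths each one can reach under these rules.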

schumaku
Guru
Posts: 43673
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: SOLVED - Disable access to management console from Inter

Post by schumaku » Wed Jun 18, 2014 3:01 pm

Next firmware update will undo the trick.

mmoerman
New here
Posts: 8
Joined: Sat Jun 14, 2014 11:43 pm

Re: SOLVED - Disable access to management console from Inter

Post by mmoerman » Sun Jul 20, 2014 4:15 am

schumaku wrote:Next firmware update will undo the trick.


I can confirm it did - if someone can help with that I'd really appreciate it :D
