laat
Aspirant
Apr 06, 2022
Solved

ReadyNas 6.10.7

Hello and thank you for reading my question.

 

To have one and only one share available on the WAN, I have enabled HTTPS access for that share.

 

Now I notice that the admin GUI (https:..../admin) is also available from the WAN.

 

Q1: Would it be possible, for improved security, to have the administrator GUI (/admin) only available for clients in the local network, and not clients from the WAN?

 

Q2: Would it be possible, for improved security, to have the password recovery page (/password_recovery) only available for clients in the local network, and not clients from the WAN?

 

Thank you

  • laat
    Apr 06, 2022

    Thank you,

    Since apparently there is no intended configuration setting to do this, I have entered it manually in the configuration as follows. This assumes that your LAN IP address range starts with 192.168.; if not, you can change that in the instructions below. Suggestions to make this easier are welcome.

     

    1. Create a new file /etc/apache2/conf-enabled/PasswordRecoveryLanOnly.conf containing these lines:

    <Location /password_recovery/>
    Order deny,allow
    deny from all
    allow from 192.168
    </Location>

    <Location /my_password>
    Order deny,allow
    deny from all
    allow from 192.168
    </Location>

     

    2. Edit the file /etc/frontview/apache/fv-admin.conf. In the <Location /admin> block, mark two lines as comments by putting a # sign in front of them:

    # Order allow,deny
    # Allow from all

    And right below that add 3 lines:

    Order deny,allow
    deny from all
    allow from 192.168

     

    3. Restart frontview with the command:

    service apache2 restart

     

5 Replies

  • Sandshark
    Sensei - Experienced User

    Your desires may not be the same as others'.  I suggest you look into other ways to make your files available remotely, as just making a share available over the internet is not really a particularly good idea, IMHO.  ReadyCloud is one obvious method.  A VPN is another.  I personally use ZeroTier, which is a VPN of sorts.  Depending on exactly what you are sharing, OwnCloud or NextCloud may be an option.

     

    I actually use ZeroTier for my own and my family's remote access and NextCloud as a repository for files to be shared with others, typically on a temporary basis, though I have "external" links (external from NextCloud's perspective) to a couple of shares shared more permanently with a couple friends.

    • laat
      Aspirant

      I do have my own reasons to have a particular share available by https.

      I am not in need of other solutions.

      Hence the questions remain.

       

      • Sandshark
        Sensei - Experienced User

        You would have to manually edit the apache options in one of the .conf files in /etc/frontview/apache.  Just Google how to limit access by IP address on a Linux host.  Note, however, that an OS update or any changes to HTTP access from the GUI may overwrite your added restrictions.

         

        To restrict admin access, you should add to Admin_Auth.conf.  I think something of this form would work:

         

        Require host localhost
        Require ip 127.0.0.1
        Require ip 192.168

         

        I'm not sure if you can lock out the password change page without affecting others.

         

        Note that it might be best to first try it out on something other than your online system.  Temporarily creating a volume on a scratch drive would be one way to do that.  An OS re-install would probably restore it if something got messed up, but an OS restore doesn't overwrite everything, so I recommend the additional precaution.
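
The caveat in this thread that an OS update or a GUI change may overwrite the added restrictions can be checked mechanically. The shell function below is an added example, not part of the thread and not NETGEAR tooling; it reports whether a `<Location>` block still carries the `Order deny,allow` rules from laat's steps, and the two sample files are constructed for illustration.

```shell
# Added example: report whether a <Location> block in an Apache config file is
# still LAN-only. Prints "restricted", "open" (block present, not LAN-only)
# or "missing" (no such block in the file).
check_location() {  # usage: check_location FILE LOCATION LAN_PREFIX
    awk -v loc="$2" -v lan="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low == "" || low ~ /^#/ { next }          # ignore blanks and commented-out lines
        low ~ /^<location[ \t]/ {                 # opening tag: extract the path
            p = line; sub(/^<[^ \t]+[ \t]+/, "", p); sub(/>[ \t]*$/, "", p)
            inblk = (p == loc); if (inblk) found = 1; next
        }
        low ~ /^<\/location>/ { inblk = 0; next }
        !inblk { next }
        low ~ /^order[ \t]+deny,allow/ { order = 1 }
        low ~ /^deny[ \t]+from[ \t]+all/ { deny = 1 }
        low ~ /^allow[ \t]+from[ \t]+all/ { allowall = 1 }
        low ~ /^allow[ \t]+from[ \t]+/ && ($NF "") == lan { allowlan = 1 }
        END {
            if (!found) print "missing"
            else if (order && deny && allowlan && !allowall) print "restricted"
            else print "open"
        }' "$1"
}

# Constructed sample files: one as edited in step 2, one as an update might
# leave it (original directives active again, restriction gone).
make_samples() {  # usage: make_samples DIR
    cat > "$1/edited.conf" <<'EOF'
<Location /admin>
    # Order allow,deny
    # Allow from all
    Order deny,allow
    deny from all
    allow from 192.168
</Location>
EOF
    cat > "$1/reverted.conf" <<'EOF'
<Location /admin>
    Order allow,deny
    Allow from all
</Location>
EOF
}

tmp=$(mktemp -d) && make_samples "$tmp"
for f in edited reverted; do
    echo "$f.conf /admin: $(check_location "$tmp/$f.conf" /admin 192.168)"
done
rm -rf "$tmp"
```

On the NAS, the function can be pointed at /etc/frontview/apache/fv-admin.conf for /admin and at the file from step 1 for /password_recovery/ and /my_password, for instance after each OS update.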

         

         
