Monday, August 11, 2014

How to operate a secure Synology system...

With the current hype around the outbreak of #SynoLocker, a ransomware virus which encrypts all your files and only allows decryption after paying a ransom fee ($400), it is nice to have your Synology protected as good as possible to minimize the attack vectors (ways people can compromise the security) to a minimum without loosing any end-user usability and ease.

In the different forums you find the following advices:
* Disable the default Admin Account
* Change the default ports on the services
* Use SSL
* Don't use 3rd party applications
* etc.

Below I will describe what is in my opinion a good way to protect your Synology for attacks. I will be using 3rd party applications from the SynoCommunity repository.
Starting point is an up to date Synology system and you are logged on as an Admin user (Admin or a different user with admin-rights)

Below are the links to a series of posts to secure your Synology:
1. Make sure your synology is up to date
2. Publish the applications through HAProxy
3. More to come..

Synology : Publish through HAProxy

This is the second article in a series to secure your Synology NAS.

HAProxy enables users to access programs on their NAS without opening additional ports in the firewall. Also because the applications are not accessible on the ports which they normally run on, and you need to know the exact url to use, it is hard to exploit the application if there is an bug in the software. (For instance SYNOLOCKER)
If you use the DDNS service of Synology you can use names in front of the DDNS name to connect to the services.
f.i. https://dsm.mydemonas.synology.me would redirect me to the admin interface of my NAS.

To achieve this we need to install an additional program HA-Proxy. This is available through the repository from Syno Community. The address for the repository is: http://packages.synocommunity.com

What this tutorial will assist you in is the following:
1. Add the repository
2. Prepare the NAS for the application
2.a Install a certificate
2.b enable SSH
3. Install the application and pre-requisite
3.a some problem fixing
4. conclusion.

I hope this will help you ;)



Add the repository
First open the package center:

















When in Package center select Installed and click the button Settings












Click on Add, and fill in the following information:
Name: Syno Community
Location: http://packages.synocommunity.com


On the left hand side click on community and then refresh.



A lot of packages will appear here.



Create a Certificate
Before we install HAProxy we first need to update the certificate and enable SSH.

Go to Control Panel


 Open Security


Click on the TAB Certificate


Click on Create Certificate

In this tutorial we create a self-signed certificate, if you have a valid certificate you can import it here,  or you can create a certificate request which you can send to a certificate authority.

Fill-in your information

At common name fill in the DNS name you want to use. The DDNS service from synology can provide you with a DNS name, you can add the local ip adres in de Subject Alternative Name field. Click Apply



Enable SSH
Since the custom configuration of HAProxy is only available through the command line we must enable SSH to connect to the NAS.

Open Control panel

Open Terminal en SNMP
 Select Enable SSH Service and click Apply

Installation of the Package

Now we can install haproxy. Since a requirement is Python 2.7 or higher we first install Python.
Open Package Center

 Select Community

Look for the package python and click install

Wait until the installation is finished

Look for the application HAProxy and click install

HAProxy uses an username and password to protect the status page. Enter those here.
Default is admin admin
Click Next

Make sure the checkbox is ticked to run the application, and click apply

With version 1.5-dev25-12 there is an problem in the configuration which doesn't allow the application to run. We can however fix it ourselves.

Download putty

Open the downloaded program file and connect to the IPAdres of your NAS over SSH
The username is always root
The password is your admin password

Change the current folder to "/volume1/@appstore/haproxy/var and open the file haproxy.cfg

Commands:
  cd /volume1/@appstore/haproxy/var/
  vi haproxy.cfg

When the file opens scroll down to the part backend gateone.
Add verify none to the server line. For this press the i
add the words to the line. press ESC
type :wq [ENTER]

Now the package will run when we start it.

Conclusion
HAProxy will natively run on the ports 5080 and 5443
We can change these ports in the configuration file or you can modify your firewall (router) to forward the request incoming on port 80 or 443 to the ports of haproxy. By default the applications are only available over the https (5443) port but you can copy those lines to the http (5080) port option. This makes it less secure!!





Synology : Make sure it is up to date and you are informed of updates.

My first in a series is the advice to make sure your system is always up to date. The press release of Synology states that the current versions of the software where NOT vulnerable for this virus. So first we make your system send you emails if there is an update for your Synology.

Click on the start button (Top Left corner) and open Control Panel










Open Notification












If you have information of sending emails through a SMTPServer (Mail Server) you can use the first tab (Email) to enter this information.

Be sure to test the configuration. 



















If you don't have access to an email server to send the emails you can choose to use the Synology notification email server. you find this on the tab "Push Service"
Fill in your emailaddress, click Apply, after a few seconds a new button appears. Click on this button "send verification mail", open your email box and click on the verification link in this email.
Email notifications will now be send. 


















In the "Advanced" tab you can select which notifications you want to receive. I have selected all notifications



In the left menu go to "Update & Restore", in the page click on the button "Update Settings" and make sure that the system is checking for New and All updates and that the checkbox is checked to check and download these updates.


















Next close all the open pages, and open the Package Center













When the Package Center opens click on the Settings button














Make sure both options are selected on the General Tab



















On the tab Auto Update you can choose to Auto Update the Synology Packages



















Now you will receive emails if there are updates available for your Synology System or applications.

Thursday, June 5, 2014

Apple OSX 10.10 Yosemite sluggish and unresponsive or snappy as expected??

Last week Apple presented Mac OSX 10.10 Code name Yosemite. Now with better integration with your phone and ipad.... Off course I have to try this so I installed iOS 8 on my Phone(s) and OSX 10.10 on my Mac.

And then the troubles began... Not on the phone but on my Mac. It was unresponsive, memory hogging and throughout terrible. I even considered reverting back to OSX 10.9 Mavericks.
But I am not a quitter so the search for a solution started...

There is a side note that there is a NDA on OSX 10.10 and therefor there is little found on the internet about it and the problems which are found..

When I started looking at the resource usage I couldn't find anything off other than that kernel_task was using a lot of memory, but other than that nothing wrong... But whenever I switch between applications the screen froze and a colourful skippybal came in place of my cursor.. Since I have a lot of tweaks installed, I instantly started blaming them, and cleaned them away from my system.. But it didn't solve anything...

Maybe it where the add-ins I am using such as dropbox and bitcasa.. so deleted those. Still no response from my system..
In the meantime a forum was started for Yosemite where people started sharing their problems. On that forum someone shared that he had an unresponsive system and no sound. I had sound, but still worth a look. (http://forums.macrumors.com/showthread.php?t=1740460) In this thread it was suggested to remove a driver from a third-party add-on.
I checked if I had the same driver on my system, but no such luck.

Off to more digging into this issue, but still no luck in finding something. resetting the SMC and PRAM both didn't help and all other suggestions found on the internet for versions since 10.5

At that time I started looking at all open processes and applications. All tweaks where already removed but legitimate application such as VMWare Fusion, Parallels and Microsoft where still on my machine. Only one application was still running and that was Parallels Access. I had never used it and had always thought it part of parallels itself.
So I searched for problems between Yosemite and Parallels Access. But couldn't find any. I did find a post that it is an agent which allows you to use your iPad to control the Mac (http://forums.macrumors.com/showpost.php?p=18300289&postcount=25) Since it is not something I use, and I was in a PenTesting class where we just learned not to have anything installed you are not using since that might get attacked, I decided to uninstall the agent. In the link in the post was a link to a knowledge base article from Parallels in how to remove it (http://kb.parallels.com/en/117142) in which they have a script (Parallels Access Uninstall script) to remove the software. Just sudo run the script from terminal and it is gone...

One reboot later my system was responsive, snappy and nice to work with again..

I am not going to share any details and screenshots just yet, but I like that I can answer SMS texts on my laptop now :)