With the current hype around the outbreak of #SynoLocker, a ransomware virus which encrypts all your files and only allows decryption after paying a ransom fee ($400), it is nice to have your Synology protected as well as possible, reducing the attack vectors (ways people can compromise the security) to a minimum without losing any end-user usability and ease.
In the different forums you find the following advice:
* Disable the default Admin Account
* Change the default ports on the services
* Use SSL
* Don't use 3rd party applications
* etc.
Below I will describe what is in my opinion a good way to protect your Synology against attacks. I will be using 3rd party applications from the SynoCommunity repository.
The starting point is an up-to-date Synology system on which you are logged on as an admin user (Admin or a different user with admin rights).
Below are the links to a series of posts to secure your Synology:
1. Make sure your Synology is up to date
2. Publish the applications through HAProxy
3. More to come..
Monday, August 11, 2014
Synology : Publish through HAProxy
This is the second article in a series to secure your Synology NAS.
HAProxy enables users to access programs on their NAS without opening additional ports in the firewall. Also, because the applications are not accessible on the ports they normally run on, and you need to know the exact URL to use, it is hard to exploit the application if there is a bug in the software (for instance SynoLocker).
If you use the DDNS service of Synology you can put names in front of the DDNS name to connect to the services.
For instance, https://dsm.mydemonas.synology.me would redirect me to the admin interface of my NAS.
To achieve this we need to install an additional program, HAProxy. This is available through the repository from SynoCommunity. The address for the repository is: http://packages.synocommunity.com
This tutorial will take you through the following steps:
1. Add the repository
2. Prepare the NAS for the application
2.a Install a certificate
2.b Enable SSH
3. Install the application and prerequisite
3.a Some problem fixing
4. Conclusion
I hope this will help you ;)
Add the repository
First open the package center:
When in Package center select Installed and click the button Settings
Click on Add, and fill in the following information:
Name: Syno Community
Location: http://packages.synocommunity.com
On the left hand side click on Community and then Refresh.
A lot of packages will appear here.
Create a Certificate
Before we install HAProxy we first need to update the certificate and enable SSH.
Go to Control Panel
Open Security
Click on the TAB Certificate
Click on Create Certificate
In this tutorial we create a self-signed certificate. If you have a valid certificate you can import it here, or you can create a certificate request which you can send to a certificate authority.
Fill in your information
At Common Name fill in the DNS name you want to use. The DDNS service from Synology can provide you with a DNS name. You can add the local IP address in the Subject Alternative Name field. Click Apply
Enable SSH
Since the custom configuration of HAProxy is only available through the command line we must enable SSH to connect to the NAS.
Open Control panel
Open Terminal & SNMP
Select Enable SSH Service and click Apply
Installation of the Package
Now we can install HAProxy. Since Python 2.7 or higher is a requirement, we first install Python.
Open Package Center
Select Community
Look for the package python and click install
Wait until the installation is finished
Look for the application HAProxy and click install
HAProxy uses a username and password to protect the status page. Enter those here.
The default is admin / admin
Click Next
Make sure the checkbox is ticked to run the application, and click Apply
With version 1.5-dev25-12 there is a problem in the configuration which doesn't allow the application to run. We can however fix it ourselves.
Download PuTTY
Open the downloaded program file and connect to the IP address of your NAS over SSH
The username is always root
The password is your admin password
Change the current folder to /volume1/@appstore/haproxy/var and open the file haproxy.cfg
Commands:
cd /volume1/@appstore/haproxy/var/
vi haproxy.cfg
When the file opens, scroll down to the part backend gateone.
Add verify none to the server line. To do this, press i,
add the words to the line and press ESC.
Type :wq [ENTER] to save the file and quit.
Now the package will run when we start it.
Conclusion
By default HAProxy runs on the ports 5080 and 5443.
You can change these ports in the configuration file, or you can modify your firewall (router) to forward the requests coming in on port 80 or 443 to the ports of HAProxy. By default the applications are only available over the https (5443) port, but you can copy those lines to the http (5080) port option. This makes it less secure!!
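The two settings discussed above can be checked with a short script. This is an added example, not code from the original post or from the SynoCommunity package: it reads a haproxy.cfg and reports backend server lines that carry verify none (HAProxy then does not check the backend's certificate) and backends that are also routed from a frontend listening without SSL. The embedded configuration is constructed; the host prefix, backend names, backend ports and file paths in it are assumptions.

```python
# Constructed sample, NOT the SynoCommunity package's real haproxy.cfg.
# Host prefix, backend names, backend ports and file paths are assumptions;
# only the ports 5080/5443 and "backend gateone" come from the post.
SAMPLE_CFG = """\
frontend https
    bind :5443 ssl crt /path/to/cert.pem
    acl host_dsm hdr_beg(host) -i dsm.
    use_backend dsm if host_dsm
    default_backend gateone

frontend http
    bind :5080
    acl host_dsm hdr_beg(host) -i dsm.
    use_backend dsm if host_dsm   # rule copied from the https frontend

backend dsm
    server dsm 127.0.0.1:5001 ssl verify required ca-file /path/to/ca.pem

backend gateone
    server gateone 127.0.0.1:9999 ssl verify none
"""

SECTIONS = ("global", "defaults", "frontend", "backend", "listen")

def audit(cfg_text):
    """Return (servers with 'verify none', backends routed from plain-HTTP frontends)."""
    section = name = None
    plain_frontends, routes, unverified = set(), {}, []
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, tokenise
        if not words:
            continue
        if words[0] in SECTIONS:
            section, name = words[0], (words[1] if len(words) > 1 else "")
        elif section == "frontend" and words[0] == "bind":
            if "ssl" not in words:              # listener without TLS
                plain_frontends.add(name)
        elif section == "frontend" and words[0] in ("use_backend", "default_backend"):
            routes.setdefault(name, []).append(words[1])
        elif section == "backend" and words[0] == "server":
            # "ssl ... verify none": backend certificate is never checked
            if "ssl" in words and "verify" in words:
                if words[words.index("verify") + 1:][:1] == ["none"]:
                    unverified.append((name, words[1]))
    exposed = sorted({b for f in plain_frontends for b in routes.get(f, [])})
    return unverified, exposed

if __name__ == "__main__":
    no_verify, over_http = audit(SAMPLE_CFG)
    print("backend servers with 'verify none':", no_verify)
    print("backends reachable over plain HTTP:", over_http)
```

To check your own file, copy /volume1/@appstore/haproxy/var/haproxy.cfg from the NAS and pass its contents to audit().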
Synology : Make sure it is up to date and you are informed of updates.
The first advice in this series is to make sure your system is always up to date. The press release of Synology states that the current versions of the software were NOT vulnerable to this virus. So first we make your system send you emails if there is an update for your Synology.
Click on the start button (Top Left corner) and open Control Panel
Open Notification
If you have the details for sending emails through an SMTP server (mail server) you can use the first tab (Email) to enter this information.
Be sure to test the configuration.
If you don't have access to an email server to send the emails you can choose to use the Synology notification email server. You find this on the tab "Push Service".
Fill in your email address and click Apply. After a few seconds a new button appears. Click on this button, "send verification mail", open your email box and click on the verification link in this email.
Email notifications will now be sent.
In the "Advanced" tab you can select which notifications you want to receive. I have selected all notifications.
In the left menu go to "Update & Restore". On that page click on the button "Update Settings" and make sure that the system is checking for New and All updates and that the checkbox is checked to check and download these updates.
Next close all the open pages, and open the Package Center
When the Package Center opens click on the Settings button
Make sure both options are selected on the General Tab
On the tab Auto Update you can choose to Auto Update the Synology Packages
Now you will receive emails if there are updates available for your Synology System or applications.