Monday, August 11, 2014

How to operate a secure Synology system...

With the current hype around the outbreak of #SynoLocker, a ransomware virus which encrypts all your files and only allows decryption after paying a ransom fee ($400), it is nice to have your Synology protected as good as possible to minimize the attack vectors (ways people can compromise the security) to a minimum without loosing any end-user usability and ease.

In the different forums you find the following advices:
* Disable the default Admin Account
* Change the default ports on the services
* Use SSL
* Don't use 3rd party applications
* etc.

Below I will describe what is in my opinion a good way to protect your Synology for attacks. I will be using 3rd party applications from the SynoCommunity repository.
Starting point is an up to date Synology system and you are logged on as an Admin user (Admin or a different user with admin-rights)

Below are the links to a series of posts to secure your Synology:
1. Make sure your synology is up to date
2. Publish the applications through HAProxy
3. More to come..

Synology : Publish through HAProxy

This is the second article in a series to secure your Synology NAS.

HAProxy enables users to access programs on their NAS without opening additional ports in the firewall. Also because the applications are not accessible on the ports which they normally run on, and you need to know the exact url to use, it is hard to exploit the application if there is an bug in the software. (For instance SYNOLOCKER)
If you use the DDNS service of Synology you can use names in front of the DDNS name to connect to the services.
f.i. would redirect me to the admin interface of my NAS.

To achieve this we need to install an additional program HA-Proxy. This is available through the repository from Syno Community. The address for the repository is:

What this tutorial will assist you in is the following:
1. Add the repository
2. Prepare the NAS for the application
2.a Install a certificate
2.b enable SSH
3. Install the application and pre-requisite
3.a some problem fixing
4. conclusion.

I hope this will help you ;)

Add the repository
First open the package center:

When in Package center select Installed and click the button Settings

Click on Add, and fill in the following information:
Name: Syno Community

On the left hand side click on community and then refresh.

A lot of packages will appear here.

Create a Certificate
Before we install HAProxy we first need to update the certificate and enable SSH.

Go to Control Panel

 Open Security

Click on the TAB Certificate

Click on Create Certificate

In this tutorial we create a self-signed certificate, if you have a valid certificate you can import it here,  or you can create a certificate request which you can send to a certificate authority.

Fill-in your information

At common name fill in the DNS name you want to use. The DDNS service from synology can provide you with a DNS name, you can add the local ip adres in de Subject Alternative Name field. Click Apply

Enable SSH
Since the custom configuration of HAProxy is only available through the command line we must enable SSH to connect to the NAS.

Open Control panel

Open Terminal en SNMP
 Select Enable SSH Service and click Apply

Installation of the Package

Now we can install haproxy. Since a requirement is Python 2.7 or higher we first install Python.
Open Package Center

 Select Community

Look for the package python and click install

Wait until the installation is finished

Look for the application HAProxy and click install

HAProxy uses an username and password to protect the status page. Enter those here.
Default is admin admin
Click Next

Make sure the checkbox is ticked to run the application, and click apply

With version 1.5-dev25-12 there is an problem in the configuration which doesn't allow the application to run. We can however fix it ourselves.

Download putty

Open the downloaded program file and connect to the IPAdres of your NAS over SSH
The username is always root
The password is your admin password

Change the current folder to "/volume1/@appstore/haproxy/var and open the file haproxy.cfg

  cd /volume1/@appstore/haproxy/var/
  vi haproxy.cfg

When the file opens scroll down to the part backend gateone.
Add verify none to the server line. For this press the i
add the words to the line. press ESC
type :wq [ENTER]

Now the package will run when we start it.

HAProxy will natively run on the ports 5080 and 5443
We can change these ports in the configuration file or you can modify your firewall (router) to forward the request incoming on port 80 or 443 to the ports of haproxy. By default the applications are only available over the https (5443) port but you can copy those lines to the http (5080) port option. This makes it less secure!!

Synology : Make sure it is up to date and you are informed of updates.

My first in a series is the advice to make sure your system is always up to date. The press release of Synology states that the current versions of the software where NOT vulnerable for this virus. So first we make your system send you emails if there is an update for your Synology.

Click on the start button (Top Left corner) and open Control Panel

Open Notification

If you have information of sending emails through a SMTPServer (Mail Server) you can use the first tab (Email) to enter this information.

Be sure to test the configuration. 

If you don't have access to an email server to send the emails you can choose to use the Synology notification email server. you find this on the tab "Push Service"
Fill in your emailaddress, click Apply, after a few seconds a new button appears. Click on this button "send verification mail", open your email box and click on the verification link in this email.
Email notifications will now be send. 

In the "Advanced" tab you can select which notifications you want to receive. I have selected all notifications

In the left menu go to "Update & Restore", in the page click on the button "Update Settings" and make sure that the system is checking for New and All updates and that the checkbox is checked to check and download these updates.

Next close all the open pages, and open the Package Center

When the Package Center opens click on the Settings button

Make sure both options are selected on the General Tab

On the tab Auto Update you can choose to Auto Update the Synology Packages

Now you will receive emails if there are updates available for your Synology System or applications.