The Case of the Hijacked Internet Explorer (IE) Default Browser Message

I recently had a case of a hijacked Default Browser message (the one that asks you to set the browser as default) in Internet Explorer (IE) 11 on a Windows 8.1 machine. Now that is not to say that it cannot happen to other versions of Windows, Internet Explorer or even other browsers, but this fix will clear the Internet Explorer issue.

With many of these things, the cause of this is malware, and the user doing or rather installing or running something they shouldn’t be (what they wanted the software for was perfectly OK, its just they got stung by the malware).

Anyway the issue presented like this;

The Hijacked page, remember do not click on any links
The Hijacked page, remember do not click on any links

IMPORTANT NOTE: Now first things first. DO NOT click on any of the links in the page. It is also important to note that even if Internet Explorer is the default browser, or you have told it not to bother you, it will still appear.

Now the first step in this is understanding what has happened, which in this case is that the iframe.dll file has be hijacked, either through modification or replacement (which indicates that the program would have had to have gone through UAC and the user OK’ing the change), specifically it seems that the page is being redirected, but I cannot confirm this as it was more important to fix the issue than it was to find out the technical reasons why

None the less the first step is to run a malware cleaner, specifically I use Malwarebytes, and I did a cleanup of the system with CCleaner for good measure, but it is important to note that this is just to clean up other things that the malware may have left behind, it is not to fix this problem.

As this problem resides in what is a reasonably well protected file, the best way to fix the issue is with Microsoft’s built-in System File Checker (SFC) tool.

It is actually rather simple to fix this error;

Open a Command Prompt window as Administrator

Open an Administrative Command Prompt
Open an Administrative Command Prompt

Once you are in the command prompt type;

sfc /scannow

Type sfc /scannow
Type sfc /scannow

This tool will now run and verify the files Microsoft has put into the system to validate they are the correct files, if they are not and have been replaced or otherwise modified, it will replace them with the original file. This process may take some time depending on the hardware you are running it on

SFC Running - This may take a while
SFC Running – This may take a while

Once complete, you need to restart the PC, and the SFC tool tells you as much

SFC has completed it task, now it wants you to reboot your PC
SFC has completed it task, now it wants you to reboot your PC

Restart your PC and the offending window will now be replaced with the default Microsoft one. Now how I said before it seems to override/overwrite the setting telling Internet Explorer not to display the defaultbrowser.htm tab (either because it is default, or you have told it not to check). This continues on here, because that setting was tampered with by the malware it will display the default browser page, to clear this you either simply need to tell it to not display it, or go through the set as default process.

Enjoy

Justin

Using Docker Behind a Proxy

Justin 09 Dec , 2015 0 comments Docker

I have started learning about containerisation with the view ultimately of deploying it in a production environment for some of the services at my larger clients. Testing and developing this however is made more difficult by the use of a mandated proxy by those who control the WAN and access to the greater internet.

Consequently when I was attempting to pull images and files from the Docker Hub I was getting errors.

Now I could use environment variables, but as this is a test machine and is on my laptop it is not always going to be behind a proxy (it is most of the time, just not always).

Consequently I wanted to add or enable the proxy variable in the Docker configuration file. Fortunately it is easy to find both the file and the line to edit.

For my test machine which is running Ubuntu Server 14.04 it is in the following location

/etc/default/docker

So you want to edit it (remembering to use sudo) with the following command

sudo nano /etc/default/docker

in this file there is a commented out line beginning with

#export http_proxy “http://127.0.0.1:3128/“

Simply remove the # from the start of the line, and fill in the section that contains http://127.0.0.1:3128/ with your proxy details (http://serveraddress:portnumber/)

Save the file [Ctrl+o] Alternatively you can save the file upon exit, the system will prompt you

If it refuses to save to the location, it is most likely due to lack of permissions, you did sudo when you opened nano didn’t you?

Exit Nano [Ctrl+x]

Now restart the docker process

sudo service docker.io restart (again notice the sudo)

Now you can pull down images if you got your setting right

Enjoy

Secure that Synology

I have recently started moving long term storage & other bulk data off the high-powered servers I maintain at home for working on virtual machines and other projects, and on to two Synology NAS devices, specifically a DS-1815+ for my parents and a DS-2415+ for myself. Both of these have had the official 4GB RAM upgrade installed to give each 6GB of RAM and each has only half of its bays currently populated with 8TB Seagate Archive HDD’s (so 4 in the DS-1815+ giving a total of ~15TB formatted allowing for a two disk redundancy, and 6 in the DS-2415+ giving a formatted capacity of ~30TB, again with two disk redundancy).

What I needed to do with this however is secure it as best possible without effecting the way either myself of my parents use the devices. However I have also moved several “low resource” tasks directly to the NAS to remove them from the server, what this will allow me to do is turn the power-hog of a server off when I do not need it for work, saving money. I will take you through each of these items as I get the time, but basically the following have been moved

  • File Storage
  • PLEX Server
  • Time Machine
  • BitTorrent (BT) Sync
  • SickBeard
  • SabNZBd
  • CouchPotato
  • Crashplan

To reduce the likelihood of anything causing issues with the Synology devices, and to secure them as best as possible as outlined above there are a few things that can be done.

01. Keep your NAS up to date
Your NAS like any computer (as that is essentially what a NAS is, a specialised computer) will from time to to time, have security issues identified and patched, as well as new features published, and as such it should be kept up to date. The Synology system like most computer systems these days, there is an option to have it automatically taken care of for you by the operating system (in the case of the Synology it is called Disk Station Manager or DSM) and it is a simple process to so.

Open Control Panel

SYNO-GEN-Desktop-CP
Control Panel on Desktop

 

SYNO-GEN-StartMenu-CP
Control Panel in Start Menu

Click “Update & Restore” in the “System” Menu or alternatively if you already have the control panel open in the Left Hand Menu Scroll down to “Update & Restore” and single click.

SYNO-SEC-ControlPanel-Basic-UR
Basic Control Panel
(Click “Advanced Mode” to change)

 

SYNO-SEC-ControlPanel-Advanced-UR
Advanced Control Panel
(Click “Basic Mode” to change)

Select “Update Settings”

SYNO-SEC-UpdatesMain
Open Update Settings

Select either “Newest DSM and all updates” (my preference) or “Important Updates Only”, check the “Check for DSM updates automatically” checkbox and select settings that suit you. I personally use and recommend “Install newest DSM update automatically” although you may want to choose “Install Important DSM Updates Automatically”, however I would caution against using “Download DSM updates but let me choose whether to install them”. This setting may be appropriate in some situations such as hosting business data and wanting to let it sit there for a couple of days to give the community time to vet it first, but on the whole I have not had issues with the first option and as such continue to use it. However remember, even though its a NAS you should still have a backup

SYNO-SEC-UpdateSettings
Update Settings Details

Click OK to save and commit the changes

02. Update Packages Automatically
Updating your packages on the device is just as important as keeping the device itself up to date. Fortunately Synology have once again made this a simple process.

Open Package Centre

SYNO-GEN-Desktop-PC
Package Centre – Desktop

 

SYNO-GEN-StartMenu-PC
Package Centre – Start Menu

If you have not used “Package Centre” before you may need to agree to the terms and conditions

SYNO-GEN-PC-TNC
Terms and Conditions Screen
Click “OK”

Click on Settings

 

SYNO-SEC-PC-Settings
Package Centre – Settings Selection

Select “Auto Updates”


SYNO-SEC-PC-Settings-Main
Select Auto Updates (Highlighted)

 

Ensure that “Update packages automatically” is selected. I usually use the “All Packages” option, however in a few cases I have had to use individual selections due to the updating of some components breaking others.

SYNO-SEC-PC-Settings-AutoUpdates
Ensure that “Update packages automatically” is selected

 

Click OK to save and update the settings

03. Install Antivirus
A NAS like any network (and internet) connected device will from time to time have issues that could allow a virus or other malware on to the system such as SynoLocker that was going around a while back. To combat this I highly suggest you install an Antivirus solution such as the Antivirus Essentials package from Synology. I do not know how this compares to the McAfee solution (which is only a trial and requires payment) also available as I refuse to use the McAfee as a point of principle, nor do I know its strike rate versus what you would get on a “normal” PC installation of an antivirus. But it never hurts to have it there anyway. I would also recommend setting up the antivirus to run a scan on a regular basis such as the one on your desktop, laptop or tablet should. To do this it is reasonably simple

Open Package Centre

SYNO-GEN-Desktop-PC
Package Centre – Desktop

 

SYNO-GEN-StartMenu-PC
Package Centre – Start Menu

If you have not used “Package Centre” before you may need to agree to the terms and conditions

SYNO-GEN-PC-TNC
Terms and Conditions Screen
Click “OK”

 

On the menu on the left hand side of the package centre select security

SYNO-SEC-AV-PC-SC
Opening page of Package Center with Security Highlighted

 

On the Security packages page you will see the “Antivirus Essentials” package (by default they are displayed in alphabetical order). Under “Antivirus Essentials” click install, and wait for the install to proceed.

SYNO-SEC-AV-PC-IN
Package Centre Security Packages with Install “Antivirus Essentials” highlighted
SYNO-SEC-AV-PC-IN-4
Installing “Antivirus Essentials”

Upon successfully completing the installation you will get notifications in the top right corner, the notification centre, and the button below the “Antivirus Essentials” logo will change from “Install” to “Open”. Click “Open” to open the Antivirus essentials package.

SYNO-SEC-AV-PC-OP
Install complete
Install button is now open button
Click this and open the package

Upon opening the package you will be presented with the default screen, on the left hand side select “Settings”

SYNO-SEC-AV-FP
“Antivirus Essentials” start screen with “Settings” highlighted

Under the “Update” section, ensure the “Update virus definition before scanning” checkbox is checked (enabled), we do not want to scan with old definitions now do we, that would be silly

SYNO-SEC-AV-DT
Select “Update virus definitions before scanning”

In the left hand column select “Scheduled Scan”, you will most likely be presented with a blank schedule as by default no scans are scheduled, to create a schedule click on “Create” which is a the top left of the right hand section of the page.

SYNO-SEC-AV-SS
By default there are no scheduled scans

The next settings are really up to you, but I normally select “Full Scan” unless there is a compelling reason not, fill in the “Date” and “Time” fields with your desired settings, click OK and the item is created in the schedule.

SYNO-SEC-AV-SS-WD
My Weekday Schedule
SYNO-SEC-AV-SS-WE
My Weekend Schedule
SYNO-SEC-AV-SS-F
My Complete Schedule

Close the App, All done

Please note you do not have to have just one scheduled scan, as above personally I use two, one at midday for each weekday as I am in theory not home using the NAS as I am at visiting clients, and on weekends it runs at 3 AM. I could do 3 AM daily, but I have other tasks that start at 2AM (specifically the DSM update check) and I want to reduce the likelihood of one conflicting with the other

04. Configure and use the Synology Device Firewall
Whilst your NAS may not be on the internet, more commonly you will be using some services, and whilst your router will provide a little protection, it is better to create explicit rules on the device to protect it from attacks.

Personally with this I use three rules to keep it simple; The first rule allows full access from the local network, although ultimately once I have things settled down at each site I tend to secure it allowing only the protocols and ports through that are required for that site. The second rule allows traffic from Australia and the UK (as my brother is currently residing in the UK) and the final rule blocks everything else.

To do this follow these instructions

Open Control Panel

SYNO-GEN-Desktop-CP
Control Panel on Desktop
SYNO-GEN-StartMenu-CP
Control Panel in Start Menu

The next thing you will have to do is dependent on your view of the control panel, if you are in “Basic Mode” you will need to click on “Advanced Mode” in the upper right hand corner of the “Control Panel”, if you are already in advanced mode continue to the next step.

Basic Control Panel - "Advanced Mode" Highlighted
Basic Control Panel – “Advanced Mode” highlighted

In “Advanced Mode” you simple click the “Security” item


Advanced Mode - "Security" Highlighted
Advanced Mode – “Security” Highlighted

Opening this Security section drops you into the “Security” subpage, as such you will need to select “Firewall” from the tabs at the top

Security Page - "Firewall" tab highlighted
Security Page – “Firewall” tab highlighted

In the firewall tab, by default there is no rules so you will need to create them, you do this by clicking create in the upper left corner of the right hand page section

Home page of the "Firewall" tab
Home page of the “Firewall” tab

Once you have clicked create you will be shown a basic menu for creating the rule structure

Basic Rule creation window
Basic Rule creation window

Now while clicking OK in the above window would create a rule, it would create a rule allowing all traffic from every device, everywhere to all services that you currently have, or may create in future on the NAS device (assuming the appropriate NAT forwards in in place anyway) so we need to not click OK and modify some settings to make it useful

Firstly we are going to create a network rule to allow all access from the local network, so we are going to change the “Source IP” section to the “Specific IP” section (yes even though we are allowing a whole network). Now this seems to be a non-issue as I have never had local access denied to the device, but as we will be putting a deny all in later its better to be safe than sorry as in the future this may change.

Create Firewall Rule based on IP (Range)
Create Firewall Rule based on IP (Range)

After changing Source IP to the “Specific IP” Radio button, click the now working “Select” button to the right of it, this will bring up the IP input menu. Once the below input box has popped up, change the radio button option to either “Subnet” if you want to allow the whole subnet or “IP Range” if you want just a range of IP’s. I have used the subnet option and put the network address in the “IP address” field in my case this is 172.16.1.0 and the subnet mask in the “Subnet mask/Prefix length” field in my case this is 255.255.255.128. If you want to use the “IP range” option put the first (lower) IP address of the range in the “From” field. and the last (higher/upper) IP address in the “To” field. Click OK to save your input data, and “OK” once again to save your rule

Dialogue Box for IP input
Dialogue Box for IP input

Clicking on “Create” again we will now create a regional allow for the regions/countries you want, the first part of this is changing the “Source IP” field so that the “Region” radio button is selected

Create firewall rule based on region
Create firewall rule based on region

Once it is selected, again click the “Select” button, this will bring up an input box requesting you to select regions, in my case I want to select Australia and Great Britain. Click “OK” once the regions are selected to save your selection, and “OK” once again to save your rule

Selecting Australia
Selecting Australia
Selecting Great Britain
Selecting Great Britain

Now creating a region based filter may be a bit over the top to some considering I travel often, but it’s not that hard to change so when I or another family member travels overseas and requires access to the NAS I simply add the areas that are being visited to the allow rule.

Finally we want to create an explicit deny rule. What this rule does, is deny any access to the NAS that does not meet the rules above it. Due to the way this works, this should always be the last (bottom) rule on the firewall, as everything will match it so any rules below it will not be processed. To create this rule it is even easier than the others. Once again click the “Create” button, bringing up the popup. We want to leave both the “Ports” and “Source IP” with settings of “All” but we want to change “Action” to “Deny” and “OK” to save your rule

Creating an Explicit Deny for Security
Creating an Explicit Deny for Security

Below is a screenshot of these three basic rules and how they appear in the firewall control panel to ensure they work correctly

Firewall Rules In Order
Firewall Rules In Order

05. Disable or remove unused applications and services
As with any device, the more programs, features and services you put on it the more potential places there are for people, or malware to gain access to the system, the simple solution to this is if you do not need it, remove it, if you only need it sporadically, only use enable it when you need it.

Don’t get me wrong, Synology and third parties have some great features available for the devices, Photo Station, Plex and Cloud Station just to name a few, but if you do not need them, do not install them, you can always add them later if you need them, if you have them installed and no longer use them, remove them, again you can re-add them later (make sure you have a backup of the data if you remove them).

To see what you have running it is a simple matter as outlined below

Open Package Centre

Package Centre - Desktop
Package Centre – Desktop
Package Centre - Start Menu
Package Centre – Start Menu

Depending on how it’s set up you may end up seeing the “Recommended” section or the “Installed” section, if you see “Recommended” simply select “Installed” in the left hand menu to see what is installed

Installed Packages
Installed Packages

To remove one of these if they are no longer needed simple click on the package and open it

Opened Package Menu
Opened Package Menu

Click on the “Action” menu and select “Uninstall”

Uninstall Package
Uninstall Package

You will get a series of two popups, the first checking that you’re sure you want to uninstall the package, the second to tell you it has been uninstalled

Confirm Uninstall of Package
Confirm Uninstall of Package

Package has now been successfully removed
Package has now been successfully removed

You will then be taken back to the “Installed” display, now missing the package you have removed

SYNO-SEC-PC-REMOVED

Packages however are not the only risk, the same and to a large extent a greater risk can be had from services such as SSH and Telnet (which should not be used PERIOD). SSH for example is a prime candidate for being left enabled when you do not need it, again do not get me wrong its a great tool and I use SSH all the time on several of my machines, but if I do not need it I turn it off, one less avenue open for attack.

To disable SSH, or Terminal which are the commonly left open ones do the following

Open Control Panel

Control Panel on Desktop
Control Panel on Desktop
Control Panel in Start Menu
Control Panel in Start Menu

The next thing you will have to do is dependent on your view of the control panel, if you are in “Basic Mode” you will need to click on “Advanced Mode” in the upper right hand corner of the “Control Panel”, if you are already in advanced mode continue to the next step.

Basic Control Panel - "Advanced Mode" Highlighted
Basic Control Panel
“Advanced Mode” Highlighted

In “Advanced Mode” you simple click the “Terminal & SNMP” item

Click "Terminal & SNMP"
Click “Terminal & SNMP”

The Terminal control window will open, and the settings will either be on (checked) or off (unchecked) simple uncheck them if you do not need them running

SSH Enabled
SSH Enabled
SSH Disabled
SSH Disabled

Click Apply and your done

When you remove a service and no longer need it, also remember to remove any port forwards from your router, no need to leave those ports open if you don’t need to

06. Disable or remove unused accounts
What has been said for applications and services, also goes for users, in fact users would be somewhat more important. If an account is not required, remove it. Do not get me wrong I am not saying use a single account for everyone, far from it, in fact I ensure everyone has their own account for access where required so that people are accountable for their actions, but if the account is no longer required, and will not be in the near future I will remove it, if it is going to be needed in the short term, I will disable it and enable it when I need it again.

I do take my security perhaps a little too far as I have separate accounts for administration, another for normal user access to the data, a setup that I highly recommend for security. I also however have third account for the AFP share which is presented for Time Machine on the Apple devices. I have done this to reduce the chance of anyone getting access to the full system backups, as there is more in the backups than there is in the data synced between the other folders. I do however ensure that the standard admin and guest accounts are disabled. As these accounts are standard it is safe to assume that hackers know about them and therefore are a security risk.

It is however important to note that it seems by default that DSM (Disk Station Manager – the Synology Operating System) does not allow you to remove the accounts, probably due to operational reasons in the case of the guest account. In the case of the admin account I suspect this is due to how the factory reset works, specifically due the fact that when reset via the reset button enables the account and resets the password to a factory default.

It is also important to note that the password for the built-in admin account is the one used by BOTH the admin and root SSH accounts to the device, and that disabling the account in the web interface does not seem to disable the acount on the system itself as the SSH access is still evident.

Now the smart people at Synology have disabled the guest account by default, meaning you have to enable it for it to be a security issue. However we may need to disable or remove annother account, and Synology have thankfully made it quite easy to achieve;

Open Control Panel

Control Panel on Desktop
Control Panel on Desktop
Control Panel in Start Menu
Control Panel in Start Menu

Click “Users” in the “System” Menu or alternatively if you already have the control panel open in the Left Hand Menu Scroll down to “Users” and single click.

Basic Control Panel (Click "Advanced Mode" to change)
Basic Control Panel
(Click “Advanced Mode” to change)
Advanced Control Panel (Click "Basic Mode" to change)
Advanced Control Panel
(Click “Basic Mode” to change)

Select “User” and click to open, this will change the window to display the “User” menu. Once this has happened select the user to disable, in this case “admin” and click the edit button

Admin User selected, Click the Edit Button
Admin User selected, Click the Edit Button

This will in turn pop up a menu to edit the user, down the bottom of which is the option to disable the user, and we want to disable the user immediately in this case (the scheduled disabling of the account for example would be used for a contractor or other person who you want to access the files on the devices only for a limited time). Once the options are set, hit OK and disable the user

Disabling the admin user immediately
Disabling the admin user immediately

This will drop you back to the user management screen, however the admin account will now be disabled

Disabled admin account
Disabled admin account

Now that’s all good, but how about if you want to remove an account, well that again is simple.

Select the user you want to remove and hit the “Delete” button

SYNO-SEC-USER-MENU-DELETE
User Selected and Delete highlighted
Select user and click delete

This will bring up a confirmation box confirming you want to do this, and telling you that the users home folder will be removed and is unrecoverable (hope you have a backup :D)

Confirm that you want to remove the user and its associated home folder (if applicable)
Confirm that you want to remove the user and its associated home folder (if applicable)

Now that’s done it will again drop you back to the user management scree, the account is however gone

Account Removed
Account Removed

That’s it, users are disabled and/or removed

07. Install and use a SSL Certificate
Whilst an SSL certificate strictly speaking does not add to the security of the device directly, it does help secure (through encryption) peoples interaction with the device, specifically those interactions over SSL supported mediums such as HTTP (web interface), the most important of these interactions being the transmission of credentials to the system to gain access it. Encryption does this by obuscating the data that would otherwise be sent in plain text. This however does not mean you can use a weak password (and that includes using the same password for multiple services).

Now there are several ways to do this depending on how you want to go, there is using a self-signed certificate which will secure the device, but you will get warnings about the certificate not being from a recognised source unless you add it to the trusted sources on your systems (this can be done via GPO’s, System Profiles etc on large corporate systems, and can even be done through scripting on systems where you cannot manage them centrally, you could of course use the old chestnut of installing it manually on every system, but who wants to do that?).

If you do not want to go through the process of dealing with a self-signed certificate you can get a certificate signed by an external certificate signing authority which will mean there is no need to install the certificate authority manually, as the roots are included on most operating systems by default. The downfall of this is that there are multiple types of certificates available from certification authorities as well. You are able to get a single domain certificate, a multiple domain certificate (UCC), or a wildcard certificate that protects all the sub-domains of a certain root domain.

As you want to protect more and more (sub)domains, the cost of the certificate goes up, with wildcard certificates in particular becoming very expensive to purchase and maintain. I will let you decide which way you want to go and work out the particulars, but I myself and my clients all use externally signed wildcard domain certificates. The steps for installing and setting up a certificate are basically the same no matter which way you go.

What may be different however is if you need the certificate chain. As I use GoDaddy certificates and want to present all my certificates to the client browser as a certification chain to maintain the integrity of the process, so I do need to put the entire chain into the system (it is also a part of getting a higher ranking in the SSL security tests, but more on that later). You can also let the browser find chain certificates, but this does present another possible attack vector to the system, or you may no need one, depending on the external provider or in the case for most self signed certificates.

To do this follow these instructions

Open Control Panel

Control Panel on Desktop
Control Panel on Desktop
Control Panel in Start Menu
Control Panel in Start Menu

The next thing you will have to do is dependent on your view of the control panel, if you are in “Basic Mode” you will need to click on “Advanced Mode” in the upper right hand corner of the “Control Panel”, if you are already in advanced mode continue to the next step.

Basic Control Panel - "Advanced Mode" Highlighted
Basic Control Panel
“Advanced Mode” Highlighted

In “Advanced Mode” you simple click the “Security” item


Advanced Mode<br />"Security" Highlighted
Advanced Mode – “Security” Highlighted

Opening this Security section drops you into the “Security” sub-page, as such you will need to select “Certificate” from the tabs at the top

Security Page - "Certificate" tab highlighted
Security Page – “Certificate” tab highlighted

Now that you are in the certificate menu, you will notice there is already a certificate on the device. This is a self signed certificate, and if you want to allow that, you could simply export the certificate (using the “Export” button) and import it into your trusted certificates store on your machine(s) as discussed above and be done with it. However I am going to show you how to add a third party certificate. Up the top of the tab you will notice two buttons, one saying “Create certificate” the other saying “Import certificate”. If you need to create a certificate signing request (CSR) you can do it through the Create menu (you can also create a custom self signed, renew a self signed, or even sign a CSR from another source allowing you to use the Synology as the Certificate Authority). Again here I am going to skip over this and go straight on with the import of the certificate, therefore we want to hit the “Import certificate” button.

Security Page - "Import certificate" button highlighted
Security Page – “Import certificate” button highlighted

This opens an import page, which contains three fields, these being the certificate itself, the intermediate certificates (if any) and the private key. Both the certificate, and the private key are required, and how you get the private key is dependent on how you generated the certificate, if there are questions on how to get the private key, ask in the comments and I will try to help out. Personally I use a program called XCA for my key/certificate management and I find it works very well.

 

Blank Import Form
Blank Import Form

Once the fields are filled in by browsing and selecting the appropriate files, you need to simply select “OK” and the device will now import the certificates

Completed Import Form
Completed Import Form

The screen once this has been completed will now drop back to the normal certificate home screen, but your certificate is now installed.

Home Page with Third Party Certificates
Home Page with Third Party Certificates

Congratulations, you have installed your certificate, however installing an SSL certificate by itself however is only part of the puzzle, you actually need to configure the device and its services to make use of the certificate, and ideally to redirect all requests for plain old unencrypted and insecure HTTP to your new encrypted and (hopefully) secure HTTPS implementation, also enabling HSTS is a good idea so we will turn that on as well.

Thankfully, Synology have made that very easy, by putting all the check box options for this on the one page, from within the open “Certificates” tab on the left panel you want to select “Network”

Certificates Home with Network Highlighted
Certificates Home with Network Highlighted

Clicking on this will drop you to the “Network” home page, where we need to select the “DSM Settings” tab

DSM Settings Tab Highlighted
DSM Settings Tab Highlighted

Now we are in the DSM settings tab is open you will notice there is an option to enable HTTPS connections, and several sub-options that need to be checked.

DSM Settings homepage, notice that HTTPS and its options are disabled
DSM Settings homepage
Notice that HTTPS and its options are disabled

Check the “Enable HTTPS connection” option, and the two unchecked sub-options (Automatic Redirection and HSTS) and click “Apply”

With HTTPS and its options enabled, click "Apply"
With HTTPS and its options enabled, click “Apply”

You now have a device using SSL encryption, and HSTS to ensure be best possible chance of keeping that data safe, it is important to note however that with HSTS enabled, which is a method by which the server tells the browser only to communicate it over HTTPS, until a per-determined time is reached, we also need to ensure that we keep a valid certificate on the device an update it PRIOR to the old one expiring. If this is not done, you otherwise you risk loosing access to the device without resetting the browser or overriding the default behavior of the browser to drop out due to the expired certificate.

08. Enable Device Auto-Block Lockouts
DSM has a feature as part of the firewalling system to automatically block access to clients that attempt to log in a given number of times, over a given period, to be locked out for a given period.

To this end I have the following settings set for security
Attempts: 3
Time Period: 60 Minutes
Block Expires: 1 Day

To configure this you will have to be in the “Advanced” mode of the control panel, if you are in “Basic Mode” you will need to click on “Advanced Mode” in the upper right hand corner of the “Control Panel”, if you are already in advanced mode continue to the next step.

Basic Control Panel - "Advanced Mode" Highlighted
Basic Control Panel – “Advanced Mode” Highlighted

In “Advanced Mode” you simple click the “Security” item


Advanced Mode - "Security" Highlighted
Advanced Mode – “Security” Highlighted

Opening this Security section drops you into the “Security” sub page, as such you will need to select “Auto Block” from the tabs at the top

Security Page - "AutoBlock" tab highlighted
Security Page – “AutoBlock” tab highlighted

In the Auto Block tab the details have already been filled in, although the “Enable auto block” and “Enable block expiration” check boxes are unchecked

Check the “Enable auto block” which will allow you to change the “Login attempts” and “Within (minutes)” fields, then if you want to enable block expiration which I highly recommend the check the “Enable block expiration” which will then enable the “Unblock after (days)’ field.

Auto Block Page (Default Settings)
Auto Block Page (Default Settings)
Auto Block set to my settings
Auto Block set to my settings

As stated above and as in the screenshot my settings are

Attempts: 3
Time Period: 60 Minutes
Block Expires: 1 Day

Once the settings are to your liking click “Apply” Auto Block is now enabled.

NOTE: Unless you want to get banned from your own device I strongly suggest you enable ban expiration, although you can get around this by changing IP’s, but it does cause issues when used in conjunction with with reverse proxies (which will be explained in a later article), as all EXTERNAL requests are comming from the one IP.

There you have it as “basic” secured Synology, I have included a couple of tips below but if there are any comments or questions, please leave them in the comments below

Justin

Useful Tip
Create and assign permissions to groups, not users. Coming from a Systems Administrations point of view, if you need to add permissions to something, create a group if an appropriate one does not already exist, and assign that group permissions to the item or object, even if the group only has one user. This will allow you to move people into and out of groups in the future to assign them permissions to things, without having to look up and assign permissions to each user. This is how I was taught to do it in large installations (admittedly using Directory Services for corporate authentication) and its saved me much time and effort in the past and I continue to do it how.

Useful Tip #2
Again this may be me taking it a little far, but I hide all the shares on the device unless they are truly public. Like many people, we occasionaly have guests on our WiFi, and I simply want to hide the data from them (what they cannot see, they will not try to access for the most part). This is simply done by clicking the “Hide this shared folder in My Network Places” checkbox. I also check the “Hide sub-folders and files from users without permissions” checkbox for good measure. this will stop files and folders showing up in the directory listing to users without permissions to that folder, if you use those features.

OSX 10.10 802.1x Profiles

DISCLAIMER: Playing with system configuration data and removing files is dangerous and presents a risk to your system, only attempt this fix at your own risk, any consequences are on your head

Recently I have had to start replacing a number of certificates used for wireless authentication on a RADIUS/802.1X authenticated wireless network at a number of clients, and for the most part it has gone smoothly (but this does not make for a good blog post now does it). There have however been issues with a number of OS X based devices, and more specifically devices that have gone through a number of in place upgrades since the system profile was installed.

These systems have all had a number of in place upgrades over the years from either OS X 10.6 given their age and as such there are now issues removing these 802.1X profiles.

To understand why this is happening, a little background on how the profiles were managed previously and are managed now is in order.

In 10.6 and prior an 802.1X profile was added (+) or removed (-) through the 802.1X tab in the Advanced settings on the interface (in this case WiFi/Airport)

OSX-10.6-802.1X-ShowButtons

In 10.7 and later these buttons have been removed

OSX-10.10-802.1X-NoButtons

With 10.7 to manage these profiles a new System Preferences option was added, it is called simply “Profiles”.

OSX-10.10-SystemPreferences-ProfileManager-Highlighted

Now whilst this is not an issue for most cases, unless a profile has been added since the upgrade, it does not appear in the Profiles pane, and therefore the Profiles pane does not show in the System Preferences menu.

This leaves us with a profile we cannot remove due to the lack of buttons in the 802.1X tab on the interface, and no Profiles pane accessible (due to no registered profiles) in the System Preferences tab

OSX-10.10-802.1X-NoButtons

OSX-10.10-SystemPreferences-NoProfilesManager

So how do we remove it? through the venerable and all powerful command line interface (Terminal).

First you need to know the location of the system configuration profiles which is the directory /Library/Preferences/SystemConfiguration.

Now this is where I can only guide you, I did this operation in the opposite order to what is outlined here due to the fact that I did the second part first and it did not remove the profile, therefore I do not know if its required or not to remove the profile, try running the first remove before removing the other two files.

The profile information seems to be stored in the file com.apple.network.eapolclient.configuration.plist within the system configuration directory, so to remove it we want to run the following command

sudo rm /Library/Preferences/SystemConfiguration/com.apple.network.eapolclient.configuration.plist

This will prompt you for a password if you have not authorized to sudo yet/recently (it has a timeout of 5 minutes), enter your password, hit enter and it will remove the file, now reboot OS X (yes this is required) and the profile SHOULD be removed.

OSX-10.10-802.1X-NoProfile

NOTE: Adrian Stevenson left a comment on the 13th of October 2015 stating that the above file is the only required to remove the profile, based upon this, the information below is not relevant to solving this issue, I have however left it so the article still contains all its original information

Further to this Kevin posted in the comments on the 27th of January 2016 that the command is confirmed on Mavericks only to require the first line

 

However if its not removed as I said above I had removed two other files prior to removing the com.apple.network.eapolclient.configuration.plist file. Specifically these are the following files;

/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
 /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist

These files were located via use of the grep command to locate references for the keyword “802” inside files (that are themselves inside the SystemConfiguration directory). The command locate these is as follows;

grep "802" /Library/Preferences/SystemConfiguration/*

NOTE: Notice the lack of a sudo, we are only reading information here, not writing so no need to sudo

It is however worth noting that due to the use of the keyword “802” this searches for all references to 802 (well der) and as wireless itself, as well as other communications protocols all have 802 numbers which they can be referenced by (i.e. 802.11 is wireless) it will find references to these protocols as well, so removing all files where this occurs may, and most likely will remove configurations for other 802 series protocols/standards where these are referenced by their 802 identifiers inside the configuration profiles. On the laptop I did this testing on, removing these files removed ALL wireless connection details, and although this may not be a great concern in some cases, it may cause issues in others.

Anyway if the removal of the first file and its subsequent reboot did not work, removing all three files should fix the issue (we want to remove the original file again to ensure there have been no references generated in the new file)

 

sudo rm /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
sudo rm /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
sudo rm /Library/Preferences/SystemConfiguration/com.apple.network.eapolclient.configuration.plist

Reboot and the Profile should have now removed itself.

OSX-10.10-802.1X-NoProfile

Let me know if it works for you in the comments

Justin

Enabling Data Deduplication on Server 2012 R2


Data deduplication (or dedupe for short) is a process which by the system responsible for the deduplication scans the files in one or more specific locations for duplicates, and where duplicates are found it replaces all the duplicate data with a reference to the “original” data. This in essence is a data compression technique designed to save space by reducing the data actually stored, as well as aiming to provide single-instance data storage (storing only one copy of the data, no matter how many places its located in).

The way this is achieved is dependent on the system used, it can be done but it can be done on block level, file level or other levels, again depending on the system and how it is implemented.

What we are going to do in this article is we are going to enable deduplication on a Windows Server 2012 R2 Server. Keep in mind this is changing data and quite possibly going to cause data damage or loss, as such make sure you have a working backup BEFORE continuing.

Firstly we need to access the server that you are planning to configure deduplication on, I will leave it up to you how you achieve that. Once you have access to the server we can begin.

On the server open “Server Manager” if it is not already open

2014-09-19-01-ServerManager

If it gives you the default splash page, simply click next (and I suggest telling it to skip that page in future by use of the checkbox) Once we are in the “Installation Type” page we need to select “Role-based or feature-based installation” and click “Next”

2014-09-19-02-AddRoleorFeature

In the “Server Selection” page select the server you want to install the service on (commonly the one your using), Click “Next”

2014-09-19-03-SelectServer

 

Next up is the “Server Roles” page, here is where the configuration changes need to take place. In the right had list of checkboxes (titled “Roles”) scroll down till you see “File And Storage Services” then open “File and iSCSI Services” then further down the page check the “Data Duplication” checkbox. Click “Next”, accepting any additional features it wants to install.

2014-09-19-04-SelectService

In the “Features” page simply click “Next”

2014-09-19-05-IgnoreFeatures

On the “Confirmation” page check you are installing what is required and click “Install”

2014-09-19-06-Install

Wait for the system to install, and exit the installer control panel, restart if your server requires it.

Upon completion of the install and any tasks associated with the installation re-open “Server Manager” and in the left hand column select “File and Storage Services”

2014-09-19-07-ServerManager

This will change the screen in “Server Manager” to a three column layout, in the middle column select “Volumes”

2014-09-19-08-ServerVolumes

With the volumes now displaying in the right hand of the three columns, right click on the volume you want to configure deduplication on and select “Configure Data Deduplication”

2014-09-19-09-ServerVolumesRightClick

This will bring up the “Deduplication Settings” screen for the volume you right clicked on. Unless Data Deduplication has been configured before, the “Data deduplication” will be “Disabled”.

2014-09-19-10-DuplicationSettings-Initial

As I am configuring this on a file server, I am going to select the “General purpose file server” option, and leave the rest as defaults. I am then going to click on the “Set Deduplciation Schedule” button

2014-09-19-11-DuplicationSettings-Enable

The “Deduplication Schedule” will now open. I suggest checking the “Enable background optimization” checkbox as this will allow the server to optimise data in the background. I also elected to create schedules to allow for more aggressive use of system resources, the first one allows for it to be done after most people have left for the day, and before the servers scheduled backup, the second one allows it to run all weekend but again stops for backups. Please note that these settings are SYSTEM settings and apply to all data deduplication jobs on the system, and are not unique to each individual deduplication job

Click “Apply” on the “Deduplication Schedule” screen, and then “Apply” on the “Deduplication Settings” screen, this will drop you back to the “File and Storage Services > Volumes” screen, and you are now done, Data deduplication is configured.

Have fun, and don’t forget that backup

Justin

Office 365 Exchange Rules Allowance & Execution of Scripts Error

I have recently been migrating my work, personal and a few other domains, including clients to a new Microsoft Office 365 tenants. Nothing new to report here, however due to having many rules in place on some of the mailboxes I have needed to update the rules allowance on several of the mailboxes away from the default 64KB to a higher amount (in my case I chose 265KB as this is the maximum allowed). Now this was always a simple task on a locally hosted Exchange, simply done through PowerShell, and it turns out it can still be done this way on Office 365, but with a few more added steps to connect to the PowerShell system on the Office 365 Outlook server.

Firstly you want to open up PowerShell and input the command

$O365Creds = Get-Credential

This tells PowerShell to ask for a credential via the familiar login popup box.

2014-08-24-PSORU-01

This credential box DOES NOT check the credentials validity, it simply grabs them and puts the in a variable called $O365Creds.

Now we are going to actually connect to the system so we can start doing something

$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $O365Creds -Authentication Basic –AllowRedirection

That commands opens the session, if you have the wrong credentials you will get an error stating

New-PSSession : [ps.outlook.com] Connecting to remote server ps.outlook.com failed with the following error message :Access is denied.

If this happens simply re-run the credential request command, then re-run the session creation command

Once successful you will connect to the PowerShell server, with this you will most likely get a warning stating the following:

WARNING: Your connection has been redirected to the following URI:
https://pod51055psh.outlook.com/powershell-liveid?PSVersion=4.0

This is due to the “–AllowRedirection” switch in the session creation command. This switch is there to allow a single URL to redirect to multiple PowerShell servers within a cluster and is needed in an Office 365 system is a cluster and there is no way of knowing which PowerShell servers have empty sessions available on them, consequently the above warning is to be expected and not a concern

Both these are shown below;

2014-08-24-PSORU-02-ErrorandRedirection

Now we want to import the remote session (and consequently import the command information) to our local PowerShell session to do this we run, a progress bar will display in PowerShell as this is happening

Import-PSSession $O365Session

2014-08-24-PSORU-03-ProgressBar

When doing this you may get an error if you are doing this for the first time, or where the Execution Policy settings changed

Import-Module : There were errors in loading the format data file:
Microsoft.PowerShell, , <<File Path>> cannot be loaded because the execution of scripts is disabled on this system.

2014-08-24-PSORU-04-EPError

To get over this error you need to run an elevated command prompt (you DO NOT have to close the original PowerShell window) and run the following command

Set-ExecutionPolicy Unrestricted

PowerShell will give you a warning stating that this may potentially expose your system to security risks, either enter Y (for yes) and hit enter, or simply hit enter (as Y is the default) if you are happy with this

2014-08-24-PSORU-05-EPErrorFix

Once this is done re-run the PowerShell import command, it should now succeed

Now we can run the command to increase the amount of space for the rules which is a simple one line command

set-mailbox -identity mailbox@domain.tld -RulesQuota 256kb

This command expand the rules quote of mailbox mailbox@domain.tld to 256KB (this is the maximum available)

This command will not show any confirmation it will simply drop to asking you for the next command to input. Input any other rules upgrades (or any other commands you want to run remotely) and then log off

To do this simply run;

Remove-PSSession $O365Session

This will again show no confirmation and will simply drop you to the next command prompt

Have Fun

Justin