The VM’s Faulty Pagefile

Recently I was having an issue with one of my Virtual Machines, specifically the one I use for accounting purposes. Each time I booted the VM I would get an error stating that there was an error with the paging file. Me being me, I ignored it and continued on about my task, with a case of “its only my stuff I will deal with it later” and putting the issue out of my mind. However I then started to get errors in the software I was using, thinking, “oh great what now” I looked at a few things and then came back to this error, which as it turns out, was the cause of the symptoms I was seeing in the software package I was using.

Windows created a temporary paging file on your computer because of a problem that occured with your paging file configuration when you started your computer. The total paging file size for all disk drives may be somewhat larger than the size you specified

Now what does this mean, well it can mean one of several things. Most commonly, expecially on a VM it means that the disk is full to a point where Windows cannot create the paging file when it starts up.

Luckily this is a simple fix, which I am not going to take you through here as the way it is done is entirely dependent on your paticular hypervisor (most commonly Hyper-V, VMWare, Parallels or VirtualBox), this does however assume you have the space free to increase the size of the virtual disk, if you do not have space, you will need to clear some files off the VM to make space.

Ok, but what if you have plenty of space. Well their are two options off the top of my head that make work, one is removing and then recreating the paging file as it may have become corrupted, especially if the system had an unclean shutdown (powered off instantly such as a power failure) or you may need to run a system file check to clean up any errors.

Whilst neither are hard to do, both can take some time to complete. I would suggest starting with the system file scan as it is the easier of the two to do and the more comprehensive, but both options are outlined below

System File Scan

To do this you need to open an administrative command prompt

Open an Administrative Command Prompt
Open an Administrative Command Prompt

 

Once you are in the command prompt type;

sfc /scannow

Type sfc /scannow
Type sfc /scannow

 

This tool will now run (which may take some time), and verify the files Microsoft has put into the system to validate they are the correct files, if they are not and have been replaced or otherwise modified, it will replace them with the original file. This process may take some time depending on the hardware you are running it on

SFC Running - This may take a while
SFC Running – This may take a while

 

Once complete, you need to restart the PC, and the SFC tool tells you as much

SFC has completed it task, now it wants you to reboot your PC
SFC has completed it task, now it wants you to reboot your PC

 

Restart your PC and see if the issue has been resolved, if not you may try to manually delete and recreate the pagefile as outlined as below.

 

Manual Removal and Recreation of the Pagefile

 

Having logged into your system as an account with administrative rights (or otherwise authorised yourself for administrative access to the system panel) you need to open the system properties display on the system, or if the dialogue box with the warning pops up then click OK and the Pagefile controls will open, allowing you to skip the first section

 

    1. Firstly, if the Paging file settings display is not open we need to open it, do this by

      a) Right Clicking on
      If it’s not already open, open the virtual memory settings by rich-clicking on Computer, → Properties → Advanced System Settings → click the Advanced tab → Under Performance, click Settings, go to Advanced tab, finally under Virtual Memory section click the Change button.

 

    1. Uncheck the Automatically manage paging file size for all drives checkbox.

 

    1. Set a “Custom size” for the paging file on the C drive: 0MB initial, 0MB maximum.

 

    1. Click OK, close all dialog boxes, and restart your computer.

 

    1. After logging in again, delete the file C:\pagefile.sys
        1. To do this, you may need to change your folder settings so you can see it first. Open a window of your C: drive and click Organize at the top, then Folder and Search Options
        1. Click the View tab, and make sure Show hidden files, folders and drives is turned on, and that Hide protected system files is not checked.
      1. Click OK and go back to your C: drive, find pagefile.sys and delete it.

 

    1. Now go back to the virtual memory settings (see step 2 above) and set the paging file for the C: drive to System managed size, and then make sure the Automatically manage paging file size for all drives checkbox is checked.

 

    1. Click OK, close all dialog boxes, and restart your computer.

LFTP and the Stuck Login

I have been working on a new backup management system that utilizes the Synology and its ability to schedule tasks recently. Whilst I am untimely working on a program written in Go to be able to manage multiple backup configurations utilizing multiple backup protocols to achieve my goal I have been playing with the underlying software and protocols outside this program. One such piece of software is LFTP, this software allows for the transfer of files utilizing the FTP, FTPs, sFTP, HTTP, HTTPS and other protocols but the afore mentioned ones are the ones that are important for the software I am writing, but most importantly it supports mirroring with the FTP series protocols

Whilst I am writing this software I still wanted to get backups of the system running, to this end I was testing the LFTP commands and I hit an issue where the system will simply not connect to the server, yet the regular FTP client works fine.

Firstly we have to understand that LFTP does not connect to the server until the first command is issued, in the case of the example below, this was ls. Once this command is issued LFTP attempts to connect to and log in to the server, and this is where the issue happens, LFTP just hangs at “Logging In”

user@server backupfolder$ lftp -u username,password ftp.hostname.comlftp username@ftp.hostname.com:~> ls`ls' at 0 [Logging in...] 

To work out what the issues I had to do a little research and it comes down the fact the LFTP wants to default to secure connections, which in and of itself is not a bad thing, in fact it is a good thing but many FTP servers are yet to implement the sFTP/FTPs protocols and as such we end up with a hang at login. There is, however, two ways to fix this.

The first way to fix this is to turn off FTP for this connection only which is done through the modified connect command of

lftp -e "set ftp:ssl-allow=off;" -u username,password ftp.hostname.com

This is best if you are dealing with predominantly secure sites, however as I said most FTP servers are still utilising the older insecure FTP protocol at which point it may be more beneficial to change the LFTP configuration to default to insecure mode (and then enable it if needed for the secure connections, depends on which you have more of). To do this we need to edit the LFTP config file, to do this do the following

Utilising your favorite text editor (vi, nano or whatever it matters not) the config file is at /etc/lftp.conf

At some point in the file (I suggest at the end) put the following line

set ftp:ssl-allow false

Save your configuration and the defaulting to secure is turned off and your LFTP connection should work

Have Fun

Justin

The Old Backup Regime

After I purchased the NAS box to place at home for my work data (there is a separate one for family data, they do however backup to each other but I will cover that in another post) I decommissioned my old Windows Server 2008 R2 box.

This box, however, did do a multitude of things that were controlled via scheduled tasks and scripts that I have now moved to the Synology. Chief amongst this was the backup for several websites for “just for when” something goes wrong.

There were several bits of software in the implementation of this task, these were (are);

  • wget (Windows Version) – Command line utility for downloading files, whilst there are other options, this was quick and simple, exactly what I needed
  • FTPSync (CyberKiko) – a Great little piece of software, can display a GUI showing sync progress which is useful for troubleshooting or runs in a silent mode with no GUI. It utilises simple ini text files for configuration (it encrypts the password) making it easy to configure and it has many options for doing this configuration
  • DeleteMe (CyberKiko) – Simple file removal tool, give it a folder (it can have multiple set up) and a maximum age of the files in that folder and it will remove anything older than that.
  • 7Zip (Command Line Version) – Command Line zip archive creation utility, what more is there to say
  • Custom PHP DB Export Scripts  – Custom PHP scripts that pulls the database(s) out of MySQL and zips it up. This was originally run with a CRON job, but I found it easier to use wget to pull the trigger file when I wanted the backup was then created, then pull the file itself, then pull a delete trigger

That’s it for the software I use but what about the backup process itself? For each of the sites, I need to backup the custom PHP scripts were configured on the server. Then a custom batch file containing a bunch of commands (or should that be a batch of commands) to download and archive the files.

The batch file had the following segments in it to achieve the end goal;

  1.  Check if backup is still running from previous attempt (Utilizes blank text file that is created at start of script and then removed at end)
    1. If it is running, skip the script and go to the end of the file
    2. If a backup job is not running, create the file locking out other jobs.
  2. Run cleanup of old files
  3. If an existing backup directory for today exists (due to a failed backup job most likely), remove it and create a new one
  4. Start logging output to a log file
  5. Start Repeating Process (Repeats once for each site that is being backed up)
    1. Generate Database Backup
    2. Retrieve Database Backup
    3. Remove Database Backup to the long term storage folder
    4. Rename Database Backup File
    5. Move Database Backup File to Storage Location
    6. Sync (utilizing FTPSync) the sites directories
    7. Remove Existing zipped backup file of the site’s files and directories if it exists
    8. Zip folder structure and files for the website put the ZIP file in the long term storage folder
  6. Copy Backup Complete information to log file
  7. Remove Process Lock File

To download the batch files, click here

Reasonably simple, to add a new site, copy and paste a previous one, update a few details and off you go.

Now I realize that some of this is perhaps not the best or most secure way to achieve a goal (specifically how I was handling the database) but it was quick, easy and it worked. I could have also made the whole process more efficient by using config a files and a for loop, but well I didn’t

Have Fun

Justin

 

Installing a non-Windows Secure Boot capable EFI Virtual Machine in Hyper-V

So you have downloaded an operating system installation disk (Ubuntu 16.04.2 used in this instructional) and noticed supports EFI, yet when you try to boot from the ISO message, you are greeted with a message stating that the machine does not detect it as a valid Secure Boot capable disk, as shown below it states that “The image’s hash and certificate are not allowed”

Luckily this is an easy fix, as it is simply secure boot that Ubuntu/Hyper-V are having an argument over the validity of the Secure Boot certificate.

Check out the video I have created showing you how to do this, alternatively keep reading below for instructions and more details

 

 

Turning off your VM, open up the settings page and navigate to the “Security” menu (Server 2016). As you can see in the image below, “Secure Boot” is enabled (checked) and the template is set to “Microsoft Windows”. What this effectively does is limit the Secure Boot function to working only with an appropriately signed Microsoft Windows boot system.

To fix this, there are two options, and it depends on the operating system you are trying to install. Preferably we want to keep the benefits of Secure Boot so the best option if it works for your operating system we want to simply change the template to “Microsoft UEFI Certificate Authority” this opens up the Secure Boot option to work with a greater range of appropriately signed boot systems, as against the Microsoft Windows one exclusively. The settings for this are shown below

Click Apply and this is hopefully now work, and you can check this by running the virtual machine.

Upon booting your virtual machine, you will now be presented with the boot menu from the disk, allowing you to continue on your way

 

If this change in of the CA template for Secure Boot does not work however you may need to disable secure boot entirely.

To achieve this go back to the “Security” menu simply uncheck it as per the image below, click Apply and it should now work.

 

 

Have Fun

Justin

Access a Cisco Switch via USB Console

It may be that you want to use a USB cable, or it may be that just like me you forgot your USB to serial adapter, and now your faced with connecting to a Cisco switch with a USB cable rather than the serial cable on OSX.

Well how do we go about this, with Windows we could simply look up the port number in device manager, with OS X they do not use this reference, instead referring to the device as a TTY USB modem.

First we need to look up the device, which is contained with other devices in the folder /dev/, we also want to limit it to devices of the USB type so we are going to limit the command to that. Open terminal and type the following command;

ls -ltr /dev/*usb*

This will list all devices in the /dev/ directory (the devices directory) where it contains the key phrase usb within it, with all information, in a list with the most recently modified device (and therefore most likely the device we are looking for)

Your device will show up as something such as

tty.usbmodem.12a1

Now we have the path to the device, we need to open a console using it. In OS X the console utility screen is built in, so lets open it utilising this utility and a baud rate of 9600 which most devices will happily handle. To do this type;

screen /dev/tty.usbmodem.12a1 9600

What this command is stating is open screen on device /dev/tty/usbmodem.12a1 utilising a 9600 baud rate, no settings for stop bits etc are input, you can also utilise other baud rates if needed.

Your terminal will now connect to the console of the Cisco device, this should also however work for any other devices that utilises a USB chipset to communicate via serial emulation.

Justin

Secure that Synology

I have recently started moving long term storage & other bulk data off the high-powered servers I maintain at home for working on virtual machines and other projects, and on to two Synology NAS devices, specifically a DS-1815+ for my parents and a DS-2415+ for myself. Both of these have had the official 4GB RAM upgrade installed to give each 6GB of RAM and each has only half of its bays currently populated with 8TB Seagate Archive HDD’s (so 4 in the DS-1815+ giving a total of ~15TB formatted allowing for a two disk redundancy, and 6 in the DS-2415+ giving a formatted capacity of ~30TB, again with two disk redundancy).

What I needed to do with this however is secure it as best possible without effecting the way either myself of my parents use the devices. However I have also moved several “low resource” tasks directly to the NAS to remove them from the server, what this will allow me to do is turn the power-hog of a server off when I do not need it for work, saving money. I will take you through each of these items as I get the time, but basically the following have been moved

  • File Storage
  • PLEX Server
  • Time Machine
  • BitTorrent (BT) Sync
  • SickBeard
  • SabNZBd
  • CouchPotato
  • Crashplan

To reduce the likelihood of anything causing issues with the Synology devices, and to secure them as best as possible as outlined above there are a few things that can be done.

01. Keep your NAS up to date
Your NAS like any computer (as that is essentially what a NAS is, a specialised computer) will from time to to time, have security issues identified and patched, as well as new features published, and as such it should be kept up to date. The Synology system like most computer systems these days, there is an option to have it automatically taken care of for you by the operating system (in the case of the Synology it is called Disk Station Manager or DSM) and it is a simple process to so.

Open Control Panel

SYNO-GEN-Desktop-CP
Control Panel on Desktop

 

SYNO-GEN-StartMenu-CP
Control Panel in Start Menu

Click “Update & Restore” in the “System” Menu or alternatively if you already have the control panel open in the Left Hand Menu Scroll down to “Update & Restore” and single click.

SYNO-SEC-ControlPanel-Basic-UR
Basic Control Panel
(Click “Advanced Mode” to change)

 

SYNO-SEC-ControlPanel-Advanced-UR
Advanced Control Panel
(Click “Basic Mode” to change)

Select “Update Settings”

SYNO-SEC-UpdatesMain
Open Update Settings

Select either “Newest DSM and all updates” (my preference) or “Important Updates Only”, check the “Check for DSM updates automatically” checkbox and select settings that suit you. I personally use and recommend “Install newest DSM update automatically” although you may want to choose “Install Important DSM Updates Automatically”, however I would caution against using “Download DSM updates but let me choose whether to install them”. This setting may be appropriate in some situations such as hosting business data and wanting to let it sit there for a couple of days to give the community time to vet it first, but on the whole I have not had issues with the first option and as such continue to use it. However remember, even though its a NAS you should still have a backup

SYNO-SEC-UpdateSettings
Update Settings Details

Click OK to save and commit the changes

02. Update Packages Automatically
Updating your packages on the device is just as important as keeping the device itself up to date. Fortunately Synology have once again made this a simple process.

Open Package Centre

SYNO-GEN-Desktop-PC
Package Centre – Desktop

 

SYNO-GEN-StartMenu-PC
Package Centre – Start Menu

If you have not used “Package Centre” before you may need to agree to the terms and conditions

SYNO-GEN-PC-TNC
Terms and Conditions Screen
Click “OK”

Click on Settings

 

SYNO-SEC-PC-Settings
Package Centre – Settings Selection

Select “Auto Updates”


SYNO-SEC-PC-Settings-Main
Select Auto Updates (Highlighted)

 

Ensure that “Update packages automatically” is selected. I usually use the “All Packages” option, however in a few cases I have had to use individual selections due to the updating of some components breaking others.

SYNO-SEC-PC-Settings-AutoUpdates
Ensure that “Update packages automatically” is selected

 

Click OK to save and update the settings

03. Install Antivirus
A NAS like any network (and internet) connected device will from time to time have issues that could allow a virus or other malware on to the system such as SynoLocker that was going around a while back. To combat this I highly suggest you install an Antivirus solution such as the Antivirus Essentials package from Synology. I do not know how this compares to the McAfee solution (which is only a trial and requires payment) also available as I refuse to use the McAfee as a point of principle, nor do I know its strike rate versus what you would get on a “normal” PC installation of an antivirus. But it never hurts to have it there anyway. I would also recommend setting up the antivirus to run a scan on a regular basis such as the one on your desktop, laptop or tablet should. To do this it is reasonably simple

Open Package Centre

SYNO-GEN-Desktop-PC
Package Centre – Desktop

 

SYNO-GEN-StartMenu-PC
Package Centre – Start Menu

If you have not used “Package Centre” before you may need to agree to the terms and conditions

SYNO-GEN-PC-TNC
Terms and Conditions Screen
Click “OK”

 

On the menu on the left hand side of the package centre select security

SYNO-SEC-AV-PC-SC
Opening page of Package Center with Security Highlighted

 

On the Security packages page you will see the “Antivirus Essentials” package (by default they are displayed in alphabetical order). Under “Antivirus Essentials” click install, and wait for the install to proceed.

SYNO-SEC-AV-PC-IN
Package Centre Security Packages with Install “Antivirus Essentials” highlighted
SYNO-SEC-AV-PC-IN-4
Installing “Antivirus Essentials”

Upon successfully completing the installation you will get notifications in the top right corner, the notification centre, and the button below the “Antivirus Essentials” logo will change from “Install” to “Open”. Click “Open” to open the Antivirus essentials package.

SYNO-SEC-AV-PC-OP
Install complete
Install button is now open button
Click this and open the package

Upon opening the package you will be presented with the default screen, on the left hand side select “Settings”

SYNO-SEC-AV-FP
“Antivirus Essentials” start screen with “Settings” highlighted

Under the “Update” section, ensure the “Update virus definition before scanning” checkbox is checked (enabled), we do not want to scan with old definitions now do we, that would be silly

SYNO-SEC-AV-DT
Select “Update virus definitions before scanning”

In the left hand column select “Scheduled Scan”, you will most likely be presented with a blank schedule as by default no scans are scheduled, to create a schedule click on “Create” which is a the top left of the right hand section of the page.

SYNO-SEC-AV-SS
By default there are no scheduled scans

The next settings are really up to you, but I normally select “Full Scan” unless there is a compelling reason not, fill in the “Date” and “Time” fields with your desired settings, click OK and the item is created in the schedule.

SYNO-SEC-AV-SS-WD
My Weekday Schedule
SYNO-SEC-AV-SS-WE
My Weekend Schedule
SYNO-SEC-AV-SS-F
My Complete Schedule

Close the App, All done

Please note you do not have to have just one scheduled scan, as above personally I use two, one at midday for each weekday as I am in theory not home using the NAS as I am at visiting clients, and on weekends it runs at 3 AM. I could do 3 AM daily, but I have other tasks that start at 2AM (specifically the DSM update check) and I want to reduce the likelihood of one conflicting with the other

04. Configure and use the Synology Device Firewall
Whilst your NAS may not be on the internet, more commonly you will be using some services, and whilst your router will provide a little protection, it is better to create explicit rules on the device to protect it from attacks.

Personally with this I use three rules to keep it simple; The first rule allows full access from the local network, although ultimately once I have things settled down at each site I tend to secure it allowing only the protocols and ports through that are required for that site. The second rule allows traffic from Australia and the UK (as my brother is currently residing in the UK) and the final rule blocks everything else.

To do this follow these instructions

Open Control Panel

SYNO-GEN-Desktop-CP
Control Panel on Desktop
SYNO-GEN-StartMenu-CP
Control Panel in Start Menu

The next thing you will have to do is dependent on your view of the control panel, if you are in “Basic Mode” you will need to click on “Advanced Mode” in the upper right hand corner of the “Control Panel”, if you are already in advanced mode continue to the next step.

Basic Control Panel - "Advanced Mode" Highlighted
Basic Control Panel – “Advanced Mode” highlighted

In “Advanced Mode” you simple click the “Security” item


Advanced Mode - "Security" Highlighted
Advanced Mode – “Security” Highlighted

Opening this Security section drops you into the “Security” subpage, as such you will need to select “Firewall” from the tabs at the top

Security Page - "Firewall" tab highlighted
Security Page – “Firewall” tab highlighted

In the firewall tab, by default there is no rules so you will need to create them, you do this by clicking create in the upper left corner of the right hand page section

Home page of the "Firewall" tab
Home page of the “Firewall” tab

Once you have clicked create you will be shown a basic menu for creating the rule structure

Basic Rule creation window
Basic Rule creation window

Now while clicking OK in the above window would create a rule, it would create a rule allowing all traffic from every device, everywhere to all services that you currently have, or may create in future on the NAS device (assuming the appropriate NAT forwards in in place anyway) so we need to not click OK and modify some settings to make it useful

Firstly we are going to create a network rule to allow all access from the local network, so we are going to change the “Source IP” section to the “Specific IP” section (yes even though we are allowing a whole network). Now this seems to be a non-issue as I have never had local access denied to the device, but as we will be putting a deny all in later its better to be safe than sorry as in the future this may change.

Create Firewall Rule based on IP (Range)
Create Firewall Rule based on IP (Range)

After changing Source IP to the “Specific IP” Radio button, click the now working “Select” button to the right of it, this will bring up the IP input menu. Once the below input box has popped up, change the radio button option to either “Subnet” if you want to allow the whole subnet or “IP Range” if you want just a range of IP’s. I have used the subnet option and put the network address in the “IP address” field in my case this is 172.16.1.0 and the subnet mask in the “Subnet mask/Prefix length” field in my case this is 255.255.255.128. If you want to use the “IP range” option put the first (lower) IP address of the range in the “From” field. and the last (higher/upper) IP address in the “To” field. Click OK to save your input data, and “OK” once again to save your rule

Dialogue Box for IP input
Dialogue Box for IP input

Clicking on “Create” again we will now create a regional allow for the regions/countries you want, the first part of this is changing the “Source IP” field so that the “Region” radio button is selected

Create firewall rule based on region
Create firewall rule based on region

Once it is selected, again click the “Select” button, this will bring up an input box requesting you to select regions, in my case I want to select Australia and Great Britain. Click “OK” once the regions are selected to save your selection, and “OK” once again to save your rule

Selecting Australia
Selecting Australia
Selecting Great Britain
Selecting Great Britain

Now creating a region based filter may be a bit over the top to some considering I travel often, but it’s not that hard to change so when I or another family member travels overseas and requires access to the NAS I simply add the areas that are being visited to the allow rule.

Finally we want to create an explicit deny rule. What this rule does, is deny any access to the NAS that does not meet the rules above it. Due to the way this works, this should always be the last (bottom) rule on the firewall, as everything will match it so any rules below it will not be processed. To create this rule it is even easier than the others. Once again click the “Create” button, bringing up the popup. We want to leave both the “Ports” and “Source IP” with settings of “All” but we want to change “Action” to “Deny” and “OK” to save your rule

Creating an Explicit Deny for Security
Creating an Explicit Deny for Security

Below is a screenshot of these three basic rules and how they appear in the firewall control panel to ensure they work correctly

Firewall Rules In Order
Firewall Rules In Order

05. Disable or remove unused applications and services
As with any device, the more programs, features and services you put on it the more potential places there are for people, or malware to gain access to the system, the simple solution to this is if you do not need it, remove it, if you only need it sporadically, only use enable it when you need it.

Don’t get me wrong, Synology and third parties have some great features available for the devices, Photo Station, Plex and Cloud Station just to name a few, but if you do not need them, do not install them, you can always add them later if you need them, if you have them installed and no longer use them, remove them, again you can re-add them later (make sure you have a backup of the data if you remove them).

To see what you have running it is a simple matter as outlined below

Open Package Centre

Package Centre - Desktop
Package Centre – Desktop
Package Centre - Start Menu
Package Centre – Start Menu

Depending on how it’s set up you may end up seeing the “Recommended” section or the “Installed” section, if you see “Recommended” simply select “Installed” in the left hand menu to see what is installed

Installed Packages
Installed Packages

To remove one of these if they are no longer needed simple click on the package and open it

Opened Package Menu
Opened Package Menu

Click on the “Action” menu and select “Uninstall”

Uninstall Package
Uninstall Package

You will get a series of two popups, the first checking that you’re sure you want to uninstall the package, the second to tell you it has been uninstalled

Confirm Uninstall of Package
Confirm Uninstall of Package

Package has now been successfully removed
Package has now been successfully removed

You will then be taken back to the “Installed” display, now missing the package you have removed

SYNO-SEC-PC-REMOVED

Packages however are not the only risk, the same and to a large extent a greater risk can be had from services such as SSH and Telnet (which should not be used PERIOD). SSH for example is a prime candidate for being left enabled when you do not need it, again do not get me wrong its a great tool and I use SSH all the time on several of my machines, but if I do not need it I turn it off, one less avenue open for attack.

To disable SSH, or Terminal which are the commonly left open ones do the following

Open Control Panel

Control Panel on Desktop
Control Panel on Desktop
Control Panel in Start Menu
Control Panel in Start Menu

The next thing you will have to do is dependent on your view of the control panel, if you are in “Basic Mode” you will need to click on “Advanced Mode” in the upper right hand corner of the “Control Panel”, if you are already in advanced mode continue to the next step.

Basic Control Panel - "Advanced Mode" Highlighted
Basic Control Panel
“Advanced Mode” Highlighted

In “Advanced Mode” you simple click the “Terminal & SNMP” item

Click "Terminal & SNMP"
Click “Terminal & SNMP”

The Terminal control window will open, and the settings will either be on (checked) or off (unchecked) simple uncheck them if you do not need them running

SSH Enabled
SSH Enabled
SSH Disabled
SSH Disabled

Click Apply and your done

When you remove a service and no longer need it, also remember to remove any port forwards from your router, no need to leave those ports open if you don’t need to

06. Disable or remove unused accounts
What has been said for applications and services, also goes for users, in fact users would be somewhat more important. If an account is not required, remove it. Do not get me wrong I am not saying use a single account for everyone, far from it, in fact I ensure everyone has their own account for access where required so that people are accountable for their actions, but if the account is no longer required, and will not be in the near future I will remove it, if it is going to be needed in the short term, I will disable it and enable it when I need it again.

I do take my security perhaps a little too far as I have separate accounts for administration, another for normal user access to the data, a setup that I highly recommend for security. I also however have third account for the AFP share which is presented for Time Machine on the Apple devices. I have done this to reduce the chance of anyone getting access to the full system backups, as there is more in the backups than there is in the data synced between the other folders. I do however ensure that the standard admin and guest accounts are disabled. As these accounts are standard it is safe to assume that hackers know about them and therefore are a security risk.

It is however important to note that it seems by default that DSM (Disk Station Manager – the Synology Operating System) does not allow you to remove the accounts, probably due to operational reasons in the case of the guest account. In the case of the admin account I suspect this is due to how the factory reset works, specifically due the fact that when reset via the reset button enables the account and resets the password to a factory default.

It is also important to note that the password for the built-in admin account is the one used by BOTH the admin and root SSH accounts to the device, and that disabling the account in the web interface does not seem to disable the acount on the system itself as the SSH access is still evident.

Now the smart people at Synology have disabled the guest account by default, meaning you have to enable it for it to be a security issue. However we may need to disable or remove annother account, and Synology have thankfully made it quite easy to achieve;

Open Control Panel

Control Panel on Desktop
Control Panel on Desktop
Control Panel in Start Menu
Control Panel in Start Menu

Click “Users” in the “System” Menu or alternatively if you already have the control panel open in the Left Hand Menu Scroll down to “Users” and single click.

Basic Control Panel (Click "Advanced Mode" to change)
Basic Control Panel
(Click “Advanced Mode” to change)
Advanced Control Panel (Click "Basic Mode" to change)
Advanced Control Panel
(Click “Basic Mode” to change)

Select “User” and click to open, this will change the window to display the “User” menu. Once this has happened select the user to disable, in this case “admin” and click the edit button

Admin User selected, Click the Edit Button
Admin User selected, Click the Edit Button

This will in turn pop up a menu to edit the user, down the bottom of which is the option to disable the user, and we want to disable the user immediately in this case (the scheduled disabling of the account for example would be used for a contractor or other person who you want to access the files on the devices only for a limited time). Once the options are set, hit OK and disable the user

Disabling the admin user immediately
Disabling the admin user immediately

This will drop you back to the user management screen, however the admin account will now be disabled

Disabled admin account
Disabled admin account

Now that’s all good, but how about if you want to remove an account, well that again is simple.

Select the user you want to remove and hit the “Delete” button

SYNO-SEC-USER-MENU-DELETE
User Selected and Delete highlighted
Select user and click delete

This will bring up a confirmation box confirming you want to do this, and telling you that the users home folder will be removed and is unrecoverable (hope you have a backup :D)

Confirm that you want to remove the user and its associated home folder (if applicable)
Confirm that you want to remove the user and its associated home folder (if applicable)

Now that’s done it will again drop you back to the user management scree, the account is however gone

Account Removed
Account Removed

That’s it, users are disabled and/or removed

07. Install and use a SSL Certificate
Whilst an SSL certificate strictly speaking does not add to the security of the device directly, it does help secure (through encryption) peoples interaction with the device, specifically those interactions over SSL supported mediums such as HTTP (web interface), the most important of these interactions being the transmission of credentials to the system to gain access it. Encryption does this by obuscating the data that would otherwise be sent in plain text. This however does not mean you can use a weak password (and that includes using the same password for multiple services).

Now there are several ways to do this depending on how you want to go, there is using a self-signed certificate which will secure the device, but you will get warnings about the certificate not being from a recognised source unless you add it to the trusted sources on your systems (this can be done via GPO’s, System Profiles etc on large corporate systems, and can even be done through scripting on systems where you cannot manage them centrally, you could of course use the old chestnut of installing it manually on every system, but who wants to do that?).

If you do not want to go through the process of dealing with a self-signed certificate you can get a certificate signed by an external certificate signing authority which will mean there is no need to install the certificate authority manually, as the roots are included on most operating systems by default. The downfall of this is that there are multiple types of certificates available from certification authorities as well. You are able to get a single domain certificate, a multiple domain certificate (UCC), or a wildcard certificate that protects all the sub-domains of a certain root domain.

As you want to protect more and more (sub)domains, the cost of the certificate goes up, with wildcard certificates in particular becoming very expensive to purchase and maintain. I will let you decide which way you want to go and work out the particulars, but I myself and my clients all use externally signed wildcard domain certificates. The steps for installing and setting up a certificate are basically the same no matter which way you go.

What may be different however is if you need the certificate chain. As I use GoDaddy certificates and want to present all my certificates to the client browser as a certification chain to maintain the integrity of the process, so I do need to put the entire chain into the system (it is also a part of getting a higher ranking in the SSL security tests, but more on that later). You can also let the browser find chain certificates, but this does present another possible attack vector to the system, or you may no need one, depending on the external provider or in the case for most self signed certificates.

To do this follow these instructions

Open Control Panel

Control Panel on Desktop
Control Panel on Desktop
Control Panel in Start Menu
Control Panel in Start Menu

The next thing you will have to do is dependent on your view of the control panel, if you are in “Basic Mode” you will need to click on “Advanced Mode” in the upper right hand corner of the “Control Panel”, if you are already in advanced mode continue to the next step.

Basic Control Panel - "Advanced Mode" Highlighted
Basic Control Panel
“Advanced Mode” Highlighted

In “Advanced Mode” you simple click the “Security” item


Advanced Mode<br />"Security" Highlighted
Advanced Mode – “Security” Highlighted

Opening this Security section drops you into the “Security” sub-page, as such you will need to select “Certificate” from the tabs at the top

Security Page - "Certificate" tab highlighted
Security Page – “Certificate” tab highlighted

Now that you are in the certificate menu, you will notice there is already a certificate on the device. This is a self signed certificate, and if you want to allow that, you could simply export the certificate (using the “Export” button) and import it into your trusted certificates store on your machine(s) as discussed above and be done with it. However I am going to show you how to add a third party certificate. Up the top of the tab you will notice two buttons, one saying “Create certificate” the other saying “Import certificate”. If you need to create a certificate signing request (CSR) you can do it through the Create menu (you can also create a custom self signed, renew a self signed, or even sign a CSR from another source allowing you to use the Synology as the Certificate Authority). Again here I am going to skip over this and go straight on with the import of the certificate, therefore we want to hit the “Import certificate” button.

Security Page - "Import certificate" button highlighted
Security Page – “Import certificate” button highlighted

This opens an import page, which contains three fields, these being the certificate itself, the intermediate certificates (if any) and the private key. Both the certificate, and the private key are required, and how you get the private key is dependent on how you generated the certificate, if there are questions on how to get the private key, ask in the comments and I will try to help out. Personally I use a program called XCA for my key/certificate management and I find it works very well.

 

Blank Import Form
Blank Import Form

Once the fields are filled in by browsing and selecting the appropriate files, you need to simply select “OK” and the device will now import the certificates

Completed Import Form
Completed Import Form

The screen once this has been completed will now drop back to the normal certificate home screen, but your certificate is now installed.

Home Page with Third Party Certificates
Home Page with Third Party Certificates

Congratulations, you have installed your certificate, however installing an SSL certificate by itself however is only part of the puzzle, you actually need to configure the device and its services to make use of the certificate, and ideally to redirect all requests for plain old unencrypted and insecure HTTP to your new encrypted and (hopefully) secure HTTPS implementation, also enabling HSTS is a good idea so we will turn that on as well.

Thankfully, Synology have made that very easy, by putting all the check box options for this on the one page, from within the open “Certificates” tab on the left panel you want to select “Network”

Certificates Home with Network Highlighted
Certificates Home with Network Highlighted

Clicking on this will drop you to the “Network” home page, where we need to select the “DSM Settings” tab

DSM Settings Tab Highlighted
DSM Settings Tab Highlighted

Now we are in the DSM settings tab is open you will notice there is an option to enable HTTPS connections, and several sub-options that need to be checked.

DSM Settings homepage, notice that HTTPS and its options are disabled
DSM Settings homepage
Notice that HTTPS and its options are disabled

Check the “Enable HTTPS connection” option, and the two unchecked sub-options (Automatic Redirection and HSTS) and click “Apply”

With HTTPS and its options enabled, click "Apply"
With HTTPS and its options enabled, click “Apply”

You now have a device using SSL encryption, and HSTS to ensure be best possible chance of keeping that data safe, it is important to note however that with HSTS enabled, which is a method by which the server tells the browser only to communicate it over HTTPS, until a per-determined time is reached, we also need to ensure that we keep a valid certificate on the device an update it PRIOR to the old one expiring. If this is not done, you otherwise you risk loosing access to the device without resetting the browser or overriding the default behavior of the browser to drop out due to the expired certificate.

08. Enable Device Auto-Block Lockouts
DSM has a feature as part of the firewalling system to automatically block access to clients that attempt to log in a given number of times, over a given period, to be locked out for a given period.

To this end I have the following settings set for security
Attempts: 3
Time Period: 60 Minutes
Block Expires: 1 Day

To configure this you will have to be in the “Advanced” mode of the control panel, if you are in “Basic Mode” you will need to click on “Advanced Mode” in the upper right hand corner of the “Control Panel”, if you are already in advanced mode continue to the next step.

Basic Control Panel - "Advanced Mode" Highlighted
Basic Control Panel – “Advanced Mode” Highlighted

In “Advanced Mode” you simple click the “Security” item


Advanced Mode - "Security" Highlighted
Advanced Mode – “Security” Highlighted

Opening this Security section drops you into the “Security” sub page, as such you will need to select “Auto Block” from the tabs at the top

Security Page - "AutoBlock" tab highlighted
Security Page – “AutoBlock” tab highlighted

In the Auto Block tab the details have already been filled in, although the “Enable auto block” and “Enable block expiration” check boxes are unchecked

Check the “Enable auto block” which will allow you to change the “Login attempts” and “Within (minutes)” fields, then if you want to enable block expiration which I highly recommend the check the “Enable block expiration” which will then enable the “Unblock after (days)’ field.

Auto Block Page (Default Settings)
Auto Block Page (Default Settings)
Auto Block set to my settings
Auto Block set to my settings

As stated above and as in the screenshot my settings are

Attempts: 3
Time Period: 60 Minutes
Block Expires: 1 Day

Once the settings are to your liking click “Apply” Auto Block is now enabled.

NOTE: Unless you want to get banned from your own device I strongly suggest you enable ban expiration, although you can get around this by changing IP’s, but it does cause issues when used in conjunction with with reverse proxies (which will be explained in a later article), as all EXTERNAL requests are comming from the one IP.

There you have it as “basic” secured Synology, I have included a couple of tips below but if there are any comments or questions, please leave them in the comments below

Justin

Useful Tip
Create and assign permissions to groups, not users. Coming from a Systems Administrations point of view, if you need to add permissions to something, create a group if an appropriate one does not already exist, and assign that group permissions to the item or object, even if the group only has one user. This will allow you to move people into and out of groups in the future to assign them permissions to things, without having to look up and assign permissions to each user. This is how I was taught to do it in large installations (admittedly using Directory Services for corporate authentication) and its saved me much time and effort in the past and I continue to do it how.

Useful Tip #2
Again this may be me taking it a little far, but I hide all the shares on the device unless they are truly public. Like many people, we occasionaly have guests on our WiFi, and I simply want to hide the data from them (what they cannot see, they will not try to access for the most part). This is simply done by clicking the “Hide this shared folder in My Network Places” checkbox. I also check the “Hide sub-folders and files from users without permissions” checkbox for good measure. this will stop files and folders showing up in the directory listing to users without permissions to that folder, if you use those features.

%d bloggers like this: