Category Archives: Random Thoughts

Passwords

Introduction

We all use passwords in our day-to-day lives.  Logging on to your favourite site, remoting into a server, connecting to your home-lab.  Passwords are here to stay.

There are people that think passwords will eventually disappear, but I don’t believe they will.  People still to be be authenticated in some way, whether it’s a typed password or a retinal scan.  It’s all the same.

While we still have typed passwords, you should at least make sure they are as secure as possible.

 

Passwords Tips

XKCD Password Strength (https://www.xkcd.com/936/)

XKCD Password Strength (https://www.xkcd.com/936/)

This is a list of tips that I try to use whenever I create a new password for a website or service…

  1. Use a random password generator,
  2. Use numbers and symbols if the service supports them,
  3. Make the password as long as possible.  The longer the better,
  4. Don’t tell anyone your passwords.
  5. Use a different password for each site or service.
    Never use the same password twice.

 

Password Managers

Now, I know there are many people out there that will have hundreds of websites and services that they use all the time, and trying to remember any password longer than 10 or 12 letters can be hard, so trying to remember more than an handful will be near impossible.

There is help though.  There are several tools that will help you store your passwords in an encrypted database and all you need to do is just remember one password.

One of the most popular free tools is called KeePass.  This will keep all your passwords safe and allow you to generate random passwords for your various websites.  There are others available, some free, some paid.  I personally use the paid tool 1Password, and have used this for quite a number of years.  However at work I do use KeePass quite a bit.

 

KeePass Setup

keepass-1Once you have downloaded and installed KeePass, run the application.  It will open to a blank form, click the File, New… to create a new password database.

 

This should be the last password that you will ever need to remember.  Make it a good one.  The longer and more complicated you can make it, the better.  As you can see, I used the password from the XKCD Comic above as an example.

Once you have entered a master password, click OK.

 

 

 

keepass-2

A new window will appear, enter some optional details for the title and description if you want to, and select the Security tab.  Here we should change the Key transformation number from the default of 6000 to something much larger.  Click the blue link labelled 1 second delay.  Depending on the speed of your computer, this number should change to something with a few more numbers.  Mine came out at about 16965888.

You can change the settings in the other tabs too if you like, but the defaults should be fine. Click OK when you are done.  Your new database will open and it will have some pre-configured folders and a couple of entries.

 

 

To create a new password entry, click Edit, Add Entry…  From the window that appears, fill in all the details you can.  A default password is created for you.  So if you are signing up for the first time to a site, you can use this suggested password.

keepass-4

keepass-passgenIf you don’t want this password, or the website doesn’t support the length or complexity, you can launch the password generator to create a new one.  Simple click the small key icon next to the password box.

keepass-5   keepass-6

 

Plug-ins

There are tons of plug-ins available for KeePass.  These perform all types of actions and allow you to expand the functionally KeePass.  There are plugins that will allow you to import an existing password database, or import your existing passwords from Firefox.  There are also plug-ins to hook into your favourite browser to help with auto-logging in.

Grab them from here.

Temporary Internet Files

Introduction

If you manage Windows terminal servers, or Citrix XenApp servers you will know all about temporary internet files, and the amount of space they take up on your servers and user profile folders.

There are ways to reduce the impact on profile folders by using GPOs to not copy the folder about, but this still could leave them on the server.

 

Removal Script

I have customised a script I found somewhere on the internet to remove the temporary internet folders for all users on a particular server.  The script enumerates C:\USERS for every user and if a Temporary Internet Files folder exists, it is deleted and a new one created in its place.  This is a quicker method than removing specific files.  It will also delete and recreate the users Temp folder.

 

The Script

@ECHO OFF
@ECHO Started: %time%
@PUSHD "C:\Users"

FOR /D %%F IN (*.*) DO (
    IF EXIST "%%F\AppData\Local" (
        @ECHO Processing user: %%F
        @PUSHD "%%F\AppData\Local"

        IF EXIST "Microsoft\Windows\Temporary Internet Files" (
            @ECHO Removing directory 'Temporary Internet Files'
            @PUSHD "Microsoft\Windows"
            IF [%%F] == [%username%] (
                @PUSHD "Temporary Internet Files"
                FOR /F %%E IN ('DIR /AD /B') DO (
                    @PUSHD %%E
                    FOR /F %%G IN ('DIR /AD /B') DO (
                        @ECHO Removing %%G
                        RD /S /Q %%G
                    )
                    POPD
                )
                POPD
            ) ELSE (
                RD /S /Q "Temporary Internet Files"
                @ECHO Creating new 'Temporary Internet Files' directory
                MD "Temporary Internet Files"
            )
            POPD
        )

        IF EXIST "Temp" (
            @ECHO Removing directory 'TEMP'
            IF [%%F] == [%username%] (
                @PUSHD "Temp"
                FOR /F %%E IN ('DIR /AD /B') DO (
                    @PUSHD %%E
                        FOR /F %%G IN ('DIR /AD /B') DO (
                            @ECHO Removing %%G
                            RD /S /Q %%G
                        )
                        POPD
                    )
                    POPD
                ) ELSE (
                    RD /S /Q "Temp"
                    @ECHO Creating new 'TEMP' directory
                    MD "Temp"
            )
        )
        POPD
        @ECHO. 
    )
)
POPD
@ECHO Finished: %time%
PAUSE

 

Instructions For Use

  1. Select the code above and save as plain text file with an extension of either .CMD or .BAT
  2. Copy to one of your terminal servers
  3. Right click and choose Run As Administrator

If your users folder is not in C:\Users, make sure you change line 3 above to the correct location.

Synology Security

Introduction

If you are accessing your Synology DiskStation from outside your home network, there are a few things that can help you with regards to security and hacking.

 

SynoLocker Ransomware

Issues like the SynoLocker ransomware shouldn’t have happened.  This particular ransomware was possible because people didn’t patch and update their devices in a timely manor, for whatever reason.  The patch for this vulnerability was actually released several months before the first attack.

It is understandable that people were upset about getting hit with this ransomware, but some basic security would have prevented it.

 

Synology Security Advisor

The new Security Advisor in DSM 5.1 is a big help for people securing their devices.  It performs up to 35 checks (currently) to make sure your device is working securely.  There are three available settings for the baseline checks,

  1. For home and personal use,
  2. For work and business use,
  3. Custom.

The first two options select a specific subset of the checks to run.  Personally, I would choose Custom and select all of the checks.

Once you have picked an option, run a scan and see how you fair.  If there are any warnings or errors, try to fix the issue.  If you are not sure about a setting, check the Synology Forums, they are a great source of information.

If you have green across the board, you are going great.

 

Extra Steps

Here is my list of extra steps that people should consider doing to help secure their Synology devices.  These go above and beyond the list of checks that Synology do in their Security Advisor, so if you have all green ticks for the checks above, then give these a go…

1.  Disable The Default Administrator Account

This one is not so obvious, but everyone who has a Synology device knows the name of the default admin account.  It will be the account that all hackers will try to attack.

  1. Go to the Users section in the Control Panel,
  2. Create a new user.  Call  this user something other than “admin”,
  3. Make sure it’s a member of the Administrators group,
  4. Logout, and login as this new user account,
  5. Disable the default “Admin” account.

 

2.  Use 2-Step Verification

2-step verification helps with making sure only you can login with your account.  It consists of a 6-digit number than changes every 60 seconds.  The numbers appear to be random, but are actually calculated from a complicated mathematical formula.

You will need to install an app on your phone to give you the 6-digit numbers.  I use the Google Authenticator app but there are many others available.  the Google version is only available on the Google Play Store and the Apple App Store.  For the Windows Phone Store, I picked the Microsoft Authenticator as I believe it uses the same algorithm…

store-google  store-apple   store-windows

Before you enable 2-step verification, you need to make sure the date and time on your device is accurate.  The best way to do this is to use a reliable time source…

  1. Log on to your DiskStation with an administrator account,
  2. Open the Control Panel,
  3. Go to the Regional Options section,
  4. Under the Time Setting part, select Synchronise with NTP server,
  5. Enter pool.ntp.org into the Server Address box
  6. Click Update Now

 

To enable 2-step verification for an account…

  1. Log on to your DiskStation with the account you want to use,
  2. Click the Person Icon in the title bar, top right,
  3. Click the Options menu item,
  4. Tick the box labelled Enable 2-Step Verification,
  5. Run through the wizard that appears, make sure you read the instructions…

2sv-1  2sv-2  2sv-3  2sv-4  2sv-5

To test, simply logout, and log back in again.  When you enter your username and password, instead of being logged in, a new box appears asking for the 6-digit code that is displayed on your phone.

 

3.  Default Ports

The default ports that the Synology DiskStations use for the web interface are 5000 and 5001.  It’s a very good idea to change these ports to something else.

To do this, first pick a number between 1024 and 65000, I’ll use 12345 as an example…

  1. Open the Control Panel,
  2. Go to the Network section,
  3. Select the DSM Settings tab,
  4. Enter the port number you thought of (12345) into the HTTP field,
  5. Enter the port number plus one (12346) into the HTTPS field,
  6. If you are using HTTP, you should consider HTTPS.

 

4.  Firewall

The Synology DSM has a built in firewall.  You can use this to block access to your DiskStation.

The default way the firewall it set up by Synology is to have separate firewall rules for each application or port that is used.  Personally I find this messy, as there are too many rules which could overlap and conflict.

Access the firewall settings in the Control Panel, Security section.

 

firewallInstead I have just three rules.  While this works for me, your situation may call for more rules than this…

  1. Allow all traffic on all ports from my local network,
  2. Allow only HTTPS port (12346 from the example above) from IPs in England (where I live),
  3. Allow only various application ports (web, owncloud, etc) from IPs in England,

If no rules are matched, then deny access.

Now, I know that IP addresses can be spoofed quite easily, but this helps beat a lot of the mass attacks coming from China, Russia and the USA.

You may want to have a few more rules, just remember to try and keep it simple.  If you over complicate things, you may open a hole in your network.

 

5.  Auto Block

The Auto Block feature is another new addition to DSM 5.1.  It allows you to block users on specific IP addresses trying to login to your DiskStation too many times.  Auto Block is also in the Security section of the Control Panel.  two tabs over from the Firewall.

  1. Tick the box labelled Enable auto block,
  2. Enter a number for the Login attempts field, (I have mine set to 5),
  3. Enter a number for the Within (minutes) field, (again I have 5 for this),

This means that anyone entering their password incorrectly 5 times, within the space of 5 minutes, will get their IP address blocked.  This is a low enough number of attempts in a long enough time window that I can catch quite a lot of attempts.

  1. If you want to enable block expiration option, tick the box.  This will automatically allow a blocked IP address to become unblocked.  I don’t have this set.  Once blocked, you stay blocked.

One thing to be aware of however, since I am not automatically unblocking IP addresses, there is a chance I might get blocked myself.  The way around this is to add a known internal IP address to the Allow/Block List.  This way, if you do get blocked, you just need to change your IP address to this specific address and connect to your device.  You can then unblock yourself.  Never specifically allow an external (internet) address.

 

6. More Coming Soon

I will add any more security options here, if you know of any good tips that you think other people should know about, leave it in the comments.

 

 

Access Your Synology With Your Own Domain Name

Introduction

The Synology Diskstation NAS boxes are great.  I have a DS1813+ that I use for my file storage and VMware virtual machines.  They have a great function called QuickConnect that allows people to quickly and easily access they DiskStations from outside of their home network.

They even have a quick knowledge base tutorial on how to achieve this.

For this post though, I’ll be taking you though the steps to connect using your own domain name.  There are a number of steps, and we’ll be going back and forth between different providers.

 

Requirements

For this to work, you will need a few things…

  • Your own personal domain name to use.  I’ll use nas.example.com in the screen shots and descriptions,
  • A free (or paid) DDNS service provider
  • Know how your router works, and how to perform port forwarding,
  • Optional, but recommended, a SSL certificate for secure communications.

 

Domain Names

Despite this blogs title, using your own domain name is somewhat optional.  You could just use a free Dynamic DNS service provider, and just leave it at that.  We will be using one later on anyway.  However if you do this, you can’t secure your connections with SSL, and security is important.

Domain names can be a personal thing.  Some people have just one, some people have lots.  Whatever you choose, make sure you can remember it.  I use a UK domain name registrar called 123-reg.co.uk for all my domain name needs.

Once you have thought of a domain name and checked to see if it’s available, you can buy it.  You can buy the domain for however long you think you need it (1 year, 2 years, etc).  I have had one of my domains for over 10 years.!

Now that we have a domain, we can start to configure a few more things.  Firstly, make sure any emails sent to this domain are forwarded to your own email address.  This should be fairly easy, just set up a catch-all email redirect.  We will come back to the domain settings later, as we need to configure a new DNS entry to point to a DDNS service provider.

 

DDNS Service Provider

We will need a service provider that the Synology can talk to automatically, so that when your external IP address changes (whenever you reboot your router), the domain name forwarding will continue to work.

How DDNS Works (very basic overview)

  1. The Synology DiskStation updates the DDNS service provider when an IP address change is detected,
  2. A client computer (you) requests a connection to your domain name,
  3. The domain name is forwarded to your DDNS service provider,
  4. The DDNS service provider returns to the client the IP given to it by the DiskStation,
  5. The client computer (you) connects to the DiskStation.

 

Service Providers

syno-ddnsAs you can see from the image below, there are a lot of service providers that Synology can automatically update.  Pick one from the list that you feel comfortable with, and sign up for a free account – if they have one.  The provider I use is NoIP.com.  They have a free service, however, you need to renew the account every 30 days (by just clicking a link).

 

During the sign-up, you will be asked for a host name to use, I find it easier to use the domain name I registered above.  Also, make sure you use a very strong password.

ddns-hostname

OK, we now have a domain, and a DDNS hostname.  Go back to your domain name registrar and edit the DNS settings for it.  For 123-reg, they have an advanced panel, this is most likely what you will need.  You need to create a new DNS entry for your domain name.  I called my sub-domain NAS, but you can use what you want. The DNS type for this is a CNAME.  It will redirect to your DDNS service provider hostname.

cname-entry

This may will take between an hour and a day for any changes to replicate around the internet, so don’t worry if it doesn’t work straight away.

 

Port Forwarding

Before you start port forwarding, you will need a few things…

  • The IP address you have assigned to your Synology DiskStation,
  • The Port you use to connect to your DiskStation,
    • The defaults are 5000 and 5001 for HTTP and HTTPS.
    • I’ll be using the default of 5001 for the demo, but you really should change this port number – I’ll show you how later on.  If you are going to use a different number, pick any number between 1024 and 65000.  Remember it.
  • Of course, the username/password for your router.!

Every home router is different, and some corporate ones require more than just a couple of steps.  I’ll point you to a web site I used to use; be warned however, it has a lot of adverts – you are using an avert blocker right.!?

This is a link to an old router I used to have, a Netgear DG834.  You can try to find your own router from their extensive list if you like.  For more advanced routers you may need a few more steps.  For the specific router I use, a Juniper NetScreen 5GT, there are quite a number of steps required, in different areas of the device.

The basic overview is to add a rule to your router/firewall that allows all traffic coming into your home on the specific port (5001), to be forwarded to your DiskStation, where, your DiskStation will handle it.

 

Obtaining a SSL Certificate

For all my SSL needs, I use the free Class 1 certificates from StartSSL.  They are valid for one year, and can be easily renewed.  Did I also mention they are free.  No hidden charges, completely free.

You’ll need to signup for an account (I know, another one).  You will then need to validate the domain name that you want to create a certificate for.

startssl-domainnamevalidation

  1. From the Control Panel, click on the Validations Wizard,
  2. Choose Domain Name Validation,
  3. Enter the domain name your bought above,
  4. Click continue past the email selection page,
    • This is why it was important earlier to make sure all emails are forwarded,
  5. Wait for an email from StartSSL to arrive.  It will contain a verification code, enter it in the box provided,
  6. All done.

Once validated, you can now create a SSL certificate.

  1. startssl-certwizFrom the Control Panel, click on the Certificates Wizard,
  2. Choose Web Server SSL/TLS Certificate,
  3. Create a Key Password
    • Make sure it’s a long one – use the maximum allowed
  4. Change the Keysize to 4096
  5. Make sure Secure Hash Algorithm is set to SHA2,
  6. Copy all the text, and save it as a plain text file in notepad.  Call it SSL.KEY,
    • This is your encrypted private key, do not give it to anyone,
  7. Select the domain you want to use this SSL certificate for, if you have more than one domain,
  8. Enter a sub domain of NAS, or whatever you used for the CNAME above,
  9. Click Continue past the message, then wait for an email from StartSSL (it could take a while, but it’s usually quick)
  10. While you wait for your certificate to be generated, go back to the Control Panel
  11. Select Decrypt Private Key from the menu,
  12. Paste in the encrypted private key from step 6 and the Key Password from step 3,
  13. When you click Decrypt, the key will be decrypted and presented to you
  14. Select all the text, and save it as DECRYPTED.KEY,
    • This is you private key, do not give it to anyone.
  15. Once you get this email, go back to the StartSSL Control Panel and select Retrieve Certificate,
  16. Select the correct certificate from the drop down list (if you have more than one),
  17. Copy all the text, and save it as a plain text file in notepad.  Call it SSL.CER,
    • This is your certificate,
  18. All done.

 

Synology Configuration

We are almost done.  We have a domain, with DDNS forwarding, and port forwarding (on a custom port).  We just need to add the certificate to the DiskStation and optionally change the port numbers…

Enable DDNS Settings

  1. Open the Control Panel,
  2. Go to the External Access section,
  3. Select the DDNS tab,
  4. Click Add,
  5. Select the service provider you picked earlier (NoIP in my case),
  6. Enter the DDNS hostname,
  7. Enter your DDNS username and password,
  8. Click Test Connection to make sure everything is working fine.
  9. Select the Advanced tab,
  10. Enter your domain name in the Hostname or static IP field.

Enable HTTPS and Change Connection Port

  1. syno-httpsOpen the Control Panel,
  2. Go to the Network section,
  3. Select the DSM Settings tab,
  4. (Optional) Change the HTTPS port number to the one you picked earlier,
  5. Tick the Enable HTTPS connections tick box,
  6. Tick all the other options on this page too.
  7. Click OK,

Install SSL Certificate

  1. syno-importcertOpen the Control Panel,
  2. Go to the Security section,
  3. Select the Certificate tab,
  4. Click the Import Certificate button,
  5. Select the two files you created above,
    1. decrypted.key,
    2. ssl.cer,
  6. Once you click OK, the DSM should reload and connect you on a HTTPS connection.

 

Testing It All

You should now be able to connect to your Synology DiskStation via your newly bought domain name.