Category Archives: Synology

More Pushover Configuration

Introduction

After successfully configuring Pushover with PRTG, I moved on to configuring my Synology DiskStation (easy) and VMware vCenter (harder) installation to also notify me via Pushover.

 

Register An Application

In both cases, I registered a new application within the Pushover console.  I did this so that each alert would come through with its own specific icon and description.  See my previous blog posting on how to do this.

I used the following icons for each application :

  • Synology
  • VMware

 

Synology DiskStation Notifications

This was the easiest change to make, simply…

  1. Login to your DiskStation,
  2. Open the Control Panel,
  3. Select the Notification option,
  4. Choose either (or both) of the following tabs…
    • Email
    • Push Service
  5. Enter your Pushover API email address
    • [user-key]+a=[api-key]@api.pushover.net

 

VMware vCenter Alerts

Setting up these alerts was a lot harder.  It took a lot of trial and error.  Hopefully this will save you the same hassle.

Before you start, make sure you have the Microsoft .NET Framework version 4 or later installed, as well as PowerShell 4 or later.  Next, we’ll create a folder and two files on your vCenter server…

  1. On the C: drive, create a folder called Scripts,
  2. Create two plain text files and enter the following code…

send-alert.bat

"c:\windows\system32\windowspowershell\v1.0\powershell.exe" c:\scripts\send-alert.ps1 -title '%1' -message '%2'

send-alert.ps1

# Arguments passed in from send-alert.bat (vCenter fills them in from the alarm)
param(
    [string]$title,
    [string]$message
)

# Form fields for the Pushover messages API; replace the two keys with your own
$parameters = @{
    token    = "[api-key]"
    user     = "[user-key]"
    priority = "0"
    title    = $title
    message  = $message
}

# The hashtable is sent as the form-encoded body of the POST
$parameters | Invoke-RestMethod -Uri "https://api.pushover.net/1/messages.json" -Method Post

Remember to enter your own api-key and user-key into the .ps1 script file.
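The same request as the .ps1 above, written as an added Python example (not from the post) that also enforces the Pushover API limits (a title of at most 250 characters, a message of at most 1024) and checks the JSON status field in the reply instead of ignoring it.  It reads the keys from the environment variables PUSHOVER_TOKEN and PUSHOVER_USER, names I chose for this example.

```python
import json
import os
import urllib.parse
import urllib.request

PUSHOVER_URL = "https://api.pushover.net/1/messages.json"
MAX_TITLE = 250      # Pushover API limit for the title field
MAX_MESSAGE = 1024   # Pushover API limit for the message field


def build_payload(token, user, title, message, priority=0):
    """Return the form fields for one Pushover message, trimmed to the API limits.

    Truncating here means an unusually long vCenter event description still
    produces an alert instead of a 4xx error from the API.
    """
    if not token or not user:
        raise ValueError("Pushover token and user key are required")
    if priority not in (-2, -1, 0, 1, 2):
        raise ValueError("priority must be between -2 and 2")
    # priority 2 (emergency) also needs retry/expire fields; not handled here
    title = " ".join(str(title).split())      # collapse newlines and runs of spaces
    message = str(message).strip()
    if len(title) > MAX_TITLE:
        title = title[:MAX_TITLE - 3] + "..."
    if len(message) > MAX_MESSAGE:
        message = message[:MAX_MESSAGE - 3] + "..."
    return {
        "token": token,
        "user": user,
        "priority": str(priority),
        "title": title,
        "message": message,
    }


def send_alert(title, message, priority=0, timeout=10):
    """POST the alert and return Pushover's request id, raising on any API error."""
    # Keys come from the environment (variable names are my own choice) so they are
    # not hard-coded in a script that ends up in a backup or a repository.
    payload = build_payload(os.environ["PUSHOVER_TOKEN"], os.environ["PUSHOVER_USER"],
                            title, message, priority)
    data = urllib.parse.urlencode(payload).encode("utf-8")
    req = urllib.request.Request(PUSHOVER_URL, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = json.load(resp)
    if body.get("status") != 1:
        raise RuntimeError("Pushover rejected the message: %s" % body.get("errors"))
    return body.get("request")


if __name__ == "__main__":
    import sys
    # Usage: send_alert.py "<title>" "<message>"  (mirrors the .bat arguments)
    print(send_alert(sys.argv[1], sys.argv[2]))
```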

 

vCenter Configuration

Next we need to configure VMware vCenter to run the batch file whenever an alert condition is met.  At last count there are 68 different alert definitions within vCenter.  You could change each one manually, but that would take all day.  If you have VMware PowerCLI installed (and you really should have) you can script this.

Manual Steps…

  1. Open VMware vSphere Client, and login to your vCenter server,
  2. Select the very top level entry in the tree view on the left,
  3. Choose the Alarms tab along the top,
  4. Click the Definitions button,
  5. The list of 68+ definitions is shown.  Double-click on one of them.  I’ll choose Datastore usage on disk,
  6. Select the Actions tab,
  7. Click Add,
  8. From the new entry that appears,
    • change “Send a notification email”
    • to “Run a command”
  9. Enter the following code into the Configuration column…
c:\scripts\send-alert.bat "{targetName}  >  {eventDescription}" "{triggeringSummary}"
  10. Click OK
  11. Rinse and repeat for the remaining definitions, or…

Automatic Script…

  1. Open a PowerCLI command window, and connect to your vCenter server
  2. Copy and paste the following code, and let it run…
# Fetch every alarm definition in vCenter and attach the same "Run a command" action to each.
# Note: each run adds another action, so running it twice gives every alarm a duplicate.
$al = Get-AlarmDefinition
ForEach ($a in $al) {
    $a | New-AlarmAction -Script -ScriptPath 'c:\scripts\send-alert.bat "{targetName}  >  {eventDescription}" "{triggeringSummary}"'
}

Make sure you get the single quotes ( ' ) and double quotes ( " ) correct.

For a list of variables you can use, check the VMware documentation.

 

Results

Once you have alerts working, you should get alerts through looking something like this…


Synology Security

Introduction

If you are accessing your Synology DiskStation from outside your home network, there are a few things that can help you with security and protect against hacking.

 

SynoLocker Ransomware

Issues like the SynoLocker ransomware shouldn’t have happened.  This particular ransomware was possible because people didn’t patch and update their devices in a timely manner, for whatever reason.  The patch for this vulnerability was actually released several months before the first attack.

It is understandable that people were upset about getting hit with this ransomware, but some basic security would have prevented it.

 

Synology Security Advisor

The new Security Advisor in DSM 5.1 is a big help for people securing their devices.  It performs up to 35 checks (currently) to make sure your device is working securely.  There are three available settings for the baseline checks,

  1. For home and personal use,
  2. For work and business use,
  3. Custom.

The first two options select a specific subset of the checks to run.  Personally, I would choose Custom and select all of the checks.

Once you have picked an option, run a scan and see how you fare.  If there are any warnings or errors, try to fix the issue.  If you are not sure about a setting, check the Synology Forums, they are a great source of information.

If you have green across the board, you are doing great.

 

Extra Steps

Here is my list of extra steps that people should consider doing to help secure their Synology devices.  These go above and beyond the list of checks that Synology does in its Security Advisor, so if you have all green ticks for the checks above, then give these a go…

1.  Disable The Default Administrator Account

This one is not so obvious, but everyone who has a Synology device knows the name of the default admin account.  It will be the account that all hackers will try to attack.

  1. Go to the Users section in the Control Panel,
  2. Create a new user.  Call this user something other than “admin”,
  3. Make sure it’s a member of the Administrators group,
  4. Logout, and login as this new user account,
  5. Disable the default “Admin” account.

 

2.  Use 2-Step Verification

2-step verification helps with making sure only you can login with your account.  It consists of a 6-digit number that changes every 60 seconds.  The numbers appear to be random, but are actually calculated from a complicated mathematical formula.

You will need to install an app on your phone to give you the 6-digit numbers.  I use the Google Authenticator app but there are many others available.  The Google version is only available on the Google Play Store and the Apple App Store.  For the Windows Phone Store, I picked the Microsoft Authenticator as I believe it uses the same algorithm…


Before you enable 2-step verification, you need to make sure the date and time on your device is accurate.  The best way to do this is to use a reliable time source…

  1. Log on to your DiskStation with an administrator account,
  2. Open the Control Panel,
  3. Go to the Regional Options section,
  4. Under the Time Setting part, select Synchronise with NTP server,
  5. Enter pool.ntp.org into the Server Address box
  6. Click Update Now

 

To enable 2-step verification for an account…

  1. Log on to your DiskStation with the account you want to use,
  2. Click the Person Icon in the title bar, top right,
  3. Click the Options menu item,
  4. Tick the box labelled Enable 2-Step Verification,
  5. Run through the wizard that appears, make sure you read the instructions…


To test, simply logout, and log back in again.  When you enter your username and password, instead of being logged in, a new box appears asking for the 6-digit code that is displayed on your phone.

 

3.  Default Ports

The default ports that the Synology DiskStations use for the web interface are 5000 and 5001.  It’s a very good idea to change these ports to something else.

To do this, first pick a number between 1024 and 65000, I’ll use 12345 as an example…

  1. Open the Control Panel,
  2. Go to the Network section,
  3. Select the DSM Settings tab,
  4. Enter the port number you thought of (12345) into the HTTP field,
  5. Enter the port number plus one (12346) into the HTTPS field,
  6. If you are using HTTP, you should consider HTTPS.

 

4.  Firewall

The Synology DSM has a built in firewall.  You can use this to block access to your DiskStation.

The default way the firewall is set up by Synology is to have separate firewall rules for each application or port that is used.  Personally I find this messy, as there are too many rules which could overlap and conflict.

Access the firewall settings in the Control Panel, Security section.

 

Instead I have just three rules.  While this works for me, your situation may call for more rules than this…

  1. Allow all traffic on all ports from my local network,
  2. Allow only HTTPS port (12346 from the example above) from IPs in England (where I live),
  3. Allow only various application ports (web, owncloud, etc) from IPs in England,

If no rules are matched, then deny access.

Now, I know that IP addresses can be spoofed quite easily, but this helps beat a lot of the mass attacks coming from China, Russia and the USA.

You may want to have a few more rules, just remember to try and keep it simple.  If you over complicate things, you may open a hole in your network.

 

5.  Auto Block

The Auto Block feature is another new addition to DSM 5.1.  It allows you to block specific IP addresses from which someone is trying to login to your DiskStation too many times.  Auto Block is also in the Security section of the Control Panel, two tabs over from the Firewall.

  1. Tick the box labelled Enable auto block,
  2. Enter a number for the Login attempts field, (I have mine set to 5),
  3. Enter a number for the Within (minutes) field, (again I have 5 for this),

This means that anyone entering their password incorrectly 5 times, within the space of 5 minutes, will get their IP address blocked.  This is a low enough number of attempts in a long enough time window that I can catch quite a lot of attempts.

  4. If you want to enable the block expiration option, tick the box.  This will automatically allow a blocked IP address to become unblocked.  I don’t have this set.  Once blocked, you stay blocked.

One thing to be aware of, however: since I am not automatically unblocking IP addresses, there is a chance I might get blocked myself.  The way around this is to add a known internal IP address to the Allow/Block List.  This way, if you do get blocked, you just need to change your IP address to this specific address and connect to your device.  You can then unblock yourself.  Never specifically allow an external (internet) address.
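The rule described above (block an address after 5 failed logins within 5 minutes, optionally expire the block, never block a listed internal address) as an added Python model, not DSM’s own code, replayed over a few constructed login-failure log lines.  The log line format is made up for the example; DSM’s real log format is not shown on this page.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AutoBlock:
    """Sliding-window model of DSM's Auto Block: N failures within M minutes blocks the source IP."""

    def __init__(self, attempts=5, within_minutes=5, allow=(), expire_minutes=None):
        self.attempts = attempts
        self.window = timedelta(minutes=within_minutes)
        # Allow list: addresses or networks that are never blocked (internal ones only!)
        self.allow = [ipaddress.ip_network(a, strict=False) for a in allow]
        self.expire = timedelta(minutes=expire_minutes) if expire_minutes else None
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                    # ip -> time the block was applied

    def is_allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow)

    def is_blocked(self, ip, now):
        since = self.blocked.get(ip)
        if since is None:
            return False
        if self.expire is not None and now - since >= self.expire:
            del self.blocked[ip]             # block expiration, if enabled
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login; return True if the IP is blocked afterwards."""
        if self.is_allowed(ip):
            return False
        if self.is_blocked(ip, now):
            return True
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] >= self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.attempts:
            self.blocked[ip] = now
            recent.clear()
            return True
        return False


# Constructed sample log lines (format invented for this example)
LINE_RE = re.compile(r"^(\S+ \S+) login failed user=(\S+) ip=(\S+)$")
SAMPLE_LOG = """\
2015-01-10 21:00:10 login failed user=admin ip=203.0.113.7
2015-01-10 21:01:05 login failed user=admin ip=203.0.113.7
2015-01-10 21:01:30 login failed user=admin ip=198.51.100.5
2015-01-10 21:02:00 login failed user=root ip=203.0.113.7
2015-01-10 21:02:40 login failed user=admin ip=192.168.1.10
2015-01-10 21:03:15 login failed user=admin ip=203.0.113.7
2015-01-10 21:04:02 login failed user=guest ip=203.0.113.7
2015-01-10 21:04:45 login failed user=admin ip=203.0.113.7
2015-01-10 21:05:00 login failed user=admin ip=192.168.1.10
2015-01-10 21:05:10 login failed user=admin ip=192.168.1.10
2015-01-10 21:05:20 login failed user=admin ip=192.168.1.10
2015-01-10 21:05:30 login failed user=admin ip=192.168.1.10
2015-01-10 21:09:00 login failed user=admin ip=198.51.100.5
"""


def replay(log_text, blocker):
    """Feed failed-login lines through the blocker; return the set of IPs blocked at the end."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, _user, ip = m.groups()
        blocker.record_failure(ip, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
    return set(blocker.blocked)


if __name__ == "__main__":
    print(replay(SAMPLE_LOG, AutoBlock(allow=["192.168.1.10"])))   # {'203.0.113.7'}
```

Without the allow list the internal address 192.168.1.10 would also end up blocked, which is exactly the lock-out the paragraph above warns about.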

 

6. More Coming Soon

I will add any more security options here, if you know of any good tips that you think other people should know about, leave it in the comments.

 

 

Access Your Synology With Your Own Domain Name

Introduction

The Synology Diskstation NAS boxes are great.  I have a DS1813+ that I use for my file storage and VMware virtual machines.  They have a great function called QuickConnect that allows people to quickly and easily access their DiskStations from outside of their home network.

They even have a quick knowledge base tutorial on how to achieve this.

For this post though, I’ll be taking you through the steps to connect using your own domain name.  There are a number of steps, and we’ll be going back and forth between different providers.

 

Requirements

For this to work, you will need a few things…

  • Your own personal domain name to use.  I’ll use nas.example.com in the screen shots and descriptions,
  • A free (or paid) DDNS service provider
  • Know how your router works, and how to perform port forwarding,
  • Optional, but recommended, an SSL certificate for secure communications.

 

Domain Names

Despite this blog’s title, using your own domain name is somewhat optional.  You could just use a free Dynamic DNS service provider, and leave it at that.  We will be using one later on anyway.  However if you do this, you can’t secure your connections with SSL, and security is important.

Domain names can be a personal thing.  Some people have just one, some people have lots.  Whatever you choose, make sure you can remember it.  I use a UK domain name registrar called 123-reg.co.uk for all my domain name needs.

Once you have thought of a domain name and checked to see if it’s available, you can buy it.  You can buy the domain for however long you think you need it (1 year, 2 years, etc).  I have had one of my domains for over 10 years!

Now that we have a domain, we can start to configure a few more things.  Firstly, make sure any emails sent to this domain are forwarded to your own email address.  This should be fairly easy, just set up a catch-all email redirect.  We will come back to the domain settings later, as we need to configure a new DNS entry to point to a DDNS service provider.

 

DDNS Service Provider

We will need a service provider that the Synology can talk to automatically, so that when your external IP address changes (whenever you reboot your router), the domain name forwarding will continue to work.

How DDNS Works (very basic overview)

  1. The Synology DiskStation updates the DDNS service provider when an IP address change is detected,
  2. A client computer (you) requests a connection to your domain name,
  3. The domain name is forwarded to your DDNS service provider,
  4. The DDNS service provider returns to the client the IP given to it by the DiskStation,
  5. The client computer (you) connects to the DiskStation.

 

Service Providers

There are a lot of service providers that Synology can automatically update.  Pick one from the list that you feel comfortable with, and sign up for a free account – if they have one.  The provider I use is NoIP.com.  They have a free service, however, you need to renew the account every 30 days (by just clicking a link).

 

During the sign-up, you will be asked for a host name to use, I find it easier to use the domain name I registered above.  Also, make sure you use a very strong password.


OK, we now have a domain, and a DDNS hostname.  Go back to your domain name registrar and edit the DNS settings for it.  123-reg has an advanced DNS panel; this is most likely what you will need.  You need to create a new DNS entry for your domain name.  I called my sub-domain NAS, but you can use what you want.  The DNS type for this is a CNAME.  It points to your DDNS service provider hostname.


It may take between an hour and a day for any changes to replicate around the internet, so don’t worry if it doesn’t work straight away.

 

Port Forwarding

Before you start port forwarding, you will need a few things…

  • The IP address you have assigned to your Synology DiskStation,
  • The Port you use to connect to your DiskStation,
    • The defaults are 5000 and 5001 for HTTP and HTTPS.
    • I’ll be using the default of 5001 for the demo, but you really should change this port number – I’ll show you how later on.  If you are going to use a different number, pick any number between 1024 and 65000.  Remember it.
  • Of course, the username/password for your router!

Every home router is different, and some corporate ones require more than just a couple of steps.  I’ll point you to a web site I used to use; be warned however, it has a lot of adverts – you are using an advert blocker, right?

This is a link to an old router I used to have, a Netgear DG834.  You can try to find your own router from their extensive list if you like.  For more advanced routers you may need a few more steps.  For the specific router I use, a Juniper NetScreen 5GT, there are quite a number of steps required, in different areas of the device.

The basic overview is to add a rule to your router/firewall that forwards all traffic arriving at your home on the specific port (5001) to your DiskStation, which will then handle it.

 

Obtaining an SSL Certificate

For all my SSL needs, I use the free Class 1 certificates from StartSSL.  They are valid for one year, and can be easily renewed.  Did I also mention they are free?  No hidden charges, completely free.

You’ll need to signup for an account (I know, another one).  You will then need to validate the domain name that you want to create a certificate for.


  1. From the Control Panel, click on the Validations Wizard,
  2. Choose Domain Name Validation,
  3. Enter the domain name you bought above,
  4. Click continue past the email selection page,
    • This is why it was important earlier to make sure all emails are forwarded,
  5. Wait for an email from StartSSL to arrive.  It will contain a verification code, enter it in the box provided,
  6. All done.

Once validated, you can now create an SSL certificate.

  1. From the Control Panel, click on the Certificates Wizard,
  2. Choose Web Server SSL/TLS Certificate,
  3. Create a Key Password
    • Make sure it’s a long one – use the maximum allowed
  4. Change the Keysize to 4096
  5. Make sure Secure Hash Algorithm is set to SHA2,
  6. Copy all the text, and save it as a plain text file in notepad.  Call it SSL.KEY,
    • This is your encrypted private key, do not give it to anyone,
  7. Select the domain you want to use this SSL certificate for, if you have more than one domain,
  8. Enter a sub domain of NAS, or whatever you used for the CNAME above,
  9. Click Continue past the message, then wait for an email from StartSSL (it could take a while, but it’s usually quick)
  10. While you wait for your certificate to be generated, go back to the Control Panel
  11. Select Decrypt Private Key from the menu,
  12. Paste in the encrypted private key from step 6 and the Key Password from step 3,
  13. When you click Decrypt, the key will be decrypted and presented to you
  14. Select all the text, and save it as DECRYPTED.KEY,
    • This is your private key, do not give it to anyone.
  15. Once you get this email, go back to the StartSSL Control Panel and select Retrieve Certificate,
  16. Select the correct certificate from the drop down list (if you have more than one),
  17. Copy all the text, and save it as a plain text file in notepad.  Call it SSL.CER,
    • This is your certificate,
  18. All done.

 

Synology Configuration

We are almost done.  We have a domain, with DDNS forwarding, and port forwarding (on a custom port).  We just need to add the certificate to the DiskStation and optionally change the port numbers…

Enable DDNS Settings

  1. Open the Control Panel,
  2. Go to the External Access section,
  3. Select the DDNS tab,
  4. Click Add,
  5. Select the service provider you picked earlier (NoIP in my case),
  6. Enter the DDNS hostname,
  7. Enter your DDNS username and password,
  8. Click Test Connection to make sure everything is working fine.
  9. Select the Advanced tab,
  10. Enter your domain name in the Hostname or static IP field.

Enable HTTPS and Change Connection Port

  1. Open the Control Panel,
  2. Go to the Network section,
  3. Select the DSM Settings tab,
  4. (Optional) Change the HTTPS port number to the one you picked earlier,
  5. Tick the Enable HTTPS connections tick box,
  6. Tick all the other options on this page too.
  7. Click OK,

Install SSL Certificate

  1. Open the Control Panel,
  2. Go to the Security section,
  3. Select the Certificate tab,
  4. Click the Import Certificate button,
  5. Select the two files you created above,
    1. decrypted.key,
    2. ssl.cer,
  6. Once you click OK, the DSM should reload and connect you over an HTTPS connection.

 

Testing It All

You should now be able to connect to your Synology DiskStation via your newly bought domain name.

Synology Diskstation

Introduction

My home lab relies on having fast, reliable iSCSI storage for both the virtual machines’ disks and the ISO images that are used to build the VMs.  This storage is housed in a Synology Diskstation DS1813+ NAS box.

 

For the iSCSI storage, I am using four old 1.5TB Seagate spinning disks, all of which have a few bad sectors.  Ideally, I would replace them with solid state ones, and I may do at some point.  The speed increase would be a great boost for my VMs.

 

Disk Station Manager (DSM)

DiskStation Manager (DSM) is an intuitive web-based operating system found on every Synology NAS. It’s been designed to help you manage your data: documents, photos, music, videos and all other important forms of digital assets. With DiskStation Manager, it’s more than just storing data. DSM offers a various range of applications and services to bring more entertainment to your home life as well as better productivity at work.

Taken from https://www.synology.com/en-uk/dsm/5.1/features

 

Packages

Not only are the Synology NAS boxes very good at being storage devices, supporting a wide range of features including iSCSI, IEEE 802.3ad and VAAI, they also have a large array of packages that can be used outside of a Home Lab (not all models support all features).

 

There are currently (at time of writing) over 70 packages that can be installed and used on almost every Synology device.  These packages include…

  • Audio Station – allows you to access the music library on your Synology DiskStation,
  • Cloud Station – allows you to easily sync files between your Synology products, computers, and mobile devices,
  • Photo Station – an online photo album integrated with a blog for you to easily share photos and videos,
  • Surveillance Station – a web-based application that can manage IP cameras to safeguard your home or office environment,
  • Video Station – an ideal video organizer of your collection of movies, TV shows, home videos, and TV recordings, allowing you to watch videos on your computer and other devices.

Check out the full list of packages, some of which I am sure you will find useful.

 

Online Demo

If you are still not sure you want a Synology NAS, they have an online demo of their DSM, ready for anyone to login and use.  Go to the following page and login with the credentials below…

Demo Site : https://demo.synology.com:5001
Username : admin
Password : synology

Take your time, have a play and see what you think.

It would be silly of me to try and list everything that the Synology devices can do, it’s just so much.  Instead, I would redirect you to the Synology site where their marketing people can convince you to buy one.

Intel NUC As A ESXi Host (part 4)

Introduction

My home lab uses a Synology Diskstation DS1813+ for its iSCSI storage.  It’s used for both the virtual machine storage and any ISO files that I need for the VMs.

 

Table Of Contents

This will be a multi-part post, as it covers a lot of topics…

  1. NUC Specs, and build information,
  2. Building a custom ESX image that includes drivers for the NUC’s network card and SSD,
  3. DHCP, PXE booting and automatic installation scripts,
  4. Synology configuration for VMware datastores,
  5. Networking, VLANs and getting it to work,
  6. Installing ESXi
  7. Any other configuration,
  8. Final (random) thoughts.

 

Synology Configuration

Within the Synology DSM, open Storage Manager, and select iSCSI LUN. Click Create and follow the wizard to create a new LUN and iSCSI Target for your VMware datastore.


I have two LUNs and Targets configured…

  • Data – 2TB for all the virtual machines,
  • ISOs – 690GB for any ISO images


Intel NUC As A ESXi Host (part 3)

Introduction

In this part, we’ll look at the settings needed to get your NUCs to automatically install and configure themselves.

 

Table Of Contents

This will be a multi-part post, as it covers a lot of topics…

  1. NUC Specs, and build information,
  2. Building a custom ESX image that includes drivers for the NUC’s network card and SSD,
  3. DHCP, PXE booting and automatic installation scripts,
  4. Synology configuration for VMware datastores,
  5. Networking, VLANs and getting it to work,
  6. Installing ESXi
  7. Any other configuration,
  8. Final (random) thoughts.

 

Requirements

You will need a server that can handle TFTP and Web requests.  Since I am using a Synology Diskstation for my iSCSI storage needs, this can also handle both TFTP and Web.  If you don’t have a TFTP server, you can use the free TFTP tool from SolarWinds.

 

DHCP Settings

In order for PXE booting to work, you need to create an entry in your DHCP server for the NUCs, and make sure the PXE settings are correct.  I already have a Windows 2008 R2 server running DHCP for my home network, so these steps will reflect this.  Most home routers should allow you to add the two required settings.

In your DHCP Scope Options window, add the following two options…

  • Option 66 : Boot Server Host Name – Add the name or IP of your TFTP server
  • Option 67 : Bootfile Name – enter “pxelinux.0”

While you are in your DHCP settings, add an IP reservation for your NUCs.  This will help with the auto configuration later.  To do this, you will need IP addresses that are not being used, and should ideally be outside your DHCP Scope.  You will also need the MAC addresses from the bottom of your NUCs.

You will also need to give your NUCs a name.  I have gone for the simple route of calling them ESX1, ESX2 and ESX3.

 

TFTP Server / PXE Booting

Now that you have your DHCP set up, we can extract the files from the ISO image we created in Part 2.   Extract them to a known location, and set up your TFTP server to point to these files.

Once extracted, you should have two folders called efi and upgrade.  There should also be about 90 files in the root.   Create a new folder called pxelinux.cfg and inside it create a plain text file called default (no file extension).

Copy and paste the following into the default file…

DEFAULT menu.c32
MENU TITLE ESXi-5.5 Boot Menu
NOHALT 1
PROMPT 0
TIMEOUT 20
LABEL install
KERNEL mboot.c32
APPEND -c boot.cfg
APPEND ks=http://[enter-web-server-here]/esx-auto-build.cfg
MENU LABEL ESXi-5.5 ^Installer
LABEL hddboot
LOCALBOOT 0x80
MENU LABEL ^Boot from local disk

Make sure you enter the name or IP address of your web server in the correct place.  Don’t change anything else, unless you really have to.

The last remaining file is called pxelinux.0.  To be honest, I can’t remember where I got this from, but it’s required and important.  Download the file, unzip it and copy it to the same TFTP folder as the ISO files.

 

Automatic Installation Script

The installation script is a large file that automates the configuration of ESXi once it has been installed.  I have separated this script out to another blog post as it would make this page very long indeed.