Shutdown Your HomeLab With PowerCLI

Introduction

If you run a large home-lab like I do, shutting it down in an emergency can be a slow process, especially if you are panicking about your UPS staying up long enough.  You  DO have a UPS don’t you.!?

I had written a PowerCLI script for myself that was custom to my specific lab.  I have since made it more generic so that everyone can use it if they wanted to.  The script does rely on one specific criteria for your home-lab though.

 

Home-Lab Layout

vc-foldersWithin the vCenter VMs and Templates view, you can organise your VMs into folders to help separate them into logical groups.  This has no bearing on the VMs themselves, its purely for your information.

As you can see by this image, I have a folder called Critical that I use to hold my important VMs.  These are…

  • live-dc : The DHCP and DNS server for my home network,
  • svr-dc : The domain controller, as well as DHCP and DNS for my private lab network,
  • svr-sql : The Microsoft SQL server for my private network.  This holds all the databases for my lab,
  • svr-vc : The VMware virtual centre server for my home-lab.

This Critical folder is important in my script, as it controls which VMs are not shut down immediately, but must wait until the end and be shut down in a specific order.

 

The Script

The script can be downloaded below, make sure you read though it fully and understand how it works.  I am not responsible for anything going wrong.!

At the top of the script, you will need to change the settings to match your own home-lab.

[string]$vCenter_Server                    = "svr-vc"
[string]$vCenter_Server_UserName           = "administrator"
[string]$vCenter_Server_Password           = "********"

[string]$Known_ESX_Host                    = "esx1"
[string]$Known_ESX_Host_UserName           = "root"
[string]$Known_ESX_Host_Password           = "********"

[string]$Critical_Folder                   = "Critical"
[string[]]$Critical_Servers_Shutdown_Order = ("svr-vc", "svr-sql", "svr-dc", "live-dc")

[int]$Shutdown_TimeOut = 180 # Seconds

Lines:

  1. The name of your virtual centre server
  2. The username you use to connect to your virtual centre server
  3. The password for the above username
  4. .
  5. The name of one of your ESXi hosts.  This is explained below
  6. The username of the root account of for the above host
  7. The password for the root account
  8. .
  9. The critical folder mentioned above (not case sensitive)
  10. The servers in your critical folder, in the order they should be shut down in
  11. .
  12. How long to wait for a clean shut down before killing power to a virtual machine

 

Specific ESXi Host Name

The reason for a specific host name in the script, is so that when you come to power on your home-lab, you will know exactly which host will hold your critical VMs.  The script will migrate all powered off VMs as well as your critical ones to this host before powering everything down.  If you have a number of hosts it’s helpful if you don’t need to check each one for your domain controller is virtual centre server.

 

Download

Download the script from the link below, and again, make sure you test it before putting it live.!

ShutdownEntireHomeLab.ps1download-file

More Pushover Configuration

Introduction

After successfully configuring Pushover with PRTG, I moved on to configuring my Synology DiskStation (easy) and VMware vCenter (harder) installation to also notify me via Pushover.

 

Register An Application

In both cases, I registered a new application within the Pushover console.  I did this so that each alert would come though with their own specific icon and description.  See my previous blog posting on how to do this.

I used the following icons for each application :

  • synology Synology
  • vmware VMware

 

Synology DiskStation Notifications

syno-notifications-1This is was the easiest change to make, simply…

  1. Login to your DiskStation,
  2. Open the Control Panel,
  3. Select the Notification option,
  4. Choose either (or both) of the following tabs…
    • Email
    • Push Service
  5. Enter your Pushover API email address
    • [user-key]+a=[api-key]@api.pushover.net

 

VMware vCenter Alerts

Setting up these alerts were a lot harder.  It took a lot of trial and error.  Hopefully this will save you the same hassle.

Before you start, make sure you have the Microsoft dotNet framework version 4 or later installed, as well as PowerShell 4 or later.  Next, we’ll create a folder and two files on your vCenter server…

  1. On the C: drive, create a folder called Scripts,
  2. Create two plain text files and enter the following code…

send-alert.bat

"c:\windows\system32\windowspowershell\v1.0\powershell.exe" c:\scripts\send-alert.ps1 -title '%1' -message '%2'

send-alert.ps1

param(
    [string]$title,
    [string]$message
)

$parameters = @{
    token    = "[api-key]"
    user     = "[user-key]"
    priority = "0"
    title    = $title
    message  = $message
}

$parameters | Invoke-RestMethod -Uri "https://api.pushover.net/1/messages.json" -Method Post

Remember to enter your own api-key and user-key into the .ps1 script file.

 

vmware-definitionsvCenter Configuration

Next we need to configure VMware vCenter to run the batch file whenever an alert condition is met.  At last count there are 68 different alert definitions within vCenter.  You could change each on manually, but that would take all day.  If you have VMware PowerCLI installed (and you really should have) you can script this.

Manual Steps…

  1. vmware-alarm-4Open VMware vSphere Client, and login to your vCenter server,
  2. Select the very top level entry in the tree view on the left,
  3. Choose the Alarms tab along the top,
  4. Click the Definitions button,
  5. The list of 68+ definitions are list.  Double-click on one of them.  I’ll choose Datastore usage on disk,
  6. Select the Actions tab,
  7. Click Add,
  8. From the new entry that appears,
    • change “Send a notification email
    • to “Run a command
  9. Enter the following code into the Configuration column…
c:\scripts\send-alert.bat "{targetName}  >  {eventDescription}" "{triggeringSummary}"
  1. Click OK
  2. Rinse and repeat for the remaining definitions, or…

Automatic Script…

  1. Open a PowerCLI command window, and connect to your vCenter server
  2. Copy and paste the following code, and let it run…
$al = Get-AlarmDefinition
ForEach ($a in $al) {
    Get-AlarmDefinition -Name $a | New-AlarmAction -Script -ScriptPath 'c:\scripts\send-alert.bat "{targetName}  >  {eventDescription}" "{triggeringSummary}"'
}

Make sure you get the single quotes ( ‘ ) and double-quotes ( ” ) correct

For a list of variables you can use, check the VMware documentation.

 

Results

Once you have alerts working, you should get alerts through looking something like this…

space-alert

Server Application Matrix

Introduction

Please Note: This is an old application I wrote in 2011.  It is no longer updated or supported.

This tool allows you to view exactly which applications are published on which servers within your Citrix Metaframe/Presentation Server/XenApp farm. Applications are shown in tree format as shown in the management console, and servers can be shown either alphabetically or grouped in their zones

Applications can also be published or unpublished from the farm with a simple click of the mouse – as long as editing is enabled first.
It should work with all versions of Citrix Presentation Server and XenApp prior to XenApp 6.

Please note, this will only shown what’s published, not installed.

 

Prerequisites

Most Microsoft Windows 2003 Servers should already have the required files installed by default. However, if this is not the case, the following links will help you download and install the pre-requisites…

 

Installation

  1. Download the ZIP file below and extract the file onto one of your Citrix farm servers or a network share,
  2. From one of your Presentation/XenApp servers, execute the extracted file,
  3. The following window will appear, with the current server name already filled in…

sam0

  1. Click the Build Matrix button and wait.
    Depending on the size of your farm, this could take a while. A progress counter will inform you of its status.
    Once complete, the window will change, and once resized it should show you something that looks like this…

sam1

 

Filtering

You can also filter the list or applications and servers that are shown…

sam3

Options

There are also a couple of options too…

sam2

 

Download

If you are interested in this tool, please download it from the link below…

download-filesam.zip

 

Push Notifications With PRTG And Pushover

PushoverIntroduction

I was looking for a way for my PRTG installation to alert me whenever I was away from home.  I initially thought of using an “email to SMS message” service, and started looking into this option.  I was then pointed to an API push service called Pushover.

Setting this up to work with PRTG is amazingly simple.  The instructions and scripts I use are taken from this blog, just cleaned up a bit and with more screenshots.

 

Prerequisites

A Pushover account,

Install Python for Windows onto your PRTG server.  Choose Python 2, not 3.

An Android or Apple device with the Pushover app installed,

store-google   store-apple

 

Pushover Instructions

Once you have created your account and verified your email address, you need to create an application in-order to get an API key.

  1. pushover - 1From your main home page,
  2. Next to Your Applications, click Register An Application,
  3. Fill out the displayed form, my entries were…
    • PRTG
    • Application
    • (blank)
    • This image (click to enlarge) – PRTG-75x75
  4. Tick the Terms Of Service check box and click Create Application.

Once the application has been created, you will be presented with an API Key.  You will need this later, along with your User Key.

 

Device Setup

Depending on your device, download the appropriate app and install it.  Log in to the app, and check the settings to see if you need to change anything, specifically the Edit Quiet Hours.

 

Python Scripts

Log on yo your PRTG server, and install Python.  This is a very straight forward installation…

python install - 1   python install - 2   python install - 3   python install - 4   python install - 5

Once done, we need to create two plain text files into the following folder…

C:\Program Files (x86)\PRTG Network Monitor\Notifications\EXE

 

File 1 – pushover.bat

Create a file called pushover.bat and enter the following code…

C:\Python27\Python "C:\Program Files (x86)\PRTG Network Monitor\Notifications\EXE\pushover.py" %*

Change the listed paths if required.

 

File 2 – pushover.py

Create a file called pushover.py and enter the following code…

import httplib, urllib, sys
 
apiKey = sys.argv[1]
userKey = sys.argv[2]
priority = sys.argv[3]
title = sys.argv[4]
msg = ''
 
for count, arg in enumerate(sys.argv):
    if count > 4:
        msg += arg + '\n'
 
conn = httplib.HTTPSConnection("api.pushover.net:443")
conn.request("POST", "/1/messages.json",
    urllib.urlencode({
        "token": apiKey,
        "user": userKey,
        "message": msg,
        "title": title,
        "priority": priority,
        "retry":"30",
        "expire":"3600"
    }),
    { "Content-type": "application/x-www-form-urlencoded" })
response = conn.getresponse()

 

PRTG Setup

Part one

  1. From your PRTG console,
  2. Click Setup > Account Settings > Notifications,
  3. Click the ‘Add New Notification‘ button on the bottom left,
  4. Add a name for your notification – PRTG – ALERT,
  5. Scroll down and check the Execute Program box,
  6. Choose pushover.bat from the dropdown,
  7. Enter the parameters as follows:

[api-key] [user-key] [priority] “%device – %name : %status” “ALERT/ERROR” “Msg: %message”

Example:  abcd1234efgh5678 ab12cd34ef56gh78 0 “%device – %name : %status” “ALERT/ERROR” “Msg: %message”

(For a list of priority values, check out the Pushover FAQs)

  1. Click Save,
  2. Click Test, and you should receive an alert on your device almost immediately.

 pushover - alarmtest

I have three alerts set up..

  • ALERT/ERROR
  • WARNING
  • ALL OK

 

Part two

Now that we have an alert or three setup, we need to make sure your devices start using them.  For my small setup, I set my notifications at the top level, at the Local Probe…

  1. From the PRTG console, select the Local Probe device (or other device if you want more control),
  2. Select the Notifications tab along the top,
  3. Click Add State Trigger,
  4. From the new trigger then appears, choose the options that bests suits you and your environment.  The no notification drop down should list the alerts you setup above.

prtg notifications - 1

The values I have are shown below…

prtg notifications - 2

 

Errors / Issues / Troubleshooting

When I initially set this up the alerts were not coming though.  In order to troubleshoot this issue, I ran the pushover.py script manually.  Do do this…

  1. Open a command prompt on your PRTG server,
  2. Type the following command into the window…
C:\Python27\Python "C:\Program Files (x86)\PRTG Network Monitor\Notifications\EXE\pushover.py" [api-key] [user-key] 0 "Manual Test" "Ignore This Message"

…making sure to enter your API Key and User Key in the correct locations

  1. You should see no output if everything works OK.

In my case, I got SSL handshake errors.  To fix this, I just visited the Pushover API site (https://api.pushover.net) in order for my server to download the SSL certificate.

 

More Pushover Configuration

I have added another post about using Pushover notifications with my Synology DiskStation and VMware vCenter Alerts.  Read about it here.

VMware Mobile Monitoring

Introduction

If you want to quickly check on your virtual infrastructure and you’re not next to your PC/Laptop, what do you do.?

Well, VMware have released a tool that will allow you to monitor you hosts and guests.

 

watchlistVMware Mobile Watchlist

(Description taken directly from Google Play Store)

vSphere Mobile Watchlist enables secure vSphere infrastructure monitoring and remediation directly from your smartphone. With Watchlist, VMware administrators will be able to log in to a vCenter Server or ESXi host directly and choose virtual machines and hosts from inventory to create targeted views of objects and their properties. Remediate directly from the device with power and management operations, and delegation of tasks to onsite colleagues with linked relevant Knowledge Base (KB) articles.vSphere Mobile Watchlist brings the following key capabilities to vSphere administrators on the go:

  • EASILY CREATE WATCHLISTS:
    Search for and select a subset of VMs and hosts from your VMware vCenter Server and/or ESXi inventory to monitor in one or multiple watchlists.
  • VMs and HOSTS AT A GLANCE:
    Review the status of selected Watchlist VMs and hosts from your device including state, configuration details, resource usage, health alerts, view of the VM console, and related objects.
  • DISCOVER:
    Alerts are linked to pertinent diagnostic information from the VMware Knowledge Base, as well as articles from the Web.
  • REMEDIATE REMOTELY:
    Remediate problems directly from the device by powering on/off, resuming/suspending, connecting/disconnecting, or restarting VMs and/or hosts — or for situations where on-site remediation is required, share alert(s) along with recommended solutions in an email to team members back at the datacenter.

vSphere Mobile Watchlist is compatible with Android 4+.

 

Screen Shots

Below are some screen shots of my setup, showing my three hosts a a few of my running VMs…

Login Screen   Main Watchlist Screen (List View)   Main Watchlist Screen (Grid View)   ESX1 - Overview   ESX1 - Command Options   ESX1 - Task List

 

Download

You can download and install it from the Google Play Store using the link below…

store-google

 

 

NTP Time Service

Introduction

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems…  NTP is intended to synchronize all participating computers to within a few milliseconds of Coordinated Universal Time (UTC).

Taken from Wikipedia

Making sure you have a reliable and accurate time source can help with mitigating issues on your network.

 

Problem

One of my ESXi hosts was replaced recently, and using my automatic build script I had the new replacement up and running quite quickly.  What my script doesn’t do however, is configure the NTP settings with the host and because of this, it’s internal clock was about 6 hours ahead of the rest of the network.

My PRTG Network Monitoring system is a VM that, via DRS, can move freely amongst my three hosts depending on the current workload.  At 5:00 am the other morning, my monitoring server was moved to the offending host.  This screwed up its monitoring results.

As the VM was migrated to the new host, the time suddenly jumped forward by about 6 hours.  The OS then took over sometime after and jumped back to the correct time.  This time flip-flop caused large gaps in the monitoring results, and left me scratching my head for a while figuring out why.!

 

How to fix the above issues

There were two issues at play here, the host NTP settings were not correct, and the guest VM was set to synchronise it’s time with the host.

 

Configure Host NTP Settings

To enable configure each hosts time setting…

  1. Select your host (if you have more than one, you will need to do this on each one in turn),
  2. Select the Configuration tab along the top of the main section,
  3. Down the left hand menu, near the middle, select Time Configuration,
  4. Click Properties at the top right,
  5. From the first window that appears, make sure the NTP Client Enabled option is selected,
  6. Click Options,
  7. From the General item, choose the middle option, choose Start and stop with host,
  8. Select the NTP Settings item, click Add, and enter the IP address or host name of your chosen NTP host,
  9. Tick the option Restart NTP service to apply changes.

NTP-1

NTP-2   NTP-3

If you don’t have an internal NTP time source, the best option is to use 0.pool.ntp.org1.pool.ntp.org2.pool.ntp.org, and 3.pool.ntp.org.  See the link below for more information, or for geographically local sources…

http://support.ntp.org/bin/view/Servers/NTPPoolServers

 

Disable ‘synchronise guest time with host’

I had my home-lab domain configured to use a specific time source, and to push that out to all the Windows machines.  This is a good idea to configure.  What I had done wrong, was allow the virtual machines guests to have their clocks synchronised with the hosts.  This is generally a bad idea.

  1. Right-click a virtual machine, choose Edit Settings…,
  2. Choose the Options tab along the top,
  3. Select the VMware Tools settings,
  4. Un-tick the Synchronize guest time with host option.

While you are there, it’s also a good idea to tick the other option : Check and upgrade Tools during power cycling.

 

If you have a lot of hosts to change, this is going to be a very tedious task.  Thankfully, there is a script that will handle this for you.

The script below will set both options for you:

  • Line 12: Check and upgrade Tools during power cycling,
  • Line 13: Synchronize guest time with host.

Save the script as a .PS1 file, and execute it within PowerCLI.  Remember to change the first line to enter your vCenter server name or IP address.

Connect-VIServer "ENTER VCENTER SERVER HERE"

# Query for the VM guests
$VMGuests = Get-VM

# Loop through your VM guests, set the VM Tools upgrade checkbox and the Sync Time checkbox to true
ForEach ($VMGuest in $VMGuests) {
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.changeVersion = $VMGuest.ExtensionData.Config.ChangeVersion
    $spec.tools = New-Object VMWare.Vim.ToolsConfigInfo
    
    $spec.tools.toolsUpgradePolicy = "upgradeAtPowerCycle"
    $spec.tools.syncTimeWithHost = $false

    # Apply the changes
    $MyVM = Get-View -Id $VMGuest.Id
    $MyVM.ReconfigVM_Task($spec)
}

So, there you have it.  Make sure all your VM hosts and guest are using the correct time, and are synchronised with a reliable time source.

Temporary Internet Files

Introduction

If you manage Windows terminal servers, or Citrix XenApp servers you will know all about temporary internet files, and the amount of space they take up on your servers and user profile folders.

There are ways to reduce the impact on profile folders by using GPOs to not copy the folder about, but this still could leave them on the server.

 

Removal Script

I have customised a script I found somewhere on the internet to remove the temporary internet folders for all users on a particular server.  The script enumerates C:\USERS for every user and if a Temporary Internet Files folder exists, it is deleted and a new one created in its place.  This is a quicker method than removing specific files.  It will also delete and recreate the users Temp folder.

 

The Script

@ECHO OFF
@ECHO Started: %time%
@PUSHD "C:\Users"

FOR /D %%F IN (*.*) DO (
    IF EXIST "%%F\AppData\Local" (
        @ECHO Processing user: %%F
        @PUSHD "%%F\AppData\Local"

        IF EXIST "Microsoft\Windows\Temporary Internet Files" (
            @ECHO Removing directory 'Temporary Internet Files'
            @PUSHD "Microsoft\Windows"
            IF [%%F] == [%username%] (
                @PUSHD "Temporary Internet Files"
                FOR /F %%E IN ('DIR /AD /B') DO (
                    @PUSHD %%E
                    FOR /F %%G IN ('DIR /AD /B') DO (
                        @ECHO Removing %%G
                        RD /S /Q %%G
                    )
                    POPD
                )
                POPD
            ) ELSE (
                RD /S /Q "Temporary Internet Files"
                @ECHO Creating new 'Temporary Internet Files' directory
                MD "Temporary Internet Files"
            )
            POPD
        )

        IF EXIST "Temp" (
            @ECHO Removing directory 'TEMP'
            IF [%%F] == [%username%] (
                @PUSHD "Temp"
                FOR /F %%E IN ('DIR /AD /B') DO (
                    @PUSHD %%E
                        FOR /F %%G IN ('DIR /AD /B') DO (
                            @ECHO Removing %%G
                            RD /S /Q %%G
                        )
                        POPD
                    )
                    POPD
                ) ELSE (
                    RD /S /Q "Temp"
                    @ECHO Creating new 'TEMP' directory
                    MD "Temp"
            )
        )
        POPD
        @ECHO. 
    )
)
POPD
@ECHO Finished: %time%
PAUSE

 

Instructions For Use

  1. Select the code above and save as plain text file with an extension of either .CMD or .BAT
  2. Copy to one of your terminal servers
  3. Right click and choose Run As Administrator

If your users folder is not in C:\Users, make sure you change line 3 above to the correct location.

Synology Security

Introduction

If you are accessing your Synology DiskStation from outside your home network, there are a few things that can help you with regards to security and hacking.

 

SynoLocker Ransomware

Issues like the SynoLocker ransomware shouldn’t have happened.  This particular ransomware was possible because people didn’t patch and update their devices in a timely manor, for whatever reason.  The patch for this vulnerability was actually released several months before the first attack.

It is understandable that people were upset about getting hit with this ransomware, but some basic security would have prevented it.

 

Synology Security Advisor

The new Security Advisor in DSM 5.1 is a big help for people securing their devices.  It performs up to 35 checks (currently) to make sure your device is working securely.  There are three available settings for the baseline checks,

  1. For home and personal use,
  2. For work and business use,
  3. Custom.

The first two options select a specific subset of the checks to run.  Personally, I would choose Custom and select all of the checks.

Once you have picked an option, run a scan and see how you fair.  If there are any warnings or errors, try to fix the issue.  If you are not sure about a setting, check the Synology Forums, they are a great source of information.

If you have green across the board, you are going great.

 

Extra Steps

Here is my list of extra steps that people should consider doing to help secure their Synology devices.  These go above and beyond the list of checks that Synology do in their Security Advisor, so if you have all green ticks for the checks above, then give these a go…

1.  Disable The Default Administrator Account

This one is not so obvious, but everyone who has a Synology device knows the name of the default admin account.  It will be the account that all hackers will try to attack.

  1. Go to the Users section in the Control Panel,
  2. Create a new user.  Call  this user something other than “admin”,
  3. Make sure it’s a member of the Administrators group,
  4. Logout, and login as this new user account,
  5. Disable the default “Admin” account.

 

2.  Use 2-Step Verification

2-step verification helps with making sure only you can login with your account.  It consists of a 6-digit number than changes every 60 seconds.  The numbers appear to be random, but are actually calculated from a complicated mathematical formula.

You will need to install an app on your phone to give you the 6-digit numbers.  I use the Google Authenticator app but there are many others available.  the Google version is only available on the Google Play Store and the Apple App Store.  For the Windows Phone Store, I picked the Microsoft Authenticator as I believe it uses the same algorithm…

store-google  store-apple   store-windows

Before you enable 2-step verification, you need to make sure the date and time on your device is accurate.  The best way to do this is to use a reliable time source…

  1. Log on to your DiskStation with an administrator account,
  2. Open the Control Panel,
  3. Go to the Regional Options section,
  4. Under the Time Setting part, select Synchronise with NTP server,
  5. Enter pool.ntp.org into the Server Address box
  6. Click Update Now

 

To enable 2-step verification for an account…

  1. Log on to your DiskStation with the account you want to use,
  2. Click the Person Icon in the title bar, top right,
  3. Click the Options menu item,
  4. Tick the box labelled Enable 2-Step Verification,
  5. Run through the wizard that appears, make sure you read the instructions…

2sv-1  2sv-2  2sv-3  2sv-4  2sv-5

To test, simply logout, and log back in again.  When you enter your username and password, instead of being logged in, a new box appears asking for the 6-digit code that is displayed on your phone.

 

3.  Default Ports

The default ports that the Synology DiskStations use for the web interface are 5000 and 5001.  It’s a very good idea to change these ports to something else.

To do this, first pick a number between 1024 and 65000, I’ll use 12345 as an example…

  1. Open the Control Panel,
  2. Go to the Network section,
  3. Select the DSM Settings tab,
  4. Enter the port number you thought of (12345) into the HTTP field,
  5. Enter the port number plus one (12346) into the HTTPS field,
  6. If you are using HTTP, you should consider HTTPS.

 

4.  Firewall

The Synology DSM has a built in firewall.  You can use this to block access to your DiskStation.

The default way the firewall it set up by Synology is to have separate firewall rules for each application or port that is used.  Personally I find this messy, as there are too many rules which could overlap and conflict.

Access the firewall settings in the Control Panel, Security section.

 

firewallInstead I have just three rules.  While this works for me, your situation may call for more rules than this…

  1. Allow all traffic on all ports from my local network,
  2. Allow only HTTPS port (12346 from the example above) from IPs in England (where I live),
  3. Allow only various application ports (web, owncloud, etc) from IPs in England,

If no rules are matched, then deny access.

Now, I know that IP addresses can be spoofed quite easily, but this helps beat a lot of the mass attacks coming from China, Russia and the USA.

You may want to have a few more rules, just remember to try and keep it simple.  If you over complicate things, you may open a hole in your network.

 

5.  Auto Block

The Auto Block feature is another new addition to DSM 5.1.  It allows you to block users on specific IP addresses trying to login to your DiskStation too many times.  Auto Block is also in the Security section of the Control Panel.  two tabs over from the Firewall.

  1. Tick the box labelled Enable auto block,
  2. Enter a number for the Login attempts field, (I have mine set to 5),
  3. Enter a number for the Within (minutes) field, (again I have 5 for this),

This means that anyone entering their password incorrectly 5 times, within the space of 5 minutes, will get their IP address blocked.  This is a low enough number of attempts in a long enough time window that I can catch quite a lot of attempts.

  1. If you want to enable block expiration option, tick the box.  This will automatically allow a blocked IP address to become unblocked.  I don’t have this set.  Once blocked, you stay blocked.

One thing to be aware of however, since I am not automatically unblocking IP addresses, there is a chance I might get blocked myself.  The way around this is to add a known internal IP address to the Allow/Block List.  This way, if you do get blocked, you just need to change your IP address to this specific address and connect to your device.  You can then unblock yourself.  Never specifically allow an external (internet) address.

 

6. More Coming Soon

I will add any more security options here, if you know of any good tips that you think other people should know about, leave it in the comments.

 

 

Access Your Synology With Your Own Domain Name

Introduction

The Synology Diskstation NAS boxes are great.  I have a DS1813+ that I use for my file storage and VMware virtual machines.  They have a great function called QuickConnect that allows people to quickly and easily access they DiskStations from outside of their home network.

They even have a quick knowledge base tutorial on how to achieve this.

For this post though, I’ll be taking you though the steps to connect using your own domain name.  There are a number of steps, and we’ll be going back and forth between different providers.

 

Requirements

For this to work, you will need a few things…

  • Your own personal domain name to use.  I’ll use nas.example.com in the screen shots and descriptions,
  • A free (or paid) DDNS service provider
  • Know how your router works, and how to perform port forwarding,
  • Optional, but recommended, a SSL certificate for secure communications.

 

Domain Names

Despite this blogs title, using your own domain name is somewhat optional.  You could just use a free Dynamic DNS service provider, and just leave it at that.  We will be using one later on anyway.  However if you do this, you can’t secure your connections with SSL, and security is important.

Domain names can be a personal thing.  Some people have just one, some people have lots.  Whatever you choose, make sure you can remember it.  I use a UK domain name registrar called 123-reg.co.uk for all my domain name needs.

Once you have thought of a domain name and checked to see if it’s available, you can buy it.  You can buy the domain for however long you think you need it (1 year, 2 years, etc).  I have had one of my domains for over 10 years.!

Now that we have a domain, we can start to configure a few more things.  Firstly, make sure any emails sent to this domain are forwarded to your own email address.  This should be fairly easy, just set up a catch-all email redirect.  We will come back to the domain settings later, as we need to configure a new DNS entry to point to a DDNS service provider.

 

DDNS Service Provider

We will need a service provider that the Synology can talk to automatically, so that when your external IP address changes (whenever you reboot your router), the domain name forwarding will continue to work.

How DDNS Works (very basic overview)

  1. The Synology DiskStation updates the DDNS service provider when an IP address change is detected,
  2. A client computer (you) requests a connection to your domain name,
  3. The domain name is forwarded to your DDNS service provider,
  4. The DDNS service provider returns to the client the IP given to it by the DiskStation,
  5. The client computer (you) connects to the DiskStation.

 

Service Providers

syno-ddnsAs you can see from the image below, there are a lot of service providers that Synology can automatically update.  Pick one from the list that you feel comfortable with, and sign up for a free account – if they have one.  The provider I use is NoIP.com.  They have a free service, however, you need to renew the account every 30 days (by just clicking a link).

 

During the sign-up, you will be asked for a host name to use, I find it easier to use the domain name I registered above.  Also, make sure you use a very strong password.

ddns-hostname

OK, we now have a domain, and a DDNS hostname.  Go back to your domain name registrar and edit the DNS settings for it.  For 123-reg, they have an advanced panel, this is most likely what you will need.  You need to create a new DNS entry for your domain name.  I called my sub-domain NAS, but you can use what you want. The DNS type for this is a CNAME.  It will redirect to your DDNS service provider hostname.

cname-entry

This may will take between an hour and a day for any changes to replicate around the internet, so don’t worry if it doesn’t work straight away.

 

Port Forwarding

Before you start port forwarding, you will need a few things…

  • The IP address you have assigned to your Synology DiskStation,
  • The Port you use to connect to your DiskStation,
    • The defaults are 5000 and 5001 for HTTP and HTTPS.
    • I’ll be using the default of 5001 for the demo, but you really should change this port number – I’ll show you how later on.  If you are going to use a different number, pick any number between 1024 and 65000.  Remember it.
  • Of course, the username/password for your router.!

Every home router is different, and some corporate ones require more than just a couple of steps.  I’ll point you to a web site I used to use; be warned however, it has a lot of adverts – you are using an avert blocker right.!?

This is a link to an old router I used to have, a Netgear DG834.  You can try to find your own router from their extensive list if you like.  For more advanced routers you may need a few more steps.  For the specific router I use, a Juniper NetScreen 5GT, there are quite a number of steps required, in different areas of the device.

The basic overview is to add a rule to your router/firewall that allows all traffic coming into your home on the specific port (5001), to be forwarded to your DiskStation, where, your DiskStation will handle it.

 

Obtaining a SSL Certificate

For all my SSL needs, I use the free Class 1 certificates from StartSSL.  They are valid for one year, and can be easily renewed.  Did I also mention they are free.  No hidden charges, completely free.

You’ll need to signup for an account (I know, another one).  You will then need to validate the domain name that you want to create a certificate for.

startssl-domainnamevalidation

  1. From the Control Panel, click on the Validations Wizard,
  2. Choose Domain Name Validation,
  3. Enter the domain name your bought above,
  4. Click continue past the email selection page,
    • This is why it was important earlier to make sure all emails are forwarded,
  5. Wait for an email from StartSSL to arrive.  It will contain a verification code, enter it in the box provided,
  6. All done.

Once validated, you can now create a SSL certificate.

  1. startssl-certwizFrom the Control Panel, click on the Certificates Wizard,
  2. Choose Web Server SSL/TLS Certificate,
  3. Create a Key Password
    • Make sure it’s a long one – use the maximum allowed
  4. Change the Keysize to 4096
  5. Make sure Secure Hash Algorithm is set to SHA2,
  6. Copy all the text, and save it as a plain text file in notepad.  Call it SSL.KEY,
    • This is your encrypted private key, do not give it to anyone,
  7. Select the domain you want to use this SSL certificate for, if you have more than one domain,
  8. Enter a sub domain of NAS, or whatever you used for the CNAME above,
  9. Click Continue past the message, then wait for an email from StartSSL (it could take a while, but it’s usually quick)
  10. While you wait for your certificate to be generated, go back to the Control Panel
  11. Select Decrypt Private Key from the menu,
  12. Paste in the encrypted private key from step 6 and the Key Password from step 3,
  13. When you click Decrypt, the key will be decrypted and presented to you
  14. Select all the text, and save it as DECRYPTED.KEY,
    • This is you private key, do not give it to anyone.
  15. Once you get this email, go back to the StartSSL Control Panel and select Retrieve Certificate,
  16. Select the correct certificate from the drop down list (if you have more than one),
  17. Copy all the text, and save it as a plain text file in notepad.  Call it SSL.CER,
    • This is your certificate,
  18. All done.

 

Synology Configuration

We are almost done.  We have a domain, with DDNS forwarding, and port forwarding (on a custom port).  We just need to add the certificate to the DiskStation and optionally change the port numbers…

Enable DDNS Settings

  1. Open the Control Panel,
  2. Go to the External Access section,
  3. Select the DDNS tab,
  4. Click Add,
  5. Select the service provider you picked earlier (NoIP in my case),
  6. Enter the DDNS hostname,
  7. Enter your DDNS username and password,
  8. Click Test Connection to make sure everything is working fine.
  9. Select the Advanced tab,
  10. Enter your domain name in the Hostname or static IP field.

Enable HTTPS and Change Connection Port

  1. syno-httpsOpen the Control Panel,
  2. Go to the Network section,
  3. Select the DSM Settings tab,
  4. (Optional) Change the HTTPS port number to the one you picked earlier,
  5. Tick the Enable HTTPS connections tick box,
  6. Tick all the other options on this page too.
  7. Click OK,

Install SSL Certificate

  1. syno-importcertOpen the Control Panel,
  2. Go to the Security section,
  3. Select the Certificate tab,
  4. Click the Import Certificate button,
  5. Select the two files you created above,
    1. decrypted.key,
    2. ssl.cer,
  6. Once you click OK, the DSM should reload and connect you on a HTTPS connection.

 

Testing It All

You should now be able to connect to your Synology DiskStation via your newly bought domain name.

Home Lab Network

networking-1

Introduction

If you have been following my Intel NUC As A ESXi Host series, you will notice that I have two networks, one called “Live” and one “Private”

 

Networks

Live

My “Live” network is everything that can potentially contact the internet: laptops, servers, printers, etc.  This network is on the 192.168.xxx.yyy/24 range – like almost everyone’s home network.

Private

The “Private” network is the one where most of my home lab virtual machines live.  They don’t have internet access, and in fact, can’t interact with anything on the “Live” network.  Their IP range is 10.1.1.xxx/24.

One of the reasons for this split, is to make sure anything I do on my home lab servers will not affect my home equipment.  For example, changing DNS entries, forcing group policies to computers, etc.

Management Network (VMware)

The Management Network seen in the screen shot above, is the management IP address of your ESXi host.  If you have a host with more than one NIC card (and really you should if you can), then this IP address is the one you use to connect to your host.

 

 Servers On Both Networks

I do have a few virtual servers that belong on both networks.  For example, my PRTG Network Monitor server can monitor both my “Live” and “Private” networks.  My Windows Server Update Services (WSUS) server can provide updates to both networks.

 

Adding More Networks

You can have as many networks as you like, I just need two for my purposes, but you can create more.  To do this, follow the steps below…

Since my NUCs only have one network port, I am using a vSphere Standard Switch, not a vSphere Distributed Switch.  Because of this, you will need to replicate the steps below on to each of your hosts…

  1. Open the vSphere Client and connect to your host (if you have one, or your vCenter Server if you have one of those),
  2. Click the Configuration tab, then click Networking on the left menu,
  3. If you used my automatic configuration script, you’ll see something like the screen shot above,
  4. Click the Properties link above the network card, not the one top right,

esx-networking-1

  1. Click Add and follow the wizard selecting the options below…
    • Connection Types : Virtual Machine
    • Network Label : [whatever name you want to have]
    • VLAN ID : [a number between 2 and 4094]

esx-networking-2   esx-networking-3   esx-networking-4

  1. Click Close when you have added all the networks you want.

When you create a new virtual machine, or edit the properties of one, you will now have all your networking options listed for you…

esx-networking-5

 

IP Range

Once you have created your networks, you can use whatever IP range you want within them, they will be separated within your home lab.  As I mentioned above, my “Private” network is using the 10.1.1.xxx/24 range, and for that I have a DHCP server handing out addresses just for that network.  More on my virtual machine setup in a future blog post.

 

VLANs

Before you start using VLANs between hosts (if you have more than one) on your network, make sure that you have a managed switch that can handle VLANs.  If you don’t have a managed switch, you won’t be able to them.  A managed switch is one that has it’s own IP address that you can login to.  The managed switch I have is a HP 1810-8G (J9802A).  This allows me to not only enable and use VLANs, but also IEEE 802.3ad Link Aggregation for my Synology NAS.

If you do have more than one NUC, you will need to make sure they are tagged in your switch to handle the VLANs.  On my particular switch..

  1. Go into VLANs > VLAN Configuration,
  2. Tick the Create VLAN box, and enter the VLAN ID number (as we did above),
  3. Click Apply,
  4. Go to VLANs > VLAN Configuration,
  5. Select the correct VLAN from the small drop down list,
  6. Select each of the ports your NUCs are plugged into, making sure they have the “T” mark to designate Tagged.
  7. Click Apply.

And that’s it, your virtual machines should now be able to talk to each other across hosts on whatever VLAN and IP range you configure for them.