Category Archives: Synology NAS

Private DNS Domains: Creating SSL Certs for Your Devices That Access Internal Servers (Updated November 23, 2023)

In my last post, we went over creating the SSL cert for your internal web servers: a wildcard cert that can be made once and installed on many servers, which makes things easier on us. Now we’ll go over making the CA certs for Android and Windows clients. These do away with that annoying Chrome nag screen about security when accessing those servers, so the site instead appears to the browser as nice and secure!

Crafting the Simple Configuration for Android

For the simple Android configuration, the certificate needs to be a CA cert. This config file is where we define that, for use in a later step of the process.

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
commonName = *.yourinternaldomain.local

[ req_ext ]
subjectAltName = @alt_names
basicConstraints=CA:TRUE

[alt_names]
DNS.1 = yourinternaldomain.local
DNS.2 = *.yourinternaldomain.local

Save it as openssl.cnf. This is basically exactly like the server cnf file except for one thing: the line that says basicConstraints=CA:TRUE. That line is what keeps Android from throwing an error on import, so the cert installs and works correctly!

You do NOT need this cnf file for the Windows cert, just skip ahead!

Generating the Signing Key for Android/Windows

This step is for both Android and Windows; it’s basically the same command, just with different file extensions.

Android:

openssl genrsa -out privkey.pem 2048

Windows:

openssl genrsa -out privkey.key 2048

I use different extensions here just to keep things straight in my head when working with these certificates, because we end up with a .pem for Android and a .crt for Windows.

Creating the Certificate Signing Request for Android/Windows

This is basically the same as in the server post, with a tweak to the Windows command so the two are easy to tell apart.

Android:

openssl req -new -key privkey.pem -out csr.pem -config openssl.cnf

Windows:

openssl req -new -key privkey.key -out cert.csr

On Android, you can see that you reference the cnf file. Remember, if you are doing this on Windows, you must specify the complete DOS path to the cnf file in the command.

Generate the Certificate

Now that we have those, we can generate the two different types of certificates for Android and Windows.

Android:

openssl x509 -req -days 365 -in csr.pem -signkey privkey.pem -out cert.pem -extensions req_ext -extfile openssl.cnf

Windows:

openssl x509 -req -days 365 -in cert.csr -signkey privkey.key -out cert.crt

OR (the easier way: skip all the previous Windows steps, follow the Android steps, and after generating the Android cert just do this!)

openssl x509 -outform der -in cert.pem -out cert.crt

And there you go, certificates made. One last thing for those special devices that require attention.

Craft a Full Chain pem

Here’s how to create a quick Full Chain pem file (the cert followed by the private key, in one file):

cat cert.pem privkey.pem > fullchain.pem

Installing the Certs

On Windows, you want to install the cert into your Trusted Root Certificates store. I had to restart Chrome and refresh my servers (which were already running their brand new internal certs) to get the Good To Go widget in the address bar. I haven’t tested with Edge, but I assume that, being Chromium-based, it probably uses the Windows Certificate Store as well. No idea about Firefox, never had the urge to use it.

On Android 13, look up how to install a custom certificate on your specific device; it should find cert.pem (which you should have emailed to yourself already) somewhere in your storage. I’ve read you’re supposed to be able to just tap the pem file and it will auto-install, but that did not work on a Pixel or a Samsung device. I had to go into Settings and do it through the menu.

If you are on a Pixel running Android 14 like me, then when you get the option in Settings to select the cert, it will not show any pem files. I am not sure why, but I found a workaround. After you download it, open the Files app and delete it. Sounds crazy, but stay with me. Then go into Settings and go through the certificate settings to the point of picking the certificate. This should launch a Files-like window to select it; tap the 3 dots in the upper right and select Show Hidden Files. There you go: the deleted cert.pem file will be there, just tap it and it will be installed. Crazy, I know, but that worked on my Pixel 8 Pro.

That should be it for Android. Just kill and relaunch Chrome and it should be like on your desktop, with no nag screen.

I genuinely hope this helps anyone who could use the help. I know it has cut out years of clicking and tapping to get past the security alerts.

John

Private DNS Domains: Creating SSL Certs for Your Web Servers and Devices That Access Them (Updated November 23, 2023)

It’s pretty easy to get a growing internal network going at home now, with devices getting cheaper and whatnot. But I don’t particularly feel the need to expose them to the internet and only use them myself. I also don’t like the nagging from Chrome about how this site is not secure, whether on my desktop, my tablet or my phone. So I sat down this weekend and worked out how to create a cert for my web serving stuff and a CA cert for my end-use devices that makes Chrome quiet and happy and convinced everything is nice and secure. Here’s how I did it for the server side; later today or tomorrow I will add a post on how to do the client cert.

Install openssl on your working machine and buckle up!

Once you have openssl installed, you need to do this twice: once for the web servers and once for the CA cert that lets the end-user devices accept the server cert you made before.

The first thing is to generate a configuration file, because we are going to make a wildcard certificate so we don’t have to generate a cert for each server separately! Here’s the configuration example:

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
countryName        = US
stateOrProvinceName = Texas
localityName       = Who Hee
organizationName   = Your Org
organizationalUnitName= Your Org Name
commonName = *.yourinternaldomain.local

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = yourinternaldomain.local
DNS.2 = *.yourinternaldomain.local

(Added more depth to CNF file)

Ok, on *nix you can pretty much save that in whatever directory you are going to run the openssl command from, as openssl will look for it relative to where the command is executed. Save the file as: openssl.cnf

On Windows, you need to change the places below (literally in the commands that follow) where openssl.cnf is mentioned, so they point to where the config is saved.

Generate the Signing Key

Next up we generate the signing key:

openssl genrsa -out privkey.pem 2048

That is it!

Generate the Certificate Signing Request

Now we have to generate the CSR for generating our actual server cert.

openssl req -new -key privkey.pem -out csr.pem -config openssl.cnf

(Updated to add the -config option to the CSR request)

That was nice and easy as well, now onto generating the server’s certificate!

Create the Actual Server Certificate

Now to the almost final step which is to create the cert to be installed on all the internal servers.

openssl x509 -req -days 365 -in csr.pem -signkey privkey.pem -out cert.pem -extensions req_ext -extfile openssl.cnf

Here is where we reference the openssl.cnf to get our wildcard cert. Windows users, remember to input the complete DOS path to the actual cnf file, and use quotes if it has spaces.

One Last Thing For Those Special Needs Servers

For those servers (e.g. Synology) that require a Full Chain pem file as well, you can create one like this from *nix.

cat cert.pem privkey.pem > fullchain.pem
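As an added example (not code from this post or the client post above), here is a shell script that reproduces the recipe above for the server cert and, with the `ca` option, the Android/Windows CA variant from the client post, then checks what came out: whether the cert carries basicConstraints CA:TRUE, and whether its names actually cover a given hostname. It assumes openssl is on the PATH and uses yourinternaldomain.local as a placeholder domain.

```shell
#!/bin/sh
# Added example, not from the original posts. Builds the wildcard cert the way
# the posts do and checks the result. Assumes openssl is on PATH; the default
# domain below is a placeholder for your own internal domain.

# make_wildcard_cert DIR server|ca [DOMAIN]
# Writes openssl.cnf, privkey.pem, csr.pem, cert.pem, cert.crt (DER copy for
# Windows) and fullchain.pem (cert + key, for Synology) into DIR.
make_wildcard_cert() {
    dir="$1"; kind="$2"; domain="${3:-yourinternaldomain.local}"
    mkdir -p "$dir" || return 1
    # The CA variant differs from the server config only by basicConstraints.
    if [ "$kind" = ca ]; then bc='basicConstraints = CA:TRUE'; else bc=''; fi
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
commonName = *.$domain

[ req_ext ]
subjectAltName = @alt_names
$bc

[alt_names]
DNS.1 = $domain
DNS.2 = *.$domain
EOF
    (
        set -e
        cd "$dir"
        openssl genrsa -out privkey.pem 2048 2>/dev/null
        openssl req -new -key privkey.pem -out csr.pem -config openssl.cnf
        # -extensions/-extfile pull the SANs (and CA flag, if any) from the cnf
        openssl x509 -req -days 365 -in csr.pem -signkey privkey.pem \
            -out cert.pem -extensions req_ext -extfile openssl.cnf 2>/dev/null
        openssl x509 -outform der -in cert.pem -out cert.crt
        cat cert.pem privkey.pem > fullchain.pem
    )
}

# is_ca_cert FILE: succeeds only if the cert carries basicConstraints CA:TRUE,
# the flag the client post relies on for Android to import it.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_matches_host FILE HOST: succeeds if the cert's names cover HOST. The
# wildcard entry matches exactly one label, so a deeper subdomain will fail.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Stand-alone run: build both variants in a scratch directory and report.
if [ "${1:-}" = run ]; then
    work=$(mktemp -d)
    make_wildcard_cert "$work/server" server
    make_wildcard_cert "$work/ca" ca
    is_ca_cert "$work/ca/cert.pem" && echo "ca/cert.pem is a CA cert"
    is_ca_cert "$work/server/cert.pem" || echo "server/cert.pem is not a CA cert"
    cert_matches_host "$work/server/cert.pem" nas.yourinternaldomain.local \
        && echo "server cert covers nas.yourinternaldomain.local"
    rm -rf "$work"
fi
```

Run it as `sh script.sh run` to build both variants in a temporary directory; the check functions are what you would point at your own cert.pem to confirm the wildcard and CA flag came through.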

Ok, the server cert is done, and you should be able to add it to your web servers now. I’ll be putting up the client portion for Android and Windows client CA certs sometime later today or tomorrow, so that the annoying Chrome nag screen goes away.

John

Tools Rundown: IT-Tools Docker Image!

The IT-Tools docker container is a very large suite of one-off tools and utilities that you access via a web interface. It is very easy to get running in Docker via Portainer and it is also very easy to use. I see this as a utility for all types of people in the IT field, from admins to programmers, as it really covers the gamut of tools.

How to get it going in Docker on my *nix system (this works for Synology as well)

Using Compose, here is the basic gist of getting it up and running in Portainer. In Portainer, add a new stack, name it what you will, and then paste the following into the editor:

version: '3.9'
services:
    it-tools:
        image: 'corentinth/it-tools:latest'
        restart: always
        ports:
            - '5545:80'
        container_name: IT-Tools

Then click on the “Deploy Stack” button and let it do its work. You should get a message that the stack was deployed successfully once it is finished.

I honestly have no idea how to do this in Windows as that demon child of an implementation of Docker is just weird and hard to understand versus the *nix versions.

Accessing IT-Tools

Once the stack is up and running, open your browser and navigate to: http://<ipaddressofdockerhost>:5545

This should open up this page for you.

And that is all there is to it! Just click an option to open it and use it; it’s all web-based. There is literally something here that everyone can use quite often in their trade, I believe, and it is definitely worth the 10-15 minutes it takes to get it going. Just bookmark it in your browser and you have a great go-to tool for those times you need a converter or other utility.

You can choose a light or dark mode; as you can see from the screenshot, I have it in dark mode. You can favorite utilities and tools as well, and it will pin them to the top of the page.

I do hope you take a few minutes and try it out. It’s a well-thought-out app that ticks all the boxes, and that is few and far between these days. You rarely come across something like this.

John

Change default ports for Synology DSM 7.2 web interface to something other than 5000 and 5001

Image Source: Unsplash

In today’s digital landscape, securing our personal data and protecting our devices from potential vulnerabilities has become essential. As a Synology user, you might be familiar with the default ports 5000 and 5001 that are commonly used for accessing the Synology DSM 7.2 web interface. However, by changing these default ports to something more unique and secure, you can add an extra layer of protection to your Synology NAS device. In this article, we will explore the importance of changing default ports, provide you with a step-by-step guide on how to do it, and discuss some best practices for securing your Synology DSM 7.2 web interface.

Understanding default ports and their significance

Before we dive into the process of changing default ports, let’s first understand what default ports are and why they are significant. Ports are virtual channels on your network device that allow different services to communicate with each other. In the case of Synology DSM 7.2 web interface, the default ports 5000 and 5001 are used to access the management interface and secure HTTPS connection, respectively.

The problem with using well-known default ports is that they are widely recognized and often targeted by hackers. By changing these ports to different numbers, you can make it harder for potential attackers to identify and exploit vulnerabilities in your system. This simple measure can significantly enhance the security of your Synology NAS device.

Why change default ports for Synology DSM 7.2 web interface?

Changing the default ports for your Synology DSM 7.2 web interface offers several advantages. Let’s take a closer look at why it is recommended to customize the ports for your Synology NAS device:

  1. Enhanced security: As mentioned earlier, using well-known default ports makes your device an easy target for hackers. By changing the ports to something more unique, you can reduce the risk of unauthorized access and potential security breaches.
  2. Avoid port conflicts: In some cases, you may have other applications or services running on your network that are already using ports 5000 and 5001. By customizing the ports, you can avoid conflicts and ensure the smooth functioning of all your network services.
  3. Obscurity: While it’s not advisable to solely rely on port obscurity for security, changing the default ports can make it harder for attackers to identify your Synology device. It adds an extra layer of protection by making it more difficult for potential threats to locate your web interface.
  4. Compliance requirements: Depending on your industry or organizational policies, you may be required to change default ports for regulatory compliance. Customizing the ports can help align your Synology NAS device with specific security standards and protocols.

Now that we understand the significance of changing default ports, let’s proceed with the step-by-step guide on how to modify the default ports for your Synology DSM 7.2 web interface.

Step-by-step guide to changing default ports

Changing the default ports for your Synology DSM 7.2 web interface is a straightforward process. Follow these steps to customize the ports on your Synology NAS device:

  1. Accessing the Control Panel: Open your web browser and enter the IP address of your Synology NAS device in the address bar. Log in to the Synology DSM 7.2 web interface using your admin credentials. Once logged in, click on the “Control Panel” icon to access the settings.
  2. Navigating to Login Portal: In the Control Panel, locate and click on the “Login Portal” icon. This will open the Login Portal settings page.
  3. Modifying the default ports: On the Login Portal page, click on the “DSM” tab. At the bottom of the page is the “Web Services” section. Here you will find the option to change the default ports for HTTP and HTTPS connections. Enter the desired port numbers in the respective fields.
  4. Applying the changes: Once you have entered the new port numbers, click on the “Apply” button to save the changes. Your Synology NAS device will now use the new port numbers for accessing the web interface.

Testing the new port configuration

After changing the default ports, it is essential to test the new configuration to ensure everything is working correctly. Here are a few steps you can follow to test the new port setup:

  1. Accessing the web interface: Open your web browser and enter the IP address of your Synology NAS device, followed by the new port number. For example, if you changed the HTTP port to 8080, enter http://your-ip-address:8080 in the address bar. If you changed the HTTPS port to 8443, enter https://your-ip-address:8443.
  2. Verifying the connection: If the connection is successful, you should be able to access the Synology DSM 7.2 web interface using the new port numbers. Log in using your admin credentials and ensure that all functionalities are working as expected.
  3. Checking for errors: If you encounter any errors or are unable to establish a connection, double-check the port numbers you entered and make sure they are correct. Also, ensure that any firewall or router settings are updated to allow connections through the new port numbers.

By following these steps, you can verify that the new port configuration is functioning correctly and that you can access your Synology DSM 7.2 web interface securely.

Common issues and troubleshooting tips

While changing the default ports is a relatively simple process, you may encounter some common issues or face challenges during the configuration. Here are a few troubleshooting tips to help you overcome any problems you may encounter:

  1. Firewall settings: Ensure that your firewall settings are updated to allow connections through the new port numbers. If necessary, create new firewall rules to allow inbound and outbound traffic on the customized ports.
  2. Router configurations: If you are accessing your Synology NAS device from outside your local network, ensure that the router configurations are updated to forward the new port numbers to your device. This will allow external access to the web interface.
  3. Port availability: Double-check that the new port numbers you have selected are not in use by any other applications or services on your network. Port conflicts can prevent your Synology DSM 7.2 web interface from functioning correctly.

By addressing these common issues and following the troubleshooting tips, you can ensure a smooth transition to the new port configuration for your Synology NAS device.

Security considerations when changing default ports

While changing default ports can enhance the security of your Synology NAS device, it is important to consider a few additional security measures to protect your system effectively. Here are some security considerations to keep in mind:

  1. Strong passwords: Ensure that you have strong and unique passwords for your Synology DSM 7.2 web interface. Avoid using default or easily guessable passwords to prevent unauthorized access.
  2. Regular software updates: Keep your Synology DSM 7.2 software up to date by installing the latest updates and patches. This will help address any security vulnerabilities and ensure that your system is protected against known threats.
  3. Enable two-factor authentication: Two-factor authentication adds an extra layer of security by requiring a second form of verification, such as a code sent to your mobile device, in addition to your password. Enable this feature to further protect your Synology DSM 7.2 web interface.
  4. Disable unnecessary services: Review the services running on your Synology NAS device and disable any that are not required. Limiting the number of active services reduces the potential attack surface and minimizes the risk of security breaches.

By implementing these security considerations alongside changing the default ports, you can create a robust security framework for your Synology DSM 7.2 web interface.

Advanced configurations and customization options

For advanced users, Synology DSM 7.2 offers additional configuration options and customization features. These can further enhance the security and functionality of your Synology NAS device. Here are a few advanced configurations you can explore:

  1. VPN integration: Set up a virtual private network (VPN) to establish a secure connection between your remote device and your Synology NAS device. This allows you to access the web interface securely from anywhere while encrypting the data transmitted.
  2. SSL certificate: Consider installing an SSL certificate on your Synology NAS device to enable HTTPS connections. This provides an additional layer of encryption and ensures secure communication between your device and the web interface.
  3. IP blocking: Enable IP blocking to prevent multiple failed login attempts from specific IP addresses. This helps protect against brute-force attacks and further strengthens the security of your Synology DSM 7.2 web interface.

By exploring these advanced configurations and customization options, you can tailor your Synology NAS device to meet your specific security requirements and preferences.

Best practices for managing Synology DSM 7.2 web interface ports

To ensure the ongoing security and optimal performance of your Synology DSM 7.2 web interface, it is important to follow best practices for managing the ports. Here are some recommendations to keep in mind:

  1. Regularly review port configurations: Periodically review your port configurations to ensure they align with your security needs. If necessary, update the port numbers to maintain an effective security posture.
  2. Document your port changes: Keep a record of the port numbers you have customized and any associated configurations. This will help you troubleshoot issues and ensure consistency in your network setup.
  3. Backup your configurations: Regularly back up your Synology DSM 7.2 configurations to ensure that you can quickly restore your settings in case of any unforeseen events or system failures.
  4. Stay informed: Stay updated with the latest security advisories and news related to Synology DSM 7.2. This will help you stay ahead of potential threats and implement timely security measures.

By following these best practices, you can effectively manage your Synology DSM 7.2 web interface ports and maintain a secure and reliable network environment.

Changing the default ports for your Synology DSM 7.2 web interface is a simple yet crucial step in securing your Synology NAS device. By customizing the ports to something more unique and secure, you can enhance the protection of your data and mitigate potential vulnerabilities.

In this article, we discussed the significance of changing default ports and provided you with a step-by-step guide on how to modify the default ports for your Synology DSM 7.2 web interface. We also explored some best practices for securing your Synology NAS device and discussed advanced configurations and customization options.

Remember to regularly review and update your port configurations, follow security best practices, and stay informed about the latest security updates. By implementing these measures, you can ensure the ongoing security, performance, and reliability of your Synology DSM 7.2 web interface. Don’t compromise your security; start customizing your Synology DSM 7.2 web interface ports today!

Note: The information provided in this article is based on Synology DSM 7.2. Please refer to the official Synology documentation for specific instructions related to your device’s firmware version.

John

Authenticating to Your Synology NAS: How to Install an LDAP Client on Your Linux System

Synology NAS (Network Attached Storage) is a game-changing technology that allows businesses and individuals to store and share data in a centralized location. This exceptional piece of hardware utilizes a Linux-based operating system, DiskStation Manager (DSM), designed for easy digital asset management.

When it comes to managing user access and security, Synology NAS integrates with LDAP (Lightweight Directory Access Protocol). As the name suggests, LDAP is a protocol designed to access and maintain distributed directory information services over a network. It plays a crucial role in managing and fetching information from a directory, such as email addresses or usernames.

With LDAP, a client can communicate with an LDAP server to add, delete, or modify entries in the directory. It is a powerful tool that, when combined with Synology NAS, provides a robust, secure, and efficient system for managing data access and security.

The Power of Using LDAP with Synology NAS

Utilizing LDAP with Synology NAS takes data management to the next level. It adds an extra layer of security and convenience to your Synology NAS. With LDAP, you can centrally manage and authenticate users across your entire network. It means you can control who has access to what data, and track their activities.

As a protocol, LDAP is designed to be lightweight and fast. It can handle a large number of queries and can scale up to accommodate even the largest organization’s needs. When paired with Synology NAS, LDAP facilitates fast and efficient data retrieval, making it an excellent choice for businesses with large data sets.

Moreover, using LDAP with Synology NAS also simplifies the management of user access rights. With a single interface, you can control access to all connected devices. It greatly reduces the time and effort required to manage user permissions and enhances the overall security of your data.

What is LDAP?

LDAP, or Lightweight Directory Access Protocol, is a protocol that provides a framework for accessing and maintaining distributed directory information services. It is based on the X.500 standard, but is more streamlined and less resource-intensive, making it suitable for use over the Internet.

LDAP is designed to support a wide range of applications, from email systems to network resource directories. It’s a powerful tool for managing data in a hierarchical directory structure, known as the Directory Information Tree (DIT). The DIT organizes data into entries, each of which is uniquely identified by a Distinguished Name (DN).

LDAP is not just a protocol; it’s a system for managing, organizing, and accessing data. It’s a cornerstone of many modern network systems, including those running on Linux.

Why LDAP is important for Linux systems

In the world of Linux, LDAP is a powerful ally. Linux systems are known for their reconfigurability and adaptability, and LDAP fits right in. LDAP allows Linux systems to manage user information in a convenient, centralized manner.

Linux LDAP authentication serves as a central authority for user management, reducing the need for multiple, separate user databases. It simplifies administration and enhances security by centralizing user credentials and access control. This means less time spent managing individual user accounts and more time focusing on critical tasks.

Moreover, LDAP is platform-independent. This means you can use the same LDAP server to authenticate users on a variety of operating systems, not just Linux. This cross-platform compatibility further simplifies administration and helps maintain a consistent user experience across different systems.

Understanding LDAP Authentication in Linux

LDAP authentication in Linux involves using an LDAP server to validate a user’s credentials. This process is crucial for controlling access to resources and maintaining security. When a user attempts to log in, the system sends a request to the LDAP server with the user’s credentials. The server then checks these credentials against its database. If they match, the server confirms the user’s identity and authorizes access.

However, implementing LDAP authentication in Linux requires a careful approach. It involves setting up an LDAP server, configuring the client systems, and managing the LDAP directory. While this can be complex, the payoff in terms of security and efficiency is well worth it.

Short Guide to Linux LDAP Configuration

How to Install an LDAP Client on Your Linux System

Configuring OpenLDAP Client on Linux

Navigating LDAP Commands for Synology NAS

Troubleshooting Common LDAP Configuration Issues in Linux

Best Practices for LDAP Configuration in Linux with Synology NAS

John