OpenVPN configuration Synology VPN server

Client configuration settings: 

remote <dns or ip address>  1194

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will first connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

redirect-gateway def1

When the local network of the OpenVPN client is the same as the local network of the OpenVPN server (for example both are 192.168.1.0/24), traffic for hosts on the server's LAN is not sent into the VPN tunnel, even with redirect-gateway: the client's own connected route for 192.168.1.0/24 matches those addresses first. You can then add the following line to the ovpn configuration file:

route <ip address> 

A route directive with only an IP address and no netmask is a host route (netmask 255.255.255.255). That is more specific than the /24 of the client's own LAN, so it wins and the traffic goes through the tunnel. For example, to reach 192.168.1.10 on the local network of the VPN server:

route 192.168.1.10 

When you have problems with DNS, for example with the DNS servers of Ziggo, which only answer queries from their own network: with redirect-gateway the queries arrive from the VPN server's network and are refused. Change the client's DNS settings to a public resolver, for example the name servers of Google, 8.8.8.8 and 8.8.4.4.

Warning message in the log file: 

WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

You see this message when you connect to a standard OpenVPN server from Synology; it is shown because of the way Synology implemented their OpenVPN server. It means the client checks that the server certificate was signed by the CA, but not that it is a server certificate: any certificate issued by the same CA, including another client's, would be accepted as the server, which is the man-in-the-middle scenario the linked OpenVPN page describes. The directive the OpenVPN manual recommends in the client configuration is remote-cert-tls server. It only works when the server certificate carries the server role (extended key usage), so if the connection then fails with a certificate verification error, the fix is a proper server certificate on the NAS, not removing the check.
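The client profile checks discussed above (the MITM warning, redirect-gateway and the host route for overlapping LANs), as an added example that is not part of the original notes or of Synology's tooling. It audits a .ovpn file for those directives and appends the two that are safe to append. The profile contents in the test and the assumption that the server certificate accepts remote-cert-tls server are mine, not the page's.

```sh
#!/bin/sh
# Added example, not from the page: audit a Synology-exported client .ovpn for
# the directives discussed above and append the two that are safe to add.
# Profile paths and contents are constructed for the example.

# ovpn_has FILE REGEX: true if some line starts with REGEX (whole directive).
ovpn_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# ovpn_audit FILE: print one finding per line, return the number of findings.
ovpn_audit() {
    n=0
    # Without a server-role check the client accepts any certificate the CA
    # signed, including another client's: that is what the MITM warning means.
    ovpn_has "$1" 'remote-cert-tls[[:space:]]+server' ||
        { echo "missing: remote-cert-tls server"; n=$((n+1)); }
    # Full tunnel, so LAN and Internet traffic (DNS included) leave via the NAS.
    ovpn_has "$1" 'redirect-gateway' ||
        { echo "missing: redirect-gateway def1"; n=$((n+1)); }
    # "route a.b.c.d" with no netmask is a /32 host route, which is more
    # specific than the client's own 192.168.1.0/24 and therefore wins. A
    # route with a /24 netmask ties with the local LAN and does not.
    if grep -Eq '^[[:space:]]*route[[:space:]]+[0-9.]+[[:space:]]+255\.255\.255\.0' "$1"; then
        echo "route with /24 netmask will not override the local LAN"
        n=$((n+1))
    fi
    return $n
}

# ovpn_harden FILE: append the directives ovpn_audit reports missing. A /24
# route is left alone: only the owner knows which hosts need a /32.
ovpn_harden() {
    ovpn_has "$1" 'remote-cert-tls[[:space:]]+server' ||
        echo 'remote-cert-tls server' >>"$1"
    ovpn_has "$1" 'redirect-gateway' || echo 'redirect-gateway def1' >>"$1"
}
```

Run ovpn_audit against the exported profile before the first connection and again after ovpn_harden; if the connection then fails on certificate verification, the server certificate on the NAS lacks the server role, and that is where the fix belongs.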

Synology DNS server and dnsmasq

When stopping the DNS Server running on the Synology NAS, I notice that port 53 is still open. 

Running netstat -anp on the Synology NAS reveals that dnsmasq has port 53 open. 

Stopping the DHCP server in Control Panel stops dnsmasq, and with it the listener on port 53: DSM's DHCP Server uses dnsmasq, which is a combined DHCP and DNS server, so it keeps answering on port 53 as long as DHCP is enabled, whatever the state of the DNS Server package. 

 

Synology best settings for QuickConnect

Use a public DNS server (For example Google DNS servers):

Control Panel, Network, General, Select Manually configure DNS server, Preferred DNS server: 8.8.8.8, Alternative DNS server: 8.8.4.4

Turn off IPv6:

Control Panel, Network, Network Interface, Select connected LAN interface, edit, IPv6, IPv6 setup off

Manual IP Address:

Control Panel, Network, Network Interface, Select connected LAN interface, edit, IPv4, use manual configuration. Don't fill in a DNS server. Fill in IP address, Subnet Mask, Gateway. If configurable, uncheck the jumbo frame option. 

Time:

Control Panel, Regional Options, Synchronize with NTP server: 

For example  Server address: pool.ntp.org 

Check correct local time. 

Synology mount volume as read-only

Always contact Synology support first for help. If you want to try it yourself, at your own risk: 

After a crashed volume which is not recoverable from the GUI, you can try to mount the volume read-only from a terminal. The commands below only read the RAID and LVM metadata up to the mdadm -A -R step, which is the first one that changes state. 

Make an SSH connection to the Synology NAS. 

cat /etc/fstab

fdisk -l 

cat /proc/mdstat

mdadm --detail /dev/<mdX, check cat /proc/mdstat> 

Note which array is not listed (not assembled). Compare the arrays in /proc/mdstat with what mdadm --examine --scan finds in the RAID superblocks on the disks: an array the superblocks describe but /proc/mdstat does not show is the one to assemble by hand. For example md9. 

Use at own risk:

mdadm -A -R /dev/<md not listed> /dev/<partition on disk not crashed> /dev/<partition on disk not crashed> 

The members are the data partitions of the surviving disks (for example /dev/sda3 and /dev/sdb3), not the whole disks; fdisk -l lists the partitions and mdadm --examine /dev/<partition> shows which array a partition belongs to. If /proc/mdstat does list the array but as inactive, stop it first with mdadm --stop /dev/<mdX>; its members are still claimed by the inactive array and the assemble would fail. 

-A, --assemble: Assemble a pre-existing array.

-R, --run: Attempt to start the array even if fewer drives were given than are needed for a full array. Normally if not all drives are found and --scan is not used, then the array will be assembled but not started. With --run an attempt will be made to start it anyway.

command should return the message "mdadm: /dev/<md not listed>  has been started with x drives."

lvm vgscan: take note of the volume group name.

vgchange -a y <volume group name, for example: vg1000>

-a, --activate: y activates the logical volumes of the volume group, so /dev/<volume group name>/lv appears.

The command to mount the volume read-only:

mount -o ro,noload /dev/<volume group name>/lv /volume1

The volume group must exist on your system. noload is an ext4 option: it skips replaying the journal, so nothing is written to the damaged file system. It does not apply to a Btrfs volume; use ro alone there. 

The volume should now be reachable in the terminal session. 

To see the data in DSM using File Station or Windows File Service (SMB) 

synospace --map-file -d

synocheckshare
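The /proc/mdstat inspection and the mdadm -A -R step above, as an added example that is not part of the original notes or of Synology's tooling. It parses the kernel's own report so the array state and the surviving members are read from data rather than typed by hand; the mdstat text is constructed for the example, and the array and partition names in it are assumptions. The command it builds is printed, not executed.

```sh
#!/bin/sh
# Added example, not from the page: parse a copy of /proc/mdstat so the array
# state and the surviving members come from the kernel's report instead of
# being typed by hand. The mdstat text below is constructed; on the NAS pass
# "$(cat /proc/mdstat)" instead.

SAMPLE_MDSTAT='Personalities : [raid1] [raid5]
md2 : inactive sda3[0](S) sdb3[1](S)
      3906989568 blocks super 1.2

md1 : active raid1 sda2[0] sdb2[1] sdc2[2](F)
      2097088 blocks [3/2] [UU_]

md0 : active raid1 sda1[0] sdb1[1] sdc1[2]
      2490176 blocks [3/3] [UUU]

unused devices: <none>'

# md_arrays MDSTAT: names of every array the kernel knows about.
md_arrays() { printf '%s\n' "$1" | awk '/^md[0-9]+ :/ { print $1 }'; }

# md_not_running MDSTAT: arrays that are present but not started. An array
# that is absent altogether never appears here; for that case take the
# members from mdadm --examine --scan.
md_not_running() {
    printf '%s\n' "$1" | awk '/^md[0-9]+ :/ && $3 != "active" { print $1 }'
}

# md_members MDSTAT NAME: /dev paths of NAME's members, excluding those the
# kernel marked faulty "(F)". Slot numbers "[n]" and spare markers "(S)" are
# stripped; every member of an inactive array shows as (S). Words without a
# slot number (the raid level, "(auto-read-only)") are not members.
md_members() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == want && $2 == ":" {
            for (i = 4; i <= NF; i++) {
                if ($i !~ /\[/ || $i ~ /\(F\)/) continue
                dev = $i
                sub(/\[.*$/, "", dev); sub(/\(.*$/, "", dev)
                print "/dev/" dev
            }
        }'
}

# md_assemble_cmd MDSTAT NAME: the mdadm -A -R line for NAME built from its
# non-faulty members. Printed for review; the caller decides whether to run it.
md_assemble_cmd() {
    printf 'mdadm -A -R /dev/%s' "$2"
    md_members "$1" "$2" | while read -r dev; do printf ' %s' "$dev"; done
    printf '\n'
}
```

On the NAS: md_not_running "$(cat /proc/mdstat)" names the array to work on, md_assemble_cmd prints the command to review, and if the array was listed as inactive it has to be stopped with mdadm --stop before that command can claim its members.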

Synology check hard disk health

Storage Manager, HDD/SSD

Select disk and expand information.

Check Status: Normal

Check S.M.A.R.T status: Normal 

Check Bad sector count: 0

Select disk and health info, overview

Disk Reconnection Count, Bad Sector Count and Disk Re-identification Count indicate the total quantity of events that have occurred on your disk or system.

Your data are still safely stored on the disk. Although these parameters provide early warning and information about disk health trends, they do not directly imply imminent disk failure.

Disk Reconnection Count displays the sum of S.M.A.R.T. attribute "UltraDMA CRC Error Count" and other interface issues detected by the system. If this parameter increases abruptly compared to the general tendency, it may indicate that the disk or some hardware components are aging.

Select disk and health info, S.M.A.R.T test

Run Quick and Extended test. Check results. 

Select disk and health info, S.M.A.R.T info 

Use https://en.m.wikipedia.org/wiki/S.M.A.R.T. for reference 

check status: OK

Important attributes:

01 Read Error Rate:

(Vendor specific raw value.) Stores data related to the rate of hardware read errors that occurred when reading data from a disk surface. The raw value has different structure for different vendors and is often not meaningful as a decimal number.

If you see any non-zero raw values for ID 1 (for WD and Samsung disks) in the disk S.M.A.R.T. info, the disk is defective.

05 Reallocated Sectors Count : 0

09 Power-on Hours:

Count of hours in power-on state. The raw value of this attribute shows total count of hours (or minutes, or seconds, depending on manufacturer) in power-on state.

By default, the total expected lifetime of a hard disk in perfect condition is defined as 5 years (running every day and night on all days). This is equal to 1825 days in 24/7 mode or 43800 hours.

10 Spin Retry Count: 0 

184 End-to-End error / IOEDC: 0

187 Reported Uncorrectable Errors: 0

188 Command Timeout: 0

196 Reallocation Event Count: 0

197 Current Pending Sector Count: 0

198 (Offline) Uncorrectable Sector Count: 0 

201 Soft Read Error Rate or TA Counter Detected: 

According to Synology:

If you see any non-zero raw values for ID 1 (for WD and Samsung disks) and ID 5/197/198 (for all disks) in the disk S.M.A.R.T. info, the disk is defective.

Synology terminal S.M.A.R.T. report

smartctl --scan

smartctl -a -d sat -T permissive /dev/sda

/dev/sda is the drive.

-a: prints all SMART information about the disk.

-d sat: specifies the device type. "sat" is SCSI to ATA Translation (SAT), which is required on Synology.

-T permissive: defines the tolerance type. "permissive" tells smartctl to ignore failures of mandatory SMART commands and is required on Synology.

The command also shows the hardware disk information:
 
Model Family:     

Device Model:     

Serial Number:   

LU WWN Device Id:

Firmware Version: 80.00A80

User Capacity:    

Sector Sizes:     

Device is:       

ATA Version is:   

SATA Version is:  

Local Time is:    

SMART support is: 

SMART support is: 

 

To run a short S.M.A.R.T. test (it runs in the background on the drive; read the result afterwards from the self-test log with smartctl's -l selftest option, again with -d sat): 

smartctl -d sat -t short /dev/sda
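The Synology criterion above (non-zero raw values for ID 5/197/198 on any disk, and for ID 1 on WD and Samsung disks) applied to the output of smartctl -a, as an added example that is not part of the original notes or of Synology's tooling. The two smartctl outputs are constructed; the vendor match on the Model Family line is my assumption of how to tell WD and Samsung disks apart, and the block also reports any attribute whose WHEN_FAILED column is not "-".

```sh
#!/bin/sh
# Added example, not from the page: apply the Synology S.M.A.R.T. criterion to
# "smartctl -a" output. Both sample outputs below are constructed; on the NAS
# pass "$(smartctl -a -d sat -T permissive /dev/sda)" instead.

SAMPLE_SMART_WD='Model Family:     Western Digital Red
Device Model:     WDC WD40EFRX-68N32N0
SMART overall-health self-assessment test result: PASSED

ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x002f   200   200   051    Pre-fail  Always       -       0
  5 Reallocated_Sector_Ct   0x0033   200   200   140    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   060   060   000    Old_age   Always       -       29547
197 Current_Pending_Sector  0x0032   200   200   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0030   100   253   000    Old_age   Offline      -       0
199 UDMA_CRC_Error_Count    0x0032   200   200   000    Old_age   Always       -       0'

# Seagate reports a large, meaningless raw value for ID 1; the vendor rule
# must not flag it, which is why the Synology criterion limits ID 1 to WD/Samsung.
SAMPLE_SMART_SEAGATE='Model Family:     Seagate Barracuda 7200.14 (AF)
Device Model:     ST3000DM001-1CH166

ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   117   099   006    Pre-fail  Always       -       142637816
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0'

# smart_bad_attrs TEXT: one line "ID NAME RAW" per attribute that makes the
# disk defective by the Synology rule, plus any attribute smartctl itself
# marks in WHEN_FAILED. Nothing printed means the rule found nothing.
smart_bad_attrs() {
    printf '%s\n' "$1" | awk '
        /^Model Family:/ { family = $0 }
        $1 ~ /^[0-9]+$/ && NF >= 10 {
            id = $1 + 0; raw = $10 + 0
            if ($9 != "-") { print id, $2, "when_failed=" $9; next }
            critical = (id == 5 || id == 197 || id == 198)
            if (id == 1 && family ~ /Western Digital|WDC|Samsung/) critical = 1
            if (critical && raw != 0) print id, $2, raw
        }'
}

# smart_verdict TEXT: exit 0 if the disk passes the rule, 1 if it is defective.
smart_verdict() {
    [ -z "$(smart_bad_attrs "$1")" ]
}
```

Run it per drive from smartctl --scan; a disk that passes the rule can still be aging, which is what the Power-on Hours and the Disk Reconnection Count in Storage Manager are for.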

Synology hardening

Synology DSM 6.1 hardening settings:

  • Control Panel, security, advanced, TLS/ SSL Cipher Suites, Select Modern compatibility 
  • Control Panel, user, advanced, Password Settings, Apply password strength rules, select; 
    • Exclude name and description of user from password. 
    • Include mixed case
    • Include numeric characters
    • Include special characters
    • Exclude common password
    • Minimal password length: 8
    • Password history (times): 3
  • Control Panel, user, advanced,Password Expiration, select;
    • Enable password expiration 
    • Maximum password valid duration (days): 183 (except administrator users) 
    • Minimum password valid duration (days): 1
    • Prompt users to change password upon login before expiration (days): 14
    • Send expiration notification emails; sent at 12:00, Days before the expiration; 14,10,5,3,2,1 
  • 2-Step Verification,select
    • Enforce 2-step verification for the following users, all users
  • Control Panel, Terminal & SNMP, Terminal, (in case) SSH service, advanced settings, High
  • Control Panel, Security, select:
    • Improve protection against cross-site request forgery attacks
    • Improve security with HTTP Content Security Policy (CSP) header.
    • Do not allow DSM to be embedded with iFrame.
    • Clear all saved user login sessions upon system restart. 
  • Control Panel, Network, DSM settings, select Automatically redirect HTTP connections to HTTPS (Web Station and Photo Station excluded)

 

Synology DSM 6 LDAP security

Use an LDAP editor like LDAPadmin.

Connect to the LDAP server running on the Synology NAS:

Host: Synology NAS server

Port: 389

Base: cn=config

Simple authentication

TLS: select it. The bind below sends the cn=config password, and without TLS it crosses the network in clear text on port 389.

Username: cn=config

Password: the same as the root user of the LDAP server

After logging in:

Select cn=config and edit the entry.

Add the attribute olcTLSCipherSuite, or change its value, to your own cipher list. The value is a cipher string in the syntax of the TLS library this OpenLDAP build is linked against (an OpenSSL cipher list or a GnuTLS priority string); if the string is not valid, slapd cannot initialise TLS and TLS connections fail, so test a TLS connection after the change. 

Synology DSM 6 SMB security

SSH connection, for example:

ssh admin@server

sudo -i

vi /etc/samba/smb.conf

Under the [global] section:

server signing=mandatory
client signing=mandatory

min protocol=SMB2
max protocol=SMB3

server signing=mandatory makes the NAS refuse unsigned SMB sessions, which is the standard defence against SMB relay and tampering on the LAN; min protocol=SMB2 disables the obsolete SMB1 dialect altogether. DSM may regenerate smb.conf when SMB settings are changed in Control Panel, so check the file again after such changes; DSM 6 also exposes the minimum and maximum SMB protocol under Control Panel, File Services, SMB, Advanced Settings.

The SMB connection from macOS is checked with the following commands in a terminal session.

Check whether there is an SMB connection (smbfs):

mount

Check which SMB version is being used (SMB_VERSION):

smbutil statshares -a
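The smb.conf check from the SMB section above, as an added example that is not part of the original notes or of Synology's tooling: it reads the [global] section only (a per-share section setting the same key is ignored, as Samba itself would for these keys) and reports which of the four settings are missing or weaker than wanted. The configuration text is constructed; on the NAS pass "$(cat /etc/samba/smb.conf)".

```sh
#!/bin/sh
# Added example, not from the page: verify the [global] section of an smb.conf
# carries the signing and protocol settings above. The sample text is
# constructed; on the NAS pass "$(cat /etc/samba/smb.conf)" instead.

SAMPLE_SMB_CONF='[global]
    workgroup = WORKGROUP
    server signing = mandatory
    min protocol = SMB2

[homes]
    browseable = no
    server signing = auto'

# smb_global_value CONF KEY: the value of KEY inside [global] only. Keys are
# compared case-insensitively with surrounding whitespace removed, so both
# "min protocol = SMB2" and "min protocol=SMB2" match. A section header
# switches the in_global flag; comments (# or ;) are skipped.
smb_global_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) print v
        }'
}

# smb_audit CONF: one line per missing or weak setting; returns their count.
smb_audit() {
    n=0
    for pair in "server signing:mandatory" "client signing:mandatory" \
                "min protocol:SMB2" "max protocol:SMB3"; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(smb_global_value "$1" "$key" | tr 'A-Z' 'a-z')
        want_lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        [ "$got" = "$want_lc" ] ||
            { echo "$key = '${got:-unset}' (want $want)"; n=$((n+1)); }
    done
    return $n
}
```

A non-zero return from smb_audit after a DSM update or an SMB change in Control Panel means the file was rewritten and the lines have to go back in.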

 
