Difference between revisions of "Synology"

From wiki
Jump to: navigation, search
(Syslog)
 
(One intermediate revision by the same user not shown)
Line 18: Line 18:
 
=Autoblock=
 
=Autoblock=
 
The autoblock feature blocks access from IPaddreses from which too many failed login attempt are done.
 
The autoblock feature blocks access from IPaddreses from which too many failed login attempt are done.
If the GUI is not available the blocked IPs can be managed from sqllite3
+
If the GUI is not available the blocked IPs can be managed from sqlite3
 
<syntaxhighlight lang=bash>
 
<syntaxhighlight lang=bash>
 
sqlite3 /etc/synoautoblock.db
 
sqlite3 /etc/synoautoblock.db
Line 24: Line 24:
 
select * from AutoBlockIP;
 
select * from AutoBlockIP;
 
sqlite> select * from AutoBlockIP;
 
sqlite> select * from AutoBlockIP;
 
IP|RecordTime|ExpireTime|Deny|IPStd
 
<ip>|<epoch>|<0=never>|<[01]>|<IPv6>
 
 
 
sqlite> delete from AutoBlockIP where IP = “xxx.xxx.xxx.xxx”;
 
sqlite> delete from AutoBlockIP where IP = “xxx.xxx.xxx.xxx”;
 
.exit
 
.exit
 
</syntaxhighlight>
 
</syntaxhighlight>
 
On DSM 6 the record looks like:<br>
 
On DSM 6 the record looks like:<br>
<code> IP | RecordTime | ExpireTime | Deny | IPStd | Type | Meta </code>
+
<code> IP | RecordTime | ExpireTime | Deny | IPStd | Type | Meta </code><br>
 +
<code> <ip>| <epoch>  |0=never    |0=deny|<IPv6> |  0  |      </code>
  
 
=Syslog=
 
=Syslog=
The syslog databases are in the location you specified for archiving. Use sqlite3 to query it.
+
The syslog databases are in the location you specified for archiving (<path>/<system>/SYNOSYSLOGDB_<system>.DB, use [[SQL#SQlite|sqlite3]] to query it.
  
 
The records look like:<br>
 
The records look like:<br>
Line 42: Line 39:
 
<syntaxhighlight lang=sql>
 
<syntaxhighlight lang=sql>
 
select msg from logs where host = '<hostname>' and prog = '<program>' and ldate = '<YYYY-mm-dd>' and ltime = '<HH:MM:SS>';
 
select msg from logs where host = '<hostname>' and prog = '<program>' and ldate = '<YYYY-mm-dd>' and ltime = '<HH:MM:SS>';
 +
</syntaxhighlight>
 +
<syntaxhighlight lang=bash>
 +
echo "select msg from logs where host = '<hostname>' and prog = '<program>' and ldate = '<YYYY-mm-dd>' and ltime = '<HH:MM:SS>';" | sqlite3 <DBfile>
 
</syntaxhighlight>
 
</syntaxhighlight>

Latest revision as of 22:19, 17 July 2019

Hardening

The certificates are stored in /usr/syno/etc/certificate/_archive. The INFO file defines what applications the certificates are used for. The certificates are in subdirectories with a yet unknown naming convention.


This page has some good hardening tips.

Some of the things I did:

  • 2 factor authentication on the web interface
  • Moved ssh to a high port on my router (NAT xxxx -> synology:22) (and disabled from the internet when not needed)
  • Disable HTTP access
  • Installed another webserver as frontend as I doubt synology publishes all security updates in time.
  • Set home directory protection from 755 to 700
  • Disabled admin account


Autoblock

The autoblock feature blocks access from IPaddreses from which too many failed login attempt are done. If the GUI is not available the blocked IPs can be managed from sqlite3

sqlite3 /etc/synoautoblock.db
.header on
select * from AutoBlockIP;
sqlite> select * from AutoBlockIP;
sqlite> delete from AutoBlockIP where IP = “xxx.xxx.xxx.xxx”;
.exit

On DSM 6 the record looks like:
IP | RecordTime | ExpireTime | Deny | IPStd | Type | Meta
<ip>| <epoch> |0=never |0=deny|<IPv6> | 0 |

Syslog

The syslog databases are in the location you specified for archiving (<path>/<system>/SYNOSYSLOGDB_<system>.DB, use sqlite3 to query it.

The records look like:
id | host | ip | fac | prio | llevel | tag | utcsec | r_utcsec | tzoffset | ldate | ltime | prog | msg

SELECT msg FROM logs WHERE host = '<hostname>' AND prog = '<program>' AND ldate = '<YYYY-mm-dd>' AND ltime = '<HH:MM:SS>';
echo "select msg from logs where host = '<hostname>' and prog = '<program>' and ldate = '<YYYY-mm-dd>' and ltime = '<HH:MM:SS>';" | sqlite3 <DBfile>