Difference between revisions of "Synology"

From wiki
Jump to navigation Jump to search
 
(15 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
=Package management=
 +
;/usr/syno/bin/synopkg list
 +
:List all packages
 +
 +
;/usr/syno/bin/synopkg restart MariaDB10
 +
:Restart a package
 +
 +
=Services management=
 +
 +
==For DMS7==
 +
;/usr/bin/nginx -s reload
 +
:Reload the nginx configuration
 +
 +
==For DSM6 and older==
 +
;/usr/syno/sbin/synoservice --status
 +
:List al services and their status
 +
;/usr/syno/sbin/synoservice --restart <service>
 +
:Restart a service
 +
 +
;nohup synoservicectl --restart sshd  &
 +
:Restart ssh deamon (in background as you will be thrown out).
 +
 
=Hardening=
 
=Hardening=
  
Line 15: Line 37:
 
* Disabled admin account
 
* Disabled admin account
  
 +
==2FA==
 +
To reset 2FA for a user:
 +
# login to the shell as admin
 +
# cd /usr/syno/etc/preference/<username>
 +
# rm google_authenticator
  
 
=Autoblock=
 
=Autoblock=
Line 21: Line 48:
 
<syntaxhighlight lang=bash>
 
<syntaxhighlight lang=bash>
 
sqlite3 /etc/synoautoblock.db
 
sqlite3 /etc/synoautoblock.db
.header on
+
sqlite> .header on
select * from AutoBlockIP;
 
 
sqlite> select * from AutoBlockIP;
 
sqlite> select * from AutoBlockIP;
 
sqlite> delete from AutoBlockIP where IP = “xxx.xxx.xxx.xxx”;
 
sqlite> delete from AutoBlockIP where IP = “xxx.xxx.xxx.xxx”;
.exit
+
sqlite> .exit
 
</syntaxhighlight>
 
</syntaxhighlight>
 
On DSM 6 the record looks like:<br>
 
On DSM 6 the record looks like:<br>
 
<code> IP | RecordTime | ExpireTime | Deny | IPStd | Type | Meta </code><br>
 
<code> IP | RecordTime | ExpireTime | Deny | IPStd | Type | Meta </code><br>
<code> <ip>| <epoch>  |0=never    |0=deny|<IPv6> |  0  |      </code>
+
<code> <ip>| <[https://www.epochconverter.com/ epoch]>  |0=never    |0=deny|<IPv6> |  0  |      </code>
  
 
=Syslog=
 
=Syslog=
Line 43: Line 69:
 
echo "select msg from logs where host = '<hostname>' and prog = '<program>' and ldate = '<YYYY-mm-dd>' and ltime = '<HH:MM:SS>';" | sqlite3 <DBfile>
 
echo "select msg from logs where host = '<hostname>' and prog = '<program>' and ldate = '<YYYY-mm-dd>' and ltime = '<HH:MM:SS>';" | sqlite3 <DBfile>
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
 +
=Mount remote filesisystem=
 +
Mounting things the unix way works as expected. Modifying /etc/fstab works only until the next system reboot.
 +
 +
The synology way is:
 +
In File Station; Tools - Mount Remote Folder - NFS Shared Folder 
 +
 +
=Locations=
 +
;mysql/mariadb command line interface
 +
:/volume1/@appstore/MariaDB10/usr/local/mariadb10/bin/mysql
 +
 +
;Maria10db configuration files
 +
:/usr/local/mariadb10/etc/mysql/my.cnf  (customizations)
 +
:/var/packages/MariaDB10/etc/my.cnf (synology)
 +
 +
;PHP configuration file for command line invocation
 +
:/usr/local/etc/php74/cli

Latest revision as of 00:05, 23 January 2023

Package management

/usr/syno/bin/synopkg list
List all packages
/usr/syno/bin/synopkg restart MariaDB10
Restart a package

Services management

For DMS7

/usr/bin/nginx -s reload
Reload the nginx configuration

For DSM6 and older

/usr/syno/sbin/synoservice --status
List al services and their status
/usr/syno/sbin/synoservice --restart <service>
Restart a service
nohup synoservicectl --restart sshd &
Restart ssh deamon (in background as you will be thrown out).

Hardening

The certificates are stored in /usr/syno/etc/certificate/_archive. The INFO file defines what applications the certificates are used for. The certificates are in subdirectories with a yet unknown naming convention.


This page has some good hardening tips.

Some of the things I did:

  • 2 factor authentication on the web interface
  • Moved ssh to a high port on my router (NAT xxxx -> synology:22) (and disabled from the internet when not needed)
  • Disable HTTP access
  • Installed another webserver as frontend as I doubt synology publishes all security updates in time.
  • Set home directory protection from 755 to 700
  • Disabled admin account

2FA

To reset 2FA for a user:

  1. login to the shell as admin
  2. cd /usr/syno/etc/preference/<username>
  3. rm google_authenticator

Autoblock

The autoblock feature blocks access from IPaddreses from which too many failed login attempt are done. If the GUI is not available the blocked IPs can be managed from sqlite3 

sqlite3 /etc/synoautoblock.db
sqlite> .header on
sqlite> select * from AutoBlockIP;
sqlite> delete from AutoBlockIP where IP = “xxx.xxx.xxx.xxx”;
sqlite> .exit

On DSM 6 the record looks like:
IP | RecordTime | ExpireTime | Deny | IPStd | Type | Meta
<ip>| <epoch> |0=never |0=deny|<IPv6> | 0 |

Syslog

The syslog databases are in the location you specified for archiving (<path>/<system>/SYNOSYSLOGDB_<system>.DB, use sqlite3 to query it.

The records look like:
id | host | ip | fac | prio | llevel | tag | utcsec | r_utcsec | tzoffset | ldate | ltime | prog | msg 

select msg from logs where host = '<hostname>' and prog = '<program>' and ldate = '<YYYY-mm-dd>' and ltime = '<HH:MM:SS>';

echo "select msg from logs where host = '<hostname>' and prog = '<program>' and ldate = '<YYYY-mm-dd>' and ltime = '<HH:MM:SS>';" | sqlite3 <DBfile>

Mount remote filesisystem

Mounting things the unix way works as expected. Modifying /etc/fstab works only until the next system reboot.

The synology way is: 

In File Station; Tools - Mount Remote Folder - NFS Shared Folder

Locations

mysql/mariadb command line interface
/volume1/@appstore/MariaDB10/usr/local/mariadb10/bin/mysql
Maria10db configuration files
/usr/local/mariadb10/etc/mysql/my.cnf (customizations)
/var/packages/MariaDB10/etc/my.cnf (synology)
PHP configuration file for command line invocation
/usr/local/etc/php74/cli
Retrieved from "https://wiki.antiperfect.org/index.php?title=Synology&oldid=1368"