SSL – Check your cypher suites and SSL rating

For any website running SSL and HTTPS with a security certificate you can check your public facing rating by using a handy tool from Qualys.

Check HTTPS Website rating

this domain is currently A rated, yay!!!

I have achieved this by making sure I am using more secure and strong cipher suites with the server that is running the site (disabling the less secure cipher suites on the server).  I have also disabled all protocols on my server other than TLS 1.2 (SSL3, TLS 1.x etc is not secure at all!!)

Using only TLS1.2 mitigates a few attacks like POODLE, Zombie and GOLDENDOODLE.

This makes the SSL much more compliant and secure. All website owners should check what cipher suites and protocols are enabled on their servers and get them changed for better security all round.

ssl rating 800x444 - SSL - Check your cypher suites and SSL rating

 

 

Adding Security Headers to a WordPress Blog

After reviewing the default wordpress headers that are sent in a browser they are not secure enough for my liking.

To modify wordpress that you host yourself, served by an apache web server, logon to your server and navigate to the .htaccess file in your wordpress directory. If you cant see one (they are hidden files), maker sure to enable view hidden files in WINSCP or whatever software your using for the file system of your server. I also force my site from http to https for good measure (but make sure that you can already access your site on https before doing this lol)

add the following lines into your .htaccess file at the end –

———————————————————————————————–

#ADD SECURITY HEADERS TO ALL PAGES

Header always append X-Frame-Options SAMEORIGIN

Header set X-XSS-Protection “1; mode=block”

Header set X-Content-Type-Options nosniff

Header set Strict-Transport-Security “max-age=10886400; includeSubDomains; preload”

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

———————————————————————————————–

Now you can check how secure your blog is now, by visiting this website to check it – Security Headers Checker and enter your public facing website url.

As you can see from the below image, guypearce.co.uk is now A rated and much more secure. Have fun securing your own wordpress blog (or any other website running on Apache for that matter, all websites should have these options as a matter of course!!!!)

securityheaders 790x800 - Adding Security Headers to a Wordpress Blog

If you notice in the image above, you will see there are two other security headers also – Content-Security-Policy and Feature-Policy.

Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

Feature Policy is a new header that allows a site to control which features and APIs can be used in the browser.

You can also add those policies in the same manner as the code I shared above for your .htaccess file. This would make your site have even better security policies coming from its pages.

Have fun with security.

Slow data transfer speeds on a synology NAS

Transferring files to and from my synology NAS over SMB protocol seemed very slow to me on the shares I have.

After a little bit of investigation I found that the SMB settings by default are only using SMB2 and not SMB3!!!!

Boom, now transfer speeds are super fast between PC and Synology NAS, yay!!

SMB3 Tranfer Speed - Slow data transfer speeds on a synology NAS

Instructions to change the advanced settings here =

Login to the Synology NAS and click on Control Panel:

nas control panel - Slow data transfer speeds on a synology NAS

Click the enable SMB service checkbox then head into advanced settings –

nas smb1 800x312 - Slow data transfer speeds on a synology NAS

In advanced settings, set the maximum SMB protocol to SMB3, the minimum to SMB 2, and I disabled transport encryption mode as I am running in my home network only for SMB (you can set this to either dependant on your situation). I also enabled opportunistic locking.

nas smb2 - Slow data transfer speeds on a synology NAS

After using these settings it took my file transfres from around 7 MB/s to around 100 MB/s – nice…. :O)

Accessing Synology NAS with SSH: Windows

To access the synology NAS using a tool such as Winscp on Windows and to access ALL files on the NAS (root access), we normally need to use sudo in Linux. There is no way to add this command fully to winsc to allow this to happen – or is there?

As it happens there is and after these instructions you can then connect and manage your synology NAS via SSH and WinSCP to manage the files, yay.

Instructions here –

WinSCP (GUI) for DSM6 * and higher:

Note: Config File Editor only works if you are logged in as user admin. 

1 – Download ConfigFileEditor-noarch-14 and unzip it.
2 – Install it manually in Package Center. 
3 – Start Config File Editor and choose the file “Config File Editor”: 

index.php?action=dlattach;ts=1477342656;topic=21215 - Accessing Synology NAS with SSH: Windows

4 – At the end of that file, add:

/etc/sudoers,sudoersand Save: 

index.php?action=dlattach;ts=1477342657;topic=21215 - Accessing Synology NAS with SSH: Windows

5 – Exit Config File Editor. 
6 – Put the Config File Editor package in Package Center and restart. 
7 – Open Config File Editor again and choose the file sudoers. 
8 – Add:

admin ALL = NOPASSWD: ALL

Save and close Config File Editor (only then will the file be saved). 

8.1 User admin (above) can / may also be another user with administrator rights. 

index.php?action=dlattach;ts=1477342657;topic=21215 - Accessing Synology NAS with SSH: Windows

9 – Download: http://winscp.net/eng/download.php
10 – Install WinSCP 
11 – Make sure SSH Service is on in DSM: Control Panel> Terminal. 
12 – Start WinSCP click on new 
13 – File protocol: SCP 
14 – Target computer address: <NAS-IP> 
15 – Port number: 22 
16 – Username: as specified in point 8 
17 – Root only: Advanced -> SCP / Shell and type in: sudo -i 
17.1 – Not root: Advanced -> SCP / Shell and type in: / bin / sh 
18 – Save
19 – Log in with Password of the relevant user, see point 8 / 8.1. 

NOTE (only for root): There is a high chance that you will have to repeat the above Config File Editor section after a DSM6 * update or upgrade. 

WinSCP also has PuTTY (Linux knowledge required) built in, if you also have PuTTY installed: 

index.php?action=dlattach;ts=1416066714;topic=21215 - Accessing Synology NAS with SSH: Windows

DSM6 and higher: If you only want PuTTY (CLI: Linux / DSM knowledge required):
1 – Ensure that SSH-Service is switched on in DSM: Control Panel> Terminal. 
2 – Download putty.exe 
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
3 – Start putty.exe 
4 – Enter your NAS’s IP address 
5 – Make sure SSH clicked is 
6 – Save …. enter a name in “Saved Sessions” 
7 – Click on Open 
8 – You get Putty screen with “login as:” 
9 – Enter: admin <enter> (PS:
10 – password: <admin password> <enter> 
11 – to become root, give the following command: sudo -i 
12 – password: same password as in 10. 

 

Enjoy managing your synology NAS via SSH unrestricted!!

OpenVPN and better security with a Synology NAS

I originally found this on a Netherlands forum and translated it. I wanted VPN on a Synology NAS to be much more secure so followed this great guide and it works great!!

Credit to = https://www.synology-forum.nl/vpn-server/beter-beveiligde-openvpn/

Translated here =

The main reason for writing this manual was that Synology does not make the OpenVPN Server package as secure as possible. It is namely sensitive to a M an I n T he M iddle attack because there is no verification of certificates from both the Server and the Client (s).
Authorization therefore only takes place by username / password. To counteract the MITM risk, I have changed a number of things in the OpenVPN Server package. However, the change does not only concern the MITM attack.It is written in a “click this click that” way to keep following the steps as simple as possible. It is not very difficult to implement, but you have to sit down for it. It describes the steps to build a VPN tunnel from an Android phone, but it also works with other clients such as Windows, Apple, Linux, etc.

It works in such a way that a relatively secure connection is created.
At least 90% comes from the OpenVPN documentation and the OpenVPN manual 2.3 .

The OpenVPN Server (Package VPN Server) has a “hidden” option to use its own configuration, which is used in this manual. This option is not officially supported by Synology.
This also ensures that the configuration is not overwritten by an update or restart. From DSM 5.0 to the present I can say that it hasn’t happened to me yet. Nevertheless it may happen that we do, we do not know what changes Synology will make with future updates.
The own configuration option means that you can no longer make any settings in the OpenVPN Server screen and at the bottom you get the message in blue: OpenVPN configuration is adjusted The adjustment is arranged in such a way that the certificates generated in this manual are only for OpenVPN being used. Purchased / free / Let`s encrypt / etc. SSL certificates that are imported into DSM will continue to function even if they have already been imported.
index.php?action=dlattach;topic=21402 - OpenVPN and better security with a Synology NAS

In short, OpenVPN is separated from the rest of the system in this regard, as it should be.

After performing the steps, the VPN connection to the NAS, the devices in the network where the NAS / VPN Server is located, can be accessed via their IP.

Tested:
Every DS model.

DSM 5 and higher.

Clients:
Android 4 to 9
Android 6 The energy saving function may need to be switched off for the VPN App, see here and here . This is an Android issue and is separate from this manual.

Quote

Samsung 6.x VPN is reported not to work unless the VPN app is excempted from Powersave features

OpenVPN Connect for Android up to and including version 3.0.5
OpenVPN for Android (Arne Schwabe) up to and including version 0.7.8 (recommended on Android 5.1 and higher)

Any DS model.

Windows 7 to 10
OpenVPN client for Windows :
Windows installer (NSIS, from Vista) – openvpn-install-2.4.7-I607.exe
Windows XP is no longer supported.

pfSense (FreeBSD) 2.2 and higher
Debian 8.7 jessie and higher
Ubuntu 14.04 LTS and higher
Linux Mint 18 and higher
MX Linux 18 and higher
System76 Pop! _OS 18.04
Puppy Linux (XenialPup and higher (UbuntuLTS16.04))
OpenATV 5.1 and higher
OpenPLi 5 and higher

The goal is:
User / Password – Standard
Client identification by certificate (server identifying client) – Non-standard
Server identification by certificate (client identifying server) – Non-standard
Diffie Hellman Perfect Forward Secrecy with 4096 bits encryption – Standard 1024/3072 bits, version dependent
Stronger encryption
tls-auth – Non-standard – Offers protection against DoS attacks, UDP port flooding / scanning and more

Added value:
Own root Certificate Authority exclusively for OpenVPN
Client identification through certificate
Server identification through certificate
DH Perfect Forward Secrecy 4096 bits
Stronger encryption for control and data channel
tls-auth (also called HMAC firewall)

What do we need:
Windows machine with XCA on it, download is here . Also available for Linux and MAC.
VPN Server to be found in the Package Center
WinSCP 
PuTTY 
How to use WinSCP and PuTTY
Android phone
Official client App OpenVPN Connect

Step 1

cert, key and DH files

We start by generating the certificates, key`s and the Diffie Hellman file.
We will do this with XCA.

With XCA we can set up a CA (Certificate Authority), generate and sign Server and client certificates / keys.
The certificates with associated private keys are stored in a database and then we export them for use on the server and client (s).

To save the files that we are going to create, we will create a folder named Database.

1. Create a
database.

Start XCA and click on File -> New DataBase.
Save the database with the name OpenVPN and enter a password.
We also need this password to be able to open the database again later if we still need it.

* Edit:
Templates added. First
download the XCA templates for this manual.
Then import it on the Templates tab in XCA before following the following steps.
*

What if we want to generate more certificates for the benefit of multiple clients?
For that we will have to repeat the steps to generate and export client certificates and client keys.
These are steps 4. 8. 9.
For each client, enter the exact username that he / she has in DSM, in the commonName and Internal name fields , commonName is a requirementInternal name is for recognisability.
Each of the clients must also be a user in DSM and must have the rights to use VPN, you set this in the VPN Server under Rights.

2.
Generate CA.

Click on the Certificates -> New Certificate tab.
On the Source tab we select:
Create a self signed certificate with the serial 1
Signature algorithm SHA 256
CA
Click Apply all.

On the Subject tab, we enter CA for Internal name and commonName.
Click Generate a new key.
The following screen: CA, RSA, 4096 bit and click Create.

On the Extensions tab we set the Time range to 10 Years and click Apply.

On the Key usage tab we select on the left:
Digital Signature
Key Encipherment
Data Encipherment
Key Agreement
Certificate Sign
CRL Sign
On the right we do not select anything.

On the Netscape tab, we only remove the comment and click on Ok.

Now we have generated a CA with which we can sign the server and client (s) certificates.
This CA now appears under the Certificates tab.

3.
Generate server certificate.

On the Certificates -> New certificate tab.
On the Source tab we select:
Use this Certificate for signing CA
Signature algorithm SHA 256
SERVERCERT
Click Apply all.

On the Subject tab, we fill in Internal name and commonName Server.
Click Generate a new key.
The following screen: Server, RSA, 4096 bit and click Create.

On the Extensions tab we set the Time range to 5 Years and click Apply.

On the Key usage tab we select on the left:
Digital Signature
Key Encipherment
On the right we only select TLS Web Server Authentication.

On the Netscape tab, we de-select everything and remove the comment and click OK.

Now we have generated a Server certificate that will be placed on the OpenVPN Server.
On the certificates tab, click on the arrow next to the CA so that it appears.

4.
Generate client certificate. (Repeat for multiple clients)

On the Certificates tab -> New certificate.
On the Source tab we select:
Use this Certificate for signing CA
Signature algorithm SHA 256
CLIENTCERT
Click Apply all.

On the Subject tab, we enter the Internal name and the CommonName client. (For multiple clients, enter the username)
Click Generate a new key.
The following screen: username, RSA, 4096 bit and click Create.

On the Extensions tab we set the Time range to 5 Years and click Apply.

On the Key usage tab we select on the left:
Digital Signature
Key Agreement
On the right we only select TLS Web Client Authentication.

On the Netscape tab, we deselect everything and remove the comment and click OK.

Now we have generated a client certificate that will be placed on the OpenVPN client.

5.
Export CA.

On the Certificates tab, select CA and click Export.
Choose the Database folder that we created earlier.
Export Format PEM and click Ok.

6.
Export server certificate.

On the Certificates tab, select Server and click Export.
Choose the Database folder that we created earlier.
Export Format PEM and click Ok.

7.
Export server private key.

On the Private Keys tab, select Server and click Export.
Choose the Database folder that we created earlier.
Export Format PEM and click Ok.

8.
Export client certificate. (Repeat for each client)

On the Certificates tab, select client and click Export.
Choose the Database folder that we created earlier.
Export Format PEM and click Ok.

9.
Export client private key. (Repeat for each client)

On the Private Keys tab select client and click Export.
Choose the Database folder that we created earlier.
Export Format PEM and click Ok.

10.
Generate Diffie Hellman parameters.

Click on Tools -> Generate DH parameter (XCA version older than 1.3.2 under File)
DH parameter bits 4096 and click on Ok.
This will take a while, let it go, have a drink and wait …..
Have a drink …..
…..
….

..
Choose the Database folder that we created earlier and click Ok.

If it went well, we now have in the database directory the following files:

Openvpn.xdb
ca.crt
client.crt (or <username> .crt)
client.pem (or <username> .pem)
dh4096.pem
server.crt
Server.pem
Rename client.pem to client.key (or <username> .key)
Rename Server.pem to Server.key

xca-templates download here.

Step 2

Install and set up the VPN Server.

In the Package Center we find the VPN Server under Utilities.
After it has been installed and started, we will do some settings.

Open Main Menu and click on VPN Server.
In the screen we now see the overview.

Under Rights we now first distribute the rights.

Under PPTP and L2TP we do not give anyone any rights unless you use it too.
Click Apply.

Go to OpenVPN, left in the menu.

In this screen we check:
Enable OpenVPN server Enable
compression on the VPN link
Clients give access to the LAN server

Dynamic IP address: 192.168.160.1
Click Apply.

The rest can stay that way.

Now stop the VPN Server in the Package Center.

******************************************************** ******************************************************** ************

Avoid IP / route conflicts. 
We are dealing with three subnets:
1. The network where the VPN Server / DS is located (local network)
2. The Dynamic IP address of the VPN (tunnel network)
3. The remote network from which you connect to a VPN client (Telephone, Laptop, Tablet, etc.)
These must be separate subnets. 

Because you hardly ever have any influence on the IP address that your client gets from the remote network, it is therefore wise to choose the network where the VPN Server / DS is located as well as Dynamic IP address somewhere in the middle.
For the local network eg: 192.168.150.xxx (instead of the standard subnets that router manufacturers use, see list below )
For the Dynamic IP address, for example: 192.168.160.1
The chance that the remote network from which you connect with the client to the VPN Server / DS, uses the same subnet, becomes smaller.

Useful private subnets are:
Class A: 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
Class B: 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
Class C: 192.168.0.0 – 192.168.255.255 ( 192.168.0.0/16)

The list below are standard subnets that manufacturers use, ie as far as I have been able to find.
You do not want to use it as a local network or Dynamic IP address.

Code: [Select]


10.0.0
10.0.1
10.1.1
10.1.10
10.2.0
10.8.0
10.10.1
10.90.90
10.100.1
10.255.255

169.254 # APIPA #

172.16.0
172.16.16
172.16.42
172.16.68

172.19.3

172.20.10 # IPhone built-in hotspot #

192.168.0
192.168.1
192.168.2
192.168.3
192.168.4
192.168.5
192.168.6
192.168.7
192.168.8
192.168.9
192.168.10
192.168.11
192.168.13
192.168.15
192.168.16
192.168.18
192.168.20
192.168.29
192.168.30
192.168.31
192.168.33
192.168.39
192.168.40
192.168.42 # Android USB tethering #
192.168.43 # Android built-in hotspot #
192.168.50
192.168.55
192.168.61
192.168.62
192.168.65
192.168.77
192.168.80
192.168.85
192.168.88
192.168.98
192.168.99
192.168.100
192.168.101
192.168.102
192.168.111
192.168.123
192.168.126
192.168.129
192.168.137 # Windows Phone built-in hotspot #
192.168.168
192.168.178
192.168.190
192.168.199
192.168.200
192.168.220
192.168.223
192.168.229
192.168.240
192.168.245
192.168.251
192.168.252
192.168.254

200.200.200

 

******************************************************** ******************************************************** ************

In the router, UDP port 1194 must be forwarded to the NAS.
Register on the forum for the router and possibly the firewall because this is specific to everyone.

If you do not yet use “Automatic blocking”, it is now time for that.
Control panel -> Security -> Automatic blocking

Each DS model has a maximum number of VPN users that you will find in the specifications of your model.

Now we leave the VPN Server and go “under the hood”.

Step 3

Adjust the VPN Server.

Now we are going to put the certificates and keys that we created in Step 1 in the right place.
We are also going to make a ta.key that is needed on the server and client for extra protection.

First a summary of what that reads:

/ usr / synonym / etc / packages / VPNCenter / VPNcerts
ca.crt
server.crt
server.key
dh4096.pem
ta.key

/ usr / synonym / etc / packages / VPNCenter / openvpn
Here you will find openvpn.conf.user.

1. WinSCP

Navigate to: / usr / syno / etc / packages / VPNCenter
Create a new folder named:
VPNcerts

Copy the newly created CA.crt, Server.crt, Server.key and dh4096.pem to the folder.
Permissions as follows:
0400 for CA.crt, Server.crt, Server.key
0400 for dh4096.pem We set

permissions in WinSCP with right-mouse-button-> properties on the relevant file.

2. PuTTY (Terminal is also present in WinSCP. See menu Commands -> Open Terminal)

SSH to the NAS and type the following one after the other:

Code: [Select]

cd /usr/syno/etc/packages/VPNCenter/VPNcerts
Depending on the DS model, there may not be an Apparmor present.
To generate the ta.key we must first stop Apparmor:

Code: [Select]

/usr/syno/etc.defaults/rc.sysv/apparmor.sh stop
generate ta.key:

Code: [Select]

openvpn --genkey --secret ta.keyThere is now a ta.key in the VPNcerts folder.
Permissions (with WinSCP) as follows:
0400 for ta.key
The ta.key will also be needed in the OpenVPN Connect App.
Handy if you now copy it to the Database folder with WinSCP.

Restart Apparmor:

Code: [Select]

/usr/syno/etc.defaults/rc.sysv/apparmor.sh start
And finally:

Code: [Select]

exit
3. WinSP

Navigate to / usr / syno / etc / packages / VPNCenter / openvpn

Download the openvpn-server.zip configuration file at the bottom of this post, unpack it and follow the instructions in openvpn.conf.user. You can open / edit the file with a double click in WinSCP.
Place openvpn.conf.user in the above folder with rights 0400.

If everything is done correctly, we are ready on the VPN Server and you can now start it via the Package Center.

If you get a message in VPN Server to check the configuration file, stop the VPN Server.
Use WinSCP to navigate to / var / log and open openvpn.log to see what the message is.

openvpn-server  config files download here.

Step 4

Put your SD card from the phone in the PC and create a folder with the name VPNcerts.
Copy the files that we created in the first step to this folder.
CA.crt, client.crt and client.key. (or CA.crt, username.crt and username.key) Also

copy the ta.key from step 3 here.

Download the openvpn-client.zip configuration file at the bottom of this post, extract it and follow the instructions in openvpn.ovpn You can open / edit the file with a double click in WinSCP.
Place openvpn.ovpn also in the VPNcerts folder and then you put the sd card back in the phone.

Download OpenVPN Connect from OpenVPN in the Play store and install it.
Open the App and import Profile from SD card.
Navigate to the VPNcerts folder on the sd card where we have stored the CA, crt, key, ta and ovpn.
Select the openvpn.ovpn profile and enter your username and password.

The rest of the files are automatically imported with the openvpn.ovpn profile.
This means that if you edit the profile, you will have to import it again.
Once the connection works you can delete the VPNcerts folder for security reasons.

There is also an option to save CA.crt, client.crt, client.key and ta.key in the ovpn profile.
Then you only have to hand over one file to a user.
This option, called “Inline file support” can be found here .

openvpn-client client side templates script download here.
After configuring all of this it all works great and I can connect more securely using OpenVPN on a Synology NAS.

Google SMTP Server – How to Send Emails for Free

Google SMTP Server – How to Send Emails for Free

Google’s Gmail SMTP server is a free SMTP service which anyone who has a Gmail account can use to send emails. You can use it with personal emails, or even with your website if you are sending emails for things such as contact forms, newsletter blasts, or notifications.

To use Gmail’s SMTP server, you will need the following settings for your outgoing emails:

  • Outgoing Mail (SMTP) Server: smtp.gmail.com
  • Use Authentication: Yes
  • Use Secure Connection: Yes (TLS or SSL depending on your mail client/website SMTP plugin)
  • Username: your Gmail account (e.g. user@gmail.com)
  • Password: your Gmail password
  • Port: 465 (SSL required) or 587 (TLS required)

It will still say the emails are from gmail.com and not your own domain name but hey, you can’t have everything for free lol!

Synology Video Station indexing with TMDb and TheTVDB

I was getting bored of updating all my movie collection manually using the Synology NAS Video Station application as when it unfortunately goes to lookup on the internet the information for the movie it pulls by default Synology movie database and their data is rubbish to say the least!

It does have more than one internet lookup database to use but it always defaults to the first one that it connects to when getting the information.

The second internet database it can use is the DB from TheTVDB, which is much more rich in data.

How to make it use this database by default?

Well, I came across a great post by gnax.io on the web.

They are suggesting we log on to the Synology NAS via SSH and on the linux command line to move the config data for the Synology database lookup to “trick it” into using TheTVDB first all the time.

If we move this folder then it does indeed actually work great! Always uses the better TheTVDB database as default!! Yay, no more manually looking up all added movies any longer 🙂

The command line is –

sudo mv /volume1/@appstore/VideoStation/plugins/syno_synovideodb /volume1/@appstore/VideoStation/plugins/temp/syno_synovideodb

Nice, this really works!

But remember that every time the Synology NAS has a firmware update and Video Station gets upgraded, we need to run this command again!!

Have fun :O)