Setting up https



jcr1
31-08-2011, 12:58 PM
I have a synology server.
I have it set up for remote connections etc., using http and ftp. Works well, but my son thinks I should improve the security with these actions.
I can change to sftp (I think) simply by blocking port 21 and forwarding port 22. Mind you with my Thomson router, it's a bit of a trick, but doable.
Https, has me a bit stumped, I need to obtain ssl certificates etc. How do I do this?

I have an account with Dyndns, which enables me to use a static ip with a dynamic ip; this also works very well, but at a glance they charge bigtime annually for generating the appropriate certificate etc.. I have a feeling this can be done with no cost.

Being able to log on to my server remotely, is very useful. Particularly when I'm away and can upload photos etc.

Any thoughts on any of the above?

Whew! New look to the site :stare:

fred_fish
31-08-2011, 06:52 PM
No idea what a synology server is but ...

SFTP uses your ssh server instead of FTP and is much more secure.
I would recommend using a high port rather than 22 to avoid constant hammering by bots.

What webserver does it run? Apache? Or IIS (shudder)?

HTTPS requires opening port 443 and getting an SSL cert. You can buy one from a CA or generate your own. Self-signed certs generate security warnings in most browsers, but that is due to not being able to verify the signer; the encryption is identical.

somebody
31-08-2011, 08:01 PM
Is this a Synology diskstation?

If so, forwarding port 22 to port 22 on the NAS would be fine - it runs a version of Linux, and as such you can connect to it using SFTP/SCP (and even SSH to it if you want to mess with its internals).

How are you doing the HTTP component of it?

jcr1
31-08-2011, 08:05 PM
Thanks Fred,
basically this is what my Synology server is;

http://www.synology-distribution.de/en/disk-station-ds108j-overview.html

It does run Apache :thumbs:

How do I go about generating my own ssl cert? I don't think I'd be too worried about the security warnings from a self-generated one... maybe.

fred_fish
31-08-2011, 08:19 PM
http://www.debian-administration.org/articles/349

That is the fairly basic procedure, but there may be some hoops to jump through depending on the synology configuration.

Edit: the 'security warning' is bogus; it just means you haven't paid the tax to get into the browsers' "trusted" authority chain. That trust has recently been shown to be dubious, as one (or more) CAs have been compromised; also, the Iranian govt has been reported to be successfully faking Google certs to keep an eye on Gmail users.
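
Added example, not from the thread or the linked article: a POSIX shell script that creates the kind of self-signed certificate fred_fish describes and shows that the browser warning is an unknown-issuer problem, not an encryption problem. It assumes openssl 1.1.1 or later is installed; the hostname nas.example.invalid is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: make a self-signed certificate for the
# NAS's HTTPS port and show where the browser warning really comes from.
# Assumes openssl 1.1.1+; "nas.example.invalid" is a placeholder hostname.

# Generate an RSA key and self-signed certificate for HOST into DIR.
make_self_signed() {
    host="$1"; days="$2"; dir="$3"
    # -nodes: no passphrase on the key, so Apache can start unattended.
    # -addext: browsers match the hostname against subjectAltName, not CN.
    openssl req -x509 -newkey rsa:2048 -sha256 -days "$days" -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null \
    && chmod 600 "$dir/$host.key"      # the private key must stay private
}

# SHA-256 fingerprint of the certificate. Note it while on the LAN and compare
# it with what the browser shows remotely: that, not the warning dialog, is
# what tells you the cert you are accepting is really your own.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Does the certificate name HOST in its subjectAltName extension?
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Against the system trust store the cert fails: unknown issuer. This is
# exactly the browser warning; the TLS encryption itself is unaffected.
trusted_by_default() {
    openssl verify "$1" >/dev/null 2>&1
}

# Once the cert is explicitly trusted (pinned), verification succeeds.
trusted_when_pinned() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: make_self_signed nas.example.invalid 365 /volume1/certs
```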

somebody
31-08-2011, 08:33 PM
http://www.debian-administration.org/articles/349

That is the fairly basic procedure, but there may be some hoops to jump through depending on the synology configuration.

Edit: the 'security warning' is bogus; it just means you haven't paid the tax to get into the browsers' "trusted" authority chain. That trust has recently been shown to be dubious, as one (or more) CAs have been compromised; also, the Iranian govt has been reported to be successfully faking Google certs to keep an eye on Gmail users.

You shouldn't try something like that on the DiskStations - they run a cut down Linux distribution with some code from Synology to give you the nice web UI management console. If you mess with the stuff under the hood too much, you could break things.

jcr1
31-08-2011, 10:04 PM
Is this a Synology diskstation?

If so, forwarding port 22 to port 22 on the NAS would be fine - it runs a version of Linux, and as such you can connect to it using SFTP/SCP (and even SSH to it if you want to mess with its internals).
How are you doing the HTTP component of it?

Thanks somebody.
I'm a bit dubious of mucking around with this machine too much. It does a pretty good job, as it is. I just want to extend its functionality a bit.
Port 22 is what I thought I should use.
I've opened up port 80 for http and port 5000 for remote admin, also port 7000 for the file station; I guess if I used https I would be a lot more secure with all this. Although using a client like Filezilla with SFTP is a compelling option - so good for moving files around.
Another option with the NAS is WebDAV; do you know anything about this?

fred_fish
31-08-2011, 10:46 PM
Thanks somebody.
I'm a bit dubious of mucking around with this machine too much. It does a pretty good job, as it is. I just want to extend its functionality a bit.
Port 22 is what I thought I should use.
I've opened up port 80 for http and port 5000 for remote admin, also port 7000 for the file station; I guess if I used https I would be a lot more secure with all this. Although using a client like Filezilla with SFTP is a compelling option - so good for moving files around.
Another option with the NAS is WebDAV; do you know anything about this?
You are opening these to the world? :stare:

Hope they've fixed these http://www.google.com/search?q=Synology+diskstation+exploit

You would be MUCH more secure forwarding it all through a single ssh connection (on a non-standard port).
...assuming it runs a standard ssh server.

jcr1
31-08-2011, 11:06 PM
You are opening these to the world? :stare:

Not anymore. I got worried about it and just blocked all those ports until I can figure a better method.
I'd have to install an ssh server, which from the tutorials looks kind of complicated.
I'll think about this; I might not even proceed.

fred_fish
31-08-2011, 11:15 PM
http://forum.synology.com/wiki/index.php/Enabling_the_Command_Line_Interface

Get PuTTY

Set the required forwards under SSH - Tunnels

Secure access from anywhere. :D


This may help:
http://pcloadletter.co.uk/2011/02/06/synology-ssh-tunnelling/

somebody
01-09-2011, 07:40 AM
Not anymore. I got worried about it and just blocked all those ports until I can figure a better method.
I'd have to install an ssh server, which from the tutorials looks kind of complicated.
I'll think about this; I might not even proceed.

SSHD is running by default - at least it is on the version we have at the office. Just try connecting to port 22 using PuTTY from within your internal network, and see if you get a login prompt. If so, log in as "root" with the password you specified for the "admin" user in the web interface.

For HTTPS access, there's mention of an SSL version of the FileStation service running on port 5001. Ref: http://forum.synology.com/wiki/index.php/How_to_Access_Data_on_the_Synology_Server_Remotely

jcr1
01-09-2011, 09:40 AM
SSHD is running by default - at least it is on the version we have at the office. Just try connecting to port 22 using PuTTY from within your internal network, and see if you get a login prompt. If so, log in as "root" with the password you specified for the "admin" user in the web interface.

That works with PuTTY. But not when I try to connect with Filezilla. Mind you I've blocked those ports.

jcr1
02-09-2011, 08:33 AM
Hope they've fixed these http://www.google.com/search?q=Synology+diskstation+exploit

Apparently they've been fixed from release DSM3.0-1337. I have 3.2, so that's been a bit of consolation.

nedkelly
02-09-2011, 09:35 AM
So as long as you don't have Slingshot for ISP, SSH should be good.

jcr1
02-09-2011, 12:17 PM
I'm really getting nowhere with setting up https etc.; generating keys and certificates appears complex or costly (as it probably should be).
Port 80 is the normal internet port anyway, so what risk would I run, running my photostation off this?
Port 5000 is admin and it has to be logged into by username and password. I am dubious about forwarding this one to the server.
I wonder if it would be better just to set up a server with a full-fledged Linux server OS, which, with a bit of work, would do what the Synology one does, plus be more easily configurable for what I want (at least I could use nano; I find vi hopeless).

jcr1
03-09-2011, 07:49 AM
I've been trying to get to grips with this, and a common statement on other forums, in reply to others with a similar dilemma, is: "if you don't understand this, you probably shouldn't be doing it".
So maybe I should flag it for now.
Thanks Somebody, Fred_fish and nedkelly for trying to give me some understanding.

jcr1
03-09-2011, 10:52 AM
Just another thought. Creating a virtual server on the Synology disk station and running it with, say, VM Player. Using Debian and following one of the "How to Forge" tutorials. Finding out the way to make it accept persistent changes etc.
Does this sound like an option? It would certainly be more configurable.

fred_fish
03-09-2011, 01:01 PM
Sounds like hard work ...

To clarify, do you just want a secure way for yourself or for other people to connect to your diskstation?

If it's just yourself or to admin the box, an SSH tunnel is what you want. You can have the SSH server running on any machine on your LAN (OpenSSH is also available for Windows); it need not be on the diskstation itself.
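
Added example, not from the thread: what fred_fish's "forward it all through a single ssh connection" looks like from an OpenSSH command line, covering both the PuTTY tunnels post above and this one. It assumes OpenSSH on the client; home.example.invalid and SSH port 2222 are placeholder values.

```shell
#!/bin/sh
# Added example, not from the thread: reach the NAS's admin UI (5000), File
# Station (7000) and web port (80) through one SSH session on a non-standard
# port instead of forwarding those ports from the router. Assumes OpenSSH on
# the client; "home.example.invalid" and port 2222 are placeholder values.

# A forward spec uses OpenSSH's -L form: bindaddr:localport:remotehost:remoteport.
# Accept it only when the local listener binds to loopback. Bound to 0.0.0.0
# or *, the tunnel would re-expose the NAS to everyone on the laptop's network
# (a hotel or cafe, say), which defeats the point of the tunnel.
forward_is_safe() {
    spec="$1"
    case "$spec" in
        *:*:*:*:*) return 1 ;;          # too many fields
        *:*:*:*) ;;                     # exactly four fields
        *) return 1 ;;                  # bind address omitted or malformed
    esac
    bind="${spec%%:*}";  rest="${spec#*:}"
    lport="${rest%%:*}"; rest="${rest#*:}"
    rhost="${rest%%:*}"; rport="${rest#*:}"
    case "$bind" in
        127.0.0.1|localhost) ;;
        *) return 1 ;;
    esac
    [ -n "$rhost" ] || return 1
    for p in "$lport" "$rport"; do
        case "$p" in ""|*[!0-9]*) return 1 ;; esac
    done
    return 0
}

# Assemble the client command. -N opens no remote shell, only the forwards;
# -p is the non-standard SSH port the router forwards to the NAS.
tunnel_cmd() {
    host="$1"; sshport="$2"; shift 2
    cmd="ssh -N -p $sshport"
    for spec in "$@"; do
        forward_is_safe "$spec" || return 1
        cmd="$cmd -L $spec"
    done
    printf '%s\n' "$cmd $host"
}

# Usage: with the tunnel up, browse to http://127.0.0.1:5000/ for the admin UI.
# tunnel_cmd home.example.invalid 2222 \
#     127.0.0.1:5000:127.0.0.1:5000 127.0.0.1:7000:127.0.0.1:7000 127.0.0.1:8080:127.0.0.1:80
```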