Search the Community

Hi, After changing static ip address, I lost access to dsm, ssh, everything... My server is completely inaccessible. I forgot to temporarily disable the firewall (DSM). The firewall rules are very strict. Is there a way to reset network settings? Adding a comment in grub for it? Otherwise, I'll try forced_junior mode. Otherwise, mount the system partition (TinyCore) and modify the interface file, but I don't have the knowledge: it's 2 bonded ethernet in XOR bond. If I manage to modify the address in an accepted range, I will have access again. @Peter Suh@flyride@pocopico @IG-88? My bootloader is TCRP v9.4.x, dsm 7.1.1u3. No friend & Jun-mode option. Physical acces to the box : OK THANKS

GeoIP Region Blocking using Synology Firewall I noticed internet performance issues today and was checking my router logs, I found excessive logs showing: Jun 18 20:55:48 dropbear[5405]: Child connection from <My Synology IP>:40894 Jun 18 20:55:49 dropbear[5405]: Exit before auth: Exited normally Jun 18 20:55:49 dropbear[5411]: Child connection from <My Synology IP>:40896 Jun 18 20:55:51 dropbear[5411]: Exit before auth: Exited normally I searched and found it was related to numerous invalid login attempts to the synology login page. This lead me to login to the cli of my synology and check logs for failed attempts. When checking the logs I found the most concerning log was /var/log/httpd/apache22-error_log 2018-06-18T19:28:42-06:00 nas [Mon Jun 18 19:28:42 2018] [error] [client 193.106.30.99] File does not exist: /var/services/web/wp-rdf.php 2018-06-18T20:11:16-06:00 nas [Mon Jun 18 20:11:16 2018] [error] [client 27.29.158.10] script not found or unable to stat: /var/services/web/login.cgi 2018-06-18T21:51:26-06:00 nas [Mon Jun 18 21:51:26 2018] [error] [client 172.18.0.2] File does not exist: /var/services/web/apple-touch-icon-precomposed.png 2018-06-18T21:51:26-06:00 nas [Mon Jun 18 21:51:26 2018] [error] [client 172.18.0.2] File does not exist: /var/services/web/apple-touch-icon.png 2018-06-18T21:51:26-06:00 nas [Mon Jun 18 21:51:26 2018] [error] [client 172.18.0.2] File does not exist: /var/services/web/apple-touch-icon-precomposed.png This lead me to consider blocking all geographical regions except my own. Most brute force attempts and vulnerability attacks are outside of my home country, this will reduce the attack surface significantly. My first attempt at implementing the geoip blocking was problematic, I attempted a "deny all" entry after the "allow local network range" and "allow my region" rules, but this ended up blocking all access to the services I had running. I thought I'd share how I implemented it for others wanting to reduce the surface area for attacks. Enable firewall Open Control Panel Select Connectivity -> Security Go to Firewall tab Check Enable firewall Add "Allow" Rules for internal network Select Edit Rules for the default Firewall Profile (Disregard existing rules in screen shot, these will be created in the following steps) Create rule to allow your internal/home network Add "Allow" Rules for your country/countries Create rule to allow specific locations Set network interface to deny if rules are not matched Select the network interface that is default to your synology (mine is LAN 1, you can find your interface under Connectivity -> Network -> Network Interface) ***This was the secret to getting the deny all after the allow rules to work*** Set "if no rules were matched: Deny Access" Click OK and Apply Test reaching your synology on your internal network and from external networks in your region. You can also validate if the firewall is blocking by using a Tor browser to send traffic from a different country to see if your firewall rules are working properly.

Bonjour à tous, voilà, j'ai un petit soucis avec la configuration du NAT sur ma livebox. j'ai fait une installe qui fonctionnait bien et j'ai voulu l'améliorer en apportant un vrai nom de domaine à mon syno. J'ai acheté le nom chez OVH, j'ai configuré mes redirecteurs, tout fonctionne, je n'ai plus besoin de mettre le numéro de port pour accéder à distance sur mon syno. Sauf que maintenant, mon certificat Let's Encrypt arrive à expiration et je n'arrive pas à faire en sorte qu'il se renouvelle... je pense que le soucis vient de la configuration de ma livebox voici comment elle est configurée : configuration NAT/PAT livebox Application/service Port Interne Port Externe Protocole Equipement SYNO-HTTP 5000 80 TCP SYNO SYNO-HTTPS 5001 443 TCP SYNO J'ai le pare-feu de mon synology qui est aussi activé et qui est ouvert pour les ports liés aux applications "Web Mail, HTTPS, Reverse Proxy" (port 80 et 443) qui sont configurés pour communiquer uniquement avec les adresses IP française et celles des USA (1ère règle) et uniquement sur l'adresse IP public de ma box (2ème règle). Je me dis que ça joue peut être sur le blocage du renouvellement de mon certificat ?! En fait, mon objectif à terme c'est de pouvoir utiliser le reverse proxy et de pouvoir utiliser toutes mes applications sans avoir à renseigner le port au bout de l'adresse, mais là, à court terme ça reste le renouvellement de mon certificat de sécurité 😁 Je ne sais pas si j'ai été très clair ou même si je suis au bon endroit, en tout cas je vous remercie à tous d'avance pour l'aide que vous pourrez m'apporter. bonne journée/soirée à vous tous 😊 Vlaneo

Hello, Does anybody know how to setup DSM as a firewall/router? Thank you