Showing results for tags 'firewall'.




Found 3 results

  1. GeoIP Region Blocking using Synology Firewall

     I noticed internet performance issues today and was checking my router logs. I found excessive logs showing:

         Jun 18 20:55:48 dropbear[5405]: Child connection from <My Synology IP>:40894
         Jun 18 20:55:49 dropbear[5405]: Exit before auth: Exited normally
         Jun 18 20:55:49 dropbear[5411]: Child connection from <My Synology IP>:40896
         Jun 18 20:55:51 dropbear[5411]: Exit before auth: Exited normally

     I searched and found it was related to numerous invalid login attempts to the Synology login page. This led me to log in to the CLI of my Synology and check logs for failed attempts. When checking the logs I found the most concerning log was /var/log/httpd/apache22-error_log:

         2018-06-18T19:28:42-06:00 nas [Mon Jun 18 19:28:42 2018] [error] [client 193.106.30.99] File does not exist: /var/services/web/wp-rdf.php
         2018-06-18T20:11:16-06:00 nas [Mon Jun 18 20:11:16 2018] [error] [client 27.29.158.10] script not found or unable to stat: /var/services/web/login.cgi
         2018-06-18T21:51:26-06:00 nas [Mon Jun 18 21:51:26 2018] [error] [client 172.18.0.2] File does not exist: /var/services/web/apple-touch-icon-precomposed.png
         2018-06-18T21:51:26-06:00 nas [Mon Jun 18 21:51:26 2018] [error] [client 172.18.0.2] File does not exist: /var/services/web/apple-touch-icon.png
         2018-06-18T21:51:26-06:00 nas [Mon Jun 18 21:51:26 2018] [error] [client 172.18.0.2] File does not exist: /var/services/web/apple-touch-icon-precomposed.png

     This led me to consider blocking all geographical regions except my own. Most brute force attempts and vulnerability attacks are from outside of my home country, so this will reduce the attack surface significantly.

     My first attempt at implementing the GeoIP blocking was problematic. I attempted a "deny all" entry after the "allow local network range" and "allow my region" rules, but this ended up blocking all access to the services I had running.

     I thought I'd share how I implemented it for others wanting to reduce the surface area for attacks.

     • Enable firewall
       • Open Control Panel
       • Select Connectivity -> Security
       • Go to Firewall tab
       • Check Enable firewall
     • Add "Allow" Rules for internal network
       • Select Edit Rules for the default Firewall Profile (disregard existing rules in the screenshot; these will be created in the following steps)
       • Create rule to allow your internal/home network
     • Add "Allow" Rules for your country/countries
       • Create rule to allow specific locations
     • Set network interface to deny if rules are not matched
       • Select the network interface that is default to your Synology (mine is LAN 1; you can find your interface under Connectivity -> Network -> Network Interface)
       • ***This was the secret to getting the deny all after the allow rules to work***
       • Set "if no rules were matched: Deny Access"
       • Click OK and Apply

     Test reaching your Synology on your internal network and from external networks in your region. You can also validate if the firewall is blocking by using a Tor browser to send traffic from a different country to see if your firewall rules are working properly.
  2. Hello everyone,

     I have a small problem with the NAT configuration on my Livebox. I had a setup that worked well and I wanted to improve it by giving my Syno a real domain name. I bought the name from OVH, I configured my redirects, everything works, and I no longer need to enter the port number to access my Syno remotely.

     Except that now my Let's Encrypt certificate is about to expire and I can't get it to renew... I think the problem comes from the configuration of my Livebox. Here is how it is configured:

     Livebox NAT/PAT configuration

         Application/service   Internal port   External port   Protocol   Device
         SYNO-HTTP             5000            80              TCP        SYNO
         SYNO-HTTPS            5001            443             TCP        SYNO

     I also have the firewall on my Synology enabled. It is open for the ports tied to the "Web Mail, HTTPS, Reverse Proxy" applications (ports 80 and 443), which are configured to communicate only with French and US IP addresses (1st rule) and only on the public IP address of my box (2nd rule). I wonder whether that might be playing a part in blocking the renewal of my certificate?!

     In fact, my long-term goal is to be able to use the reverse proxy and to use all my applications without having to put the port at the end of the address, but for now, in the short term, it's still about renewing my security certificate 😁

     I don't know whether I've been very clear, or even whether I'm in the right place; in any case, thank you all in advance for any help you can give me.

     Have a good day/evening, everyone 😊

     Vlaneo
  3. Hello, does anybody know how to set up DSM as a firewall/router? Thank you