Posts tagged with disk station

SSH Into a Synology Disk Station Using Secure Keys

May 30th, 2008

After toying with the idea of getting a static IP address so I can connect to my Disk Station from the internet, I took the plunge and ordered one.
My next thought was securing my Disk Station since I currently log in via SSH using a password and I’d rather only allow logins using a secure key to prevent brute force attacks.
The guide here is distilled from two pages (see below) and works from my Fedora 9 box to my Disk Station.

References:

  1. http://www.synology.com/enu/forum/viewtopic.php?f=36&t=5475
  2. http://fedoranews.org/dowen/sshkeys/

Enable SSH

I won’t cover enabling SSH since there are patches supplied from Synology for this purpose and the process is very simple.
I should mention that it’s a good idea to use the telnet patch to enable telnet so you don’t get locked out if something goes wrong.

Make SSH only accept login using keys

Log in to your box via SSH and edit the file /etc/ssh/sshd_config as shown here so that it accepts keys for login.

#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Also change the following line to prevent passwords being used to log in.

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

While we’re here we’ll also change the default SSH port from 22 to something else to stop most attacks targeted at port 22. Uncomment the Port line at the top of the file and change the port number.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 99

Create the Key Pairs

On your host computer (not the Disk Station) open a terminal and run the following command. Do NOT do this as root.

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bobpeers/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
The key fingerprint is:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX bobpeers@freja

The id_rsa key is your private key and should be kept on the computer you connect from. The id_rsa.pub is the public key that should sit on the server (or servers) that you wish to connect to. If you choose a passphrase you will be prompted for it on login, so if you wish to use automated scripts you should not use a passphrase.

The public key needs to be copied to the Disk Station. Back in the SSH terminal:

# cd /root
mkdir .ssh
touch .ssh/authorized_keys
vi .ssh/authorized_keys

Since scp is not enabled, you cannot just copy the key, so we need to open the id_rsa.pub file on the host, copy the contents and paste them into the file on the Disk Station (in a terminal, paste is ctrl + shift + v).

Edit the file permissions

On the Disk Station we need to secure the authorized_keys file. In the SSH terminal type:

chmod 700 .ssh
chmod 644 .ssh/authorized_keys
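
A check that could be run before the reboot step, added here as an example and not part of the original guide: it confirms that sshd_config carries the settings above and that authorized_keys is intact, since with PasswordAuthentication no a broken key file means no SSH login. The function names are made up for this example, the files built in demo() are constructed samples, and it assumes a POSIX sh with awk and plain ssh-rsa key lines without an options prefix.

```shell
#!/bin/sh
# Added example: pre-reboot check for the key-only setup in this guide.

# First uncommented value of keyword $2 in config file $1 (sshd uses the
# first value it reads for a keyword; keywords are case-insensitive).
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

check_config() {   # $1 = path to sshd_config
    [ "$(sshd_value "$1" PubkeyAuthentication)" != "no" ] ||
        { echo "PubkeyAuthentication is off"; return 1; }
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication is not 'no'"; return 1; }
    # Port may appear more than once; none of the values may be 22.
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    case " $(echo ${ports:-22}) " in
        *" 22 "*) echo "sshd still listens on port 22"; return 1 ;;
    esac
}

check_keys() {     # $1 = home directory of the login user
    for p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "$p is missing"; return 1; }
        case $(ls -ld "$p") in   # chars 6 and 9 = group/other write bit
            ?????w*|????????w*) echo "$p is group/world writable"; return 1 ;;
        esac
    done
    # Every non-comment line must be one whole "ssh-rsa <base64> [comment]"
    # key; a key that wrapped when pasted into vi leaves a stray line.
    awk '/^#/ || NF == 0 { next }
         $1 == "ssh-rsa" && $2 ~ "^AAAAB3NzaC1yc2E[A-Za-z0-9+/]+=*$" { ok++; next }
         { bad++ }
         END { exit !(ok > 0 && bad == 0) }' "$1/.ssh/authorized_keys" ||
        { echo "authorized_keys has no key or a broken line"; return 1; }
}

demo() {           # constructed sample files, not taken from a real device
    d=$(mktemp -d) && mkdir "$d/.ssh" && chmod 700 "$d/.ssh" || return 1
    printf '%s\n' '#RSAAuthentication yes' 'PubkeyAuthentication yes' \
        'PasswordAuthentication no' 'Port 99' > "$d/sshd_config"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedSAMPLE bobpeers@freja' \
        > "$d/.ssh/authorized_keys"
    chmod 644 "$d/.ssh/authorized_keys"
    check_config "$d/sshd_config" && check_keys "$d" && echo "safe to reboot"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

On the device itself the two checks would be called as check_config /etc/ssh/sshd_config and check_keys /root, the paths this guide uses.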

Reboot and login

Reboot the Disk Station (type reboot in the SSH terminal; this will of course kill your session). Next, on the host computer, log in again. If your old login was:

$ ssh root@123.4.5.6

You should now use:

$ ssh root@123.4.5.6 -p 99

Where -p 99 is the port you used for SSH in the sshd_config file. You should now log in to the Disk Station using your passphrase if you chose one; if you used an empty passphrase you will be logged in immediately.

Remotely Shutdown Synology Disk Stations

March 27th, 2008

The normal command I use to shut down a Linux box would be to run something like this as root:

# /sbin/shutdown -h now

If you have Telnet or SSH access to your Disk Station then you will find this command is not available. Instead you should run the command:

# poweroff

Or, to reboot:

# reboot

For a full list of the commands, see the Basic Commands Synology Wiki page.

My Synology Disk Station

March 25th, 2008

I bought a Synology DS-106e last year and I’ve been very impressed by the device. It’s certainly not the cheapest NAS device on the market but in my opinion it’s well worth the money considering its performance and features. I installed a 320GB Seagate Barracuda 7200.10 hard drive in mine since I’m mainly backing up data files and don’t use large multimedia files.

The performance is great but the best part is the support provided by Synology. Even though my Disk Station is last year’s model they continue to release firmware upgrades that can be applied to any model.

For example they recently released a new management interface that supports, amongst other things, SSL/TLS over FTP and HTTPS web connections. On top of that there’s a patch available on their support page that enables SSH or Telnet connections into the Disk Station.

I’ve just been testing the SSH support this evening, backing up some data using rsync over SSH and also connecting directly over SSH to tidy up some files, and it works like a dream.

Synology seems to be one company that, unlike many others, allows advanced users open access to the product instead of locking down the system. Even though my server only has 32MB of RAM it essentially means that I have my own Linux box at a cut down price with none of the hassle of making my own server.

On top of that it uses very little power and is almost silent in use, just a slight hum from the hard drive. In the future I’ll definitely consider upgrading to a two disk device that supports RAID1 for extra security.