Channel: Network Antics

NetworkAntics provides Synology IT support in San Diego


NetworkAntics provides Synology IT support in San Diego. Our consultants can configure the basics or advise on more advanced configurations. Here’s a quick guide to get you started, or contact us for on-site technical support today!

 

Discovering your Diskstation on the Network

Go to http://find.synology.com for discovering the device and initiating setup. Defaults include:

  • Create an administrator account that is not “admin”, and possibly a second administrator account as a backup. IMPORTANT: Disable “admin” for security purposes
  • No shared folders exist on the volume after setup unless default packages are installed

Required Packages for Media and Syncing

  • Video Station – Installs a “video” share folder containing home video, TV shows, and movies.  *Create a service account called “media” if you plan to install this.  The service account will be used for network devices that connect to the Synology.
  • Cloud Station – Creates file and folder sync. It requires that you enable the “user home folder” service

Creating Users

  • Add two administrator accounts as a CYA measure and disable the default admin.
  • When adding users, do not assign them to groups, shared folders, or applications unless those are already set up.
    Notes for later:
  • Assign share folder permissions to “homes” with “read-only” permissions
  • Drop “everyone” from folder permissions of user’s “homes” folder

***The admin account has a strong possibility of getting hacked as you enable more remote services. Please limit your remote services and create additional admin accounts as a backup way in. Two-factor authentication will also help secure each account but reduces ease of use for the end users.

Groups

  • Groups are not assigned to shared folders upon initial setup because shares should not be present.  Same goes for Applications.
  • Once groups are set, add new users and place them in the corresponding groups.  Administrators will need permissions to access Group folders.
  • Go back to “users” to add to the correct “groups”

 

Folders

Enable user homes service to create a personal home folder for each user, except for guest. All users can access their own home folder via CIFS, AFP, FTP, or File Station.

Users belonging to the administrators group can access all personal folders located in the homes default shared folder. The name of each home folder is the same as the user account.

To enable the user home service:

  1. Check Enable user home service.
    *Users, Advanced tab… 2-step verification is located there too.  It’s great security but an annoying and sometimes unreliable login process.
  2. If there are multiple volumes, select where you want the homes folder to be stored.
  3. Click Apply.

Additional Folder created:

  • Homes – Personal user home folder
  • Home – It’s a link to the user homes folder. Do not give readable permissions for users to “homes”

*The User Home feature automatically creates a “home” folder for every user account (except “guest”), which not only provides each user with a private space to store data that is only accessible by the user and DSM administrators, but also eliminates the time and effort spent repeatedly creating “home” folders for all accounts.  More folders are created under each user name as more services are installed that require personal access.

A Documents folder is added for Windows folder redirection.  This works well in a desktop environment but can be a mess in a laptop environment.  Microsoft Folder Sync in a workgroup environment does not help the remote cause; it simply adds more frustration.
 

Remote Accessibility and The Most Secure Options

There are several options to connect remotely:

1) https://ip:5001
2) https://custom_DSM_name.synology.me
3) https://QuickConnectID
4) https://custom_DSM_name.your_domain_name.com

Option 3 is the easiest but does not secure your data.  Option 4 is the most secure, with the most intuitive naming convention, if you purchase the third-party SSL certificate described under Remote Access Security.  Option 2 is the free and relatively secure option.  The web browser still prompts you with that scary “this server is not secure” message, but otherwise you are good to go.  The warning means no third party has confirmed that this is indeed the server you should be talking to and not some man-in-the-middle attack.

  • Enable services like DynDNS or Synology.me in control panel, external access, DDNS.
  • DSM – Disk Station Manager – Allows users to remote in on their desktops from a remote location.
  • QuickConnect:

Register a QuickConnect ID. QuickConnect is an essential service for avoiding poking holes in the firewall.

***Please Note*** QuickConnect is not encrypted. Sensitive data could be exposed.

Enabling QuickConnect activates the following services:

Cloud Station

  • Privileges – Service account enabled. Designate one user account for Cloud Station purposes.
    *Change to read/write for the service account
  • Folders – Share and sync specific folders (see picture below) to be shared amongst Synology devices

Note: The Cloud Station app runs poorly on the PC. Files on the DiskStation are located at /homes/username1/cloudstation

 


 

Share and Drive Mappings

Create shares, not NFS files and folders, unless NFS is necessary.

  • Share data or contents shouldn’t be revealed at \\diskstation unless the user is authenticated
  • The user home folder appears under \\diskstation\home (Windows) when authenticated as that user; it is a link to the path /homes/user_names on the Synology
  • \\DISKSTATION\home

- Remove stored credentials in Windows Credential Manager

- From the command line, check net view

- From the command line, check net use. Run net use * /delete to remove legacy network connections

  • Map the drive after all old network connections have been removed, logging in as Diskstation_name\user_name

Backup Options  ***Complete command line instructions and http authorization

Crashplan and Synology Backup – Not recommended

Option 1

iDrive Backup – Synology iDrive App

If you have logged in to the system as a user other than Admin, you could face this issue. Open the /etc/passwd file in vi, change /sbin/nologin to /bin/sh on the line corresponding to your username, and then refresh the application in the browser.

Key Points:

  • Enable the admin account for a moment while using root access.   SSH and the admin account should be disabled after making command line adjustments
  • You should be a part of the http user group and ensure the read/write permission is enabled on the web folder.
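
The passwd edit above leaves an extra account with a login shell, so it is worth listing which accounts can log in once the command line work is done. The script below is an added example, not part of the original post; the function names, the allow-list and the sample passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: which accounts in a passwd-format file can get a shell?
# Function names are illustrative; the sample entries are constructed.

# login_accounts FILE -> "name uid shell" for each login-capable entry.
# An empty shell field is reported too: login then falls back to /bin/sh.
login_accounts() {
    awk -F: '
        /^#/ || NF < 7 { next }            # comments, blank or malformed lines
        $7 ~ /(nologin|false)$/ { next }   # shells that refuse a login
        { print $1, $3, ($7 == "" ? "(empty)" : $7) }
    ' "$1"
}

# unexpected_logins FILE NAME...: login-capable accounts not on the allow-list.
unexpected_logins() {
    file=$1; shift
    login_accounts "$file" | while read -r name uid shell; do
        case " $* " in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# Constructed sample: "backupuser" stands for the account edited for the
# backup app, "legacy" has an empty shell field.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
admin:x:1024:100:default admin:/homes/admin:/bin/sh
guest:x:1025:100:Guest:/nonexist:/sbin/nologin
media:x:1026:100:service account:/homes/media:/sbin/nologin
backupuser:x:1027:100::/homes/backupuser:/bin/sh
http:x:1023:1023::/homes/http:/bin/false
legacy:x:1030:100::/homes/legacy:
EOF
}

f=$(mktemp)
sample_passwd > "$f"
login_accounts "$f"
echo "not on allow-list: $(unexpected_logins "$f" root backupuser | tr '\n' ' ')"
rm -f "$f"
```

On the NAS itself, point `login_accounts` at /etc/passwd and pass the accounts you expect to have a shell to `unexpected_logins`.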

Option 2

Amazon Glacier
  • Back up data to Amazon Glacier (China Region and all global regions except GovCloud US)
  • Restore backup task at the file-level
  • Perform file-level incremental backup
  • Schedule backup tasks
  • Supports file-based deduplication within the same backup task
  • When deleting data which has been uploaded within the past 90 days, a task will be scheduled to automatically carry out deletion 90 days after the file uploading time. This reduces the total cost charged for deleting data that is less than 90 days old.

https://www.synology.com/en-us/dsm/5.2/software_spec

But do note: Why can’t I perform network backup from an rsync compatible server to my Synology product? https://www.synology.com/en-us/knowledgebase/faq/372

Security – Measures for consideration

– Keep the latest software patch release installed and roll out hotfixes promptly, including the software (firmware) of your modem/router, web service and DiskStation.
– Use your administrator account to administer and a user account to use your DiskStation.
https://www.synology.com/en-us/knowledgebase/tutorials/615
– Strengthen authentication with a strong passphrase – see my EE article:
http://www.experts-exchange.com/articles/18309/Choosing-an-easy-to-remember-strong-password.html


Restrict connectivity
e.g. Open only the ports on your Modem/Router that are required by the services you are going to provide. If you stop the service, close the ports immediately.
e.g. Open a port that is not the internet default port for the specific service (default ports are the ones used by users of unknown origin). Use NAPT to translate the port internally.
e.g. Enable the firewall on your DiskStation and configure it to allow only the traffic that you want. Deny everything else.
e.g. Only allow encrypted connections to your DiskStation to eliminate eavesdropping. Your DiskStation already has a certificate installed to be able to encrypt traffic.
e.g. For gaining remote access to delicate services you should use VPN instead of directly opening ports to the services from the internet.

Security Quicksheet

  • Disable the default admin account permanently
  • Enable 2 factor authentication
  • Enable HTTPS and Redirect HTTP
  • Enable DOS attack protection
  • Enable port forwarding (portforward.com)
    Note: Change external port # for increased anonymity of the port service

 

Remote Access Security

Synology remote access requires a key component called an SSL certificate for securing your data.  Webpage warnings can be avoided by adding the domain as a security exception, allowing you to access DSM normally. However, to verify the identity of the Synology NAS and ensure the connection is truly secure, you will need a third-party certificate from a trusted certificate authority.   The less secure alternative is a self-signed certificate.  Below are instructions for a third-party certificate authority such as GoDaddy.

To obtain a third-party certificate for your Synology NAS, please make sure you have a registered domain name. You must also pay any expenses required by the certificate authority.

Certificate Setup:

  • The files to import are listed below: the .key file and the GoDaddy-issued .crt, plus the gd1 intermediate bundle.
  • On the Import Certificate screen, click browse and import the following files.
    Private Key: Select the server.key file that you saved on your computer earlier
    Certificate: Select the signed certificate that you received from the certificate authority. The file name should be something like server.crt or yourdomainname.crt.
    Intermediate Certificate: This field is optional. If the certificate authority provided an intermediate certificate, please import it here

Detailed Certificate Setup Explanation

Get the CSR
1.      Download server.csr to your computer. *Save the Synology Zip as Synology_CSR.zip
2.      Open server.csr with text editor and copy the text

Obtain a Certificate (GoDaddy Specifics)

Take the CSR to a Certificate Authority (CA) such as GoDaddy.
Purchase an SSL Certificate (CRT).
Request or generate the CRT; you will need your CSR.
GoDaddy requires that you request the CRT and will prompt you for your CSR. Paste in the text from server.csr. GoDaddy has a certificate manager page when you log in to your account on their website.
*Make sure you have the correct common name, i.e. diskstation.domainname.com. It may show up under the key, but there may be an extra step to enter the FQDN.
Download the CRT.
*This is either through an email or DNS text record edit.

You may receive some additional files, but the CRT is the one that you really need.
The files may be zipped. If so, expand the files.

Download the server.key you created earlier to your computer.  *GoDaddy account retains zip for the length of certificate

Log in to DSM -> Control Panel -> DSM Settings -> HTTP Service tab
Click Enable HTTPS connection
Click Import certificate
Private key: enter the location of server.key
Certificate: enter the location of the domain.crt you received from GoDaddy
Intermediate certificate: enter the location of the gd_bundle.crt you received from GoDaddy
Click OK
Click Apply
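
Before the import, the things this procedure depends on can be checked from a shell with the openssl CLI: the private key belongs to the certificate, the certificate names the FQDN you will browse to, and it is not about to expire. This is an added example, not part of the original post; the function names are made up here, and the key and self-signed certificate it generates are constructed stand-ins for server.key and the CA-issued .crt.

```shell
#!/bin/sh
# Added example: pre-import checks for server.key and the issued certificate.
# Needs the openssl CLI. Function names are illustrative; sample files are constructed.

# key_matches_cert KEY CRT -> 0 when CRT carries the public half of KEY.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# cert_covers_host CRT FQDN -> 0 when the SAN (or CN, if no SAN) matches FQDN.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# cert_valid_for CRT SECONDS -> 0 when CRT is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# make_sample DIR FQDN: constructed key and self-signed certificate, plus an
# unrelated key for the mismatch case.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1 &&
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
}

# preflight KEY CRT FQDN: one line per check; non-zero if any check fails.
preflight() {
    rc=0
    key_matches_cert "$1" "$2" && echo "OK   key matches certificate" ||
        { echo "FAIL key does not match certificate"; rc=1; }
    cert_covers_host "$2" "$3" && echo "OK   certificate covers $3" ||
        { echo "FAIL certificate does not cover $3"; rc=1; }
    cert_valid_for "$2" 604800 && echo "OK   valid for 7 more days" ||
        { echo "FAIL expires within 7 days"; rc=1; }
    return $rc
}

tmp=$(mktemp -d)
make_sample "$tmp" diskstation.example.com
preflight "$tmp/server.key" "$tmp/server.crt" diskstation.example.com
preflight "$tmp/other.key" "$tmp/server.crt" nas.example.net || true
rm -rf "$tmp"
```

With the real files, run `preflight server.key domain.crt` followed by the host name you set as the common name in the CSR.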

 

More Packages 

Surveillance Station *Service won’t work unless ports are open.  Surveillance Station is a web-based application that can manage IP cameras to safeguard your home or office environment.    It can watch and record live view videos, schedule,  and playback.

Cloudstation Sync for Windows and Mac *Service won’t work unless ports are open

  • Enable TCP port 6690.  DDNS will work properly once enabled.

PhotoStation *Service won’t work unless ports are open

  • General, Enable personal photo station service under admin and select HTTPS Redirect
  • Enable the Personal Photo Station service under Options in DSM for a regular user account (this creates a \home\photo folder for that particular user)
  • Add https web services and certificate

 

Again, this is no easy task getting the Synology up and running. Purchase below and contact Network Synology IT support in San Diego today!!

The post NetworkAntics provides Synology IT support in San Diego appeared first on Network Antics.

