BPMSG maintenance completed.

The maintenance on Apr 21, 2016, included an update of the PHP version. Please give feedback in case of any problems.

Thank You


BPMSG down for an hour Apr 21st, 10:00 UTC

Due to scheduled maintenance, please expect a downtime of bpmsg.com today, April 21st, for 1 hour or less, starting at 18:00 SGT (10:00 UTC).

The PHP version will change too; there is a small possibility that my AHP online system will have some compatibility issues. I will try to bring it back as soon as possible.

Thanks for your understanding.


How to make your Synology Disk station (NAS) more secure?

Introduction

Recently I bought the network attached storage (NAS) DS1513+ from Synology and integrated it into my home network in order to have a central place to store and access my data. This NAS has several server functions, which make it convenient to access data remotely but also make it vulnerable to unauthorized intrusion. So the question arises how to mitigate this risk without restricting the remote functionality of the NAS. There is a lot of information available on the web; yet it took me some time to identify and understand the most important modifications and to implement them:

  1. VPN Virtual Private Network – to remotely access the local area home network
  2. SSH Secure Shell – for secure login as root user or admin to fully access the (embedded) operating system
  3. SSL/TLS – to secure traffic between website and browser (HTTPS)
  4. Enable 2-Step Verification for DSM web access
  5. Store all critical data (certificates and private keys) on an encrypted memory card

1. VPN Virtual Private Network

Whenever possible, use VPN to access your NAS. I decided on the openVPN protocol, as it works under Windows and iOS and allows a flexible configuration of ports, protocol and authentication. The standard port for openVPN is 1193 UDP. I changed it to 8080 TCP in order to have the possibility to tunnel through firewalls.

Necessary steps and modifications

  • Install Synology VPN server and use openVPN to remotely access your disk station and local network.
  • Generate your own set of certificates using EasyRSA or OpenSSL.
  • Change the VPN server configuration to make authentication with client certificates mandatory.
  • Ensure verification of server certificate and server name on the client side.

Certificates

For openVPN I use self-signed certificates. All server and client certificates can be generated using EasyRSA and OpenSSL.

You need to generate five files:

  1. Root certificate (self-signed; it replaces ca.crt)
  2. Server certificate (replaces server.crt)
  3. Server key (replaces server.key)
  4. Client certificate (user.crt)
  5. Client key (user.key, the private key belonging to the client certificate)

Root and server certificates, as well as the server key, are found in the directory /var/packages/VPNCenter/target/etc/openvpn/keys/. Log in to the Synology NAS as root user using a terminal program, change to this directory and place your own certificates and server key there. Rename the original files ca.crt, server.crt and server.key before copying, to keep them as a backup.

On the client system under Windows, the client certificate can be imported with the certificate manager certmgr.msc (start it via “Run”), or it can be embedded in the openVPN client configuration file between <cert> </cert> and <key> </key> tags (necessary for iOS).
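As an added example (not the post's own commands and not Synology's), the five files listed above can be produced with plain OpenSSL on a workstation and then copied to the NAS by hand; the script also builds the PKCS#12 bundle that the client later loads from the memory card. The host name vpn.example.com, the user name alice and the export password are placeholders; the serverAuth and clientAuth extensions are what the client-side remote-cert-tls check relies on.

```shell
#!/bin/sh
# Added example, not the post's or Synology's code: generate the five files
# listed above with OpenSSL on a workstation, then copy them to the NAS by hand.
# All names are placeholders: "vpn.example.com", user "alice", the export password.
set -e

# make_vpn_pki DIR HOSTNAME USERNAME P12PASSWORD
make_vpn_pki() {
    dir="$1"; host="$2"; user="$3"; p12pass="$4"
    mkdir -p "$dir"

    # 1. Root certificate, self-signed, valid 10 years -> replaces ca.crt on the NAS.
    #    "req -x509" marks it CA:TRUE through the default OpenSSL configuration.
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/CN=Home VPN Root CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2.+3. Server certificate and key -> replace server.crt / server.key.
    #    extendedKeyUsage=serverAuth is what the client's "remote-cert-tls server" checks;
    #    the CN / SAN is what its "verify-x509-name" checks.
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    # 4.+5. Client certificate and private key (user.crt / user.key), marked clientAuth,
    #    so "remote-cert-tls server" on a client never accepts another user's cert as the server.
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=$user" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/user.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/user.ext" -out "$dir/user.crt" 2>/dev/null

    # PKCS#12 bundle (cert + key + CA), password protected: the file the client
    # configuration loads with "pkcs12 Y:/pki/private/<user>.p12" from the memory card.
    openssl pkcs12 -export -name "$user" -in "$dir/user.crt" -inkey "$dir/user.key" \
        -certfile "$dir/ca.crt" -out "$dir/$user.p12" -passout "pass:$p12pass"

    rm -f "$dir"/*.csr "$dir"/*.ext
}

# check_vpn_pki DIR: returns 0 only if both leaf certificates chain to ca.crt and
# carry the extended key usage the client-side checks rely on.
check_vpn_pki() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.crt" "$dir/user.crt"   >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'TLS Web Server Authentication' || return 1
    openssl x509 -in "$dir/user.crt"   -noout -text | grep -q 'TLS Web Client Authentication' || return 1
}

# Usage on a workstation (not on the NAS):
#   make_vpn_pki ./pki vpn.example.com alice 'constructed-export-password' && check_vpn_pki ./pki
```

Only ca.crt, server.crt and server.key go to the NAS; ca.key stays offline, since anyone holding it can issue further client certificates that the server will accept.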

OpenVPN Server configuration (DSM 5.2)

Then change the authentication procedure for openVPN and make the use of a client certificate and password mandatory. The openVPN server configuration file can be found under /usr/syno/etc/packages/VPNCenter/openvpn. Use the vi editor in the built-in BusyBox shell to modify the openvpn.conf file.

Replace the lines starting with ca, cert and key with

ca /var/packages/VPNCenter/target/etc/openvpn/keys/your_ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/your_server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/your_server.key

Then comment out (#) the line client-cert-not-required:

#client-cert-not-required
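The two edits above can also be applied with sed to a copy of openvpn.conf and checked before the copy is swapped in. This is an added example, not part of the original post; the directory is the one named in the text, the your_*.crt file names are the post's placeholders, and the sample configuration in the usage comment is constructed.

```shell
#!/bin/sh
# Added example (not from the BPMSG post): apply the two openvpn.conf edits from
# the text to a copy, then check the copy before replacing the live file.
set -e

# Key directory named in the post; "your_*" file names are placeholders.
KEYDIR=/var/packages/VPNCenter/target/etc/openvpn/keys

# harden_openvpn_conf SRC DST: rewrite the ca/cert/key lines and disable
# password-only logins by commenting out client-cert-not-required.
harden_openvpn_conf() {
    src="$1"; dst="$2"
    sed \
        -e "s|^ca .*|ca $KEYDIR/your_ca.crt|" \
        -e "s|^cert .*|cert $KEYDIR/your_server.crt|" \
        -e "s|^key .*|key $KEYDIR/your_server.key|" \
        -e 's|^client-cert-not-required|#client-cert-not-required|' \
        "$src" > "$dst"
}

# check_openvpn_conf FILE: returns 1 if the server would still accept clients
# without a certificate or still points at the stock key files.
check_openvpn_conf() {
    f="$1"
    # an active (uncommented) client-cert-not-required means password-only logins
    grep -Eq '^[[:space:]]*client-cert-not-required' "$f" && return 1
    # same effect, newer spelling of the directive
    grep -Eq '^[[:space:]]*verify-client-cert[[:space:]]+none' "$f" && return 1
    grep -Fxq "ca $KEYDIR/your_ca.crt" "$f" || return 1
    grep -Fxq "cert $KEYDIR/your_server.crt" "$f" || return 1
    grep -Fxq "key $KEYDIR/your_server.key" "$f" || return 1
    return 0
}

# Usage on the NAS (as root), working on a copy first:
#   harden_openvpn_conf /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf /tmp/openvpn.conf.new
#   check_openvpn_conf /tmp/openvpn.conf.new && echo "ok, now swap the file in"
```

The check deliberately fails on verify-client-cert none as well, since a later package update could re-introduce password-only logins under that spelling.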

OpenVPN Client configuration

On the client side use the following lines in your openVPN client configuration file:

#Root certificate (self signed)
<ca> Copy and paste your ca root certificate here </ca>
#verify type of certificate to be server authentication:
remote-cert-tls server
#verify correct server name:
verify-x509-name 'xxx.com' name

#either get client certificate in pkcs12 format from an encrypted memory card:
pkcs12 Y:/pki/private/[user name].p12

#or get client certificate using Microsoft crypto api for windows PCs:
cryptoapicert "THUMB:XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX"

#or for iOS devices copy/paste public and private part of the client certificate:
<cert> copy/paste client certificate here </cert>
<key> copy paste your client key here </key>
auth SHA1

#login with user name – password
auth-user-pass
auth-nocache

2. SSH – Secure Shell

With SSH root login you have full access to the embedded OS and can modify any configuration of the NAS. Therefore, if you really need to allow SSH access remotely, you should always be extremely careful and verify that you are connected to the correct server. In addition, the login should be changed from user name/password authentication to RSA key authentication. Under Windows I use SSH with Pageant/PuTTY; on iOS devices I use iTerminal Pro.

Necessary steps and modifications

  • Always verify the server fingerprint of your SSH host
  • Change the SSH standard TCP port 22 to a high port number
  • Replace user/password login with RSA key authentication

SSH Host

The SSH server (host) keys can be found in the directory /etc/ssh. By default there are key pairs for DSA, ECDSA and RSA; the public key files have the extension .pub. Note down the fingerprint of the host keys using the command ssh-keygen -l -f [public key file name], for example ssh-keygen -l -f ssh_host_rsa_key.pub.

When you start the SSH terminal program and the server key is not cached, you will be prompted with the fingerprint of the server key and asked whether to trust the server; compare it with the fingerprint you noted down on the NAS before accepting. To delete a cached fingerprint under Windows using PuTTY:

  1. Open the registry (regedit)
  2. Go to HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys

Delete the cached key.

SSH Client

First generate an RSA key pair (public and private) with the program PuTTYgen. I use an SSH-2 RSA key with 2048 bits. By default the public key of the root user is expected in the directory /root/.ssh/ under the file name authorized_keys, as the commented default in sshd_config shows:

#AuthorizedKeysFile .ssh/authorized_keys

So you need to create the directory .ssh and put the public key generated with PuTTYgen into this directory under the name authorized_keys. Use the one-line OpenSSH format that PuTTYgen displays for pasting into authorized_keys, not the multi-line public key file PuTTYgen saves in its own format.

In order to disable password login for the root user, you then need to modify the file sshd_config in the directory /etc/ssh. Change the line

#PasswordAuthentication yes

to

PasswordAuthentication no
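As an added example (not the post's own commands), the following shell functions show what ssh-keygen -l actually computes for the fingerprint you note down on the NAS, so it can be re-checked from any client, and audit the two sshd_config changes of this section (port moved away from 22, password authentication off). It assumes a Linux or BusyBox base64 that understands -d and an openssl binary; the paths are parameters and the pinned fingerprint is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the BPMSG post): recompute an OpenSSH host key
# fingerprint by hand and audit sshd_config. Assumes GNU/BusyBox "base64 -d"
# and "openssl" are available; file paths are parameters.
set -e

# ssh_pubkey_fingerprint PUBKEYFILE
# Same value "ssh-keygen -l -f FILE" prints after "SHA256:": base64-decode the
# key blob (second field of the .pub line), SHA-256 it, base64-encode the digest
# and strip the "=" padding.
ssh_pubkey_fingerprint() {
    awk '{print $2}' "$1" | base64 -d | openssl dgst -sha256 -binary | base64 | tr -d '='
}

# ssh_fingerprint_matches PUBKEYFILE "SHA256:..."
# Compare a host's public key file with the fingerprint noted down on the NAS.
ssh_fingerprint_matches() {
    [ "SHA256:$(ssh_pubkey_fingerprint "$1")" = "$2" ]
}

# check_sshd_config FILE
# Returns 0 when both edits from the text are in place: password logins off and
# SSH moved off port 22. The effective value is the first uncommented directive;
# when a directive is absent, sshd's defaults (yes / 22) apply.
check_sshd_config() {
    f="$1"
    pw=$(awk 'tolower($1)=="passwordauthentication"{print tolower($2); exit}' "$f")
    port=$(awk 'tolower($1)=="port"{print $2; exit}' "$f")
    [ "${pw:-yes}" = "no" ] || return 1
    [ "${port:-22}" != "22" ] || return 1
    return 0
}

# Usage on the NAS (as root), with a constructed placeholder fingerprint:
#   ssh_pubkey_fingerprint /etc/ssh/ssh_host_rsa_key.pub
#   ssh_fingerprint_matches /etc/ssh/ssh_host_rsa_key.pub 'SHA256:PLACEHOLDER' && echo match
#   check_sshd_config /etc/ssh/sshd_config && echo hardened
```

Note that the commented line #PasswordAuthentication yes is ignored by the audit, exactly as sshd ignores it; only an active PasswordAuthentication no counts.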

3. SSL Secure Sockets Layer – to secure traffic between website and browser (HTTPS)

Though SSL does not protect from unauthorized access, it helps to avoid eavesdropping on your data when using the web interface. Most critical is web access to the Disk Station Manager (DSM) with admin rights. The standard access ports are 5000 (HTTP) and 5001 (HTTPS).

Steps and modifications

  • Disable standard admin user account
  • Allow access via HTTPS only
  • Use a really strong password with 15 characters or more

For administration via the web interface, first disable the standard admin account and use a different user name. Then allow DSM login under HTTPS (default port 5001) only; in addition you could use port forwarding in your router to change to a high port number. The most important measure is to use a really strong password: at least 15 characters long, consisting of a mixture of lower-case and upper-case letters, numbers and special characters.

4. Enable 2-Step Verification for DSM web access

DSM allows you to add a second layer of authentication: you can enable 2-step verification for the admin user. A good step-by-step description can be found here: 2-step-authentication.

5. Storage of critical Data

All measures shown above are useless if the private keys are not kept secret. Your passwords, key pairs and certificates should never be made accessible to any unauthorized users. Here I use a mountable encrypted memory card. When leaving the computer I can unmount the card or take it with me.

6. Useful links

How to connect to Synology’s VPN Server using a Windows PC or Mac http://www.synology.com/en-us/support/tutorials/592


LinkedIn and email security

Read this. Enough for me to close my account there. Feel free to contact me via my BPMSG blog here.

www.bishopfox.com/blog/2013/10/linkedin-intro/


Is my Internet Address clean?

After some hours of programming and testing I have added this on-line check to my BPMSG link.

It reads your IP address and checks it for past suspicious activities. You could get a bad result, if your computer was formerly infected by a malicious program or used by a spammer.

Check it out!


Fighting Spam

Operating your own website or blog, you will soon notice lots of comments with nonsense content and embedded links to obscure websites. These are comment spammers making your life difficult: every day you have to clean up or moderate all comments. In the past I used the WordPress plugin “spam free wordpress” to protect my blog, and for a long time it worked fine without any problems: when writing a comment on my postings, you were asked to copy and paste a password from one field to another in the comment form. Suddenly it stopped working, and I found out that the developer had changed his policy: I have to pay a license fee. Maybe I should also change my policy and ask for a license fee to download my AHP Excel template? So I searched for a new free plugin. I installed SI Captcha Anti-Spam from Mike Challis, but spam comments were still coming through. So I enabled the honeypot spambot trap, and it seems to work.

What is a honey pot spambot trap?

I learned some new things about spam, and also found an interesting project, “Project Honey Pot”, on the web. There you can find out more about harvesters, spammers, dictionary attackers and honey pots. You can participate in the project, install a honey pot or implement a quick link to fight spam. A honey pot is a link, invisible to humans, to a dynamic website providing “fake” e-mail addresses and forms for spam programs. If the form is submitted or an e-mail is sent to one of the addresses provided there, then you can be sure it is a spammer and record/block its IP address. Here is an example of a quick link (opens in a separate window; don’t submit). Usually this link is hidden, only visible to bots, spider programs etc.

Project Honey Pot also provides a useful service HTTP Blacklist to check IPs against a list of known harvesters, comment spammers, and other suspicious visitors to websites.


Now I can monitor suspicious activities on my website: within only two days I could see more than 100 attacks!

List of recent suspicious visitors listed in project honeypot.

Check your own IP address.


Video Editing Workflow – Canon XA-10

Source

Camera settings depend on the type of recorded video. The Canon XA-10 has only two full HD (1920×1080) recording modes: FXP and MXP. Most of my videos are recorded in FXP mode, as it is a good trade-off between quality and file size.

Recording Modes of Canon XA-10

Edit and Archive

For video editing I use Adobe Premiere Elements 10. Editing is done without changing codec (H.264), resolution, interlacing, etc. As I have the PAL version of the XA-10, the Adobe project settings are AVCHD Full HD 1080i 25 under PAL. Once the video is edited, I render the clip with the highest quality settings (2-pass VBR, render at maximum depth, macroblock adaptive frame-field coding) and a maximum bitrate corresponding to the source (FXP: 17 Mbps) for archiving. In Adobe Premiere Elements 10 and for XA-10 FXP mode the settings are:

Archive settings in Adobe Premiere Elements 10 for XA-10 FXP mode

Target Media

Depending on the target media the clip to be published is adjusted in codec, resolution etc. I have predefined settings for:

  • Standard clips to be watched on a PC:
    MP4 – PAL DV Widescreen SD – HiQ (576p, VBR 3/6 Mbps)
  • Tablet/phones:
    MP4 – PAL DV Widescreen SD – LoQ (576p, VBR 1.3/2.6 Mbps)
  • Youtube as basic HD clip:
    MP4 – HD 720p 25 (720p, VBR 2.5/5 Mbps)

Calculation of Video Bitrates in Excel

I use a simple excel template to calculate the bitrate for the target medium. As input you simply select:

  • Codec (H264, MPEG-2)
  • Standard (PAL, NTSC, FILM)
  • Definition (VCD, SD, HD 720, HD, full HD)
  • Channel (PC/Web, Disk/TV)
  • Action/Motion (low, normal, medium, high)

and as a result you get the recommended bitrate for rendering your video clip.

Comments and feedback are welcome!


Practical Experience with Canon XA-10


For a few months now I have been using the Canon XA-10 camcorder to take the videos on this website and when traveling. The video about the diversity index as business KPI, and the trip to the Philippines, visiting Bohol Island and Lake Taal, I shot with the XA-10.

Overall I am quite o.k. with it, but a few details – like for example the tiny custom assignable buttons – are less satisfying. Now I am working on a review to share my experience. Stay tuned – and thanks for visiting.


Lake Taal -Philippines

Taal Lake is a freshwater lake in the province of Batangas, on the island of Luzon in the Philippines. The lake fills a large volcanic caldera formed by eruptions between 500,000 and 100,000 years ago. That crater lake is the world’s largest lake on an island in a lake on an island, and it in turn contains its own small island, Vulcan Point.

Enjoy Watching! If you like the video, leave a comment below.


Exploring Bohol, Philippines

Bohol is a smaller island in the island grouping of the Visayas, Philippines, a nice place to spend your holidays. Beside the famous Chocolate Hills and the tarsier conservation area, the video shows Bolo knife forging, the Loboc river cruise with a local rondalla music group, dancing the traditional Tinikling dance, dolphin watching with a visit to Balicasag and Virgin Island, as well as the Baclayon church, Tagbilaran market and the Hinagdanan cave in Dauis. Enjoy watching!

If you like the video, leave a comment below.
