The maintenance on Apr 21, 2016, included an update of the PHP version. Please give feedback in case of any problems.
Thank you
Due to scheduled maintenance, please expect a downtime of bpmsg.com today, April 21st, for 1 hour or less starting today 18:00 SGT (10.00 UTC).
The PHP version will change too, so there is a small possibility that my AHP online system will have some compatibility issues. I will try to bring it back as soon as possible.
Thanks for your understanding.
Recently I bought the network attached storage (NAS) DS1513+ from Synology and integrated it into my home network in order to have a central place to store and access my data. This NAS has several server functions, making it convenient to access data remotely, but also making it vulnerable to unauthorized intrusion. So the question arises: how to mitigate this risk without restricting the remote functionality of the NAS? There is a lot of information available on the web; yet for me it took some time to identify and understand the most important modifications and to implement them:
Whenever possible, use a VPN to access your NAS. I decided on the OpenVPN protocol, as it works under Windows and iOS and allows for a flexible configuration of ports, protocol and authentication. The standard port for OpenVPN is 1193 UDP. I changed it to 8080 TCP in order to have the possibility to tunnel through firewalls.
Necessary steps and modifications
You need to generate a
Root and server certificates, as well as the server key, are found in the directory /var/packages/VPNCenter/target/etc/openvpn/keys/. Log in to the Synology NAS as root user using a terminal program, change to this directory and place your own certificates and server key there. Rename the original files ca.crt, server.cer and server.key before copying, to keep them as a backup.
On the client system under Windows, the client certificate can be imported with the certificate manager certmgr.msc (via "run"), or it can be part of the OpenVPN client configuration file using <cert> </cert> and <key> </key> (necessary for iOS).
Then change the authentication procedure for OpenVPN and make the use of a client certificate and password mandatory. The OpenVPN server configuration file can be found under /usr/syno/etc/packages/VPNCenter/openvpn. Use the vi editor in the BusyBox built-in shell to modify the openvpn.conf file.
Replace the lines starting with ca, cert and key with
Then comment out (#) the line client-cert-not-required:
On the client side use the following lines in your OpenVPN client configuration file:
#Root certificate (self signed)
<ca> Copy and paste your ca root certificate here </ca>
#verify type of certificate to be server authentication:
#verify correct server name:
verify-x509-name 'xxx.com' name
#either get client certificate in pkcs12 format from an encrypted memory card:
pkcs12 Y:/pki/private/[user name].p12
#or get client certificate using Microsoft crypto api for windows PCs:
cryptoapicert "THUMB:XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX"
#or for iOS devices copy/paste public and private part of the client certificate:
<cert> copy/paste client certificate here </cert>
<key> copy paste your client key here </key>
#login with user name – password
With SSH root login you have full access to the embedded OS and can modify any configuration of the NAS. Therefore, if you really need to allow SSH access remotely, you should always be extremely careful and verify that you are connecting to the correct host. In addition, the login should be changed from user name/password authentication to RSA key authentication. SSH works under Windows with Pageant/PuTTY; on iOS devices I use iTerminal Pro.
Necessary steps and modifications
The SSH server (host) keys can be found in the directory /etc/ssh. By default there are key pairs for DSA, ECDSA and RSA. The public key files have the extension .pub. Note down the fingerprint of the host keys using the command ssh-keygen -l -f [public key file name], for example ssh_host_rsa_key.pub.
When you start the SSH terminal program and the server key is not cached, you will be prompted with the fingerprint of the server key and asked whether to trust the server. To delete a cached fingerprint under Windows using PuTTY:
Delete the cached key.
First generate an RSA key pair (public and private) with the program puttygen. I use an SSH2-RSA key with 2048 bits. By default the public key of the root user is expected to be found in the directory /root/.ssh/ under the file name authorized_keys.
So you need to create the directory .ssh and put the public key generated with puttygen into this directory under the name authorized_keys.
In order to disable password login for the root user, you then need to modify the file sshd_config in the directory /etc/ssh. Change the line
#PasswordAuthentication yes to
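The two server-side edits described above (openvpn.conf: own ca/cert/key and no client-cert-not-required; sshd_config: no password login) are easy to get subtly wrong, for example by leaving the old line uncommented. The following POSIX shell script is an added example, not part of the original post or of Synology's software: it audits both files for exactly those settings. The sample "before" and "after" files it writes to a temporary directory are constructed for the demo; on the NAS you would point the functions at /etc/ssh/sshd_config and /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf instead, and the certificate paths in the samples are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config and openvpn.conf
# for the hardening settings the post recommends.

# Effective value of a directive in an sshd_config-style file. Only uncommented
# lines count, and sshd honours the first occurrence of a keyword.
sshd_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# 0 when the directive is set to the expected value, 1 when different or missing.
sshd_directive_is() {
    [ "$(sshd_value "$1" "$2")" = "$3" ]
}

# 0 when an OpenVPN config has an active (uncommented) line for the directive.
ovpn_has_active() {
    grep -qE "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# 0 when the directive is absent or commented out (what we want for
# client-cert-not-required).
ovpn_lacks_active() {
    ! ovpn_has_active "$1" "$2"
}

# Run all checks on an sshd_config ($1) and an openvpn.conf ($2); prints one
# line per check and returns the number of failed checks.
audit_nas() {
    fails=0
    check() {
        if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fails=$((fails + 1)); fi
    }
    check sshd_directive_is "$1" PasswordAuthentication no
    check ovpn_has_active "$2" ca
    check ovpn_has_active "$2" cert
    check ovpn_has_active "$2" key
    check ovpn_lacks_active "$2" client-cert-not-required
    return $fails
}

# Number of failed checks as a string (report suppressed), handy for scripting.
audit_count() {
    audit_nas "$1" "$2" >/dev/null && echo 0 || echo $?
}

TMPD=$(mktemp -d)

# Constructed sample: sshd_config before the edit (password login still allowed).
cat > "$TMPD/sshd_config.before" <<'EOF'
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Constructed sample: sshd_config after the edit.
cat > "$TMPD/sshd_config.after" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
EOF

# Constructed sample: openvpn.conf before the edit (placeholder paths,
# client certificates not required).
cat > "$TMPD/openvpn.conf.before" <<'EOF'
ca /path/to/keys/ca.crt
cert /path/to/keys/server.crt
key /path/to/keys/server.key
client-cert-not-required
EOF

# Constructed sample: openvpn.conf after the edit (own files, line commented out).
cat > "$TMPD/openvpn.conf.after" <<'EOF'
ca /path/to/keys/my-ca.crt
cert /path/to/keys/my-server.crt
key /path/to/keys/my-server.key
#client-cert-not-required
EOF

echo "== before =="; audit_nas "$TMPD/sshd_config.before" "$TMPD/openvpn.conf.before" && rc_before=0 || rc_before=$?
echo "== after  =="; audit_nas "$TMPD/sshd_config.after" "$TMPD/openvpn.conf.after" && rc_after=0 || rc_after=$?
echo "failed checks before: $rc_before, after: $rc_after"
```

The checks deliberately ignore commented lines, so a file where the old directive was kept as a comment (as the post suggests for client-cert-not-required) passes, while a file that merely added a second, later PasswordAuthentication line would still fail because sshd takes the first occurrence.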
Though SSL does not protect from unauthorized access, it helps to avoid eavesdropping on your data when using the web interface. Most critical is the web access to the Disk Station Manager (DSM) with admin rights. The standard access ports are 5000 (HTTP) and 5001 (HTTPS).
Steps and modifications
For administration via the web interface, first disable the standard admin account and use a different user name. Then allow DSM login under HTTPS (default port 5001) only; in addition you could use port forwarding in your router to change to a high port number. The most important measure is to use a really strong password. The password should be at least 15 characters long and consist of a mixture of small/capital letters, numbers and special characters.
DSM allows you to introduce a second layer of authentication: you can enable 2-step verification for the admin user. A good step-by-step description can be found here: 2-step-authentication.
All measures shown above will be useless if the private keys are not kept secret. Your passwords, key pairs and certificates should never be made accessible to any unauthorized users. Here I use a mountable encrypted memory card. When leaving the computer I can unmount the card or take it with me.
How to connect to Synology’s VPN Server using a Windows PC or Mac http://www.synology.com/en-us/support/tutorials/592
After some hours of programming and testing I have added this online check to my BPMSG link.
It reads your IP address and checks it for past suspicious activities. You could get a bad result if your computer was formerly infected by a malicious program or used by a spammer.
Check it out!
Operating your own website or blog, you will soon notice lots of comments with nonsense content and embedded links to obscure websites. These are comment spammers making your life difficult: every day you have to clean up or moderate all comments. In the past I used a WordPress plugin, "Spam Free WordPress", to protect my blog, and for a long time it was working fine without any problems. When writing a comment on my postings, you were asked to copy and paste a password from one field to another in the comment form. Suddenly it was not working any longer, and I found out that the developer had changed his policy: I have to pay a license fee. Maybe I also should change my policy and ask for a license fee to download my AHP Excel template? So I was searching for a new free plugin. I installed SI CAPTCHA Anti-Spam from Mike Challis, but spam comments were still coming through. So I enabled the honeypot spambot trap, and it seems to work.
I learned some new things about spam, and also found an interesting project, "Project Honey Pot", on the web. There you can find out more about harvesters, spammers, dictionary attackers and honey pots. You can participate in the project, install a honey pot or implement a quick link to fight spam. A honey pot is a link, invisible to humans, to a dynamic website providing "fake" e-mail addresses and forms for spam programs. If the form is submitted or an e-mail is sent to one of the addresses provided there, then you can be sure it is a spammer and record/block his IP address. Here is an example of a quick link (opens in a separate window; don't submit). Usually this link is hidden, only visible to bots, spider programs etc.
Project Honey Pot also provides a useful service, HTTP Blacklist (HTTP:BL), to check IPs against a list of known harvesters, comment spammers, and other suspicious visitors to websites.
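HTTP:BL is queried over DNS, and a website can use the answer to decide whether to show a visitor a CAPTCHA or reject a comment. The shell functions below are an added example, not from the original post or from Project Honey Pot: they build the lookup name and decode an answer, assuming the service's published scheme (query <accesskey>.<reversed IP>.dnsbl.httpbl.org; answer 127.<days since last activity>.<threat score>.<visitor type bitmask: 1 suspicious, 2 harvester, 4 comment spammer, 0 search engine>; no answer means the IP is not listed). The access key and the answers used here are constructed placeholders; a real lookup would pass the name to a resolver such as dig or nslookup.

```shell
#!/bin/sh
# Added example (not from the original post): HTTP:BL lookup name and answer decoding.

# Build the DNS name to query for an access key ($1) and a dotted-quad IPv4
# address ($2). The IP octets are reversed, as for other DNS blacklists.
httpbl_query_name() {
    rev=$(echo "$2" | awk -F. '{print $4 "." $3 "." $2 "." $1}')
    echo "$1.$rev.dnsbl.httpbl.org"
}

# Decode an HTTP:BL answer of the form 127.<days>.<threat>.<type> into a short
# description. Returns 1 for anything that is not an HTTP:BL answer.
httpbl_decode() {
    answer=$1
    set -- $(echo "$answer" | tr . ' ')
    if [ "$#" -ne 4 ] || [ "$1" != "127" ]; then
        echo "not an HTTP:BL answer: $answer"
        return 1
    fi
    days=$2; threat=$3; type=$4
    kinds=""
    if [ $((type & 1)) -ne 0 ]; then kinds="$kinds suspicious"; fi
    if [ $((type & 2)) -ne 0 ]; then kinds="$kinds harvester"; fi
    if [ $((type & 4)) -ne 0 ]; then kinds="$kinds comment-spammer"; fi
    if [ "$type" -eq 0 ]; then kinds=" search-engine"; fi
    echo "type:${kinds} threat=$threat last-seen=${days}d"
}

# Policy helper for a comment form: 0 (accept) for an unlisted visitor or a
# search engine, 1 (challenge/reject) for a listed visitor whose threat score
# reaches the threshold in $2. Pass an empty string as $1 for "not listed".
httpbl_should_challenge() {
    [ -z "$1" ] && return 1
    set -- $(echo "$1" | tr . ' ') "$2"
    [ "$4" -eq 0 ] && return 1      # search engine, never challenge
    [ "$3" -ge "$5" ]
}

# Constructed demo values (the access key is a placeholder, not a real key).
KEY="abcdefghijkl"
echo "query name: $(httpbl_query_name "$KEY" 192.0.2.1)"
echo "decoded:    $(httpbl_decode 127.3.45.6)"
if httpbl_should_challenge 127.3.45.6 25; then echo "decision:   challenge"; else echo "decision:   accept"; fi
```

The threat score threshold is a site policy choice; the decode function keeps the raw fields so a site can log them alongside the visitor's IP for later review.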
Now I can monitor suspicious activities on my website: within only two days I could see more than 100 attacks!
List of recent suspicious visitors listed in project honeypot.
Check your own IP address.
Camera settings depend on the type of recorded video. The Canon XA-10 has only two full HD (1920×1080) recording modes: FXP and MXP. Most of my videos are recorded in FXP mode, as it is a good trade-off between quality and file size.
For video editing I use Adobe Premiere Elements 10. Editing is done without changing codec (H.264), resolution, interlacing, etc. As I have the PAL version of the XA-10, the Adobe project settings are AVCHD Full HD 1080i 25 under PAL. Once the video is edited, I render the clip with the highest quality settings (2-pass VBR, render at maximum depth, macroblock adaptive frame-field coding) and a maximum bitrate corresponding to the source (FXP: 17 Mbps) for archiving. In Adobe Premiere Elements 10 and for XA-10 FXP mode the settings are:
Depending on the target media the clip to be published is adjusted in codec, resolution etc. I have predefined settings for:
I use a simple Excel template to calculate the bitrate for the target medium. As input you simply select:
and as a result you get the recommended bitrate for rendering your video clip.
Comments and feedback are welcome!
For a few months I have been using the Canon XA-10 camcorder to take the videos on this website and when traveling. The video about the diversity index as a business KPI, and the trip to the Philippines, visiting Bohol Island and Lake Taal, were shot with the XA-10.
Overall I am quite happy with it, but a few details, like for example the tiny custom assignable buttons, are less satisfying. Now I am working on a review to share my experience. Stay tuned, and thanks for visiting.
Taal Lake is a freshwater lake in the province of Batangas, on the island of Luzon in the Philippines. The lake fills a large volcanic caldera formed by eruptions between 500,000 and 100,000 years ago. That crater lake is the world’s largest lake on an island in a lake on an island, and it in turn contains its own small island, Vulcan Point.
Enjoy watching! If you like the video, leave a comment below.
Bohol is a smaller island in the island grouping of the Visayas, Philippines, and a nice place to spend your holidays. Besides the famous Chocolate Hills and the tarsier conservation area, the video shows bolo knife forging, the Loboc river cruise with a local rondalla music group, the traditional Tinikling dance, dolphin watching with a visit to Balicasag and Virgin Island, as well as the Baclayon church, Tagbilaran market and the Hinagdanan cave in Dauis. Enjoy watching!
If you like the video, leave a comment below.