June 13, 2014

Dome9 Package for Synology NAS

I own a Synology DS413j NAS, and without wanting to write a whole review about it, these things are awesome, the management UI is great, and you can run all kinds of packages on them. One thing I like to do with mine is run an OpenVPN server so that I can VPN into home and do cool stuff.

But I was a bit concerned about the notion of having my NAS internet-facing, even if it was only OpenVPN’s UDP port. So, powering through with my love for all things Dome9 (I swear they don’t pay me), I wrote my own little package that installs the Dome9 Agent onto a Synology NAS and allows you to control its firewall (and make dynamic access requests) through the Dome9 service. Now I can make pretty much any of my NAS’ services available to the internet, and not have to worry about random attackers discovering those services. Similar to Single Packet Authorization (although easier to set up and use), Dome9 allows you to dynamically open one or more ports to a given IP for a period of time, and so while the port is available to you, the services remain completely invisible to everyone else.

This is the first release of the Dome9 package, and while it may need more work to support other VPN protocols, it’s ready for testing. If you do use this package, I’d be keen to hear from you, as I’ve yet to find another Synology-owning Dome9 user!

To install this package, simply download the dome9.spk file (below) and use the Manual Install option in the Package Center in DSM. You will need to have a Dome9 account and enter your pairing key to allow the agent to pair with the Dome9 service.

Download: Synology Dome9 Package v0.1.1 (dome9.spk)

6 Comments
  1. mike
    Jun 17 2014

    Does your package just do iptables rules, or does it also do file integrity monitoring with dome9?

  2. Jun 17 2014

    Hi Mike,

    Great question, I hadn’t even thought of the FIM. As the package installs the full Dome9 Agent, you should have full FIM functionality as well which would indeed come in very handy. I’m currently testing this to confirm.

  3. mike
    Jun 17 2014

    Thanks for the information. I’ve been using OSSEC for log collection and analysis. The OSSEC agent doesn’t run on the box, so I dump the logs to syslog and use OSSEC to analyze them. I’m really interested in the file integrity monitor because then I can tell if files are added, removed, or modified from the partition.

  4. Jun 18 2014

    Hi Mike,

    After some investigation and conversations with Dome9, it appears the D9 source (which I use for this package) doesn’t include the OSSEC agent. The OSSEC agent is usually installed together with Dome9 when you install from a repo… which we both know doesn’t quite work for Synology.

    The next step is really just to figure out if we can get OSSEC to compile on Synology, and it should then integrate perfectly with Dome9.

  5. Will
    Oct 15 2014

    I’m running a DS213j, which has been my entry point into the world of securing servers and the like. I recently got interested in the idea of Port Knocking (so I could allow SSH service without endless bots trying to break in), but it seems extremely hard to do on the Synology DSM OS.

    THIS, however, looks like it’s ideal — and even a bit of an upgrade. I just wanted to check first and see if there were any additional requirements other than the SPK and a (free) Dome9 account. Must I access through VPN? Or is that just an additional layer for your own purposes?

    Thanks very much for any info — I’ll def report back any experiences I have with the package.

  6. Oct 15 2014

    Hi Will,

    Please do let me know! I recently re-packaged my package as the latest DSM seemed to be complaining about something. You can download the latest version here: https://github.com/securitygeneration/synology-dome9/releases/tag/v0.1.1

    If you look around my site you’ll find that I’m very much into port knocking and single packet authorization (the newer, more secure form of port knocking). I’ve been looking at putting together a package that allows you to install fwknop onto Synology NAS, but I haven’t gotten around to it yet. Dome9 works very well for my purposes, and is very reliable.

    You are correct that you don’t need a VPN. I just use this to protect my VPN service.

    Let me know how you get on, it’s really easy to set up with Dome9!

    Thanks.
