DSM5 - network backup over custom port

as1974
I'm New!
Posts: 6
Joined: Tue Apr 01, 2014 4:20 pm

Re: DSM5 - network backup over custom port

Postby as1974 » Thu Apr 03, 2014 2:55 pm

I got at least a workaround working, not from DSM dialogues, but as a cronjob from command line.

The full command is:

rsync --log-file=/var/log/remote_rsync_log.txt --syno-prog=/var/log/remote_rsync_progress_bar.txt --progress --compress -avze 'ssh -p 5555' [sourcepath/] [user]@[remote_ip]:[targetpath/] && synodsmnotify @administrators "Remote-Backup" "success." || synodsmnotify @administrators "Remote-Backup failed" "No success."


Self-explaining:
rsync [or better: /usr/syno/bin/rsync when used in crontab]


Probably not necessary, I am currently using it during tests...:
--log-file=/var/log/remote_rsync_log.txt


Same here:
--syno-prog=/var/log/remote_rsync_progress_bar.txt


Shows progress while running (speed & %-Progress per file):
--progress


Self-explaining:
--compress


That's the interesting part. For a, v & z check the manpage, but: option 'e' allows you to pass on a bash command - the 'e' must be placed right before the command used, here: ssh and the target port for the command:
-avze 'ssh -p 5555'


Path to source files:
[sourcepath/]


And path to target files:
[user]@[remote_ip]:[targetpath/]


Finally some DSM notifications in case of success:
&& synodsmnotify @administrators "Remote-Backup" "Success."


..or failure:
|| synodsmnotify @administrators "Remote-Backup failed" "No success."


Finally, I put the full command into a file, chmod +x the file, and put it into /etc/crontab (note: the fully qualified rsync path is /usr/syno/bin/rsync - found out by this very helpful little command called which, e.g. 'which rsync').

To access the target Synology from the source Synology I use SSH authentication for auto-logon without a password prompt (e.g. a German how-to can be found here: http://www.synology-wiki.de/index.php/S ... C3.BCsseln)

P.S. the option "--inplace" might cover "Enable block-level backup"..
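
An added example, not as1974's script or Synology code: a cron wrapper for the rsync-over-SSH command in the post above that validates the port, makes ssh fail rather than prompt for a password or accept an unknown host key, and notifies based on rsync's own exit code. The source/target paths, the key path and the `--run` argument are assumptions.

```shell
#!/bin/sh
# Added example, not as1974's script. Placeholders below are assumptions.
RSYNC_BIN="${RSYNC_BIN:-/usr/syno/bin/rsync}"
NOTIFY_BIN="${NOTIFY_BIN:-synodsmnotify}"
SSH_PORT="${SSH_PORT:-5555}"
SSH_KEY="${SSH_KEY:-/root/.ssh/id_rsa}"          # assumed key path, no spaces
LOG="${LOG:-/var/log/remote_rsync_log.txt}"
SRC="${SRC:-/volume1/data/}"                     # placeholder source path
DEST="${DEST:-backup@nas.example.net:/volume1/backup/}"  # placeholder target

# Print the remote-shell string for rsync -e; reject anything that is not a
# plain TCP port so a bad value can never smuggle extra ssh options.
ssh_transport() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
    # BatchMode=yes: fail instead of waiting for a password prompt under cron.
    # StrictHostKeyChecking=yes: fail if the target's host key is unknown or
    # changed (the key must already be in known_hosts).
    printf 'ssh -p %s -i %s -o BatchMode=yes -o StrictHostKeyChecking=yes' \
        "$1" "$2"
}

# Run the backup and notify once, based on rsync's own exit code. Unlike
# "rsync && notify-ok || notify-fail", a failing success notification cannot
# trigger a false "failed" message.
run_backup() {
    transport=$(ssh_transport "$SSH_PORT" "$SSH_KEY") || {
        "$NOTIFY_BIN" @administrators "Remote-Backup failed" "Bad SSH port"
        return 2
    }
    rc=0
    "$RSYNC_BIN" -az --log-file="$LOG" -e "$transport" "$SRC" "$DEST" || rc=$?
    if [ "$rc" -eq 0 ]; then
        "$NOTIFY_BIN" @administrators "Remote-Backup" "Success."
    else
        "$NOTIFY_BIN" @administrators "Remote-Backup failed" "rsync exit $rc"
    fi
    return "$rc"
}

# crontab calls this file with --run; without it only the functions load.
if [ "${1:-}" = "--run" ]; then
    run_backup
    exit $?
fi
```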
BratMokstrof
I'm New!
Posts: 8
Joined: Thu Apr 10, 2014 7:41 pm

Re: DSM5 - network backup over custom port

Postby BratMokstrof » Thu Apr 10, 2014 7:50 pm

I would really like this as well, ... Has Synology indicated if or when this will be implemented?
as1974
I'm New!
Posts: 6
Joined: Tue Apr 01, 2014 4:20 pm

Re: DSM5 - network backup over custom port

Postby as1974 » Fri Apr 11, 2014 5:19 pm

So here is the feedback I received from support:
Although you adjusted the setting in DSM 4.x for your purposes via the console, this was not intended there either and would, for example, have caused the internal backup with SSL enabled to stop working.

Basically this says:
..you changed standards, which has not been intended and caused e.g. that internal backup with activated SSL would not work..

Hm: do not know how SSH and SSL are related - and what does a "backup with activated SSL" mean?

Next paragraph says:
From a security standpoint, changing the ports does not make sense, since a real attacker (not the usual "script kiddies" who merely find so-called "hacker software" in some forum) will simply run a port scan against your system. The simplest method for this is a so-called TCP SYN scan, which is generally only detected by an IDS or a firewall with an integrated IDS. For protection, use an auto-block function that blocks the requesting IP after a few failed logins. This gives you considerably higher security than using a non-standard port.


Means:
..from a security perspective, it does not make any sense to change the port, because real hackers (not script kiddies) would run a port scan on your system. The easiest way would be a TCP SYN scan, which can be recognized by an IDS (intrusion detection system) or by a firewall with integrated IDS. We recommend using the auto-block function to block an IP after unsuccessful logins. By that, you receive a significantly higher security level compared to using a non-standard port.


Well..: auto-block is on anyways. So "significant" is not the point.

To me it seems like: don't bother about script kiddies, they would not hack you anyways as long as you are using a strong password.

Means:
1 - consider using port 22 and change your password to a really strong password
2 - Reading this mail, I do not expect Synology to change the DSM behaviour
rfederspiel
I'm New!
Posts: 2
Joined: Tue Jan 28, 2014 9:40 pm

Re: DSM5 - network backup over custom port

Postby rfederspiel » Fri Apr 11, 2014 9:56 pm

From my point of view, the first thing every admin does is change the SSH server port to something other than 22, because the chance of being hacked is decreased enormously, independent of strong passwords. The same goes for not allowing user "root" to log in via SSH.
Synology shall not have the power to tell us how to secure our systems. This is just a shame. The most secure way I see right now is to use the rsync command directly, as already posted before.
kamaradski
Student
Posts: 71
Joined: Fri Mar 01, 2013 3:31 pm
Location: Germany

Re: DSM5 - network backup over custom port

Postby kamaradski » Sat Apr 12, 2014 11:53 am

Thanks as1974. It appears to be fixed and working on an alternative port now. Not sure if Synology support fixed it, or if one of the updates did (didn't get any feedback on my ticket), and also not sure if this will survive any DSM update. But for now it works again!! YAY :) For the record, I have updated all packages and DSM, including the Heartbleed update.

-=-

To me the reply they gave you above does not make much sense, as the people we have to fear most are the script kiddies. A real hacker doesn't have the interest to scan millions of Synology NAS devices, take the effort of hacking in, and then only find a bunch of illegally downloaded videos that they could get from BitTorrent themselves (I'm assuming this is 90% the case). Real hackers go for more profitable and carefully selected targets.

Also, the autoblock feature will not stop a real hacker, as they would simply change exit node and try again. Also, a so-called real hacker mostly knows exactly how to get in before trying, and will not even be detected by the security features in place... In addition, they most likely will not damage my box, just copy the data they need.

Changing ports is a logical first line of defense that stops the morons that have time to try to wipe my box or do all sorts of other damage I cannot fix or replace without data loss. Security is not about making it impossible for people to get in, but more about making it as hard as possible. Something as simple as a port change is part of that package.

In addition: since I opened my ports for Synology support to connect, my autoblock list grew to the size of an average law book, spamming my email in the process, and increasing the chance that one of these IPs is actually needed by a real user. Thanks to dynamic IPs this chance is pretty real.

What we need is to know where to manually change the port for the backup software, or a feature in the web interface to just change the default behavior of all software utilizing port 22 and reroute it to a user-configurable alternative port, without the use of the console after every single DSM update.
qbn
I'm New!
Posts: 2
Joined: Sat Apr 12, 2014 8:20 pm

Re: DSM5 - network backup over custom port

Postby qbn » Sat Apr 12, 2014 8:27 pm

Is this already solved?
My custom ssh ports still don't work :(
hans_lenze
Rookie
Posts: 34
Joined: Tue Dec 20, 2011 1:04 am

Re: DSM5 - network backup over custom port

Postby hans_lenze » Sat Apr 12, 2014 9:36 pm

Just out of curiosity: has any of you tried to set the custom port by changing the /root/.ssh/config file?

Executing the following command should do the trick

Code: Select all

echo "port 2222" > /root/.ssh/config


On the receiving end, make a portforward in the router that forwards external port 2222 to port 22 on the NAS and you're done. All the synology initiated ssh connections should use the custom port.
DS411 (3x 2TB RAID5, 1x 256GB SSD), 2x HP Proliant ML110g6 ESXi 5.5
windar
Sharp
Posts: 160
Joined: Wed May 28, 2008 12:35 pm

Re: DSM5 - network backup over custom port

Postby windar » Wed Apr 16, 2014 4:29 pm

hans_lenze wrote:
Just out of curiosity: has any of you tried to set the custom port by changing the /root/.ssh/config file?

Executing the following command should do the trick

Code: Select all

echo "port 2222" > /root/.ssh/config


On the receiving end, make a portforward in the router that forwards external port 2222 to port 22 on the NAS and you're done. All the synology initiated ssh connections should use the custom port.


The global (echo "Port 2222" > /etc/ssh/ssh_config) but similar version of this solution has worked for me for some time up until DSM 5.0 Update 2 (last week) which has broken it.

You can check tcpdump traces of the connections being made by network backup, they are sequentially made on the following destination ports : 873 (rsync port), 22 (ssh default port), 2222 (custom port).
As port 22 isn't forwarded on the other end (totally the point of choosing a custom ssh port), network backup on custom port now fails...
Jungle Power !
windar
Sharp
Posts: 160
Joined: Wed May 28, 2008 12:35 pm

Re: DSM5 - network backup over custom port

Postby windar » Tue Apr 22, 2014 10:38 am

Feedback from support : this issue should be fixed in an update coming this week.
Jungle Power !
windar
Sharp
Posts: 160
Joined: Wed May 28, 2008 12:35 pm

Re: DSM5 - network backup over custom port

Postby windar » Thu Apr 24, 2014 8:22 pm

Fixed in DSM 5.0-4482 ! :)
Jungle Power !
Bond007
Trainee
Trainee
Posts: 12
Joined: Thu Apr 24, 2014 2:46 pm

Re: DSM5 - network backup over custom port

Postby Bond007 » Fri Apr 25, 2014 3:12 pm

Newbie questions please. Sorry.
:)

This document,
http://www.synology.com/en-global/support/faq/299

Says that for standard backups use port 873 and TCP, but for encrypted backups use port 22 and TCP.

Question 1
But in DSM5.0 there is no longer an option to encrypt the data of the backup as it is transmitted.
Can we assume it is now always encrypted?
Or did I miss something?

Question 2
If so which port should we be looking at 873 or 22?

Question 3
I understand there is an update coming this week that allows the use of another port, other than port 22 for the backup.
Would this be for the GUI or the command line?

Thanks!
windar
Sharp
Posts: 160
Joined: Wed May 28, 2008 12:35 pm

Re: DSM5 - network backup over custom port

Postby windar » Fri Apr 25, 2014 4:25 pm

Bond007 wrote:
Question 1
But in DSM5.0 there is no longer an option to encrypt the data of the backup as it is transmitted.
Can we assume it is now always encrypted?
Or did I miss something?


You missed it, it is configured in the Backup Task (and not in the Backup Destination), if the associated Backup Destination supports encryption.
When you create a Backup Destination, DiskStation will try both rsync (TCP 873) and encryption (TCP 22) capabilities of the remote server you've just declared and then propose them to you when creating a Backup Task using this Backup Destination.

Question 2
If so which port should we be looking at 873 or 22?


By default, 873 is unencrypted and 22 is encrypted.

Question 3
I understand there is an update coming this week that allows the use of another port, other than port 22 for the backup.
Would this be for the GUI or the command line?


The update came out yesterday, and it is more like a fix regarding this issue because it previously worked.
This cannot be configured in GUI, it has to be done in command line.
If, for instance, you wish to use port 2222 (instead of port 22) for encryption, connect to your DiskStation in SSH/Telnet and type this :

Code: Select all

echo "Port 2222" >> /etc/ssh/ssh_config
Jungle Power !
kornelis
I'm New!
Posts: 3
Joined: Sun May 26, 2013 7:20 pm

Re: DSM5 - network backup over custom port

Postby kornelis » Sat Apr 26, 2014 10:33 pm

Hi Windar,

Great work, previously I was editing the port in "/etc/services". Any way to restart the SSH daemon through telnet or do I need to restart the Synology for this to take effect?
windar
Sharp
Posts: 160
Joined: Wed May 28, 2008 12:35 pm

Re: DSM5 - network backup over custom port

Postby windar » Sat Apr 26, 2014 10:43 pm

The changes take effect immediately, no need to restart anything.
The SSH daemon has nothing to do with this.
Jungle Power !
kornelis
I'm New!
Posts: 3
Joined: Sun May 26, 2013 7:20 pm

Re: DSM5 - network backup over custom port

Postby kornelis » Sat Apr 26, 2014 11:56 pm

Awesome, thanks!
