18 Synology DSM
Mathieu Simon edited this page 2024-01-24 07:41:26 +01:00

Synology Disk Station Manager, or DSM for short, is a Linux-based operating system shipped with various devices made by Synology. This guide currently covers the DSM 7.2 branch.

DSM 7.2

Connect to a Synology device with DSM 7.2 via its web interface in order to apply these options:

  • Open the Control Panel
  • On the bar, scroll down to Connectivity and click on Terminal & SNMP
  • On the Terminal tab, check if Enable SSH service is enabled
  • If yes, click on Advanced Settings
  • Select the security level Customize

This opens the window Customize encryption mode, which contains 3 rows: Cipher, KEX and MAC. Configure them as follows:

Customize encryption mode

Cipher

Leave the following ciphers enabled and disable the remaining ones:

aes128-ctr
aes128-gcm@openssh.com
aes192-ctr
aes256-ctr
aes256-gcm@openssh.com

In order to work around CVE-2023-48795, chacha20-poly1305@openssh.com is disabled until Synology eventually provides a patched version of OpenSSH with DSM. Last checked against: DSM 7.2.1-69057 Update 4.

KEX

Leave the following key exchange algorithms (KEX) enabled and disable the remaining ones:

curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512

MAC

Leave the following message authentication codes (MAC) enabled and disable the remaining ones:

hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
umac-128-etm@openssh.com

Applying the settings

Click on Save to close the window Customize encryption mode, which returns you to the window Advanced Settings. There, click on Save again to close this window. Finally, back in the Control Panel, click on Apply.

Hint: If you get an error saying no changes have been made when applying the changed configuration, even though you actually did change ciphers, DSM doesn't detect changed options in "customized ciphers". In order to apply them nonetheless, use the following steps as a workaround:

  • Note the currently-configured SSH port (default: 22)
  • Change its value to something else, such as 222, then click Apply
  • Then revert the port setting to the previous value and click on Apply once more.
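
To confirm that the customized lists really took effect after Apply (including after the port workaround above), the effective sshd settings can be compared against the Cipher, KEX and MAC lists in this guide. The following is an added example, not part of the original guide or of ssh-audit; it assumes the text comes from running `sshd -T` as root on the device, the function names are illustrative, and the sample input is constructed.

```python
# Added example: allowlists copied from the Cipher, KEX and MAC sections above.
ALLOWED = {
    "ciphers": {
        "aes128-ctr", "aes128-gcm@openssh.com", "aes192-ctr",
        "aes256-ctr", "aes256-gcm@openssh.com",
    },
    "kexalgorithms": {
        "curve25519-sha256", "curve25519-sha256@libssh.org",
        "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
    },
    "macs": {
        "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
        "umac-128-etm@openssh.com",
    },
}

def parse_effective(sshd_t_output):
    """Return {keyword: [algorithms]} for the three keywords in `sshd -T` output."""
    found = {}
    for line in sshd_t_output.splitlines():
        keyword, _, value = line.strip().partition(" ")
        if keyword.lower() in ALLOWED:
            found[keyword.lower()] = [a for a in value.strip().split(",") if a]
    return found

def audit(sshd_t_output):
    """Return {keyword: {"unexpected": [...], "missing": [...]}}; {} means full match."""
    effective = parse_effective(sshd_t_output)
    report = {}
    for keyword, allowed in ALLOWED.items():
        # A keyword absent from the capture counts as all entries missing.
        offered = set(effective.get(keyword, []))
        diff = {"unexpected": sorted(offered - allowed),
                "missing": sorted(allowed - offered)}
        if diff["unexpected"] or diff["missing"]:
            report[keyword] = diff
    return report

# Constructed sample (not from a real device): the cipher change was not applied.
SAMPLE = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
"""

if __name__ == "__main__":
    for keyword, diff in audit(SAMPLE).items():
        print(keyword, diff)
```

An empty result means the running configuration matches this guide; any `unexpected` entry means a setting was not applied.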

Limitations

At least DSM version 7.2 doesn't allow you to reach a perfect score, since neither host keys nor host-key algorithms can be updated or modified in a supported way other than by manually modifying /etc/ssh/sshd_config. Also, those manual changes are likely to be overwritten by, for example, system updates or other configuration changes via the DSM web interface.

Validated versions

DSM | ssh-audit
DSM 7.2.1-69057 Update 4 | master @ fe65b5df8a2d36fb85747f600685091487837c0d
DSM 7.2.1-69057 Update 3 | master @ c8e075ad13516b59ab30461d2590c3403e3379e8
DSM 7.2.1-69057 | master @ 02ab487232de438c0811116f2676cb1c9b5f3d62
DSM 7.2-64570 Update 3 |