From ff1abe64a01debd96932bc44d10bfbab840c61ce Mon Sep 17 00:00:00 2001 From: Mathieu Simon Date: Thu, 31 Aug 2023 15:36:52 +0200 Subject: [PATCH] Add an initial page for Synology DSM --- Synology-DSM.md | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 Synology-DSM.md diff --git a/Synology-DSM.md b/Synology-DSM.md new file mode 100644 index 0000000..1e0da59 --- /dev/null +++ b/Synology-DSM.md 
@@ -0,0 +1,52 @@ +Synology Disk Station Manager or short **DSM** is an Linux-based operating system shipped with various devices made by Synology. + +Connect to a Synology device via its web interface in order to apply these options: + +* Open the **Control Panel** +* On the bar, scroll down to **Connectivity** and click on **Terminal & SNMP** +* On the tab **Terminal** tab check if **Enable SSH service** is enabled +* If yes, click on **Advanced Settings** +* Select the security level **Customize** + +This opens a window **Customize encryption mode**, which contains 3 rows: Cipher, KEX and MAC, configure them as follows: + +## Cipher + +Only leave the following ciphers enabled: + +``` +aes128-ctr +aes128-gcm@openssh.com +aes192-ctr +aes256-ctr +aes256-gcm@openssh.com +chacha20-poly1305@openssh.com +``` + +## KEX + +Only leave the following key exchange algorithms enabled: + +``` +curve25519-sha256 +curve25519-sha256@libssh.org +diffie-hellman-group16-sha512 +diffie-hellman-group18-sha512 +``` + +## MAC + +Only leave the following MACs enabled: + +``` +hmac-sha2-256-etm@openssh.com +hmac-sha2-512-etm@openssh.com +umac-128-etm@openssh.com +``` + +Finally in click on **Save** to close this window, returning back to the windows **Advanced Settings** where you need to click on **Save** again. Finally back in the Control Panel, click on **Apply**. + + +## Limitations + +At least DSM version 7.2 doesn't allow you reaching a perfect score, since neither host keys, nor host-key algorithms can be updated or modified in a supported way other than by manually modifying ``/etc/ssh/sshd_config``. Also those manual changes are likely overwritten by i.e. system updates or other configuration changes via the DSM web interface. \ No newline at end of file
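Review bot: The Limitations paragraph refers to a "perfect score" without saying which tool produces that score, so a reader who lands on this page alone cannot tell what is being measured; name the tool there or link to the page that introduces it. In the same paragraph, "by i.e. system updates" should read "e.g.", and since manual edits to `/etc/ssh/sshd_config` are described as likely to be overwritten, the text should tell readers to re-verify any such edit after a system update or a configuration change made through the DSM web interface. It would also help to state the DSM version the Cipher, KEX and MAC lists were checked against near the top of the page, because version 7.2 is only mentioned at the very end. Wording nits in the steps: "is an Linux-based" should be "a Linux-based", "On the tab **Terminal** tab" repeats "tab", "Finally in click on **Save**" has a stray "in", and "the windows **Advanced Settings**" should be "window". The file also ends without a trailing newline.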