Mikrotik RouterOS Dynamic Update Script for OpenDNS

There is a need to provide some level of parental control and kid-safe Internet access at home. Using OpenDNS is an easy and cost-free solution.

To customize the web security filtering policies for your own case, you need to report your home Internet public IP to OpenDNS so that your customized policy will be applied. In a dynamic IP situation, it is essential to keep telling OpenDNS the latest correct Internet IP. Instead of installing the OpenDNS updater client on Mac/Windows/Linux, we can use Mikrotik RouterOS scripts to update the IP directly.


Mikrotik RouterOS work with Cisco Aironet AP

Background:

I have a spare Cisco Aironet 3702i, but I do not have a Cisco Wireless Controller to manage it. I do like its wireless capability, though, and I want it to replace the ASUS RT-AC68U as the main home wireless access point.

I also have a Mikrotik hex POE 960PGS router to provide both connectivity and power to surveillance camera.

I want to fully utilize the gear I have and use a cost-effective solution to achieve a secure home wireless network.

Target:

  • Multiple SSIDs with different VLANs, different encryption and authentication methods
  • Each SSID network needs to be segregated from the others
  • One SSID needs to be in the same subnet as the local wired network


Synology Letsencrypt DNS-01 cert issue and install

Install the acme.sh Client

  • SSH to Synology DiskStation.
  • Run sudo -i to log in as root.
  • Install acme.sh manually.
    $ wget https://github.com/Neilpang/acme.sh/archive/master.tar.gz
    $ tar xvf master.tar.gz
    $ cd acme.sh-master/
    $ ./acme.sh --install --nocron --home /usr/local/sbin/acme.sh
    

Log out and log back in, so the install is done :)

  • Next, do the configuration:
    $ cd /usr/local/sbin/acme.sh
    $ export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
    $ export CF_Email="[email protected]"
  • Issue and install the certs. Adjust the command below to reflect your own path and domain name.
    $ ./acme.sh --issue -d YOURDOMAIN.TLD --dns dns_cf \
        --certpath /usr/syno/etc/certificate/_archive/PATH/cert.pem \
        --keypath /usr/syno/etc/certificate/_archive/PATH/privkey.pem \
        --fullchainpath /usr/syno/etc/certificate/_archive/PATH/fullchain.pem \
        --capath /usr/syno/etc/certificate/_archive/PATH/chain.pem \
        --reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh reload"
  • Configure crontab for root:
    $ vi /etc/crontab
    Add the following line to the crontab. Remember to use tabs for spacing.
    0    10    2    *    *    root    /usr/local/sbin/acme.sh/acme.sh --cron --home /usr/local/sbin/acme.sh/


Synology Cloudflare DDNS Script

Run commands in Synology

  1. Download cloudflareddns.sh from this repository to /usr/local/sbin/cloudflaredns.sh
wget https://raw.githubusercontent.com/joshuaavalon/SynologyCloudflareDDNS/master/cloudflareddns.sh -O /usr/local/sbin/cloudflaredns.sh

If you save the script under another name or path, make sure you use the right path in the steps below.

  2. Give the script execute permission
chmod +x /usr/local/sbin/cloudflaredns.sh
  3. Add cloudflareddns.sh to Synology
cat >> /etc.defaults/ddns_provider.conf << 'EOF'
[Cloudflare]
        modulepath=/usr/local/sbin/cloudflaredns.sh
        queryurl=https://www.cloudflare.com/
EOF

The queryurl value does not matter because we are going to use our own script, but the field is required.

Get Cloudflare parameters

  1. Go to your domain overview page and get the Zone ID.
  2. Go to your account setting page and get API Key.
  3. Get record id using Cloudflare API.
curl -s -X GET "https://api.cloudflare.com/client/v4/zones/[Zone ID]/dns_records" \
	-H "X-Auth-Email: [Email]" \
	-H "X-Auth-Key: [API Key]" \
	-H "Content-Type: application/json" \
	| jq '.result[] | {name, id, zone_id, zone_name, content, type}'

You need to replace each [] placeholder with your own parameter. The id in the result is your Record ID.

Setup DDNS

  1. Enter the parameters to the cloudflareddns.sh.
  2. Login to your DSM
  3. Go to Control Panel > External Access > DDNS > Add
  4. Select Cloudflare as service provider. Enter your domain as hostname, your Cloudflare account as Username/Email, and API key as Password/Key

Customize Namecheap DDNS script for Synology

sudo -i
wget https://www.xfelix.com/wp-content/uploads/2017/06/namecheap.zip
unzip namecheap.zip
Extract and move namecheap.php to /usr/syno/bin/ddns/

Grant privilege
sudo chmod 755 /usr/syno/bin/ddns/namecheap.php

Edit DDNS Provider list
sudo vi /etc.defaults/ddns_provider.conf
Insert
[Namecheap]
modulepath=/usr/syno/bin/ddns/namecheap.php
queryurl=https://dynamicdns.park-your-domain.com/

In the DSM web interface, open the DDNS menu
Hostname: example.com
Username/Email: www
Password: nameCheap DDNS passkey
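
Both the Cloudflare and the Namecheap procedures above add a section to /etc.defaults/ddns_provider.conf that points DSM at a script it will run on each DDNS update. The following is an added example, not part of the original posts or of either script's project: a POSIX shell helper that appends the section only once and refuses a module that is missing, not executable, or writable by group or others. The function names and the CONF override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: register a DDNS module in ddns_provider.conf safely.
# CONF defaults to the path used on this page; override it for a dry run.
CONF="${CONF:-/etc.defaults/ddns_provider.conf}"

# module_is_safe PATH -> 0 if PATH is a regular, executable file that
# neither group nor others can write to. A module that someone else can
# rewrite changes what DSM runs on the next DDNS update.
module_is_safe() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    # find prints the path only when a group- or world-write bit is set
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# has_section NAME -> 0 if a line consisting of "[NAME]" exists in $CONF.
has_section() {
    [ -f "$CONF" ] && grep -qxF "[$1]" "$CONF"
}

# add_provider NAME MODULEPATH QUERYURL
# Returns 0 = section added, 1 = module rejected,
#         2 = section already present (file left untouched).
add_provider() {
    if ! module_is_safe "$2"; then
        echo "refusing $2: missing, not executable, or group/world-writable" >&2
        return 1
    fi
    has_section "$1" && return 2
    printf '[%s]\n        modulepath=%s\n        queryurl=%s\n' \
        "$1" "$2" "$3" >> "$CONF"
}

# Usage, with the values from this page:
#   add_provider Cloudflare /usr/local/sbin/cloudflaredns.sh https://www.cloudflare.com/
#   add_provider Namecheap /usr/syno/bin/ddns/namecheap.php https://dynamicdns.park-your-domain.com/
```

Unlike a bare `cat >>`, running this twice leaves a single section in the file, so a repeated setup does not produce duplicate provider entries.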

 

Some Cyber Security tips

Trust Is Tops

  • Only use trusted apps or software. Download apps directly from trusted app stores such as iTunes and software from well-known sites. Be especially careful of apps or software you’ve never heard of or malware posing as legitimate apps. If you’re unsure if an app is legitimate, check the ratings and reviews in the app store. If it’s a major retailer and it only has one review or a low rating, it might be a copycat.
  • Don’t trust every search result. Just because you get dozens of search results for “free golf handicap spreadsheet calculator” doesn’t mean you should download each one to try them all.
  • Office documents and spreadsheets are notorious for hosting malware within embedded macros. If you frequent forums or communities of interest, ask what software others have used.
  • Beware of extras when installing software. Even legitimate software or browser add-ons can be accompanied by malware. Remember that every new app or software you install is a new potential entry point for cybercriminals. Be sure to uncheck extra software options unless you really need them.

Don’t Click That

  • Beware of unexpected emails. IBM X-Force has observed scammers using fraudulent package tracking emails, for example, to spread malware such as Locky ransomware. Be cautious and wary of unsolicited emails.
  • Double-check links. Scrutinise links in emails and social media posts. Hover over the URL to make sure a link directs to a legitimate website before clicking it.

Protect Your Passwords

  • Don’t save your info. Yes, it’s a pain to retype your info every time you want to order something online, but you should never save your password or credit card information in retail or bill payment sites, especially those you don’t frequent.
  • Use a special shopping email address and password. Have a separate email address just for retail websites and create unique passwords for each account. Use a password wallet to store your login credentials.
  • Get creative with password reset questions. When filling out account information, opt for the password reset question that doesn’t involve public information. For example, don’t use your high school mascot, since that could be found online. Instead, pick a subjective question (favourite dessert, favourite song, etc.) and enter answers that only you would know.
  • You can also create unique answers to each question and store them securely in a password wallet.

Control Your Credit Cards

  • Opt for credit over debit cards. Use credit cards instead of debit cards whenever possible. Credit card providers offer protection if your card is compromised and won’t dock your checking account if there’s an issue.
  • Use one-time credit cards. You may want to consider a one-time credit card when buying from a nontrusted or entirely new retailer. That way, you can avoid putting your personal card data at risk.

Add TransmissionBT task from iOS devices

Until now, there has been no official iOS app to add or manage torrent tasks in TransmissionBT. The only working application is iControlbits, which is available to jailbroken iOS users.
So there is not much choice left for non-jailbroken users to manage Transmission tasks. We can use the Safari web browser to view and delete downloading tasks, but there is no way to add a torrent file, as iOS has very strict privilege control over file handling. It is impossible to download a torrent file and upload it via the Safari browser.

Some Security Links

SSL / TLS / HTTPS

  1. Is TLS fast yet – A great site debunking the myths of SSL/TLS speed cost
  2. Firesheep – A watershed moment for SSL by demonstrating the ease with which unprotected traffic can be intercepted and sessions hijacked
  3. Qualys SSL Labs – Tests a variety of attributes of the SSL implementation by pointing it at any URL
  4. CloudFlare – Get SSL for free on any website
  5. Let’s Encrypt – It’s coming, and it promises to fix the current mess that is CAs and configuring certs
  6. Betsy’s free wifi – Shows a young girl standing up a rogue wifi hot spot
  7. Chromium HSTS preload list – All the sites submitted for HTTP strict transport security preload (a depressingly small number of them)
  8. HTTP Shaming – Sensitive data sent insecurely? Name and shame!


Disable Adobe Reader Sign In when open a PDF

I do not remember since when Adobe Reader has required users to log in with their Adobe ID upon opening a PDF file. It is quite annoying. Especially if you are on a slow Internet connection, you have to wait for the login page to be fully loaded. And during that time, you cannot scroll down to browse the PDF content. How to get rid of this silly online function? Here is the solution.
