
I am trying to set up a Lets Encrypt cert for my Synology NAS


G+_Tyson Vanover

I am trying to set up a Let's Encrypt cert for my Synology NAS. I live in a hostile location (near a technical high school with a fiber connection), and every time I change my Wi-Fi password I have about 3-4 weeks before my known devices balloon from 25 to 200 and I start seeing a lot of torrent traffic. And I have seen more than one cantenna in a window when walking through the neighborhood and am assuming some of the kids are cracking my WPA password.

 

The router is a Synology RT1900ac with WPA2-Personal, and I try to keep the firmware up to date.

 

So I have disabled file sharing on all my computers, and my NAS and router are set to HTTPS to prevent Firesheep sniffing admin passwords. However, this means I have to train the household to ignore the bad-certificate warning. On the router, fine, I am the only one using it. But for the NAS I think I will need a real cert. I would prefer to use a Let's Encrypt cert and not a self-signed cert, or a cert I have to install on all my clients.

 

I have a domain name for the house, so the NAS is assigned subdomains off of voh.haus, and I have set up a DNS master zone on the router to handle name-to-IP resolution. The NAS isn't publicly routable outside my network, and I would like to keep it that way. Any thoughts?


Let’s Encrypt has to be able to talk to itself with the given domain name, otherwise it has no way to verify you control the domain. So, if the NAS is not accessible, it can’t verify the domain. Now, I’m not sure if that’s one time or if it does it every time it renews.

 

But... you really want to keep them out of the network altogether. Nothing else will really make a difference if they are in your network.

 

Is it WPA or WPA2? Firmware up to date? How strong is your password?


I'm torn on the best solution here, but I agree that securing your network should be goal #1.

1st, I wouldn't expect a strong WPA2 password using AES encryption to be easy to hack. I'd definitely try a 28-character random password.

If you don't want to make it random, make it seem random. For example, open your favorite book and use the first character of each line, mixing in numbers and special characters. Or use misspelled phrases.

2nd, make sure all forms of WPS are disabled. WPA2 should be extremely hard to hack, but WPS is known to be a big weakness.

3rd, make sure your router and/or access point are up to date. If there's no recent firmware, it is probably time for an upgrade.


As for the cert... CAs have to verify that you control the domain, or at least the server the domain points to. The easiest way to do this with a script is by posting a file to a known location on the server, and that location has to be accessible by Let's Encrypt. Synology and many other free tools will do that for you.

 

There is another way, however, and I believe Let's Encrypt supports it. The CA can give you a random key to add as a TXT record on your domain. The CA can query that and verify you're the owner. I don't know if that would work for Synology or not, though.

 

Once you get the TLS cert, you'll have one more problem. That cert is only valid for one domain name. Unless you have an internal DNS server or can update the host file for all your devices, nothing will be able to connect on that domain name. Not saying it's impossible, but something to be aware of.

 

Good luck!!!

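The two certificate points in the post above (the TXT-record challenge, and a cert that only matches the name it was issued for) are worth seeing concretely. The following is an added example written for this page; it is not code from the thread, from Synology, or from Let's Encrypt. It shows what an ACME DNS-01 challenge (RFC 8555) actually puts in the _acme-challenge TXT record: the CA hands the client a token, and the client itself derives the record value from that token and the RFC 7638 thumbprint of its own ACME account key, so the host the cert names never has to be reachable from the Internet (DNS-01 is also the only challenge that can issue wildcard names such as *.voh.haus). It then checks which names a finished cert will match under the browser rules of RFC 6125, which is why an internal DNS entry for nas.voh.haus is needed and https://192.168.x.y:5001 will keep warning. The account key, token and hostnames are constructed placeholders.

```python
"""Added example for this thread (not Synology's or Let's Encrypt's code).
Part 1: what an ACME DNS-01 challenge (RFC 8555 section 8.4) puts in the TXT record.
Part 2: which hostnames a certificate's dNSName SANs will match (RFC 6125 rules).
Every key, token and hostname here is a constructed placeholder."""
import base64
import hashlib
import json
from urllib.parse import urlparse


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required public members, sorted keys,
    no whitespace. The thumbprint is SHA-256 over exactly this string."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)) identifies the ACME account key."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint(account key): proves the party answering the
    challenge holds the same account key that requested the certificate."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value to publish at _acme-challenge.<name> TXT: base64url(SHA-256(keyAuthorization)).
    The CA resolves that record over public DNS; the host the cert names never
    has to be reachable, which is what makes DNS-01 fit a LAN-only NAS."""
    return b64url(hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest())


def cert_name_matches(san_dns_names, hostname: str) -> bool:
    """Browser-style matching of a hostname against a cert's dNSName SANs:
    case-insensitive exact match, or a '*.' wildcard covering exactly one
    left-most label (RFC 6125). An IP address never matches a dNSName."""
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for san in san_dns_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            san_labels = san.split(".")
            if len(san_labels) == len(host_labels) and san_labels[1:] == host_labels[1:]:
                return True
    return False


def url_name_matches(san_dns_names, url: str) -> bool:
    """Same check starting from what a user types: port and path are not part
    of the name, so https://nas.voh.haus:5001/ is matched as nas.voh.haus."""
    host = urlparse(url).hostname
    return host is not None and cert_name_matches(san_dns_names, host)


if __name__ == "__main__":
    # Constructed account key (not a real modulus) and a constructed token.
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
    token = "constructed-token-ABC123"
    print("_acme-challenge.nas.voh.haus TXT", dns01_txt_value(token, account_jwk))
    for url in ("https://nas.voh.haus:5001/", "https://192.168.1.10:5001/", "https://nas:5001/"):
        print(url, "->", url_name_matches(["nas.voh.haus"], url))
```

The matching function explains the "one more problem" in the post: the household must reach the NAS by the exact DNS name on the cert (or a name covered by a wildcard SAN), which is exactly what the router's master zone for voh.haus provides; typing the LAN IP or a bare short name will still produce the warning.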

I agree: your first action should be to keep the visitors out of your LAN!

With local access to your machines, you have more to worry about than just the login passwords or being able to remotely log in to the NAS (they can already do that when they're inside the network).

 

If your router supports it I would:

- ensure router firmware is up to date

- set up a strong, and long, WPA2 password

- set up MAC address restrictions (it is not real security, as MAC addresses can be spoofed, but it raises the bar)

- define a separate Wi-Fi VLAN and set up firewall rules to only allow known clients to your "sensitive devices" like the NAS

 

If it doesn't, I recommend you buy one that does. Unfortunately your neighborhood requires you to invest (time and money) to keep your family network safe and secure.

 

To get back to your certificate question: Let's Encrypt (LE) is built in on the latest releases of DSM (the OS running on Synology NASes).

 

In previous versions, it required you to open port 80 for LE to do some confirmations, but that is not required anymore (the LE certbot will go out and renew itself every 3 months), although you do need to set up QuickConnect and DDNS for it to work.

 

If you don't want to allow external access, you can manually refresh the cert instead of waiting for the certbot on the NAS to do it.

That way you can have external access disabled all the time; then, when you want to refresh the cert, you

- briefly enable QuickConnect, then

- refresh the cert, and

- disable QuickConnect again.

 

As said, the LE certs are valid for three months, so that's only required 4 times per year.

 


I have heard of people setting up a VPN for access to their LAN from their own WLAN. I think that's what you'll want to do. That means you'll likely want to have a separate NAT router for your LAN and your WLAN.

 

Imagine Steve Gibson's 3 Dumb Routers.

Router 1 = modem/gateway device. Wireless disabled. Only other routers are connected to it.

 

Router 2 = Trusted net. Wireless disabled. This is your LAN. Everything you want on a network is wired to this one. This is where you host a VPN for your mobile devices to connect to. I imagine there's a good VPN app for Synology that makes setup easy peasy.

 

Router 3 = Untrusted net. Wireless on. WPS disabled. WPA2 (AES) enabled. Wireless Isolation on. MAC filtering on, deny all except those you add. Perhaps even a captive portal would be a nice addition, at least slowing anyone who doesn't have this week's secret.

 

So, the basic idea is that your mobile devices will each be configured to use the VPN all the time, so they will connect to your trusted network no matter where they connect from. Since your mobile devices are using a VPN, their traffic is useless to any sniffing lurker.

 

This could also be done with only two routers; router 1 as modem/gateway/untrusted wifi, and router 2 as trusted (wired-only) LAN.


The angry side of me says fight back somehow. I'm not going to suggest plumbing a microwave oven magnetron to a yagi, but I'd sure as heck be trying anything to thwart them. Imagine logging in to their router that's acting as a client, and changing the admin credentials, then disabling the reset button, boot wait, wireless, DHCP server, NAT, and anything else you want, and giving it a reboot. It won't be bricked, but it'll be close enough that they won't be able to recover without a JTAG or some other wizardry. They'll learn not to mess with your network again.

 

...Or just put up a bunch of honeypot routers that don't connect to anything at all, using the same SSID as your home router, and turn off your real wifi when you're not at home. That way they keep seeing "your" network as a dead-end and give up messing with it.

 

... Or just pay them a visit and tell them you know what they're doing and you hope they enjoy the gonorrhea and anal warts they get in prison.


+Randy Widell +Ben Reese It is WPA2 and a Synology NAS with up-to-date firmware. And I use LastPass to generate and distribute the password to family users. The problem is effectively unlimited time and faster cracking with KRACK running on a RasPi with a cantenna.

 

+Jason Marsh I donate to their fund drives for RasPis and components, and I have helped out at their mini Maker Faire showing how to make cantennas. And considering what I did with what I got off of BBSs back in the day, I can't complain too much. They are not destructive, just more of an annoyance at this point.


Tyson Vanover Maybe I'm wrong, but I didn't think KRACK could expose a WPA2 password, only allow the third party to sniff the traffic of the victim device. Perhaps it could be pivoted to imitate that victim device on a network? The only sure way I've seen to actually get the WPA2 password is through brute-force hacking. Definitely possible I misunderstood the vulnerability though.


security.stackexchange.com - Why is WPA Enterprise more secure than WPA2?

 

"WPA2-Enterprise is only a little bit different behind the scenes, but the security implications are severe: The client associates to the access point, authenticates to the access point, who passes this on to a backend RADIUS server (using EAP, but that's not important here, so more on that at the end). When the RADIUS server has authenticated the client, it gives the access point an OK, plus a RANDOM 256bit pairwise master key (PMK) to encrypt data traffic for the current session only"


I would also use Steve Gibson's Perfect Paper Passwords. Make the longest one your Wi-Fi router can take. Initial device configuration might be a pain if you have to type them in by hand, but I have never had one hacked via password guessing using this method. It's easy if you can copy and paste password configurations in the devices to connect. Then also use other suggestions posted to secure further. Go to grc.com to get those.


There was a recent vulnerability found in the WPA2 protocol. It is a problem with the protocol not the implementation of it. The only fix is to get WPA3 out there as fast as possible.

krackattacks.com - KRACK Attacks: Breaking WPA2

 

I did not listen closely enough, but Steve Gibson discussed it with Leo on an episode of Security Now not too long ago (within 6 months). It may have been this one: https://www.grc.com/sn/sn-670.pdf

 

So for now the best thing to do is to use very long, obscure passphrases and change them often. If the locals are recording all the Wi-Fi traffic they can use this new attack to get the data. And unfortunately this is an offline attack; they don't need to be at your house to do it once they have the data.

 

Here is the new password crack: https://www.theregister.co.uk/2018/08/06/wpa2_wifi_pmkid_hashcat/

 

Safest thing is to not use Wi-Fi. If you can't do that, drop the signal strength on your AP so it does not leave the house.

Brent Vrieze to the best of my knowledge, KRACK still only allows snooping on a single client and does not grant access to the network directly. I believe this is how Steve explained it on that episode too.

 

This is the first time I've seen that PMKID attack, but I don't know that it's any faster than sniffing the 4-way handshake that's previously been used. Perhaps the only advantage is that you don't have to break the FCC rules around wireless denial of service. If you're willing to hack someone's wireless network, you probably don't mind issuing the de-auth frame to disconnect someone. The real security risk is in weak passwords.