Two Security Approaches You Should Be Taking on Your Network

Routers these days are very sophisticated in what they can do, and you should take the time to configure yours to provide robust security. While not meant to be in any way comprehensive as to everything you should be doing from a security perspective on your router, this post offers two security approaches you should be implementing with your devices and router(s):

  1. Use the guest network for anything that doesn't need to talk to other devices on the network.

    Actually, if your router supports VLANs, using a VLAN for anything that doesn't need to talk to other devices on the network is even better than using the guest network. For more information on this, see this excellent post. But as that post points out, most home routers do not, as of this writing, support VLANs. As such, utilizing a guest network is your best option on most home routers.

    A guest network sounds like something you would use only for your guests' devices, but this is too limited a view of a guest network; instead, you should think of your guest network as the place to put any device that doesn't need to talk to other devices on the network.

    These days there are all sorts of IoT (Internet of Things) devices that we don't access directly but rather interact with via a cloud service. Got a smart thermostat on your network? How about a smart plug? Maybe a smart scale? Chances are that you don't directly access these devices but rather you access a cloud service to interact with these devices. Well, if that's the case, why would you want these devices to be able to talk to other devices on the network? Put them on your guest network: they'll still have access to the Internet, they just won't have access to other devices on the network. Now, you may be thinking "well, just because I don't need them to access other devices on the network doesn't mean I care if they can access other devices on the network." Well, you should care: unfortunately, devices do become compromised from time to time and if someone gets into one of yours, you don't want him/her to use that access to gain additional access to network traffic and/or devices on the network. So: guest network for anything that doesn't need to be able to talk to other devices on the network.

    And you know what would make it even better? If the guest network were on a completely separate router from your main network! If you really want to isolate the devices on your guest network as much as possible from your main network then you use 2 routers and the first (the one connected to the outside world, which most commonly would mean to your router) has the guest network on it and the second (which is connected to the WAN of the first) has your main network on it. Then even if a bad actor gains access to your guest network or to a device on it, he/she would have to gain access from the outside to your second router in order to compromise your main network.

  2. Disable access to/from the Internet for anything that doesn't need it.

    This one goes right along with the one above: in the same way that you don't want to give access to other devices on your network to anything that doesn't need it, you don't want to give Internet access to any device that doesn't need it. Have a printer on your network? Does it need Internet access? Chances are that it does not: chances are that you only need to be able to send print jobs to it on your local network. In the last item, I pointed out that unfortunately, devices do become compromised from time to time, and in that case the point was to protect everything else on the network from a device that becomes compromised. Here the goal is to protect a device from becoming compromised in the first place, which is especially important considering that if you need to talk to it (in this example, send print jobs to it) then you can't put it in the guest network, which means that if it does become compromised then it's that much easier for the attacker to gain additional access to network traffic and/or other devices on the network. So: turn off access to/from the Internet for anything that doesn't need it.

    Okay, great! But how do you do that? Well, the mechanism will vary from router to router, but in general the approach to use is going to be to create firewall rules. You will likely need a firewall rule that blocks all access from all ports from the outside (that is, the Internet) to a device and then a second firewall rule that blocks all access from all ports from a device to the outside. And you'll need such rules for every device on your network, so it might end up being a lot of rules. However, if you follow the guidance in my post Use a More Sophisticated IP Address Scheme on Your Network, you can create (if your router supports it) a rule for the entire octet you use for these devices.

Adding a User to the Administrators Group on a Synology Router

Background

I am a huge fan of Synology products. I started with an ioSafe disaster-proof NAS powered by Synology. I bought it because I had a very typical NAS use case: I had some very important data that I wanted to safely store and make accessible via my network. And my ioSafe NAS is amazing at doing that job for me! However, once I got it, I realized it is so much more than just network-attached storage, it's an awesome little server that does a ton of great things for me.

But this post isn't about working with Synology NAS devices, it's about working with Synology routers. So moving on to routers: I've been through a bunch over the years. Quite some time back, I was all about installing DD-WRT onto Linksys routers because DD-WRT allowed the hardware to do so much more than the native firmware and that was useful to me. But when Synology announced they would be releasing their first router, the now-discontinued RT1900ac, I was interested in checking it out and I eagerly snapped it up as soon as it was available. And I loved it, and so when they released their next-generation router, the RT2600ac, I got it as soon as it was available, and I migrated to it from the RT1900ac to get even better range and performance.

One of the great things about Synology's management software for their NAS devices and their routers is that they let you create your own administrator account and give it any user name. This is huge because it means you can disable the default administrator account, which is a security best practice (if an attacker trying to login to a system has to guess at not only the account password but also the account user name, it's that much harder for that attacker to gain access to that system).

You can create a new administrator account on a Synology router using SRM (Synology Router Manager, the GUI for administrating Synology routers) during initial setup of the router. In fact, I believe you actually must set up a new administrator account during initial setup of the router; it's really great that they implemented it that way (though if I'm remembering correctly, it's still up to you to go disable the default administrator account). However, when I started with Synology routers, it didn't work that way: I don't believe that I even had the option to create an administrator account during setup and I certainly wasn't required to do it.

So for all these years that I've had these routers, I have been using the default administrator account. But recently, someone with IP addresses in Russia tried to gain unauthorized access to my Synology NAS (fortunately, they were unsuccessful), and thereafter I decided I needed to step up my security game. There were several measures I took, and one of them was to create a new account, add that account to the administrators group, and then disable the default administrator account on my router as well as on my NAS.

Creating a new account is easy in SRM as well as in DSM (DiskStation Manager, the GUI for administrating Synology NAS devices). Disabling an account (in this case, the default administrator account) is also easy in both SRM and DSM. However, administrating groups, while easy in DSM, is not functionality provided in SRM, which created a major snag in my plan. I was able to work around it by utilizing SSH, and that's what I will show you how to do here. As well as I can tell, no one else has both figured out how to do this process and commented about it on the web and that meant I had to dig in and figure it out, which was a time-consuming process, and I'm writing this in the hopes it can help you get it done a lot faster.

So let's get started!

The steps

  1. Create a backup of your router's configuration settings. If something goes sideways here, you're going to want to have a backup of your router's configuration settings. If you need more information on how to do this, check out this SRM Help Article.
  2. Create the account you want to add to the administrators group. That is to say, create your new administrator account, only it won't be an administrator account when you create it, it will just be a regular user account. But you have to create it and then after you create it, you'll be able to add it to the administrators group. Note that it's possible to create a new account via SSH, but since it's easy in SRM, I recommend you go the SRM route, but it's your call.

    To create a new account in SRM, launch Control Panel, choose User from the menu on the left, press the + button above the list of users, and then fill in the user form (provide values for Name, Password, and Confirm password) as shown in the following screenshot. It goes without saying (but I'll say it anyway) that the Password and Confirm password values need to be the same. But an important note: it's best if the Name value does not include spaces because if you include spaces, the SSH commands in the following steps won't work as written.

    Note that I'm using newadmin for the value of Name, but you'll want to instead use the value you want to use for your new administrator account. Also note that in this and many of the screenshots that follow, I have redacted the user name of accounts I have created on my router.

    When you have filled in the user form, press the Apply button and your new account will be created as shown in the following screenshot.

    You will notice that the new account does not bear the little gold medal with a red ribbon on the user icon like the default administrator account does, which means that the account is not at this time part of the administrators group (adding it to the administrators group is what we'll do next using SSH). Note that I have already gone through and created a new account and added it to the administrators group, so what I'm doing for this exercise is creating yet another account and adding it to the administrators group; as such, there are a couple of differences in my screenshot and what you'll see: the little gold medal with a red ribbon on the user icon isn't showing on the default administrator account because I've disabled that account, but you can see that it is showing on my actual new administrator account (the user name of which I have redacted in the screenshot).

    It's a good idea to press the Edit button for your new account and then, in the dialog that appears, enter a Description and Email for the new user (and then when you're done you'll of course need to press the OK button to save those changes).

  3. Enable SSH. Login to SRM using your default administrator account, launch Control Panel, choose Services from the menu on the left, and then choose the System Services section at the top. You'll see the first portion of the page is Terminal and the first option listed is a checkbox labeled Enable SSH service; you want to check this box (you can leave the port at the default value of 22) then press the Apply button at the bottom of the page.

    You will then most likely get a Firewall Notification dialog asking if you want to allow Internet access to SSH; for purposes of what we're doing here, you definitely do not want this as this creates a potential attack vector for those who may wish to compromise your router. So simply hit the Cancel button.

    Remember what you did here because in the final step you're going to come back here and uncheck this box and apply that change. Even if you found that SSH was already on, I recommend you come back and disable it at the end of this process unless you have a known need to have it enabled as this will preclude any potential security concerns.

  4. Launch your SSH client. If you're on Windows, I'm going to leave this to you to research for yourself how to do this. If you're on a Mac, you simply need to launch Terminal. If you're reading this post and you're a Mac user, you most likely already know how to launch Terminal, but if you don't, check out this information.
  5. SSH into your Synology router as the root account. On a Mac using Terminal, this is the command you need to use:

    ssh -l root xxx.xxx.xxx.xxx

    Where you replace xxx.xxx.xxx.xxx with the IP address of your router (you will see that in the screenshots that follow I utilize synologyrouter.local instead of the router's IP address; if you want to utilize that approach, you'll need to use xxx.local where xxx is whatever name you have listed for your router in Control Panel > System > SRM Settings). The command to use might vary slightly with another SSH client.

  6. Enter the password for your default administrator account then press the return/enter key. In Terminal (I can't speak for other SSH clients), the keystrokes for your password won't be reflected on the screen in any way until you have fully typed in the password and pressed the return/enter key. By the way, you're actually entering the password for the root account here, but on Synology routers the password for the root account is the same as the password for the default administrator account. Note that even after you have disabled your default administrator account, the password for the root account continues to be the same as the password for the default administrator account.

  7. Retrieve the current members of the administrators group. Don't overlook this step!!! Ideally, you'd be able to simply add the account you created in step 2 to the administrators group, but that's not possible; rather, when you're modifying the membership of a group, you have to specify all of the accounts you want to be members of the group. So that is to say when you're modifying the membership of a group, it's always a complete overwrite of the existing membership of the group. Therefore, before making any changes to the membership of a group, you need to know what users are currently in the administrators group so that you can specify them, along with the account you created in step 2, as the members of the group. Okay, with that, here's the command to use:

    synogroup --get administrators

    After you enter this command and press the return/enter key, you get a listing of information about the administrators group, including its current members, as shown in the following screenshot. As I mentioned previously, I have already gone through and created a new account and added it to the administrators group, so what I'm doing for this exercise is creating yet another account and adding it to the administrators group, and accordingly my administrators group already shows my new administrator account (I've redacted the user name of this administrator account in the screenshot), but I expect yours will only show admin and SynologyCMS. But regardless of exactly what accounts are shown as members of the administrators group, I recommend that you keep them all as members of the administrators group going forward (meaning you include them all in the command you'll type in the next step).

  8. Write all the members of the administrators group. That verb "write" may sound a little wonky, but I can't stress enough that what you're doing in this step is overwriting the existing membership of the administrators group with the new membership you're specifying in this step. If you mess this up, it could be very bad for you (and this is why step 1 here was to create a backup of your router's configuration settings). You must specify each and every member of the administrators group in this single command. Here's the command:

    synogroup --member administrators admin SynologyCMS newadmin

    So in the synogroup --member administrators part, you're specifying that you're writing the members of the administrators group and then after that you're including each of the accounts you want to be a part of the administrators group. You can see in the screenshot below that I'm specifying all of the accounts returned from the command in the previous step and I'm adding in newadmin, which is the name of the new account I want to add to the administrators group (you of course will need to replace newadmin with whatever account you created in step 2). Again, remember that the redacted parts are my actual new administrator account so don't worry about those, you just need to list all the existing accounts that are members of the administrators group plus the account you created in step 2.

    Just as was the case with the previous command, after you enter this command and press the return/enter key, you will get a listing of information about the administrators group, including its current members, as shown in the following screenshot. As I mentioned previously, I have already gone through and created a new account and added it to the administrators group, so what I'm doing for this exercise is creating yet another account and adding it to the administrators group, and accordingly my administrators group already shows my new administrator account (I've redacted the user name of this administrator account in the screenshot) but you can see that beyond that I'm showing exactly what I expect and what I want here: I have admin, SynologyCMS, and newadmin as members of the administrators group. And this is what you want to see too, except of course rather than newadmin you want the list to include whatever account you created in step 2; if that's what you see, you did it! Now it's time to check things out and clean things up.

  9. Terminate the SSH connection. You might want to skip ahead to the next step and check to make sure that you're seeing the account you created in step 2 as being a member of the administrators group and then come back to this one, but I'm putting it here so that I'm not switching out of Terminal and then back into it. Anyway, all you need to do here is type this command and then hit the return/enter key:

    exit

    After you do that, you can also quit your SSH client as you see fit (you won't need it any longer for what we're doing here).

  10. Login to SRM with the account you created in step 2 and disable the default administrator account. When you created the new account in step 2, you could login to SRM, but you didn't have administrator rights nor did you have access to everything, but now when you login to SRM with this new account, you'll have full administrator rights and access to everything. And you can visually check to make sure you're set by launching Control Panel, choosing User from the menu on the left, and then looking to see if your new account now bears a little gold medal with a red ribbon on the user icon as shown in the following screenshot (here again I have redacted the user name of my actual new administrator account).

    From the perspective of improving the security of your router, it doesn't do you any good to create a new administrator account if you don't also disable the default administrator account. Obviously you don't want to do this if you haven't successfully added the account you created in step 2 to the administrators group, so it's a good thing we just checked to make sure your new account has administrator rights, isn't it? Well, yeah, but SRM won't let you shoot yourself in the foot here: you can't disable the account with which you are logged in. But you can disable the default administrator account with your new administrator account by selecting admin in the list of accounts; then pressing the Edit button; then, in the dialog that appears, checking the Disable this account box and choosing the Immediately radio button; and then pressing the OK button to save the changes.

  11. Disable SSH. See step 3, where you enabled SSH, and use it as a guide to disable SSH. You enabled it before with the default administrator account, now you can complete the circle by disabling it with your new administrator account.
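
Steps 7 and 8 amount to a read-modify-write of the group's membership, and the risk is dropping an existing member while retyping the list. The script below is an added example, not part of the original post or of Synology's tooling: it parses the synogroup --get listing and prints, without running it, the matching synogroup --member command. The N:[name] member-line format and the sample listing are assumptions constructed for illustration, since the post shows that output only in screenshots.

```sh
#!/bin/sh
# Added example (not from the original post): build the complete
# "synogroup --member" command from "synogroup --get" output so that no
# existing administrator is dropped by the overwrite described in step 8.
# ASSUMPTION: members appear as lines of the form  N:[name]  in that output.

# Constructed sample of "synogroup --get administrators" output (assumed format).
SAMPLE_GET_OUTPUT='Group Name: [administrators]
Group Type: [AUTH_LOCAL]
Group ID:   [101]
Group Members:
0:[admin]
1:[SynologyCMS]'

# list_members: read "synogroup --get" text on stdin, print one member per line.
list_members() {
    sed -n 's/^[0-9][0-9]*:\[\(.*\)][[:space:]]*$/\1/p'
}

# build_member_cmd GROUP NEWUSER: read "synogroup --get GROUP" text on stdin and
# print (never execute) the command that rewrites GROUP as existing members plus
# NEWUSER. Returns non-zero and prints nothing on stdout when it is unsafe.
build_member_cmd() {
    group=$1
    newuser=$2
    # Conservative allow-list: names with spaces or shell metacharacters would
    # not survive the command "as written", so refuse them.
    case $newuser in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing: empty or unsafe user name" >&2; return 1 ;;
    esac
    members=$(list_members)
    if [ -z "$members" ]; then
        # An empty parse means the format differs; writing now would wipe the group.
        echo "refusing: no existing members parsed" >&2; return 1
    fi
    cmd="synogroup --member $group"
    already=no
    while IFS= read -r m; do
        case $m in
            *[!A-Za-z0-9._-]*)
                echo "refusing: member '$m' needs manual handling" >&2; return 1 ;;
        esac
        if [ "$m" = "$newuser" ]; then already=yes; fi
        cmd="$cmd $m"
    done <<EOF
$members
EOF
    if [ "$already" = no ]; then cmd="$cmd $newuser"; fi
    printf '%s\n' "$cmd"
}

# dropped_members BEFORE AFTER: given two "synogroup --get" texts, print every
# member present in BEFORE but missing from AFTER (no output = nobody was lost).
dropped_members() {
    after=$(printf '%s\n' "$2" | list_members)
    printf '%s\n' "$1" | list_members | while IFS= read -r m; do
        printf '%s\n' "$after" | grep -qxF -- "$m" || printf '%s\n' "$m"
    done
}

# Demo on the constructed sample; on the router you would instead pipe in
#   synogroup --get administrators
printf '%s\n' "$SAMPLE_GET_OUTPUT" | build_member_cmd administrators newadmin
```

Read the printed command against the step 7 listing before running it, and after step 8 pass the before and after listings to dropped_members to confirm that nobody was lost.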

So there you go! Pretty straightforward, but like I said, not documented in a concise manner elsewhere, so I put this together in the hopes it would help others out. If it was useful to you and you're willing to take a moment to post a comment about it, I'll appreciate that.

Performing a Mail Merge with Google Docs (To Create Documents or Emails)

Google Docs is wonderful in many ways; however, there are a couple of areas where it has limited functionality that were issues for me recently, and this is the second of a two-part series of blog posts (see the first part here) on what I did to work around those limitations.

A Google Docs mail merge is not a native capability of Google Docs. Said another way, Google Docs does not natively offer the ability to do a mail merge (that is, it does not offer the ability to use a template document with special data placeholders and create a set of documents from a set of data where the data is used to populate the values for the special data placeholders in the template document). Fortunately, Google Docs does natively offer the ability to use 3rd party extensions and the excellent DocumentMerge by PandaDoc extension will allow you to do mail merges.

The instructions for how to use DocumentMerge by PandaDoc to perform a mail merge using a Google Sheet as the data source for a template Google Doc can be found at https://www.pandadoc.com/google-docs-document-merge. I won't belabor things by repeating the instructions here; the reason I'm writing this post is that for me, the DocumentMerge by PandaDoc extension wasn't easy to find when searching for a way to do a mail merge with Google Docs and I'm hoping that this blog post will bubble up in search results in the future, making it easier for others to find the extension (if this blog post is helpful to you, please take a moment to leave a comment if you're willing). To be more specific, what I was looking for was the ability to do a mail merge that produced printable documents but all I was able to find was info on how to do mail merges to create emails (which the DocumentMerge by PandaDoc extension will do as well so if that's what you're looking for, it's good for that too).

Anyway, it's a great extension for doing a mail merge with Google Docs (though for some reason it's fairly slow). You'll see that it creates a Google Doc as the output of your mail merge and from there, that document is just like any other Google Doc (meaning you can download it, print it, whatever you need to do). In addition, DocumentMerge by PandaDoc has another capability as well: if you want to email out each of the merged documents as a PDF attached to an email, you can do that directly with DocumentMerge by PandaDoc, which is a great feature (albeit one I haven't used since in my case I just needed to print the merged documents).

Creating a Document of a Non-standard (Custom) Size in Google Docs

To give credit where credit is due: I became aware of this technique in the post at https://productforums.google.com/forum/#!topic/docs/m-hUu90ZGI0.

Google Docs is wonderful in many ways; however, there are a couple of areas where it has limited functionality that were issues for me recently, and this is the first of a two-part series of blog posts (see the second part here) on what I did to work around those limitations.

Google Docs only allows you to create documents from a set of standard page sizes; it does not allow you to create a document of a non-standard page size (custom page size) of your choosing. Fortunately, there is a workaround that will allow you to create a document of any page size. If you're printing (in my case, I was printing envelopes), working from a document that properly represents the size of your print media is at the very least helpful, if not downright critical.

The workaround is to create a document outside Google Docs (yeah, that's bad but it's what you have to do) with the proper page size (and get your margins like you want them as well because if you try to change those in Google Docs, you'll also be forced to change the page size at the same time and of course you'll be forced to change the page size to one of the standard sizes). I had success uploading a Word-type document (both .doc and .docx worked for me) but not uploading a PDF or a Pages-type document. Note, however, if you don't have Word on your machine, you can get OpenOffice for free. In addition, if you have Pages, you can create the document there and export it as a Word-type document and that works (in fact, that's what I did; for more on how to do it, see this associated post of mine).

One special note here: I encountered a bit of a strange issue with pages with a width of 7.25" (my custom size also had a height of 5.25" but I didn't investigate whether or not that was relevant to the issue). The issue was that Google Docs for some reason was inserting a blank page between every actual page on print/download. Very weird stuff. By using a document with a width of 7.75" with an additional .25" margin on left and right, Google Docs did not insert that extra blank page and for my situation, this was a suitable workaround because what I needed to be able to do was print and on my Mac, the key for printing was the center of the content (if in your situation, you ever see an issue like this but the key for printing is the left of the content then add additional width to the page and instead of dividing the additional width evenly between the left and right margin, just add all the additional width to the right margin).

Twitterfeed

Twitterfeed (http://twitterfeed.com) is a service that publishes tweets on your behalf (that is, using your Twitter account) from feeds (for instance, from your blog) you provide to it. This is cool but the really nice thing is that its name paints a more restrictive picture than is reality: Twitterfeed can also publish updates on your behalf to Facebook and LinkedIn. And each of these is optional so you can publish to any or all of Twitter, Facebook, and LinkedIn.

I've chosen to set up Twitterfeed to publish to all of Twitter, Facebook, and LinkedIn. So that means that a notification about this, my first blog post written since I began using Twitterfeed, should get published out to my Twitter account, my Facebook account, and my LinkedIn account.

Cool, huh? How do you get updates about your blog posts out to Twitter, Facebook, and LinkedIn?

Hang/Hook/Hold/Stick/Mount Portable Hard Drive to Laptop/Notebook Lid/Top/Case with Suction Cup

Eh...sorry if the title of this post is a little hard to read--it's because I really want others to be able to find this info when they do an Internet search 'cause I sure couldn't find any info about anything like this!

I wanted a way to hang/hook/hold/stick/mount/something! my portable hard drive onto the back of my MacBook Pro's lid/top/case/display/whatever. I wanted something that I could attach and remove quickly and easily and that, when removed, wouldn't leave any traces of its presence on the laptop (so no modifications of any type to the laptop). I was more open to modifying the portable hard drive case, but I wasn't wild about that. Really, that left me only 2 options: suction and hanging hooks--and what I discovered is that the best approach is a combination of both: suction for the portable hard drive and a hook to hang it all from the laptop lid. :) I found a wreath hook at Jo-Ann that is perfect! Check it out:
