Run iotop tcpdump etc. on Synology DiskStation or RackStation with Synogear

When you need tools like iotop or tcpdump on you Synology DiskStation or RackStation, you doens't need to itall it via ipkg. Synology had a build in way to install the tools.

  • Connect via SSH to your NAS
  • Run sudo synogear install
  • Now you could use the tools from the list below

The package "Diagnosis Tool" are now also visible in the package center. You could also uninstall it from here, but a installation from package center is not possible.

addr2name
arping
bash
cifsiostat
clockdiff
dig
domain_test.sh
file
fix_idmap.sh
free
fuser
gcore
gdb
gdbserver
iftop
iostat
iotop
iperf
iperf3
kill
killall
ldd
log-analyzer.sh
lsof
ltrace
mpstat
name2addr
ncat
ndisc6
nethogs
nfsiostat-sysstat
nmap
nping
nslookup
peekfd
perf-check.py
pgrep
pidof
pidstat
ping
ping6
pkill
pmap
prtstat
ps
pstree
pwdx
rarpd
rdisc
rdisc6
rltraceroute6
rview
rvim
sa1
sa2
sadc
sadf
sar
sid2ugid.sh
slabtop
sockstat
speedtest-cli.py
strace
sysctl
sysstat
tcpdump
tcpdump_wrapper
tcpspray
tcpspray6
tcptraceroute6
telnet
time
tload
top
tracepath
traceroute6
tracert6
uptime
vim
vimdiff
vmstat
w
watch
xxd

Add languages to PHP Docker Container

Recently I have noticed that the output of the following code shows the month in the wrong language (English instead of German):

date_default_timezone_set('Europe/Berlin');
setlocale(LC_ALL, 'de_DE.utf8');
$date_now = date('Y-m-d');
echo strftime('%B %Y', strtotime($date_now));

This can be solved by installing the required language in the docker container. Unfortunately there is a bug which prevents that the languages can be easy activated by locale-gen <lang-code>. So you have to enable them in /etc/locale.gen first and then generate them with locale-gen. This code solves the problem:

FROM php:7-apache

[...]

# install localisation
RUN apt-get update && \
    # locales
    apt-get install -y locales

# enable localisation and generates localisation files
RUN sed -i -e 's/# de_DE ISO-8859-1/de_DE ISO-8859-1/' /etc/locale.gen && \ # to uncomment the lange
    sed -i -e 's/# <your lang code from locale.gen>/<your lang code from locale.gen again>/' /etc/locale.gen && \
    locale-gen

[...]

Or you could install all available languages:

FROM php:7-apache

[...]

# install localisation
RUN apt-get update && \
    # locales
    apt-get install -y locales locales-all

[...]

If you perform a dry run in the container, you must restart Apache for see the changes.

Preparing a Root-Server and install Docker-CE

This is my personal note list for preparing a root server. The list is not complete and may contain errors.

Network setup

  • Install OS as usual or use image from Control Panel

Network setup

  • Set/check fixed ip
  • Set the "Reverse DNS" entry in Control Panel
  • Add local user 
    
usermod -aG sudo <username>```
  • Set hostname
    sudo hostnamectl set-hostname <hostname>
  • Edit the /etc/hosts file
  • Edit the /etc/cloud/cloud.cfg file if exists (preserve_hostname: false to true)
  • Edit the /etc/netplan/50-cloud-init.yaml to add/set fixed IPv4/IPv6 adresses

SSH

  • Add pubkey to ~/.ssh/authorized_keys
  • Disable SSH login with password and permit root login in /etc/ssh/sshd_config file 
    PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
  • Restart SSH Daemon
    service sshd restart

VIM

  • VIM Color open ~/.vimrc and add 
    colorsheme desert
syntax on

Enable unattended upgrades

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

Docker

  • Install docker-ce here
  • Install docker-compose
    sudo apt-get install docker-compose-plugin
  • Install docker-compose here
  • Install docker-compose command completion here
  • add username to docker group (source)
    sudo usermod -aG docker $USER

Logrotate for Docker

  • Create Logrotate config file for Docker containers under /etc/logrotate.d/docker-container with the following content: 
    /var/lib/docker/containers/*/*.log {
rotate 8
weekly
compress
missingok
delaycompress
copytruncate
}
  • Test it with: logrotate -fv /etc/logrotate.d/docker-container

Docker Compose aliases

  • Create or append to ~/.bash_aliases: 
    alias dc='docker compose'
alias dcl='docker compose logs -f --tail=200'
alias dce='docker compose exec'
alias dcb='docker compose up --build -d'
alias dcu='docker compose up -d'
alias dcul='docker compose up -d && docker-compose logs -f --tail=50'
alias dcd='docker compose down --remove-orphans'
alias dcdu='docker compose down --remove-orphans && docker compose up -d'
alias dcdul='docker compose down --remove-orphans && docker compose up -d && docker compose logs -f --tail=50' 
alias dcdb='docker compose down --remove-orphans && docker compose up --build -d'
alias dcdbl='docker compose down --remove-orphans && docker compose up --build -d && docker compose logs -f --tail=50'

Docker after dist upgrade

  • Update key
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
  • Re-enable repo 
    
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null```
  • update the package database with the Docker packages from the newly added repo:
    sudo apt-get update
  • Make sure you are install from the Docker repo instead of the default Ubuntu repo:
    apt-cache policy docker-ce
  • upgrade packes
    sudo apt-get install docker-ce docker-ce-cli containerd.io
  • reboot

fail2ban

  • Install fail2ban with sudo apt-get install fail2ban
  • Create config file /etc/fail2ban/jail.local and add a jail for the SSH Deamon 
    
[sshd]
enabled = true
port = <ssh port>
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[traefik]
enabled = true
filter = traefik
logpath = /var/lib/docker/containers//-json.log
banaction = docker-action
maxretry = 3
findtime = 900
bantime = 86400

[wplogin]
enabled = true
filter = wplogin
logpath = /var/lib/docker/containers//-json.log
banaction = docker-action
maxretry = 3
findtime = 900
bantime = 86400

[unifi]
enabled = true
filter = unifi
logpath = /var/lib/docker/containers//-json.log
banaction = docker-action
maxretry = 3
bantime = 86400
findtime = 900


* Creat filter for traefik /etc/fail2ban/filter.d/traefik.conf

[Definition]
failregex = ^{"log":"<HOST> - \S+ [.*] \"(GET|POST|HEAD) .+\" 401 .+$
ignoreregex =


* Create filter for wplogin /etc/fail2ban/filter.d/wplogin.conf

[Definition]
failregex = ^{"log":"<HOST> -.POST.wp-login.php.*
ignoreregex =


* Create filter for unifi /etc/fail2ban/filter.d/unifi.conf

[Definition]
failregex = ^{"log":"<HOST> - \S+ [.*] \"POST \/api\/login.+\" 400 .+$


* Create action /etc/fail2ban/action.d/docker-action.conf
Unlike the out-of-the-box action, "actionban" and "actionunban" do not affect the INPUT chain, but the docker FORWARD chain "DOCKER".

[Definition]
actionstart = iptables -N f2b-docker
iptables -A f2b-docker -j RETURN
iptables -I FORWARD -p tcp -j f2b-docker

actionstop = iptables -D FORWARD -p tcp -j f2b-docker
iptables -F f2b-docker
iptables -X f2b-docker

actioncheck = iptables -n -L FORWARD | grep -q 'f2b-docker[ \t]'

actionban = iptables -I f2b-docker -s <ip> -j DROP

actionunban = iptables -D f2b-docker -s <ip> -j DROP


[via]https://www.the-lazy-dev.com/en/install-fail2ban-with-docker/[/via]

Can’t import SVG’s to Fritzing Part Editor created with Adobe Illustrator

When I tried Fritzing for the first time today, I unfortunately had to notice that two parts are missing. A NodeMCU has already created and released squix78, thanks for that. But unfortunately I could not find a RS232-TTL converter (MAX3232). No problem, then I just create an own part. With this manual this is relatively easy. Unfortunately the part editor did not accept the SVG's I created with Adobe Illustrator. After a long time of trying I found out that the following export settings are necessary. Important is the number of decimal places:

The final part:

You could download my MAX3232 RS232-to-TTL-Converter Breakout Board here. To use it, drag and drop it into you sketch.

 

Download Fritzing for free (with out donation)

I just wanted to test Fritzing today, but it is not so easy to download the program. On the website it is only possible to download it after a PayPal donation. Unfortunately the binaries are not available on github. Please don't get me wrong, I don't have anything against donating for free software, but I don't like to force this on everyone. At the end, I found something after all:

TL;DR: Sign up for an acccount (or use bugmenot.com) and then you can select "I already paid" and download the binary for you platform. If you like Fritzing, please donate.

How to easily clone a (encrypted hard) disk over network (with dd and netcat)

The task was simple: two computers (notebooks). One - we call it A - with a working operating system (Xubuntu) and a new one - we call it B - without operating system. This is how I proceeded:

  1. Create bootable flash drive with in my case Arch-Linux
  2. In the Arch-Linux boot loader, press [TAB] and add "copytoram" to the boot command to load the squashfs image into ram. I needed this because in this case I only had a flash drive at hand. If you have two, you don't need this.
  3. List network devices: 
    ip address
  4. Assign a IP adress to computer A with: 
    ip address add <machine A ip adress> dev <ethernet device>

  5. To identify source disk, list all block devices with: 
    lslbk

  6. Prepare the copy operation (do not execute yet!) with 
    dd if=/dev/<source block device> bs=32M status=progress | nc <machine B ip adress> <random port number>

  7. Boot machine B from the same or different flash drive
  8. Assign different IP adress
  9. Identify target device
  10. Prepare the receiving copy operation with 
    nc -l -p <same port number as A> | dd of=/dev/<destination block device> bs=32M status=progress

  11. Execute the command on Machine B
  12. Then execute the command on Machine A
  13. Wait until the copying process is completed.
  14. Use at least the Sync command to synchronize corresponding file data in volatile storage and permanent storage
  15. Restart the machine, you are done

How it works/remarks
dd reads the source drive bit by bit into the normal output stream. The output stream is piped to netcat, which sends it over the network to a receiving netcat process (server with -l). Therefore the server must be started first. The server receives the bits and piped them back to dd, which writes them to the target on machine B.

Maybe this is not the best and/or most efficient way, but transfer speed in my case of 75MB/s (poor performance on screenshots is from a setup with two vm's) is in IHMO very good for this simple setup.

Thanks to pmenke for his support.

IPsec VPN between Sophos UTM and AVM Fritz!Box (LTE) with a dynamic IP-Adresss

Use the following settings to configure a Fritz!Box - also a LTE version - to connect to a Sophos UTM (v9.7)

  • Sophos UTM Settings
  • Fritz!Box VPN VPN-Configfile
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "Sophos IPsec";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = AAA.BBB.CCC.DDD; // Change to Sophos External IP
                remote_virtualip = 0.0.0.0;
                localid {
                        fqdn = "my.fqdn.net"; // No change needed. Is ignored from the UTN
                }
                remoteid {
                        ipaddr = "AAA.BBB.CCC.DDD"; // Change
                }
                mode = phase1_mode_idp; // Main Mode
                phase1ss = "dh14/aes/sha";
                keytype = connkeytype_pre_shared;
                key = "MySecr3tPassw0rd!"; // has to be changed
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.0.1; // change to local network
                                mask = 255.255.255.0;   // change to local subnet
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 172.16.0.0; // change to remote network
                                mask = 255.255.255.0; // change to remote subnet
                        }
                }
                phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
                accesslist = "permit ip any 172.16.0.0 255.255.255.0"; // to remote network
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}

 

Could not find any disk on this device. PRTG error code: PE188

I got this error when I tried to add a SNMP HP ProLiant Physical Disk Sensor for HP Proliant DL 380 G7 with Windows 2012 R2 in our monitoring solution from Paessler (PRTG). The SNMP HP ProLiant System Health, Network and Storage Controller Sensor works fine.

HPE Insight Management Agents and HPE Insight Management WBEM Providers for Windows are installed.

An SNMP walk against OID 1.3.6.1.4.1.232.3.2.5 (used by Paessler for this sensor) works without errors but also without result.

I found some guys with the same probleme and a solution: The problem was the disk (controller) driver. Installed was v8.0.4.0, which seems to be a standard Microsoft driver. With the original HPE controller driver (for us 62.28.0.64) it works.

 

How to easily migrate a Synology EXT4 volume to Btrfs without data loss

Today I switched from a Synology DS215play to a DS918+. Perfect time to change the file system - the DS215play didn't support Btrfs. The migration also works with only one device. So I wrote down both ways.

Steps if you haven't changed your DiskStation

  • Backup your data! If you switch to a device with new drives like me, you still have a copy of your data, but if you migrate without new drives, you don't have a copy! In germany we say: No backup - no pity.
  • Shut down the DS, remove drive 2.
  • Format drive 2 with your computer.
  • Insert drive 2.
  • Turn the DS back on and DO NOT repair the fault volume.
  • Create a new volume (SHR and Btrfs) in the Storage Manager on drive 2.
  • For each shared folder, change the location to the new volume. You can only do this for one shared folder at a time and the move may need several hours depending on the size of your shared folders.
  • When you have moved all the shared folders, shut down your DS and remove drive 1.
  • Format drive 1 with your computer.
  • Turn on your DS and go to the Package Center. Repair all apps.
  • Expand your new volume to drive 1 and wait until RAID Resync is complete. You're done.

Steps if you are switching to a new DiskStation with new drives (my situation)

  • Turn off your old DS, remove drive 2.
  • In the new DS, place the new drives in slot 1 and 2. Place the (old) drive 2 in slot 3.
  • Turn on the new DS. Open your browser and navigate to the new DiskStation. In my case, the DS got a new IP address. I looked them up in my router DHCP table.
  • Follow the Migration Wizard and wait until the DS restarts.
  • Create a new volume (SHA and Btrfs) in the Storage Manager on drive 1 and 2. It is now recommended to change the RAID Resync speed to Fast and wait until RAID synchronization is complete.
  • Now for each shared folder, change the location to the new volume. You can only do this for one shared folder at a time and may need several hours depending on the size of your shared folders.
  • When you have moved all shared folders, shut down your DS and remove drive 3.
  • Turn on your DS and go to the Package Center. Repair all apps. You're Done.