Synology DSM
Synology Disk Station Manager, or DSM for short, is a Linux-based operating system shipped with various devices made by Synology. This guide currently covers the DSM 7.2 version branch.
Connect to a Synology device with DSM 7.2 via its web interface in order to apply these options:
- Open the Control Panel
- On the bar, scroll down to Connectivity and click on Terminal & SNMP
- On the Terminal tab, check whether Enable SSH service is enabled
- If yes, click on Advanced Settings
- Select the security level Customize
This opens a window Customize encryption mode, which contains 3 rows: Cipher, KEX and MAC. Configure them as follows:
Leave the following ciphers enabled and disable the remaining ones if you are on DSM 7.2.2 or later:
aes128-ctr
[email protected]
aes192-ctr
aes256-ctr
[email protected]
[email protected]
DSM versions earlier than 7.2.2: In order to work around CVE-2023-48795, disable [email protected].
Leave the following key exchange algorithms (KEX) enabled and disable the remaining ones:
curve25519-sha256
[email protected]
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
Leave the following message authentication codes (MAC) enabled and disable the remaining ones:
Click on Save to close the window Customize encryption mode and return to the Advanced Settings window. There, click on Save again to close this window. Finally, back in the Control Panel, click on Apply.
Hint: If you get an error saying no changes have been made when applying the changed configuration, even though you actually did change ciphers, DSM doesn't detect changed options in "customized ciphers". In order to apply them nonetheless, do the following steps as a workaround:
- Note the currently configured SSH port (default: 22)
- Change its value to something else, e.g. 222, then click Apply
- Then revert the port setting to the previous value and click on Apply once more.
At least DSM version 7.2 doesn't allow you to reach a perfect score, since neither host keys nor host-key algorithms can be updated or modified in a supported way other than by manually modifying /etc/ssh/sshd_config. Also, those manual changes are likely to get overwritten by, e.g., system updates or other configuration changes via the DSM web interface.
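One way to check that the customized selection actually took effect and has not been overwritten later, as an added example that is not part of the original guide, DSM or ssh-audit: it reads sshd_config-style text (or the output of `sshd -T`, where available) and reports every cipher or KEX outside an allowlist. It assumes the DSM settings end up as Ciphers and KexAlgorithms directives in /etc/ssh/sshd_config; the allowlist holds only the names that are legible on this page and must be extended with the other entries you left enabled (MACs included), and all function and variable names are hypothetical.

```python
import re
import sys

# Allowlist built only from names legible on this page (assumption: extend it
# with the remaining entries you left enabled, and add a "macs" key likewise).
ALLOWED = {
    "ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr"},
    "kexalgorithms": {"curve25519-sha256", "diffie-hellman-group16-sha512",
                      "diffie-hellman-group18-sha512"},
}

# Constructed sample input, not taken from a real device.
SAMPLE = """\
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
kexalgorithms diffie-hellman-group1-sha1
"""

def audit(config_text, allowed=ALLOWED):
    """Return a list of (directive, issue, extra_algorithms) findings."""
    first = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        fields = re.split(r"[\s=]+", line, maxsplit=1)
        if len(fields) == 2 and fields[1]:
            # Keywords are case-insensitive and sshd uses the first value it reads.
            first.setdefault(fields[0].lower(), fields[1].strip())
    findings = []
    for key, ok in allowed.items():
        value = first.get(key)
        if value is None:
            findings.append((key, "not set, built-in defaults apply", []))
        elif value[0] in "+-^":
            # A +/-/^ prefix edits the default set instead of replacing it.
            findings.append((key, "modifies defaults, effective set unknown", []))
        else:
            extra = sorted({a.strip() for a in value.split(",")} - ok)
            if extra:
                findings.append((key, "unexpected algorithms", extra))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, issue, extra in audit(text):
        print(f"{key}: {issue} {', '.join(extra)}".rstrip())
```

Run it with the path to a copy of the configuration as the only argument; without an argument it audits the constructed sample.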
DSM | ssh-audit |
---|---|
DSM 7.2.2-72803 | master @ 9049c8476ad75494f03941c1d2ff77206a2846c6 |
DSM 7.2.1-69057 Update 4 | master @ fe65b5df8a2d36fb85747f600685091487837c0d |
DSM 7.2.1-69057 Update 3 | master @ c8e075ad13516b59ab30461d2590c3403e3379e8 |
DSM 7.2.1-69057 | master @ 02ab487232de438c0811116f2676cb1c9b5f3d62 |
DSM 7.2-64570 Update 3 |