Random header image

How to make read-only 'virtual' exFAT directories for FTP users on Synology NAS running DSM 6

I recently purchased a Synology NAS running DSM 6, and sharing directories via FTP is easy. In Control Panel, make sure the Shared Folder is defined, then using File Station, define access permissions (read, write, execute) for each group or user.

If you want an additional user for FTP access, you make your user (or make a group then add your user to that) then Allow access to the FTP application inside Control Panel -> Users or Groups. The permissions are inherited, UNIX style, to effectively restrict rights over folders and their files.

So far, so simple; this works great for everything on the NAS' internal storage, because by default it uses EXT4 filesystem which supports file & directory permissions and ACLs. On the terminal, a plus symbol at the end of an ls directory listing denotes the file or directory has additional ACLs applied, which can overrule standard UNIX permissions.

However, on any external drives connected to the Synology, for example a large USB3 drive for temporary storage of additional material, those drives may use file systems other than EXT4 so they're accessible by, say, Windows PCs. In this case, given we're probably also dealing with very large files, exFAT is a sensible choice - and the Synology does support exFAT, albeit there's a long story about that. tl;dr - pay $4 and just get the official exFAT Access package from Synology through the Package Manager, it's zero-hassle and has full read/write support. More info on supported external devices here.

One thing exFAT volumes lack when used through the Synology is support for any UNIX file and directory permissions. Normally that's acceptable, but if you're sharing files to other users, either via NFS, SMB or FTP, you may wish to use permissions to prevent accidental deletion - and on an exFAT volume, this means you can't.

But we can do read-only access with exFAT! It just requires some creative thinking...

Click to read the article and find out how

Canon Pixma owners: this one simple trick makes your printer's feed rollers able to grab paper again!

I have a cheap Canon Pixma MG5750, a Currys PC World purchase when I needed a cheap multifunction printer fast. Was handy at £45 (another set of genuine ink for it costs the same, go figure) but obviously I never expected it to be perfect.

Unfortunately, one of the fundamental requirements of any printer - to be able to take in paper successfully - was a little lacking with this unit. Resarch indicates it's sadly a common issue with this range of Canon printers.

Soon after buying mine, the paper feed (take-up of paper from the tray into the mechanism) started to behave irregularly; soon after that I ended up having to nudge each sheet of paper in to the printer, it was unable to take in paper itself. Not convenient.

I put up with this for a while but an attempt to print some documents evening pushed me into investigating. The fix, as it turns out, is really simple!

Click to read more and see photos of the paper feed roller fix

Dear mailserver operators: PLEASE stop using SSLv3!

I look after a few email servers and after implementing much stricter encryption settings at the start of the year, I noticed some emails were never making it to accounts - being rejected at the negotiation stage (where the remote server sending the email agrees an encryption protocol and cipher with the local server).

I was puzzled by this. TLS is hardly new, yet these servers were only ever attempting to use SSLv3 and then failing to 'upgrade' to TLS - not even TLS1.0. Poor show.

This isn't unique either - I periodically run a script which reports the spread of protocols and ciphers of incoming email connections; here's a sample from one server for the last hour...

...The stats don't make for pretty reading:

Quickly install DiG on Windows without a full BIND9 install

Today I needed to use - and install - DiG (Domain Information Groper!) on a Windows 10 box. Of course, Windows is useless when it comes to CLI tools - nslookup is past its prime and not even Windows 10 includes much by way of useful tools for DNS queries. It's shipped as part of the BIND9 DNS software from ISC.

So, let's see about DiG... Good news, everyone! - BIND9 is available for Windows, but I don't want to install the whole thing, ain't nobody got time for that. So, let's see about excerpting just the DiG executable and getting it so you can use it without specifying its full path every time, which will require setting its location in the PATH variable.

There's quite a few guides and tutorials to installing DiG on Windows. The simplest one I found was from Websistent, who recommended downloading their own zip of DiG and its necessary DLL dependencies, dropping those into windows\system32 (urk?) and using as normal.

We can do better than that:

Click to see how simple it is!

Fail2ban 0.10 on CentOS6 - yes we can! And my notes on successful manual upgrades

Fail2ban's official compile for CentOS6 has never advanced beyond 0.9.6-1.el6.1. While 0.9.6 works, it's old and has a few major inconveniences:

  1. No IPv6 support 🙁
  2. A tendency for the daemon to die when parsing many logs or a high volume of activity
  3. Quite slow to parse logs when restarting after a config change

So, what can we do? Well, compile from source and upgrade with the supplied python script! It's easier than I anticipated, but there's still a few things you need to watch out for.

Read more
I footnotes