Synology UPS Tips and Tricks

Recently, I replaced the Uninterruptible Power Supply (UPS) connected to my Synology with an APC BX2200MI. During setup, I ran into some typical Synology shenanigans, which I managed to work around. I documented them here for anyone else who might encounter the same issues (and as a note to my future self).

Add More Than Five ‘Permitted DiskStation Devices’ (a.k.a. NUT Clients)

If you have multiple devices connected to your UPS that you’d like to shut down safely in the event of a power outage, your Synology can act as a ‘network UPS server.’ Under the hood, Synology runs Network UPS Tools (NUT), an open-source UPS monitoring tool. NUT works with thousands of UPS devices and on many operating systems. You’re therefore not limited to connecting only Synology appliances to your UPS; any machine that supports NUT can be shut down safely.

In my case, I’ve also connected a couple of servers, as the UPS has enough capacity for them. However, you need to allowlist (i.e., permit) the IP address of each “NUT client” that’s allowed to retrieve the UPS status from your Synology. Unfortunately, the Synology DSM web interface limits the number of “Permitted DiskStation Devices” to five, but this is an arbitrary Synology limit, not a NUT limit.

If you need to allowlist more than five NUT clients, you can do so by logging in to your Synology via SSH and editing the following file as root:

/usr/syno/etc/ups/synoups.conf

Add the IP addresses in the same format as the first five entries. The Synology web interface will still only display the first five, but additional clients will work just fine! Note: Changing any UPS setting in the Synology web interface will overwrite the file and remove your extra IPs, so try to avoid making further changes there.

Don’t forget to restart the NUT UPS daemon to apply your changes:

sudo synosystemctl restart ups-usb

Pro tip: The default NUT username on Synology is monuser with the password secret. If you need more information on configuring a non-Synology NUT client, take a look at this gist: https://gist.github.com/jhelmink/ba54e11e6a1b9f448a4a9a5c4cb45b89


Change UPS Parameters

By default, most UPS units come with parameters defining what qualifies as “low battery.” For my specific APC UPS, it is set so that 10% battery charge or 120 seconds of runtime remaining will trigger a “low battery” status, which in turn signals the Synology (by default) to shut down cleanly to prevent data loss. You can see these values by running:

upsc ups@localhost

(from an SSH session on your Synology).

I wanted to adjust these parameters. My main reason for owning a UPS is to protect data rather than maintain uptime during an outage. Ten percent battery charge (or just two minutes) before initiating shutdown seems too tight because it takes my Synology some time to stop all processes, spin down disks, and power off safely. Also, if power returns, causing the Synology to reboot, and then goes out again, I want enough runtime left for another clean shutdown.

If you have only Synology devices (one or more) connected to your UPS and no additional (vanilla) NUT clients, you can skip the steps below and simply use the Customize time option built into Synology DSM. Keep in mind, however, that this setting is client-side. If you do have other NUT clients, you’d need to configure each client individually, which can be more work than ticking a single box in DSM. Therefore, if you plan to shut down multiple devices after running on battery for a certain number of minutes, I recommend updating these parameters directly in the UPS firmware. That way, if you unplug the UPS and connect it to another system in the future, the configured value will remain in the UPS itself.

To modify these parameters in the UPS firmware, you could use the official tooling—PowerChute for APC devices—but that means unplugging the UPS from your Synology and connecting it to a Windows PC. However, because Synology uses NUT under the hood, we can also use NUT’s upsrw command to do this remotely. The catch is that Synology’s firmware omits upsrw, so you’ll need a separate Linux machine that does have upsrw in order to connect to your Synology’s NUT server and change the UPS parameters.

Adding a NUT Admin User

Synology hardcodes a single NUT user (monuser) and does not provide an admin account by default. To change firmware parameters, though, you’ll need a NUT admin user. To create one, log in to your Synology over SSH as root and edit:

/etc/ups/upsd.users

Add the following section at the bottom:

[admin]
password = YourNewPassword
actions = SET
instcmds = ALL

Then restart the NUT service:

sudo synosystemctl restart ups-usb

Changing the UPS Parameters

From your Linux machine (the one with upsrw installed), first check which UPS parameters are configurable:

upsrw ups@<YOUR_SYNOLOGY_IP>

You might see something like this:

[battery.charge.low]
Description unavailable
Type: STRING
Maximum length: 10
Value: 10

[battery.runtime.low]
Description unavailable
Type: STRING
Maximum length: 10
Value: 120

[input.sensitivity]
Description unavailable
Type: STRING
Maximum length: 10
Value: medium

...

To change, for example, battery.runtime.low to 300 (i.e., the UPS will trigger a shutdown at 300 seconds of remaining runtime):

upsrw -s battery.runtime.low=300 -u admin -p YourNewPassword ups@<YOUR_SYNOLOGY_IP>

This sets the value in the UPS firmware, so the setting persists even if you later move the UPS to another system.

Once you’re done making changes, remember to restart NUT on your Synology:

sudo synosystemctl restart ups-usb

If you no longer need the admin account, simply remove the section you added to /etc/ups/upsd.users and restart NUT again.
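The add-then-remove cycle above (create the admin user, run upsrw from another machine, delete the section again) is easy to script so that the SET-capable account only exists while you need it. The following is an added example of mine, not Synology's or NUT's code: it reproduces the section layout from this post verbatim and assumes the /etc/ups/upsd.users path shown above; the helper names (gen_password, nut_has_user, nut_add_admin, nut_remove_admin, nut_restart), the random password and the chmod to root-only are my own additions, not steps the post requires. Copy it to the Synology and run it from a root SSH session.

```shell
#!/bin/sh
# Helpers for the short-lived NUT admin account used to run upsrw against a
# Synology's NUT server. The guide's section layout is reproduced verbatim;
# the function names, the random password and the chmod are my additions.

UPSD_USERS=${UPSD_USERS:-/etc/ups/upsd.users}   # path given in the guide

# 32 hex characters from the kernel CSPRNG. The password only has to be
# pasted into one upsrw command, so it never needs to be memorable.
gen_password() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# True if a [user] section header is present in the file.
nut_has_user() {
    grep -q "^\[$1\]" "${2:-$UPSD_USERS}"
}

# Append the [admin]-style section from the guide (actions = SET,
# instcmds = ALL). Refuses to add a duplicate header, and tightens the file
# to root-only because it now holds a password that can change UPS firmware
# settings.
nut_add_admin() {
    user=$1; pass=$2; file=${3:-$UPSD_USERS}
    if nut_has_user "$user" "$file"; then
        echo "[$user] already exists in $file" >&2
        return 1
    fi
    printf '\n[%s]\npassword = %s\nactions = SET\ninstcmds = ALL\n' \
        "$user" "$pass" >> "$file"
    chmod 600 "$file"
}

# Drop the [user] section again: everything from its header up to (but not
# including) the next section header or the end of the file.
nut_remove_admin() {
    user=$1; file=${2:-$UPSD_USERS}
    tmp=$(mktemp)
    awk -v sec="[$user]" '
        /^\[/ { skip = ($1 == sec) }
        !skip { print }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # rewrite in place so owner and mode are kept
    rm -f "$tmp"
}

# Apply the change on DSM; this is the unit the guide restarts.
nut_restart() {
    synosystemctl restart ups-usb
}

# Demo against a scratch copy (constructed content, not a real DSM file):
#   sh nut-admin.sh --demo
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp)
    printf '[monuser]\npassword = secret\nupsmon master\n' > "$scratch"
    pw=$(gen_password)
    nut_add_admin admin "$pw" "$scratch" && echo "added [admin] with password $pw"
    cat "$scratch"
    nut_remove_admin admin "$scratch"
    echo "--- after removal ---"; cat "$scratch"
    rm -f "$scratch"
fi
```

Typical use on the Synology: source the file, run `pw=$(gen_password); nut_add_admin admin "$pw"; nut_restart`, paste `$pw` into the upsrw command on your Linux machine, then `nut_remove_admin admin; nut_restart` once the parameter change is confirmed with upsc. Because the section is removed again, the password never has to be reused, which is why a random value is the better choice than something memorable.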


Double-Check UPS Compatibility

This may be obvious, but always verify that your UPS is compatible with your specific Synology model. In my case, I have two NAS units: a DS918+ and a DS218Play. Initially, I plugged the UPS into the DS918+. Although it seemed fine at first—values were read correctly—the Synology soon started reporting that the UPS was constantly going offline and back online with no clear cause. Replugging the USB cable and rebooting didn’t help.

After consulting the Synology Compatibility List, I noticed the DS918+ isn’t listed for my UPS model, but the DS218Play is. Sure enough, once I plugged the UPS into the DS218Play, the random off/online flapping immediately stopped.

How to shrink an ext4 disk with a GPT table without LVM using the qcow2 disk format in Proxmox

This guide explains how to shrink an ext4 disk with a GPT partition table without using LVM, specifically using the QCOW2 disk format in Proxmox.

BACKUP YOUR DATA FIRST BEFORE ATTEMPTING THIS. YOU HAVE BEEN WARNED.

1. Check Disk Usage in the VM

In the VM, run:

df -h

Note down the actual usage of the disk you want to shrink (e.g., 250GB).

2. Shutdown the VM

Ensure the virtual machine is powered off.

3. Boot with GParted Live ISO

Load the GParted Live ISO and start the VM using this ISO.

4. Resize the Partition with GParted

In the GParted GUI, resize the desired partition. Leave some headroom—for example, if you noted 250GB in step 1, shrink it to 300GB.

5. Shutdown the VM Again

After resizing, shut down the VM once more.

6. Check the Current QCOW2 File Size on the Host

On the Proxmox host, navigate to the image directory:

cd /var/lib/vz/images/
qemu-img info vm-204-disk-1.qcow2

Note the current size of the QCOW2 file.

7. Shrink the QCOW2 File

On the Proxmox host, execute:

qemu-img resize vm-204-disk-1.qcow2 --shrink -1500G

Replace the filename and the size value (-1500G in this example) with your desired values. This command shrinks the disk from 2000G to 500G.

8. Verify the QCOW2 File Size

Confirm the file has been shrunk:

qemu-img info vm-204-disk-1.qcow2

9. Update Proxmox with the New File Size

Run the following to let Proxmox rescan and update the disk size:

qm rescan

10. Attempt to Boot the VM

When you try to boot the VM, it may fail with an error similar to:

ALERT! /dev/disk/by-uuid/xxxxxxxxx does not exist. Dropping to a shell

This error indicates that the GPT table is broken: GPT keeps a backup header and partition table in the last sectors of the disk, and after the image was shrunk that backup now lies beyond the new end of the disk.

11. Fix the GPT Table

Boot into the GParted Live CD again and run:

sudo sgdisk -e /dev/sda

Although it may throw some warnings and complain, it should (fingers crossed) automatically fix the GPT table.

Note to self: It might be possible to execute step 11 directly after step 4 to avoid booting into the live CD twice. I’ll see if this can be done in future attempts.

12. Resize the Partition to Include Headroom

Once the GPT table is fixed, the VM should boot without issues. However, the partition will not be fully resized because of the headroom. To incorporate the headroom, run:

sudo growpart /dev/sda 2
sudo resize2fs /dev/sda2

Done!

How to resize (shrink) an ext4 partition and disk to fit within a thin-LVM pool in Proxmox

The goal of the steps below is to resize (shrink) the ext4 partition /dev/sda2 and its disk /dev/sda to 6.9T, so that they fit within the thin-LVM pool sized at 6.95T.

Disclaimer: I have no idea what I’m doing, so follow these steps at your own risk.


1. Trim Unused Space

Inside the VM, run:

fstrim -a

This will save time during the disk operations.


2. Boot into GParted Live ISO

Boot the VM using the GParted Live ISO.


3. Resize the Partition

Use the GParted GUI to shrink the partition /dev/sda2 to the smallest size possible, leaving a little headroom.


4. Shutdown the VM

After resizing, the partition /dev/sda2 will now be smaller, but the disk itself (/dev/sda) will still be the original size. Let’s fix that. Shut down the VM.
(Screenshot: Partition Resized)


5. Resize the Disk on the Proxmox Host

On the Proxmox host (hypervisor), resize the VM disk to fit within the thin-LVM pool:

lvreduce -L 6.9T /dev/media/vm-101-disk-0

Replace /dev/media/vm-101-disk-0 with your VM’s disk path.

Why 6.9T? My thin-LVM is 6.95T, so I left a bit of headroom to avoid overcommitting the pool.
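Both shrink guides on this page (the qcow2 one above and this thin-LVM one) have you pick the new disk size by eye, and both then hit the same "does not exist. Dropping to a shell" boot failure. The following is an added example of my own, not part of either post, of a pre-flight check that derives the smallest safe disk size from the guest's partition table: the new size must cover the end of the last partition plus the 33 sectors GPT reserves at the end of the disk for its backup header and entry array. It parses `sgdisk -p` output (a constructed sample for the first guide's 2000G disk is embedded; on a real VM run `sudo sgdisk -p /dev/sda` from the GParted live session and pipe that in) and prints, without executing, the host-side command for either disk type. The function names (to_bytes, min_disk_bytes, shrink_ok, shrink_commands) are mine.

```shell
#!/bin/sh
# Pre-flight check before shrinking a VM disk that carries a GPT: the new
# size must still hold the last partition *and* the backup GPT header plus
# entry array that GPT stores in the final 33 sectors. Shrink below that and
# the guest drops to the "does not exist. Dropping to a shell" prompt until
# sgdisk/gdisk relocates the backup structures.
# Added example (not from either guide); function names are mine.

GPT_BACKUP_SECTORS=33   # 1 header sector + 32 sectors for 128 entries

# Convert 500G / 6.9T / 1500M to bytes. Both qemu-img and lvreduce read these
# suffixes as binary units (GiB, TiB, ...), so we do the same.
to_bytes() {
    awk -v s="$1" 'BEGIN {
        unit = substr(s, length(s), 1)
        num = s; sub(/[KMGTP]$/, "", num)
        mult = 1
        if (unit == "K") mult = 1024
        else if (unit == "M") mult = 1024 ^ 2
        else if (unit == "G") mult = 1024 ^ 3
        else if (unit == "T") mult = 1024 ^ 4
        else if (unit == "P") mult = 1024 ^ 5
        printf "%.0f\n", num * mult
    }'
}

# Read `sgdisk -p` output on stdin and print the smallest disk size in bytes
# that keeps every partition and the backup GPT intact.
min_disk_bytes() {
    awk -v backup="$GPT_BACKUP_SECTORS" '
        BEGIN { last = 0; sector = "" }
        /^Sector size/ { split($4, a, "/"); sector = a[1] }   # "512/512 bytes"
        $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $3 > last { last = $3 }
        END {
            if (sector == "") sector = 512
            printf "%.0f\n", (last + 1 + backup) * sector
        }'
}

# Exit 0 if NEW_SIZE (e.g. 500G) is at least MIN_BYTES.
shrink_ok() {
    awk -v want="$(to_bytes "$1")" -v need="$2" \
        'BEGIN { exit !(want + 0 >= need + 0) }'
}

# Print the host-side commands for the two guides without running them.
shrink_commands() {
    kind=$1
    path=$2
    size=$3
    case $kind in
        qcow2) printf 'qemu-img resize --shrink %s %s\n' "$path" "$size" ;;
        lvm)   printf 'lvreduce -L %s %s\n' "$size" "$path" ;;
        *)     echo "unknown disk kind: $kind" >&2; return 2 ;;
    esac
    echo 'qm rescan'
}

# Constructed sample: the qcow2 guide's 2000G disk after GParted shrank the
# root partition to 300 GiB (not real output from the author's VM).
SAMPLE_SGDISK='Disk /dev/sda: 4194304000 sectors, 2.0 TiB
Sector size (logical/physical): 512/512 bytes
First usable sector is 34, last usable sector is 4194303966

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048            4095   1024.0 KiB  EF02
   2            4096         1050623   511.0 MiB   EF00  EFI system partition
   3         1050624       630196223   300.0 GiB   8300  Linux filesystem'

# Worked run (sh shrink-check.sh --demo): is the guide's 500G target safe here?
if [ "${1:-}" = "--demo" ]; then
    need=$(printf '%s\n' "$SAMPLE_SGDISK" | min_disk_bytes)
    for size in 300G 500G; do
        if shrink_ok "$size" "$need"; then
            echo "$size: safe (minimum is $need bytes)"
            shrink_commands qcow2 /var/lib/vz/images/vm-204-disk-1.qcow2 "$size"
        else
            echo "$size: too small (minimum is $need bytes)"
        fi
    done
fi
```

Note that 300G is rejected for the sample layout even though the root partition is exactly 300 GiB: the partitions before it and the GPT backup at the tail push the minimum just past that. Leaving headroom, as both guides do, is what keeps you on the right side of this line.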


6. Rescan the Disk in Proxmox

Run the following to make Proxmox aware of the new disk size:

qm rescan

(Screenshot: qm rescan output)


7. Attempt to Boot the VM

If you’re lucky, the VM will boot without issues. However, you’ll most likely encounter an error like:

ALERT! /dev/disk/by-uuid/xxxxxxxxx does not exist. Dropping to a shell

If this happens, boot the VM into the GParted Live ISO again. The GParted GUI will show all storage as unallocated, but don’t panic (famous last words).
(Screenshot: Unallocated Storage)


8. Fix Partition Errors with gdisk

Open a terminal in GParted and run:

sudo gdisk /dev/sda
  • Type v to verify the disk.
  • You’ll likely see warnings or errors. Follow the on-screen instructions to fix them.
    • For example, I had to go to the expert menu (x), then press e, and so on, until all errors were resolved.
  • Once everything is fixed, type w to write the changes to the disk and press Enter.
    (Screenshot: Gdisk Fix)

9. Resize the Partition Back to Match the Disk

Open the GParted GUI again. This time, you can expand the partition to fill the resized disk.
(Screenshot: Resize Partition to Match Disk)


10. Verify the Disk Layout

Check that the disk size and partition size match your desired configuration:

sudo fdisk -l

(Screenshot: Verify Disk Layout)


11. Check the Filesystem for Errors

Run a filesystem check to ensure no errors:

e2fsck -f /dev/sda2

12. Reboot the VM

Finally, reboot the VM. It should boot without any issues, and the disk and partition should now be sized as desired.
(Screenshot: Final Result)


That wasn’t so hard after all… lol. I hope it helps

My first 10 minutes on a Windows development server

On the Windows Servers I use for development, I like to keep things simple. That means security should be in place, but at the same time should be workable and flexible enough for me to install and download things, without getting nagged by obnoxious over-active security mechanisms. In order to do so, I execute the following steps on every Windows development server I install.

Install RDP Defender

If your Windows server is publicly available from the internet, then there is a 100% chance that hackers, network scanners and brute force robots are trying to guess your Administrator login and password as we speak.

Using password dictionaries, they will automatically try to log in to your server hundreds to thousands of times every minute. Not only is this bad for your server’s security, but it also wastes a lot of resources, such as CPU and bandwidth.

RDP Defender will block these attacks by monitoring failed login attempts and automatically blacklisting the offending IP addresses after several failures. You can of course configure it to suit your needs, but it pretty much takes care of itself. It takes just 30 seconds to download and install: https://www.terminalserviceplus.com/rdp-defender.php

However, if your server or VPS is frequently targeted by DDoS attacks, you may benefit from a DDoS-protected VPS or a remote DDoS protection solution to help keep your server and network secure.

Increase RDP Security

Start → Run → gpedit.msc
Go to Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security

Set client connection encryption level – Set this to High Level so your Remote Desktop sessions are secured with 128-bit encryption.

Require secure RPC communication – Set this to Enabled.

Require use of specific security layer for remote (RDP) connections – Set this to SSL (TLS 1.0).

Require user authentication for remote connections by using Network Level Authentication – Set this to Enabled.

Disable Remote Management, unless specifically needed.

I’m not a fan of having stuff enabled that I don’t use or need, so even though this probably isn’t a security risk, I’m going to disable it anyway.

Go to Server Manager → Local Server → Remote Management and click ‘Enabled’.
In the window that opens, untick ‘Enable Remote management of this server from other computers’ and hit apply.


Do not start Server Manager automatically at logon

Go to Server Manager → Manage → Server Manager Properties
Check ‘Do not start Server Manager automatically at logon’.

Disable Password Expiration

Like I said, this is a development server. There’s no need for me to have top notch security, as I’ll probably spin up a new machine in a couple of months again and delete this one.

Start → Run → gpedit.msc
Go to Computer Configuration → Windows Settings → Security Settings → Password Policy.

Change ‘Maximum password age’ to 0. Hit apply and ‘Password will not expire’ should now be shown.

Schedule automatic update restarts

Windows Server 2012 and 2016 use ‘active hours’ to determine whether or not it’s safe to reboot the machine for updates. Moreover, the maximum time frame of the ‘active hours’ cannot be greater than 12 consecutive hours. To be honest, I don’t know who came up with this brilliant idea, since a server is usually designed to be on 24/7. Therefore, I prefer to choose when Windows reboots for updates by scheduling a specific time, instead of playing Russian roulette over whether or not the thing is going to reboot while I’m running any jobs/tests.

Start → Run → gpedit.msc
Go to Computer Configuration → Policies → Administrative Templates → Windows Components → Windows Update.

Tick ‘Enabled’, choose option 4 and tick ‘Install during automatic maintenance’.

Note: When ticking ‘Install during automatic maintenance’, the schedule you define in gpedit, i.e. ‘Every day’ and the scheduled install time of 03:00 as in the screenshot above, has no effect! The automatic maintenance option overrides this schedule. Automatic maintenance is performed daily, but you are free to change at which time it takes place via Control Panel → System and Security → Security and Maintenance → Automatic Maintenance.

Disable Internet Explorer Enhanced Security Configuration

On a development server, downloading new tools and utilities is common practice. Instead of whitelisting every domain (and there are a lot of them nowadays), I simply turn off the Internet Explorer Enhanced Security Configuration. Yes, I know this is a potential security risk, especially on production servers, but like I said, this is a development server. In addition, use your common sense when pointing and clicking at stuff on the interwebz and you should come a long way.

Go to Server Manager → Local Server → IE Enhanced Security Configuration and tick ‘Off’.

Privacy settings

Windows Server 2012, and especially Windows Server 2016, are quite intrusive when it comes to privacy. I don’t like the automatic sharing of ‘diagnostic and usage data’ (whatever that may be), so I switch off these options as far as possible (hoping they actually do something instead of being bogus buttons/placeholders).

Go to Server Manager → Local Server → Feedback & Diagnostics and click ‘Settings’.
In the window that opens, choose ‘Never’ and ‘Basic’:

Do the same for Windows Defender, by switching off ‘Cloud Protection’ and ‘Automatic Sample Submission’:

Show extensions & hidden files, folders and drives

It’s always handy to know whether or not you’re opening invoice.pdf.exe or an actual invoice.pdf, isn’t it?

Open a random folder, go to File → Change folder and search options.

Tick ‘Show hidden files, folders and drives’ and untick ‘Hide extensions for known file types’. Hit apply and OK.

Change Power Plan to High Performance

I hate waiting for my disks to spin up, and since this is a server, I always choose the High Performance power plan in order to get maximum performance.

Go to Control Panel → Hardware → Power Options and tick ‘High performance’.


Last but not least, install 7Zip & Notepad++

These two tools belong in every developer’s toolkit, so install them while you’re at it!

That’s all for now. Comments or questions? Let me know down below. Cheers!

Tutorial: How to secure Traccar with SSL / HTTPS for free, using IIS and Let’s Encrypt on Windows Server

Introduction

In this guide, I’m going to show you how to secure your Traccar installation with SSL, so that it can be reached over https instead of http. Traccar is a free and open source modern GPS tracking system.
Since Traccar has no native support for encrypted connections, we’ll do so by setting up a Reverse Proxy using IIS (which is the recommended method by the developer). We’ll be using Let’s Encrypt to generate a free valid certificate for your Traccar installation.

Prerequisites

  • A working Traccar instance, reachable over http (by default http://localhost:8082), installed on Windows Server 2012 R2 or Windows Server 2016.
  • A Fully Qualified Domain Name (FQDN), for example ‘yourdomain.com’, with an A record pointing to the IP of your Traccar server:

    (Of course, in the screenshot above, change the variables to meet your environment, i.e. replace ‘123.123.123.123’ with the IP of your Traccar server and ‘traccar.yourdomain.com’ with your own (sub)domain.
    Please note that it can take up to 24 hours, but usually no more than 1-2 hours, for your DNS servers to ‘propagate’, i.e. sync your update with the rest of the world.)

Getting Started

First, install the URL Rewrite add-on module. From Windows Server 2012 R2 and up, you can use the Microsoft Web Platform Installer (WebPI) to download and install the URL Rewrite Module. Just search for ‘URL Rewrite’ in the search options and click ‘Add’.


After installing, do the same for the Application Request Routing 3.0 add-on module:


Next, open IIS and add a new website:

In the window that opens, fill in the following details:

Change the variables to meet your environment.

Close IIS for now and download and install ‘Certify the web’, a free (up to 5 websites) SSL Certificate Manager for Windows (powered by Let’s Encrypt). Certify will automatically renew your certificates before they expire, so it pretty much takes care of itself.

After installing, open Certify. Before we can request a new certificate, we first need to setup a new contact. This is mandatory. So, first, go to ‘Settings’ and set a ‘New Contact’:


Next, click on ‘New Certificate’:

Select the website you created in IIS, in my case named ‘Traccar’:

The rest of the information should now autofill, based on the details you entered in IIS.

Next, go to the Advanced tab and click ‘Test’ to verify that everything is set up correctly.

If all goes well, you should get this popup:

Click OK and click ‘Save’.

Next, click ‘Request Certificate’ to request your free valid SSL certificate from Let’s Encrypt for your Traccar installation:

If all goes well, you should get ‘Success’.

Next, close Certify and open IIS again. Go to the website you created (in my example Traccar) and click on URL Rewrite.

Click on ‘Add Rule(s)’ in the top right corner:

In the window that opens, click on ‘Reverse Proxy’ and click ‘OK’.

In the window that opens, enter ‘localhost:8082’ in the Inbound Rules text field,
select ‘Enable SSL Offloading’,
select ‘Rewrite the domain names of the links in the HTTP responses’ from ‘localhost:8082’
and select your Traccar domain from the dropdown menu, i.e. ‘traccar.yourdomain.com’ and click OK.

Next, go to your website in IIS again and click on Compression:

Outbound rewriting can only be applied to uncompressed responses. If the response is already compressed, the URL Rewrite Module will report an error whenever any of the outbound rules is evaluated against that response. Therefore, we need to disable Compression in order to get Traccar to play nicely with IIS. Uncheck both options and click Apply:

That’s it! We’re done! Your Traccar installation should now be reachable over HTTPS and have a valid SSL certificate:

If the website is not opening (times out), check if port 443 inbound is open in your firewall:

Optional

Since your website is now reachable over https, you can change the Challenge Type to tls-sni-01 in Certify:

This way, you can remove the port 80 binding in IIS if you want, to force all traffic to your Traccar installation over https:

Have fun! Any questions or comments, let me know down below.
