Adding .htaccess File To QNAP’s /share/Web/ To Secure All Web Applications Within

Legal Disclaimer:  Following the tip within this blog post at your own risk.  You have been warned, thus you know that you are going to do something dangerous here to your web server or QNAP server.  With this knowledge of yours and by having reading this warning or skipping this clear warning, you cannot hold me for your stupidity or dangerous action against your very own QNAP server or web server or against anyone’s web server that you’re responsible for its administrative duties and procurements.

Are you running a web server on QNAP NAS?  NAS stands for Network Attached Storage server.  If you are for whatever purpose, whether this web server is for production purpose or testing purpose, you might want to know that .htaccess file can help secure QNAP’s web applications such as WordPress, Drupal, and the rest.  Here’s how to create proper .htaccess file that controls all web applications at once on your QNAP server.

  1. You need to change into directory of /share/Web by using this Linux command [cd /share/Web].  Of course, please do ignore the square brackets as these are only for clarifying the command line.
  2. Quickly do [ls -la] to figure out if you have an .htaccess file already.  If you do, please make a backup of this file in case you need this original file again for whatever purpose.  To make a backup of this .htaccess file that you already have had in the QNAP’s /share/Web directory, use this command [cp -p -a /share/Web/.htaccess /share/Web/.htaccess-old].
  3. Once you had followed the step #2 herein, then you can try to remove the original .htaccess file (Not the backup one you just made OK?) by using this command [rm -rf /share/Web/.htaccess].  Be very careful with [rm -rf] command line, because if you misspell a file or a directory you’re trying to remove, you will definitely lose such directory or file forever and won’t be able to recover it.
  4. Now let us create the .htaccess file again, but this time we’re creating it the way we like it.  Of course, .htaccess is a complex file, thus regular Joe like us needs not to worry about making this file too complex.  Instead, let a regular Joe like us to just create simple .htaccess file that denies all IP addresses but only allows a specific IP addresses.  This means, if you want to allow one or two specific IP addresses to access QNAP’s web applications, this .htaccess file should satisfy your command.  So here we go…
    1. Creating .htaccess file by using this command [touch /share/Web/.htaccess].
    2. Now, let’s edit the .htaccess file we just created by using this command [vim /share/Web/.htaccess].
    3. Let’s enter the lines below for our new .htaccess file shall we?  These lines must be in the order as follow…
      1. order deny,allow
      2. allow from 192.168.0.x (please use your very own IP address here)
      3. allow from 192.168.0.x (please use your very own IP address here)
      4. deny from all
    4. What we had done was adding 2 IP addresses to the allow list in .htaccess file so these 2 IP addresses will be able to interact/access the web applications that reside in QNAP’s /share/Web directory.  You can add more IP addresses or remove most IP addresses but allowing only one according to your desire by simply adding more [allow from…] or remove [allow from…] lines.  Of course all [allow from…] lines must be written or typed out above the line which said [deny from all] and below the line which said [order deny,allow].  Now, we must save our newly edited .htaccess file by doing this while you’re still in the vim editor.
      1. Hit escape key on the keyboard to exit the editing mode.
      2. Type in [:wq] and hit enter key on the keyboard.  Of course, please do ignore the square brackets as these are only for clarifying the command line.
  5. The last step is to secure our new .htaccess file by doing two things.
    1. First thing to secure is to make sure the owner and the group owner of the .htaccess file are indeed the right owner and group owner.  For me personally, I prefer to not use admin user and administrators group for any web application files and directories, because I don’t want the evil doers to be able to use one of these files with high privilege access to escalate the privilege and execute malicious commands.  This is why on my QNAP server I rather make most of my web applications’ files and directories in the name of user httpdusr and group owner everyone.  So let’s do this command to make this happens OK?  Type in [chown httpdusr:everyone /share/Web/.htaccess].  Afterward, just do [ls -la /share/Web/.htaccess] to see if .htaccess file indeed is using user httpdusr and group owner everyone.
    2. Second thing to secure is to make sure the .htaccess file has the right permission.  So we need to use this command [chmod 400 /share/Web/.htaccess].  What this command does is change the permission of .htaccess file in /share/Web directory to read only for user (owner of the .htaccess file) and no other permission is allowable for anyone else, hint the two zeros after #4.  These two zeros stand for no permission for group user (whoever has the group authorization of whichever group) and no permission for everyone else (this is the last 0 for).  Finally, you can do [ls -la /share/Web/.htaccess] to confirm that the permission for .htaccess file is indeed 400 or not.  If it’s so, it means only the QNAP web server user httpdusr will be able to read the file, but even this user cannot write to or execute whatever within this .htaccess file.

Now, with this .htaccess file configuration for your QNAP’s /share/Web directory, the web applications that are residing within this specific Web directory will not be accessible to anyone with any IP address unless somebody is using the IP address that is being allowed by this very .htaccess file.

Do you know that by following the tip herein, you can also use this very tip for non-QNAP web server?  Just create a similar .htaccess file within whatever web server’s directory to prevent snooping to most IP addresses and allow only the IP addresses that are being allowed within.

Advertisements

How To Map A Network Share To Mac OS 10.9 (Mavericks) Permanently

Within the video right after the break, I show you how to map a network share to your Mac OS 10.9 (Mavericks) permanently.  This way, whenever you reboot or first boot up your Mac, the network share folder will automatically be connected to the NAS (network attached storage server).  Enjoy!!!

Using External Device As A Share Drive Or Backup Drive For Your QNAP Server

In the video right after the break, I talk about how to use an external device as a share drive or a backup drive for your QNAP server.  On a side note, I think this is a great way to enable USB 3.0 capability for a computer that doesn’t have the motherboard that can support the USB 3.0 adapter.  Keep in mind, if you have a QNAP server that supports USB 3.0 ports, it’s like you have USB 3.0 capability on your local computer.  Basically, you can always tap into the QNAP server’s share drive and tell it to behave as if it’s just another external hard drive on your computer.  Obviously this share drive which is connecting to your QNAP server is using USB 3.0 port, and hence this is why you can enable USB 3.0 capability for your local computer.  This is a stupid reason for you to just go out and buy QNAP server and external hard drive that support USB 3.0 ports, because you can just buy another computer which supports USB 3.0 ports.  Nonetheless, you can definitely take advantage of this beneficial side effect of having a QNAP server as a network attached storage server.  Same story with eSATA capability if your QNAP server supports eSATA ports.  Enjoy the video!!!

How Paranoid Should You Be For Backing Up Your Data?

Backup Backup Backup - And Test Restores

Backup Backup Backup – And Test Restores (Photo credit: Wikipedia)

If you ask me what is the best way to backup your data, I will probably direct your concern to more than one way.  I like to think of not placing all of your eggs in one basket kind of scenario.  What’s the point of backing up data in the first place?  It’s to hope that when things go crazy such as a computer’s data corruption might occur, you can then access your most valuable backup data.  If you only rely on one preferable backup method, then what if in a critical moment that even the backup data isn’t accessible through your preferable only backup method, what will you do then?  Even a perfect storm is a possible scenario for spreading eggs in more than one basket, therefore I think being paranoid about safekeeping your data with more than one preferable backup method is the best way to go about doing the backups for your valuable data.

For us normal folks, the regular Joe(s), who have data that we want to safeguard, it’s a must for us to spread our data in more than one basket.  It must not be that you have to be a company to take this approach.  Furthermore, nowadays regular Joe(s) do have plenty of ways to go about doing backups for their data.  Let me list few of them:

  • Google Drive
  • Pogoplug
  • Dropbox
  • Amazon Simple Storage Service
  • CrashPlan
  • External hard drives
  • Network attach storage solution such as QNAP NAS servers
  • Do it yourself FreeNAS server solution
  • rsync to a renting server with affordable monthly fee

And the list can go on a lot longer as third party cloud services are now in amble supply.  I think the problem isn’t about finding a backup solution or solutions for the regular Joe(s), but it’s about the affordability, speed, security, and conveniency aspects.  Let say, if a regular Joe wants to spread his backup data in more than one basket, how affordable can this be?  So on and so on…

I think affordability should not be as big of an issue as before the time when there were no third party cloud service and competitive (affordable) computer hardware pricing.  If you don’t intend to harbor 100 of Gigabytes worth of data for streaming purpose or whatever extreme configuration, backing up few Gigabytes worth of data should not cost you much at all.  Perhaps, you can do it at no cost too.  One example, I think Google Drive gives you around 10 Gigabytes worth of free data space or a little bit more than this, and just with this service alone you know you don’t have to spend a dime to backup your data as long you are not going over the free space limitation that Google Drive allows.  Don’t like third party cloud services for whatever reasons?  Computer hardware such as external hard drives nowadays are no longer pricing at outrageous prices, therefore it’s easier for regular Joe(s) to go this route for doing their data backups.  How about coupling Linux with a spare, dusty computer to form a local backup storage server at zero cost in term of money, but you have to spend time on putting things together such as installing Linux and deploying Linux’s network attached storage services to have a more complete backup server solution.

I can see that the many third party cloud services as good solutions for doing backups.  How come?  Let say you’re paranoid about the safety of your data to a point that you consider the scenario where local backup data can all be corrupted at the same time for whatever reasons such as a virus/hack attack (or by even a more nefarious scenario), therefore you think third party cloud services are the additional safety reservoirs for your backup data.  If you are this paranoid, I think you’re doing it right.  Although third party cloud services are good measures against local data corruption, there are problems with this whole approach in general.  Let me list a few:

  • Broadband’s upload speed (Internet connection) isn’t fast enough to do a major backup (i.e., backing up huge amount of data in Gigabytes worth)
  • Security issue… how do we know our data can be securely safeguarded and stored on the remote servers?
  • Trust issue… such as how do we know our data privacy and our privacy won’t be breached on the remote servers?

I sneakily snuck in the speed and security concerns about backing up data remotely through third party cloud services, but we should not take the security issue lightly since many people may not want their privately backup data to be made known to the whole world.  Security done right in term of backing up data locally and remotely, this will also address the privacy issue/concern too.  I think employing good network and computer security measures locally will enhance the security protection level for the backup data.  Such measures should be about employing hardware and software firewall, antivirus, and so on.  Don’t forget to update the software and firmware, because through updating these things that you can be assured of weeding out security bugs.  You can never be too sure about the security of your data when you’re backing up your data remotely, therefore you should employing encryption for your backup data before you upload your backup data to the remote servers.  One good encryption measure I know of is TrueCrypt software which can be downloaded and used freely.

I don’t think we should sacrifice our data security for conveniency, because data security is definitely more important than otherwise.  Still, conveniency should be considered in the calculation of our data backup challenge too.  It’s just that we have to make sure we don’t have to sacrifice data security for conveniency.  Let say, you want to backup your data to a third party cloud service, but you don’t like the idea of doing a local encryption for your data first… this means you are sacrificing your data security for conveniency and this is truly bad for you as the owner of the backup data (i.e., privacy concern).

In summary, I think if you’re paranoid enough about the health of your data, then you should devise many backup plans for your data.  You should try to backup your data both locally and remotely, but you should employ encryption for your data when you do backup your data remotely.  Backing up huge amount of data remotely can be very inconvenient at this point in time since so many regular Joe(s) do not have access to fast upload broadband speed.  Let hope this will change soon, and I know things will be moving in this direction since data streaming and data sharing and data backup are in much more demand than ever before.  One example would be Google fiber Internet service.  Google is driving the Internet Service Provider competition forward as Google deploys its Gigabit Internet connection service for many households in various lucky cities and towns.  With Google pushing for more competition in the area of broadband speed, I think the future — having great Internet connection for uploading our backups — is definitely bright.  As time is moving on, the costs of computer backup hardware and backup services can be even more competitive, we can expect the cost of deploying backup measures for our data can only get cheaper and easier.  I like the idea of having a NAS locally, and using one or two third party cloud services for my data backups.

(How paranoid should you be for backing up your data?  In my opinion, the answer should be, the more the merrier.)

On QNAP Server, How DO I Set Up FTP And Connect To It?

QNAP TS-419P II is what I use to hold the backup data and share data among machines within my house.  Basically, QNAP TS-419P II is a network attached storage server.  It got RAIDS and host of other capabilities such as hosting a Time Machine service.  Nonetheless, within this post, I post a video which talks about how to set up FTP and how to connect to FTP, on QNAP TS-419P II.  Obviously, it’s not only QNAP TS-419P II which uses this particular firmware/software, therefore any other QNAP server model which uses the same firmware/software will work with the instruction within the video right after the break.  Please, enjoy the video!!!

(If you know how to set up FTP and connect to FTP, on QNAP server already, then I think this video is rather useless for you.)

How Much Are You Willing To Spend On Securing Your Data?

Network Attached Storage

Network Attached Storage (Photo credit: Wikipedia)

The actual cost of making sure your data is safe (i.e., redundancy) and secure can be quite ambiguous.  The ambiguousness is probably derived from the plethora of options that you can choose to go about making sure your data is safe and secure.  I guess it is all depending on how you want to go about making sure your data is safe and secure.  Nonetheless, if you insist on wanting to know an estimated price range for securing and backing up whatever data, I think you’re looking to spend around a little more than $1,000 or just about $0.  You see, the ambiguousness can already be found from just looking at the possible cost of implementing a solution for securing and backing up data.

Remember, we are speaking about implementing a solution in securing and backing up data for small business or home, therefore I think the cost of implementing this kind of data assurance solutions should not be too outrageous.  Let us just go over some possible data assurance solutions to see how much you might have to spend, OK?  Nonetheless, remember the cost will be ambiguous as each unique data assurance implementation might require unique data assurance solution.

Requisite elements for $0 spending in securing and backing up data:  Talking about spending $0 on securing and backing up data is totally possible.  This scenario requires you to have a spare computer which you will not have any other use for it besides of wanting to use it as a backup machine for this specific scenario.  You will definitely need to download an open source backup solution such as FreeNAS or a Linux distribution (an open source operating system which is similar to Unix type).  You also need to download TrueCrypt.  In the case if you want to protect database of passwords, you totally need an additional layer of protection such as password manager which is capable of encrypting its database (e.g., KeepassX, etc…).  A proper home or small business network needs to be setup correctly, therefore you need to have a working router.  Also, you need to know how to distribute a local, non-public, static IP address for your backup server.  In the case of backing up data from outside of the network, you definitely need to know how to open up ports on your backup server and forward ports on your router.

Piecing together the elements for $0 spending in securing and backing up data:  So basically, the spare computer can be setup with FreeNAS or Linux distribution as a backup server.  You will use TrueCrypt to encrypt data first before backing up the data onto FreeNAS or Linux server.  Linux server requires your knowhow of setting up a proper service which allows you to use proper protocol to backup the data.  One example of backing data to Linux would be using rsync.  FreeNAS is a lot easier to deal with as it’s designed to launch NAS (Network Attached Storage) services quick and fast.  In the case of digitizing saved passwords, you need a proper password manager which is capable in encrypting your passwords in an encrypted database, therefore I suggest you should try out KeepassX.  To make your digitizing saved passwords even more secure, you can totally use TrueCrypt to encrypt the KeepassX database.  On Linux server, you can totally download free firewall and free antivirus solution to protect your Linux server from hacks and viruses, consequently providing even more protection for your data.  In the case of a FreeNAS server, at the moment I don’t think you can install firewall and antivirus programs, therefore you should make sure the firewall of the router is properly configured (i.e., to protect the FreeNAS server from intrusions).  I think you might be able to use an antivirus solution on a PC to scan iSCSI drives of FreeNAS server, therefore I guess you can use an antivirus program with FreeNAS server if you have setup iSCSI drives on FreeNAS properly.  Nonetheless, you must know that this is a dirty fix antivirus solution for FreeNAS server as you can only initiate an antivirus program on a PC and not on the FreeNAS server itself, limiting you to scan FreeNAS iSCSI drives only and not the entire array of physical hard drives that reside within a FreeNAS server.  To backup data from abroad to your backup server at home or office, you need to rely on VPN (Virtual Private Network protocol).  VPN will safely encrypt and secure the data that is in transit (i.e., utilizing the Internet to transfer data from one network location to another network location).  I think you can set up VPN service on Linux server with some efforts, and this will not work if your ISP doesn’t allow VPN traffic.  I’m not sure if FreeNAS supports VPN or not, but if it’s you should use it to backup data from abroad.  Don’t forget to open up or port forward necessary ports for the router and the backup server to allow proper transfer of backup data, OK?

Requisite elements for $1,000 spending or more in securing and backing up data:  No specific recommendation on NAS (Network Attached Storage) hardware, but I have seen many NAS machine can be purchased as low as $100.  Nonetheless, I think you should choose a NAS machine that fits to your data assurance plan.  Firstly, you want to make sure the NAS machine you want to buy is regularly updating its firmware to combat vulnerabilities and software errors.  Usually, searching Google might reveal critical complaints on specific NAS machine that you are thinking of buying.  As long you don’t find any critical complaint about a NAS machine you want to buy, then go ahead and purchase the NAS machine if you think it’s the right solution for you.  Secondly, you want to know the NAS machine you are looking at is diskless or vice versa.  If it’s diskless, then you should know that you have to buy hard drives to install into the NAS machine.  If the NAS machine comes readily with hard drives, then you should not buy any additional hard drive.  Thirdly, you might want to check how many hard drive bays the NAS machine you’re looking at has.  The more hard drive bays a NAS machine has, the more RAID choices you can implement.  Nonetheless, the more hard drive bays a NAS machine has, the more money you might have to spend (e.g., the cost of more bays on a NAS, the cost of more hard drives to fill up the bays).  Fourthly, you want to check to see the NAS machine you’re looking at is capable of supporting all the software implementations that you have in mind (e.g., Time Machine, CIFS, VPN, NFS, FTP, rsync, etc…).  Fifthly, you want to make sure the NAS machine you’re looking at is capable of doing fast data transfer in terms of reading and writing speeds.  Obviously, this specification will not guarantee fast data transfer as other network and hardware bottlenecks must also be considered (e.g., slow hard drives, using slow RAID choices, slow local network, etc…).  Other things you also need to consider before purchasing a NAS hardware is a NAS temperature under heavy loads, the fan noise levels, the size factor, data encryption support, antivirus capability, security measures, and so on.

Piecing together the elements for $1,000 spending or more in securing and backing up data:  Putting a NAS machine to work is probably easier than having to configure a FreeNAS or Linux backup solution since many NAS machines are designed with NAS users in mind.  This means the NAS machine you have bought should be easily configurable, allowing you to setup proper NAS services with ease.  If your NAS machine is supporting Time Machine and you have a Mac, then you should setup Time Machine on the NAS machine to allow the Mac to backup to the NAS machine whenever.  If your NAS machine is supporting CIFS, NFS, rsync, FTP, iSCSI, and so on, then you can setup these protocols/services on the NAS machine to allow all major operating systems to backup the data to the NAS machine.  The major operating systems I’m referring to are Linux, Mac, and Windows.  Furthermore, if your NAS machine supports cloud type of service and mobile data, then you should setup these services to allow cloud type of usage and mobile data backup.  Nonetheless, you should only enable the services that you need on the NAS machine, because enable way too many unnecessary services might open up unwanted vulnerabilities (i.e., allowing hackers to exploit more than one vulnerable services in a machine).  Your NAS machine might be readily announced what ports you need to open on a router for network traffic to transfer data to the NAS machine correctly.  Also, your NAS machine might also allow you to change default port of a service easily.  To secure your data even more, you should consider the option of encrypt the NAS hard drives if the NAS machine supports encryption.  I think some NAS machines might have encryption programs installed by default.  If this is not possible for your NAS machine, you can use TrueCrypt to encrypt the data before such data get upload to the NAS machine.  To further enhance the security of digitizing saved passwords, you can totally use KeepassX as KeepassX automatically encrypts its password database.  Don’t forget to use TrueCrypt for the KeepassX database so digitizing saved passwords will be even more secure right after such passwords get backup to the NAS machine.  When backing up data from abroad, you need to setup VPN service on the NAS machine so the data can be securely transit from abroad to the NAS machine that resides in a home or an office network.

Some of you think backing up data to a third party backup service such as CrashPlan is a great idea, it might be so if you’re careful about encrypting the data.  Backing up to the cloud is definitely an additional layer for data redundancy, therefore it’s a plus for a complete data assurance scheme.  Nonetheless, when data leaves the local network and resides on someone’s else network (e.g., CrashPlan, Amazon Cloud Drive, etc…), the data is truly beyond your control.  This is why when encrypting the data before allowing such data to be uploaded to the cloud is a wise data security measure.  The cost of backing up data in the cloud can be varied as each cloud service will have different cloud plans.  Nowadays, I have found many cloud services are quite affordable, therefore it’s up to you to find out which cloud service is best for your data assurance plan.