My site has moved – hopefully to a more secure home

Whew! It’s been a few intense months. I’ve been too engaged to stop and take note of any of it. But I’m taking a breather here to mention a couple things I’ve been working on and talk about the New Home for this blog and how that fits in.

With my DS-1520+ server with its cloud and other functions I keep using more, I’ve managed to put together a house of cards. I’ve added one service after another including various docker containers and applications for about a year now. That included lots of trials and tribulations. I don’t want to lose it all in a hardware failure. I keep backups, but they haven’t been validated and I know for a fact there are various things that won’t get restored by Hyper Backup. So I need a procedure for doing a rebuild, and I need to be able to validate that it works when the time comes, and know what it takes to get a new system functional. And wouldn’t it be great if I could do that without buying new systems to try it out!?! I don’t want to break what I have.

It dawned on me recently that I have all the tools at my disposal to develop and test backup recovery, and without buying any new hardware. On either of my NASes I can run virtual computers using the Virtual Machine Manager. On that virtual computer, I can install a variety of operating systems including Virtual DSM. This lets met build a NAS within a NAS. Now I can start with a fresh installation of DSM and try to restore functionality from a backup. Upon finding and fixing problems with my procedure or limitations in the scope of the backup, I can make various changes and then just throw that Virtual DSM away and start over.

So I’ve been doing exactly that, and stumbled on an interesting thing to try out that I suspect substantially improves the security of my site and is otherwise just cool. In some of my testing I created a Virtual DSM and restored a backup of this web site on it (naturally including databases etc that it needs to function). I got that working and that’s why you can see this web page…the original site has been shut down at least for a while.

The reason this is more secure is this: If at attacker manages to infect the host with malware, the damage that malware can cause is limited to the virtual computer. If it did get compromised somehow then I could just restore that virtual computer from a saved snapshot. If for example the malware were to somehow delete every file on the hard disk and render the operating system unbootable, this would still be limited to the virtual computer that runs the site. The “hard disk” that got wiped is just a virtual hard disk that’s a small part of the storage on the hosting server.

How I moved this site into a virtual computer

I went thru the process of creating a VM for my site several times before I ended up with a smooth and consolidated set of steps. I wanted to boil it down to the essentials so I can easily move things as I see fit. I think it worked out very nicely and I thought I’d record what I came up with here.

To sum it up here’s what I’ll do below. Setup a virtual NAS on my DS-918 using Virtual Machine Manager. Point that virtual NAS to a backup of my DS-1520 server where is currently deployed. Restore from that backup, the services necessary for running the blog along with the site files and SQL database etc. Shutdown the new site and startup the new one in the VM and make it accessible over the internet.

Let’s get into it!

Create Virtual DSM Computer to host my blog

On the DS-918 I’ll visit Virtual Machine Manager and tell it to create a new virtual computer.

Create virtual computer

Stepping thru a few simple dialogs to allocate hardware resources, the VM gets created and I can connect to it at its assigned IP address. Now I give the computer a unique host name and login account.

Name device and create a new login account

That’s about all there is to that…now I login with the new admin account and I’m at a new DSM desktop.

Basic new desktop with no add-ons

Install Web Backends

After downloading DSM updates I now go to the Package Center and tell it to download the backend services that my site needs. These are mostly provided by third parties and won’t be part of the backup we’re going to restore.

By inspecting the Web Station setup on the source NAS where resides, I see the following capabilities there.

Based on that I just choose the right packages to install including (I know some of the above aren’t used anymore):
  • Apache HTTP 2.4
  • PHP 7.4
  • phpMyAdmin

Restore system configuration and web sites

Now I go to the Package Center and tell it to install Hyper Backup which I then launch and tell it to restore a data backup. I’ll point to a backup of the whole NAS.

Login to remote server where backup is stored

Now I step thru a few dialogs telling it just what to restore from the backup and get down to this summary to confirm.

Selective restore of the web server and websites

That kicks off and runs for a couple hours, loading a few hundred GB of applications and data into this virtual server.

After running, that restores ALL network settings and user accounts from the DS-1520 server. This is great in most respects except that it also gives the server the same network and domain name as the server I restored this backup from. So now it’s important to visit the network settings and login portal in the Virtual DSM and restore the correct settings. Also important, is to configure my local DNS so the IP address of the server is permanently reserved.

Finally, I can visit and view the site! But not done quite yet…

Fix inability to login at site

Even though I can view the site anonymously, I can’t login. The reason being that my site is setup for a 2FA login and after moving the site, I can’t seem to make that work (even though it is a TOTP code, so it seems like it should work based on the same secret key).

In any case I came up with the following solution that will let me login and get things working.

Open a SSH session and navigate to the wordpress directory where I’ll temporarily hide the wordfence plugin which handles the 2FA login (and a lot of other security issues).

SSH session to rename/hide the wordfence plugin

The mv wordfence wordfence.bak just renames the plugin directory and makes it unable to participate in the login which then becomes based only on username & password.

Now that I’m logged in I can then rename wordfence.bak, giving it the original name. This makes it possible to now get to wordfence and turn off 2FA logins. Now I can log out, log in, etc. And turning on 2FA makes that work again too.

Secure internet access

At this point the site is fully functional except for one glaring problem. Security certificates are not installed, so access in a web brower includes bypassing stern warnings about the site not being secure. It’s also not possible to reach the VM over the internet. I’ll solve both of those problems below.

To reach the VM over the internet I’ll setup a reverse proxy on that will send traffic to the right place on the LAN. The reverse proxy tells that when it receives HTTPS traffic directed to, that it should send that traffic to the IP address of the Virtual DSM where we’ve placed the site.

Create a reverse proxy to route internet traffic to the VM

(this reverse proxy needs to be associated to the certificate too at the certificates settings page or browsers will still complain regardless of the certificate at the final destination)

Now I’ll just pick the export-action on this certificate so I can import it at my new virtual server where the web site has been moved.

Import SSL Security Certificate

With the certificate imported, I’ll then associate it with the virtual host.

Pair the certificate with the website

And that’s about it! If that seems like a lot of stuff to do, you should have seen my steps the first time 🙂

Leave a Comment