Building Your Own Secure Website/vds

[whitehat]

I have an extra desktop computer with no OS installed, that I use for playing with live boot linux disks.

I would like to host my own server/website, with the maximum possible security and anonymity then offer it up as a hacking target like www.hackthissite.org so that I can learn by trial and error how to secure/run a server, and maybe make a few friends in the process (visitors).

What choices would you make to get started?

Do you think that the choice of server matters, or are they all basically equal except for whichever one is easiest to configure properly? Should I just go with Apache despite all the vulnerabilities?

What would be the role of a service like www.noip.com or dyn.com? Would those DNS services actually keep website visitors from seeing my home internet connection IP? If I register a domain, sign up an account at www.noip.com, is that no IP host my nameserver for the DNS name?

If I have the website/webapp running on the old desktop I'm making my server, then can I still use VPNs on my other home computers/laptops/devices without knocking my website offline?

Does it matter which distro/OS I pick, and what do you recommend if so? Most of the sec distros at www.distrowatch.com are blackhat focused, so I don't know if it would really help me as the webmaster / sys admin?

Should I use something like NetSecL or LPS that is configured to be isolated and more locked down?

Thanks in advance

[Jason Cooper]

Ok, if you want to host the site anonymously so that people can connect to the site without knowing your IP then you are going to want to be looking at setting up a hidden service in something like I2P or tor. Getting a hidden service, really hidden is actually very difficult so you will want to read up on the documentation and tutorials. (Irongeek has quite a bit on i2p) and could be a good place to start to get a grounding on the subject.

[whitehat]

Thanks, you're right. That's a good answer, but I should have mentioned that I'm scared of the darknet and don't want to mess around with it, because I think it would put me in a small group filled with a lot of really really bad people, blah, blah, blah

[whitehat]

But I mean I was going to host the webpage on my computer anyway, which is what a darkweb host would do for you, right? I just wanna know like what's the best server (Apache, etc), what Operating System (NetSecL), etc

[Jason Cooper]

You could probably take some of the advice for running a hidden service in tor securely and apply it to just running on a machine on your local network. Things like running your webserver as a virutal machine where the host machine blocks almost all access from the virtual machine to the rest of your network would help prevent them attacking any of your local machines if they did manage to control the web server.

From an operating system for security point of view I would suggest that you check out OpenBSD, which has a very strong emphasis on security.

Really Apache would be a good webserver to use as it is regularly being patched and there is a lot of documentation for it and how to configure it.

[whitehat]

Good point! Thank you

[Infiltrator]

Thanks, you're right. That's a good answer, but I should have mentioned that I'm scared of the darknet and don't want to mess around with it, because I think it would put me in a small group filled with a lot of really really bad people, blah, blah, blah

You could look into buying a private VPS (virtual private server)! And then use a VPN service to connect to it from home, so that you don't expose your real IP address.

Edited August 28, 2012 by Infiltrator