**ApacheTech Consultancy**, posted March 27, 2013 (edited)

Up until recently I've been hosting a website from home, which I've mainly been using as a sandbox site and repository. I have been using Windows 7 Ultimate, XAMPP 1.81, DirectUpdate and a dynamic DNS address. I've whitelisted XAMPP through Windows Firewall and allowed traffic through the router's NAT to my PC, which is on a static IP at home. I also use BitVise WinSSHd as an SSH server, using virtual profiles rather than Windows Authentication.

It's all worked really well up to now, but after speaking to a few people, they've said that you should never use XAMPP or the like for publicly accessible websites. To that end, I've been wondering what is the most secure and most recommended way to run a website from home? So, starting with a fresh and fully updated version of Windows 7 Ultimate, where do I go from here?

Also, one side question: can you run Apache and IIS concurrently on the same machine and have both serve websites on virtual hosts?

Edited March 27, 2013 by ApacheTech Consultancy
**digip**, posted March 27, 2013

> So, starting with a fresh and fully updated version of Windows 7 Ultimate, where do I go from here?

I would build a VM as a web server, firewalled off from the rest of the LAN, possibly port forwarded to the VM from the router while the VM is bridged to the network, but the VM should be run on a non-production box, meaning if they escape the VM to the host, you don't care if it gets nuked. Possibly a good lesson why LAN segmentation, switches, VLANs and subnetting begin to come in handy in cornering off services.

As for running two web servers on one host, if you ran two VMs, yes, but you'd have to configure each of the web servers to listen on different ports, since they would both want to serve HTTP by default on port 80. I wouldn't attempt to do it natively on the same host. If you want two websites, use Apache with vhosts for that, with a DNS server to get to each domain name instead.

XAMPP on Windows is usually very easy to hack into in general though, so that's why I would build a VM on a dev box where you don't care if the host machine gets nuked, while running something as simple as a TurnKey Linux VM already configured with Apache, PHP, MySQL, etc. for you. Just secure it once you get it up and running.

In general, your main home machine should not serve anything to the internet if you want it to live very long. Not saying it can't be done, just chances are much greater to have it at risk than if it's not accessible at all from the web, and that's the whole reason we have NAT to help protect workstations from being exposed directly to the web. If you do keep XAMPP in place, be sure to harden phpMyAdmin and keep it up to date, as that's usually the path taken to get into the box, and then upload a PHP shell to run system commands on the host itself, which gives them access to the whole machine usually when run under Windows.
**ApacheTech Consultancy** (author), posted March 28, 2013

The home PC it's running on is set up purely as a host PC. I have Office and Visual Studio on it, but no personal data is saved on the HDD and I'm not too worried if the machine gets baulked. I've had it running 24/7 for over a year and it's never been visibly damaged so far. BitVise comes up every couple of days or so with a Chinese IP address trying to gain access to my SSH server, but I suppose that is to be expected. I ran Zenmap on one of the IPs once and it routed back to the Chinese Embassy in the UK. :s It's possibly because WoW is installed on the same PC, so they're scanning for those ports too to try and get access for gold farming. From the aftermaths I've seen in the past, attacks usually take the most direct route, ending in an NTLDR failure. I have enough system recovery tools to cover most events.

Ideally, I'd like to stick firmly with Windows because I wouldn't have the first clue about how to WebDev or even store files in Linux, and I need Visual Studio as well. I have pretty much unlimited numbers of versions of Windows through Dreamspark Premium, so I can put however many VMs of any version on there I want.

I've tightened up XAMPP as much as possible. I've changed all the default passwords for phpMyAdmin, FileZilla and the admin site; moved the XAMPP admin panel to a separate folder entirely; run everything through non-standard ports; updated phpMyAdmin; used HOSTS-based access with password-protected directories.

How would the network handle having that PC set up statically using /25 and the rest of the devices on the network on DHCP using /24? Or is this the perfect opportunity to separate that device using a port-based VLAN from the router?
**digip**, posted March 28, 2013

Being all on one machine, you can't really separate them other than with VMs and their own LAN and NAT, with the host running port forwarding to the VM while the router port forwards to the host. Otherwise, you just bridge the VM to the LAN to get DHCP from the router or set a static address in the VM, but you can, or should be able to, VLAN the VM if you install more than one NIC and give it to the VM exclusively, but that also depends on your home router setup for VLANs and a switch for trunking VLANs and disabling VLAN 1, which pretty much broadcasts to everyone. With one router, it's kind of hard to subnet, since you only have one gateway address on that router, unless it's not an off-the-shelf consumer router and has more than one LAN interface; you can then subnet each interface to keep the LAN segmented. Basically, draw your topology out and plan where to plan shit... lol.

Sounds crazy, but I know some people who install a second line in their home to host sites at home, so there is no tie-in to the home LAN and household, so that's an option if you have a spare machine and a cheap DSL setup to dedicate for a stand-alone web server, while your regular home workstation doesn't have to worry about being compromised from a pivot off the web server if they each have their own unique WAN address.
**ApacheTech Consultancy** (author), posted March 28, 2013 (edited)

I think I might talk to uni, see if I can take one of the old Cisco routers and a switch. They have a few which are "bricked" because they don't have the proprietary stuff they need to flash them properly to unbrick them. But I'd be able to pick them apart and flash them myself. A second BT line is a definite no-go. It'd cost far too much money and it's my parents' house anyway. I've just had a look at the options on our router config here and VLANs seem amazingly difficult to set up. It is a four-port EchoLife router but the interface for it is notoriously bad.

From what you've said, I think I'll go with a slim-on-top VM setup. I'll have the full Win 7 Ultimate as a thick server base but stripped down to maximise performance (Classic scheme, WinTweaks, etc.); then on top of that, a slim Win7 VM with a 32GB VHD. I can strip Windows down to its basic functions; I won't even need the shell. I can rotate backups of the VHD on the NAS, as the only thing that would get baulked is the VHD, and I can just do a 12-hour rollback on the whole image and analyse the baulked drive to patch any security holes. If I only give the VM read access to any shared files from the NAS that it needs, then any corruption should stop short of the host OS. I'm not sure I can cut it off from the rest of the network (it would mean explaining subnetting to my parents and configuring the phones or laptops of anyone who ever came round), but I can severely limit its access to the LAN, only whitelisting the specific ports I need through NAT. All the WebDev can be done through SFTP/FTPS from the host to the VM as a remote project.

To me, that seems like a fairly bullet-proof design from what you've said about splitting it from the rest of the network. I don't have the luxury of any spare devices or extra lines; I have to work with what I have. One PC, one crappy router and a single phone line.

I have all the software I could ever need from Microsoft though. :) How does that sound?

Edited March 28, 2013 by ApacheTech Consultancy
**Infiltrator**, posted March 28, 2013 (edited)

Just a quick observation: if you are going to be setting up two individual web servers, make sure you change the default port on one of the web servers to port 8080. For a very simple reason: you only have one WAN IP address and you can't have x2 port 80 running on the same IP address. For example, webserver1 would be on port 80 and webserver2 would be on port 8080.

Edited March 28, 2013 by Infiltrator
**ApacheTech Consultancy** (author), posted March 28, 2013

Yeah, I run port-based virtual hosting through Apache at the moment for different sandbox sites. The default 80 is just a landing site atm. That side of it I've got down, but I think I'll have to install IIS first because it likes to hog the default ports, then virtual-host Apache on 8000 and 8080, leaving 80 and whatever other ports I use to IIS. It's just whether IIS will play ball with Apache.
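An added example (not posted by anyone in this thread) of what the two ideas above look like in Apache 2.4 configuration: port-based vhosts on 8000 and 8080 so IIS can keep 80, and the earlier post's "host-based access with password-protected directories" applied to phpMyAdmin. The paths under `C:/xampp`, the LAN range `192.168.1.0/24`, the `.test` host names and the `pma.htpasswd` file are assumptions; XAMPP's own `httpd-xampp.conf` already aliases `/phpmyadmin`, so its block would be replaced by the one below rather than duplicated.

```apache
# Added example for the setup discussed in this thread (assumed paths and LAN range).
# Apache must NOT Listen on 80 here: that port stays with IIS on the same host.
Listen 8000
Listen 8080

# Sandbox site 1, reachable on port 8000
<VirtualHost *:8000>
    ServerName sandbox1.example.test
    DocumentRoot "C:/xampp/htdocs/sandbox1"
    <Directory "C:/xampp/htdocs/sandbox1">
        # no directory listings, no .htaccess overrides from web content
        Options -Indexes -Includes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog "logs/sandbox1-error.log"
    CustomLog "logs/sandbox1-access.log" combined
</VirtualHost>

# Sandbox site 2, reachable on port 8080
<VirtualHost *:8080>
    ServerName sandbox2.example.test
    DocumentRoot "C:/xampp/htdocs/sandbox2"
    <Directory "C:/xampp/htdocs/sandbox2">
        Options -Indexes -Includes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog "logs/sandbox2-error.log"
    CustomLog "logs/sandbox2-access.log" combined
</VirtualHost>

# phpMyAdmin: only from localhost or the home LAN, AND only with a password.
# Both conditions must hold (RequireAll), so a forwarded port from the WAN
# still cannot reach the login page.
Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
<Directory "C:/xampp/phpMyAdmin">
    Options -Indexes
    AllowOverride None
    AuthType Basic
    AuthName "phpMyAdmin"
    # assumed file, created once with: htpasswd -c C:/xampp/apache/conf/pma.htpasswd admin
    AuthUserFile "C:/xampp/apache/conf/pma.htpasswd"
    <RequireAll>
        Require ip 127.0.0.1 ::1 192.168.1.0/24
        Require valid-user
    </RequireAll>
</Directory>
```

After editing, `httpd -t` from the XAMPP Apache `bin` folder checks the syntax, and `netstat -an | findstr LISTENING` confirms that only IIS holds port 80 while Apache holds 8000 and 8080.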
**digip**, posted March 28, 2013

> Just a quick observation: if you are going to be setting up two individual web servers, make sure you change the default port on one of the web servers to port 8080. For a very simple reason: you only have one WAN IP address and you can't have x2 port 80 running on the same IP address. For example, webserver1 would be on port 80 and webserver2 would be on port 8080.

I thought I did mention that, no? lol - http://forums.hak5.org/index.php?/topic/29131-how-to-set-up-a-web-server-from-home-the-correct-way/?p=220990