jrperry Posted September 15, 2014

Hello, I am looking to host a website on an old computer I installed Ubuntu on in my basement. What I am interested in is what common security mistakes people self-hosting websites make.

Cheers
digininja Posted September 16, 2014

Short, slightly sarcastic answer is the biggest mistake is hosting your own website at home.

Longer answer, you have to consider:

- Keeping the box fully patched
- The application is usually the weakest link, so is that fully secure?
- The server must be fully segmented from your home network, otherwise a compromise would give an attacker full run of your home
- Does your ISP allow hosting? Some don't on residential contracts
- Do you have a static IP or will you be using a dynamic IP service?
- What's your bandwidth allowance and will people using the site affect you using the internet?
- Is the cost in electricity and time maintaining it lower than just paying a small amount of money to a hosting company? If you want to do that have a look at http://cloudatcost.com/ for very cheap servers *
- Why are you doing it? To learn, to save money on commercial hosting or for something else?

Sure there are other things to consider but that is what comes off the top of my head.

* discount codes: 20% off all servers AqUVYbUXag; 50% off all big dog (whatever that is) 7E9YRUzEZy
jrperry Posted September 16, 2014 (Author)

Digininja,

The primary goal of this project is learning; if it moves outside of that I have no interest in worrying about keeping it up for anyone outside of family. I am running the server behind a firewall on its DMZ. My service provider does allow hosting and my connection is 4Gb up and 25 down with unlimited usage. I can also bump my upload speed to 10Gb if I want. There is no static IP; I spoke to my ISP about that option when I asked about the hosting.

My plan is to use an editor till I learn more about PHP (I already have an understanding of HTML), then move to Joomla or a similar product after that.

My biggest thing is I choose to be paranoid about security because no one is immune, and if I am complacent that is when I will run into problems. If keeping software up to date is my biggest worry that is reassuring.

Thanks for your help. If there are any other pointers out in the community I am always interested.

Cheers
digininja Posted September 16, 2014

By the sound of it the app itself will be your biggest problem. If you write it yourself then make sure you read as many blogs on secure coding as you can; if you go for something like Joomla or WordPress then you have to be on top of it every day checking for updates. All it takes is a vulnerability and a bot that scans IP ranges and you are screwed.
cooper Posted September 16, 2014

Start with hardening the machine - make your install as minimalistic as possible and deactivate all options the remaining software provides, but which you know you don't need.

Create the app and run it on the machine. Look at *ALL* input handling and assume you're not getting what you want to get. Make the app properly handle all those situations.

Update all the software on the machine to the latest version and verify the hardening is still properly done.

Only now should you consider opening up the app to the outside world. Try to restrict this definition of 'outside world' as much as possible such that it is only those machines that you want to provide access. There are probably only a number of subnets that have a need to access the app, so, for instance, block off China, Russia....

When you've done what you intended to do, take the machine/app offline again.

As long as the system is running, keep a close eye on any security updates that may arrive for the various bits of software you have installed. At least once a day.
digininja Posted September 16, 2014

It's that last bit that gets people: check updates and logs every day, just in case. We do it for the first few days, maybe a week, then have a night off, then "will do it at the weekend", then it just stops happening.
jrperry Posted September 16, 2014 (Author)

Thanks for the advice. Some good points I didn't think of, like restricting the geographical area that it is available to. Time restrictions are another good consideration: if I am only looking to have local family members use it, does it need to be up at 4am?

My goal is to keep as few ports open as possible. To start, only port 80 till my needs move past that.

And now that I think of it, I am a big one-server-one-use person but I don't think I really check to see what else is installed other than what I am using.

I have always been big on the updates. My computers get a fresh image of Linux Mint every week after I update, but I guess I will have to get better if I want to do this. Good way to start your day though, a cup of coffee and some updates. I am online every morning anyway.

Do you have any good suggestions for secure coding blogs? My experience with the subject is only make sure you sanitize ALL your input.

As for the issue of logs, am I best to use something like webmin or is there a better solution that throws them in your face on a regular basis?

Also, this is a really beginner question but, does all hardening really mean is to keep things minimalistic and up to date? I have always assumed that it was more rigorous than that.
digininja Posted September 16, 2014

> Thanks for the advice. Some good points I didn't think of, like restricting the geographical area that it is available to. Time restrictions are another good consideration: if I am only looking to have local family members use it, does it need to be up at 4am? My goal is to keep as few ports open as possible. To start, only port 80 till my needs move past that. And now that I think of it, I am a big one-server-one-use person but I don't think I really check to see what else is installed other than what I am using. I have always been big on the updates. My computers get a fresh image of Linux Mint every week after I update, but I guess I will have to get better if I want to do this. Good way to start your day though, a cup of coffee and some updates. I am online every morning anyway. Do you have any good suggestions for secure coding blogs? My experience with the subject is only make sure you sanitize ALL your input.

Almost, it is generally more important to sanitize your outputs as that is where you get caught. Take in whatever is given but then clean it up as required for output, for example HTML encoding when sending to screen but escaping for SQL when putting into a database.

> As for the issue of logs, am I best to use something like webmin or is there a better solution that throws them in your face on a regular basis?

I run logwatch to get a good overview of what is going on, then a quick scroll through the raw log files every now and then (should do more often but laziness wins). Once you've read through enough you get to be able to spot anomalies.

> Also, this is a really beginner question but, does all hardening really mean is to keep things minimalistic and up to date? I have always assumed that it was more rigorous than that.

There are loads of hardening guides but those two things are a very good start.

Check out the NIST guides http://csrc.nist.gov/groups/SNS/checklists/
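The "take in whatever is given, encode at output" point above, as an added PHP example (not code from the thread or from any poster): the same untrusted value is stored unchanged through a prepared statement and then encoded separately for the HTML and URL contexts it is rendered into. It assumes a SQLite file guestbook.db next to the script and a constructed sample entry.

```php
<?php
// Added example: store raw, encode per output context.
// Assumes PDO with the SQLite driver; guestbook.db is created on first run.
declare(strict_types=1);

$db = new PDO('sqlite:' . __DIR__ . '/guestbook.db');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS entries (id INTEGER PRIMARY KEY, name TEXT, message TEXT)');

// Input is stored as-is. The prepared statement parameterises the values,
// so no SQL escaping is done by hand and nothing (e.g. an apostrophe) is lost.
function saveEntry(PDO $db, string $name, string $message): void
{
    $stmt = $db->prepare('INSERT INTO entries (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $name, ':message' => $message]);
}

// Encoding for the HTML text and attribute context, applied only at render time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Encoding for a URL query-string context (different rules from HTML).
function nameLink(string $name): string
{
    return '/entries.php?name=' . rawurlencode($name);
}

// Constructed sample input: characters that matter in each of the contexts above.
saveEntry($db, "O'Brien", '<b>hello</b> & "bye"');

foreach ($db->query('SELECT name, message FROM entries') as $row) {
    // The href is URL-encoded first and HTML-encoded second, matching the
    // nesting of contexts; the link text and message are HTML-encoded only.
    printf("<p><a href=\"%s\">%s</a>: %s</p>\n",
        h(nameLink($row['name'])), h($row['name']), h($row['message']));
}
```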
Ftb Posted September 16, 2014

> Short, slightly sarcastic answer is the biggest mistake is hosting your own website at home. Longer answer, you have to consider: Keeping the box fully patched. The application is usually the weakest link, so is that fully secure? The server must be fully segmented from your home network, otherwise a compromise would give an attacker full run of your home. Does your ISP allow hosting? Some don't on residential contracts. Do you have a static IP or will you be using a dynamic IP service? What's your bandwidth allowance and will people using the site affect you using the internet? Is the cost in electricity and time maintaining it lower than just paying a small amount of money to a hosting company? If you want to do that have a look at http://cloudatcost.com/ for very cheap servers * Why are you doing it? To learn, to save money on commercial hosting or for something else? Sure there are other things to consider but that is what comes off the top of my head. * discount codes: 20% off all servers AqUVYbUXag; 50% off all big dog (whatever that is) 7E9YRUzEZy

That's a great deal, I put in your email address for the referral, you should get a free server.

Thanks,
Bill
digininja Posted September 16, 2014

Their support is a bit hit and miss and there is a chance that, being so cheap, they may go under in 6 months, but at those prices if I get 6 months then I'll be happy. Will look out for the referral, thanks.
jrperry Posted September 29, 2014 (Author)

Restricting access to a geographical area: is the Apache documentation a good place to start or are there other resources I should be looking at?
digininja Posted September 29, 2014

To lock down by IP you want to look at iptables rather than Apache. Search for IP block lists and IP black lists and feed those in.
jrperry Posted September 29, 2014 (Author)

Thanks