Mailing List Archive



Re: [tlug] Introduction and defense of home webserver



Hello,

On Sat, Jun 13, 2015 at 9:48 PM, Kevin Sullivan <csr-kts@example.com> wrote:
> Greetings, Linux folk. Long ago, from TPC with Jim Tittsler's incredibly
> patient help, I ran a Linux router for my home Win and OS/2 network.
> Still a virtual Linux newbie with tenuous grasp of a few commands,
> though it's getting better.. maybe.
>
It is always getting better; the problem is how far ahead you are, say,
of script kiddies and automated scanners.

> I am dipping my toes into running a Debian (stable) webserver (LAMP,
> Wordpress) at home from my cable connection.
>
> The domain is up and only port 80 is forwarded through the router to my
> server.
>
To give you an analogy to think about: you have (say) a grocery store and you
made sure only one door (port 80) works. And you advertise it in a
way, since it is the default front door (port 80). But actually you
have a corridor between the street and the shop (your forwarding).
While most things are somewhat stored behind the counter, your shop
assistant (admin) is occasionally not there, you don't have any
cameras being monitored and no secure tags on the goods (IDS). Chances
are everybody knows where the cash is (/etc/passwd) and the keys to
the cash register are hanging on the chain of your assistant
(/etc/shadow). People can easily walk in with ice-cream and make a
mess (in /tmp), or simply dump a lot of garbage. Well, most people
will not do that anyway. BTW, there are lots of known (public and not
yet) ways to steal goods and there are trained thieves (they installed
WordPress with default config and played around and asked Google).

Do you have anything to worry about?

> All my admin work would be done inside the home networks through
> SSH.  Later I would be interested in allowing trusted remote users
> access (inside my own ISP and town) so I could host their virtual
> websites they maintain remotely. What is the minimum necessary, FTP, SSH?
>
Trusted remote users... Are you going to provide multi-factor
authentication for them, using tokens/certs/whatever issued by you?
And have them sign EOL? And monitor them? And audit their environment,
enforcing certain standards (patching) on the systems used by those
users (they are trusted by default, right?).

Or does it just mean folks that I had a beer with ;-)

And FTP...? In 2015?

> Internet =>
> Cable ISP =>
> 172.16..Router1 => (:80 forwarded to static IP server)
> (192.168.2.. DHCP home network with Win7, Server, various WiFi mobile
> devices)
>
> Security implications?
>
That is a bit sketchy for assessment, but think about that Win7
getting p0wned via WiFi then stealing your credentials to the server.

> I do have a second gigabit LAN router2 that could be used to "segregate"
> the server to its own segment, but unsure if this would be useful or the
> proper configuration.
>
Adding more devices may help or may hinder security. How are you
managing this router? Are you patching it, monitoring it?

> If any of you run a home webserver / know the issues or dangers, or
> could suggest the proper google search terms leading to the right
> sources? Thanks.
>
I do occasionally run one or two, depending on when and how I feel about
different providers and whether I need something to hack on. But I
stopped hosting other people's sites that include non-static pages since
I started working as a security consultant ;-) It is too much of a risk.

If you are going to do that for business, consider a hosted solution
running Xen or something. Unless you manage to get 20+ clients you'll
probably not make any profit hosting at home (and your ISP might get
pissed at you sooner than you realise, at which point you'll need to
move the services anyway).

And whatever you do, try to use some of those automatic free tools
against your setup to make sure you stay ahead of the script kiddies
(nmap, nessus, nikto...); organise your logs and analyse them (as
opposed to looking at them with less); and keep off-server and off-line
backups.

Cheers,
Kalin.
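Kalin's point about organising and actually analysing the logs rather than reading them with less, as an added example that is not from the thread: a small Python script (my own, not from TLUG or the poster) that parses Apache combined-format access-log lines and flags source addresses that hammer the WordPress login endpoints or rack up 404s, which is what automated scanners against a port-80-only LAMP box look like. The sample log lines, the endpoint list and the two thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" access-log format; the sample lines further down are constructed, not real traffic
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# WordPress endpoints that automated password guessing typically targets (assumed list)
WP_SENSITIVE = ("/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    """Return the fields of one access-log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def summarize(lines, login_threshold=5, not_found_threshold=10):
    """Count per-IP totals, POSTs to login endpoints and 404s; flag IPs over either threshold."""
    stats = defaultdict(lambda: {"total": 0, "login_posts": 0, "not_found": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole report
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["method"] == "POST" and rec["path"].startswith(WP_SENSITIVE):
            s["login_posts"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
    flagged = {ip for ip, s in stats.items()
               if s["login_posts"] >= login_threshold or s["not_found"] >= not_found_threshold}
    return dict(stats), flagged

# Constructed sample log: one normal visitor, one login-guessing burst, one file-probing scanner
SAMPLE_LOG = (
    ['203.0.113.5 - - [13/Jun/2015:21:50:01 +0900] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"']
    + ['198.51.100.7 - - [13/Jun/2015:21:50:%02d +0900] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "bot/1.0"' % i
       for i in range(6)]
    + ['192.0.2.9 - - [13/Jun/2015:21:51:%02d +0900] "GET /backup%d.zip HTTP/1.1" 404 209 "-" "scanner/1.0"' % (i, i)
       for i in range(12)]
)
```

Feed it real lines with `summarize(open("/var/log/apache2/access.log"))` and tune the thresholds to your own traffic; the flagged set is what you would then feed into a firewall rule or review by hand.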


