Re: [tlug] Introduction and defense of home webserver

[Kevin Sullivan <csr-kts@example.com>]

On 6/13/2015 10:57 PM, Kalin KOZHUHAROV wrote:

> It is always getting better, problem is how far ahead are you, say
> from script kiddies and automated scanners.

To be perfectly honest, they are WAY ahead of me! I muck beyond minimal 
initial installs only if necessary, fearing I may well mess it up with 
misguided "improvements."

##KTS Added 6/14/2015

is my friend in .conf files!

> Do you have anything to worry?

Worry? Me? From who? Nothing on the server itself of interest to thieves 
or law enforcement.

> > All my admin work would be done inside the home networks through
> > SSH.  Later I would be interested in allowing trusted remote users
> > access (inside my own ISP and town) so I could host their virtual
> > websites they maintain remotely. What is the minimum necessary, FTP, SSH?
> Trusted remote users.... Are you going to provide multi-factor
> authentication for them, using tokens/certs/whatever issued by you?
> And have them sign EOL? And monitor them? And audit their environment,
> enforcing certain standards (patching) on the systems used by those
> users (they are trusted by default, right).
>
> Or it just means, folks that I had beer with ;-)

Friends and family who are not PC savvy, could have been hacked 
themselves, etc. I am only interested in allowing them a

/user/sister1/public_html/
/user/friend1/public_html/

area to do their own uploading and playing with, no installing their own 
software without (calling, convincing me, me doing the install... in 
other words, unlikely beyond basic LAMP and wordpress or static pages 
they maintain themselves.) No money/business angle on the hosting for 
me, service to family/friends I know personally. I will need to learn 
basic admin and auditing in a multi-user environment, like I said I come 
from single-user mindset through DOS, Win, OS/2 and Linux. Far far into 
the future would be running my own private hosting site for profit... 
um.. any !easy! money in that? ;)

> And FTP...? In 2015?

My outdated ways get jeered. Yay! Let the learning commence. What is the 
modern "safe" way for users to upload their updated website to their 
area? some <!web_enable_user_upload = yes> toggle in proggie.conf?

> That is a bit sketchy for assessment, but think about that Win7
> getting p0wned via WiFi then stealing your credentials to the server.

Yeah, right. 10M from my house, a sketchy-looking van with antennas 
creeps by to gain access to the wonderland of my precious iPhone photos 
of the latest car project or lunch photos. I am just not a target or 
doing anything interesting enough to be bothered with beyond just being 
out there. My vision of an attacker would be remote and lazy and in no 
way interested in visiting my village. Would limiting no broadcast and 
using MAC addresses of the few trusted hardwares to my home WiFi be the 
way to go? Less than 10 devices.

> How are you
> managing this router? Are you patching it, monitoring it?

Nope, about a year old, in Japanese, Elecom and I-O Data. I did change 
admin/admin password, woohoo! (recently!) BTW, both Win and Server are 
only single gigabit LAN NICS.

> And whatever you do, try to use some of those automatic free tools
> against your setup to make sure you stay ahead of the script kiddies
> (nmap, nessus, nikto...); organise your logs and look analyse them (as
> opposed to looking with less); and keep off-server and off-line
> backups.

OK, do you have a favored URL of "please.test.attackmyserver.net" to 
suggest?

> Cheers,
> Kalin.

Thank you, Security Consultant Kalin