Mailing List Archive


Re: [tlug] Introduction and defense of home webserver

On 6/13/2015 11:42 PM, Stephen J. Turnbull wrote:
Kevin Sullivan writes:

You might consider using 443 (HTTPS) as well or instead.  Especially
if you are lending your server to family and friends.  Unless you
insist on an authenticated connection, it doesn't really increase
server security, but it helps to protect passwords (people might have
pages they want to restrict to family or other authorized users).

OK, I will look into how to implement that.

  > Later I would be interested in allowing trusted remote users access
  > (inside my own ISP and town) so I could host their virtual websites
  > they maintain remotely.

As Kalin also pointed out, this may not be a great idea.

I shall pretend I didn't hear that because "I want..." is still in my head, though I could be convinced, perhaps through bitter experience, upcoming.

Although the
days of ADSL are long gone (in Japan, anyway), most home providers do
insist on an asymmetric allocation of bandwidth.  Your *incoming*
bandwidth is likely to be a lot higher than *outgoing*.  And even if
it's not restricted beyond what the hardware supports, likely if you
start serving at MB/s rates you'll hear about it from your provider.

Gigabit down 5/mbps, maybe about 110kbps up. Though I would like to host some short videos of mine, I am not expecting/planning for huge popularity at this time for my site or friends/family sites. There is a "server course" from my ISP that would do static IP and greater bandwidth, maybe in the future, haven't looked into it in detail in years. Would be sweet indeed to speed up my Torrent stuffs for tv shows, but website then SETI up/down, then Torrent is more priority for me and my precious bandwidth up being used to serve greybeard pirates (other than ME, of course.)

Use rsync over SSH.  If your clients can't
handle that, think twice about allowing them on your system at all.

Thank you. A promising breadcrumb:

Maybe cygwin or deltacopy could do the trick for them. I could create the user and password, tell them to locally make the website, install this software, log in, upload, test, done. That would be ideal for my "users" whom I do not want to provide real support for until I can get myself up to speed and ahead of them!

Is Router1 the cable modem, or is it a separate host?  Again as Kalin
points out, Router1 and all the other hosts, especially the Win7 host,
should be considered vulnerable (unless you're the only user and
you're rather careful about the things you download, and your wireless
network is secure).  Securing the routers themselves is relatively
specialized work.  You'd hope that the vendors would distribute them
thoroughly locked down, but that isn't always the case.

Current config:
Incoming Cable ISP provides one DHCP gigabit LAN connection 17.16.., to which my Elecom Wifi 300 GB router provides 4 ports out 192.168.2.., one to my daily Win7, second to my debian server, both located in my (little!) house. Port :80 only forwarded through to server which I set as static IP on the 192.168 private network. Once I get read up :443 and https: and SSH a bit, I may open those ports later, but no need so far, no content to provide yet. Pre-alpha raw "Testing" stage days here.

  > Security implications?

Depends on what you consider valuable.  Figuring out what you
want/need to protect from whom is the first task in security planning.

I only wish to serve up my webstuffs, without letting strangers poke
beyond the public areas. I run a SAMBA local fileserver for Win backups
on a separate LVM logical partition of ye olde disks located on the server.
There are thousands of users inside the ISP, then outsiders who would know
(potentially, if they cared, they don't yet) of my domain name DYDNS pointing back through the ISP to my router then portforwarded to the server.

  > If any of you run a home webserver / know the issues or dangers, or
  > could suggest the proper google search terms leading to the right
  > sources? Thanks.

Start with Bellovin and Cheswick "Firewalls and Internet Security"
(the authors' names are spelled right, the book title is a bit shaky).

Add "Repelling the Wily Hacker" and you are there. Will expand my "on the lookout for info..."
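
Added example, not part of the original thread: one way to follow the "rsync over SSH" advice above without giving site owners a shell is to pin each owner's key to `rrsync` (the restricted-rsync helper distributed with rsync) inside that owner's own docroot. The `/srv/www/<user>` layout, the `rrsync` path and the function name `restricted_key_line` are assumptions for illustration, and the sample key is constructed.

```shell
#!/bin/sh
# Added example: upload-only SSH access for a friend's site via rsync.
# Assumed, not from the thread: docroots under /srv/www/<user>, rrsync at
# /usr/bin/rrsync (the path varies by distribution), OpenSSH 7.2 or later.
LC_ALL=C; export LC_ALL
RRSYNC=${RRSYNC:-/usr/bin/rrsync}
WEBROOT=${WEBROOT:-/srv/www}

# Print one authorized_keys line that pins a public key to rrsync inside the
# user's own docroot. Returns 1 for input that could smuggle in extra options.
restricted_key_line() {
    user=$1
    pubkey=$2
    case $user in
        ''|-*|*[!a-z0-9_-]*) echo "rejecting user name" >&2; return 1 ;;
    esac
    keytype=${pubkey%% *}      # first field: key algorithm
    rest=${pubkey#* }
    blob=${rest%% *}           # second field: base64 key material
    case $keytype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) ;;
        *) echo "rejecting key type" >&2; return 1 ;;
    esac
    case $blob in
        AAAA*) ;;              # every SSH public key blob starts this way
        *) echo "rejecting key blob" >&2; return 1 ;;
    esac
    case $blob in
        *[!A-Za-z0-9+/=]*) echo "rejecting key blob" >&2; return 1 ;;
    esac
    # "restrict" turns off pty, port/agent/X11 forwarding and ~/.ssh/rc;
    # command= forces rrsync, which confines rsync to the given directory.
    # The client's own key comment is dropped so it cannot carry anything.
    printf 'command="%s %s/%s",restrict %s %s %s\n' \
        "$RRSYNC" "$WEBROOT" "$user" "$keytype" "$blob" "$user"
}

# Constructed sample key (not a real key), as a friend would mail it over.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPL friend@laptop'
restricted_key_line alice "$SAMPLE_KEY"
```

The printed line goes into that account's `~/.ssh/authorized_keys`; the owner then uploads with an ordinary rsync-over-ssh command, and remote paths are interpreted relative to the docroot.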

