|
Does hosting your own webserver compromise security?
I'm considering making a small, testing server (for testing purposes and also, well, fun) on my Ubuntu 9.04 computer. I won't host a big website on it or anything it's just to have fun and learn about PHP and MySQL. But does it compromise the security on my system? I have no valuable data on this computer, but I still don't wish for it to stop working suddenly. Please answer me.
Marc |
P.S: if I put a password or encryption on my webpages, does that suffice to protect me? Or is it more complicated?
|
I'm no expert on security but it all depends how you secure you box. The more ports you open the less secure your box potentially is (and you'll have to open at least one port :default 22 for http, possibly 443 for https). As I mentioned before I'm far from a security expert, but I guess even having implemented some security measures (e.g. iptables,selinux,tcp_wrappers, httpd.conf and god knows what else) it's not as secure as with the ports that are just closed. But then again, I might be wrong... Let's wait for some security gurus:)
|
How do I manage ports? I was asking myself that question.
|
I'm no security guru either but SSL-izing access and using passwords is not enough. When people start "testing" stuff you don't want a server that's not properly hardened to be reachable from the outside until you have made certain you want it to be reachable. I'm saying that because in testmode people will often neglect or trade in security for whatever speeds up rapid development like using XAMP for development, using "test" as password, not properly sanitising input, open dirs, open anon writable FTP, etc, etc.
You could start by making sure that if you're behind a router it doesn't allow pass traffic to the server behind it. Then properly hardening the server would be good in terms of auditability and security (and knowledge for when you're ready to open up the machine to world). And using tcp_wrappers and raising the firewall on the machine, (logging and) blocking inbound traffic with state NEW to the ports you run services on and only allowing in traffic in the "established, related" state would be considered a minimal good start. In short: deny world access, read up on "secure programming", read up on server hardening. *Then* play. |
it depends on how you set apache up .it can be locked down very tightly or not .
I have seen some apache installs on windows that were set to serve up the whole C:\\ drive - not just the site and some on Nix that will serve up / and not just /var/www |
I am not a security expert either, but this is a really bad idea IMHO. The level of risk involved with exposing an HTTP service to the world while not being familiarized with the security implications represents incredibly huge amounts of risk. This would be true even if it was a dedicated box on your LAN, and the fact that it's a box you use for other stuff makes it worse. I second the approach suggested by unSpawn, in which you keep the service available only within your LAN until you've learned to implement some decent security measures and have conducted several fire drills.
Furthermore, I strongly suggest that even when you get to the point when you feel ready to expose your service to the big bad Internet, you set up a dedicated box in a DMZ. I don't know whether this is a feasible option for you or not, but if it is then you should definitely go that route instead. By running a public HTTP service on your PC, you stand to lose much more than what you could ever gain. For example, your identity. |
Install it locally if you want to play around and get familiar with it. That way you can do what you want and not have it exposed to the internet.
|
i would also do a lot of reading
" Apache, The Definitive Guide " - O'Reilly is a good one read AND Study the apache web site , as if you will be taking a final exam on apache.You will , the web site and you MUST get a 4.0 . and find and read some tech blogs , like http://www.linuxjournal.com/ |
Quote:
I'll give you another book recommendation, and I strongly suggest that you read it if you're serious about the security of this project: Apache Security by Ivan Ristic It is eye-opening, to say the least. Securing Apache is a non-trivial task. Throw PHP into the mix and it's a whole other animal. |
Okay, thank you everybody, I never realised that doing this would be so dangerous. I will try to get a hold of the books you recommended and will not futhermore attempt to open my computer to the Internet. I have, however, one last question:
On my home network, I have two computers. One with Apache, one without. Is it normal if the one without Apache can see my website while the other computer is turned on? |
How much time and effort you spend securing a box should depend on the value of the data it contains. I've seen bad mangers spend tons of money securing internal test boxes and almost no money securing prod boxes in the DMZ because they thought it was too "risky" to mess with "customer facing" stuff without a good reason. Of course, when an unpatched hole gets exploited it's my problem to get everything back up an running. :rolleyes:
Anywho, see the formula in my tag line. |
Quote:
|
Also, the legal ramifications. For example, you should factor in how much value you give to your freedom (or at least, your clean record), because you could lose it if the attacker turns your box into an illegal content distribution center.
|
Also, you don't want to turn into one of these: http://isc.sans.org/diary.html?storyid=6148
A *nix box with no valuable data on it is still a prized possession to bad guys. |
| All times are GMT -5. The time now is 08:23 PM. |