Does hosting your own webserver compromise security?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Does hosting your own webserver compromise security?
I'm considering making a small, testing server (for testing purposes and also, well, fun) on my Ubuntu 9.04 computer. I won't host a big website on it or anything it's just to have fun and learn about PHP and MySQL. But does it compromise the security on my system? I have no valuable data on this computer, but I still don't wish for it to stop working suddenly. Please answer me.
I'm no expert on security but it all depends how you secure you box. The more ports you open the less secure your box potentially is (and you'll have to open at least one port :default 22 for http, possibly 443 for https). As I mentioned before I'm far from a security expert, but I guess even having implemented some security measures (e.g. iptables,selinux,tcp_wrappers, httpd.conf and god knows what else) it's not as secure as with the ports that are just closed. But then again, I might be wrong... Let's wait for some security gurus
I'm no security guru either but SSL-izing access and using passwords is not enough. When people start "testing" stuff you don't want a server that's not properly hardened to be reachable from the outside until you have made certain you want it to be reachable. I'm saying that because in testmode people will often neglect or trade in security for whatever speeds up rapid development like using XAMP for development, using "test" as password, not properly sanitising input, open dirs, open anon writable FTP, etc, etc.
You could start by making sure that if you're behind a router it doesn't allow pass traffic to the server behind it. Then properly hardening the server would be good in terms of auditability and security (and knowledge for when you're ready to open up the machine to world). And using tcp_wrappers and raising the firewall on the machine, (logging and) blocking inbound traffic with state NEW to the ports you run services on and only allowing in traffic in the "established, related" state would be considered a minimal good start.
In short: deny world access, read up on "secure programming", read up on server hardening. *Then* play.
it depends on how you set apache up .it can be locked down very tightly or not .
I have seen some apache installs on windows that were set to serve up the whole C:\\ drive - not just the site
and some on Nix that will serve up / and not just /var/www
I am not a security expert either, but this is a really bad idea IMHO. The level of risk involved with exposing an HTTP service to the world while not being familiarized with the security implications represents incredibly huge amounts of risk. This would be true even if it was a dedicated box on your LAN, and the fact that it's a box you use for other stuff makes it worse. I second the approach suggested by unSpawn, in which you keep the service available only within your LAN until you've learned to implement some decent security measures and have conducted several fire drills.
Furthermore, I strongly suggest that even when you get to the point when you feel ready to expose your service to the big bad Internet, you set up a dedicated box in a DMZ. I don't know whether this is a feasible option for you or not, but if it is then you should definitely go that route instead. By running a public HTTP service on your PC, you stand to lose much more than what you could ever gain. For example, your identity.
i would also do a lot of reading
" Apache, The Definitive Guide " - O'Reilly
is a good one
read AND Study the apache web site , as if you will be taking a final exam on apache.You will , the web site and you MUST get a 4.0 .
and find and read some tech blogs , like http://www.linuxjournal.com/
Okay, thank you everybody, I never realised that doing this would be so dangerous. I will try to get a hold of the books you recommended and will not futhermore attempt to open my computer to the Internet. I have, however, one last question:
On my home network, I have two computers. One with Apache, one without. Is it normal if the one without Apache can see my website while the other computer is turned on?
How much time and effort you spend securing a box should depend on the value of the data it contains. I've seen bad mangers spend tons of money securing internal test boxes and almost no money securing prod boxes in the DMZ because they thought it was too "risky" to mess with "customer facing" stuff without a good reason. Of course, when an unpatched hole gets exploited it's my problem to get everything back up an running.
How much time and effort you spend securing a box should depend on the value of the data it contains.
That may sound as an easy rule of thumb but it is not entirely true or complete. Given the fact that running GNU/Linux is all about performance, protecting assets and providing services in a continuous, stable and secure way the machine itself represents a value not only in terms of labour (setup, hardening, maintenance) but also in terms of image (OK, mostly business-wise). So it isn't data value alone. Not only that but a machine itself may be of less value than adjacent ones, but once compromised and used as a springboard to other machines your rule breaks again.
Also, the legal ramifications. For example, you should factor in how much value you give to your freedom (or at least, your clean record), because you could lose it if the attacker turns your box into an illegal content distribution center.