LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-07-2009, 05:10 PM   #1
gagne.marc
LQ Newbie
 
Registered: Feb 2009
Distribution: Ubuntu
Posts: 21

Rep: Reputation: 16
Does hosting your own webserver compromise security?


I'm considering making a small testing server (for testing purposes and also, well, fun) on my Ubuntu 9.04 computer. I won't host a big website on it or anything; it's just to have fun and learn about PHP and MySQL. But does it compromise the security on my system? I have no valuable data on this computer, but I still don't wish for it to stop working suddenly. Please answer me.
Marc
 
Old 04-07-2009, 05:12 PM   #2
gagne.marc
LQ Newbie
 
Registered: Feb 2009
Distribution: Ubuntu
Posts: 21

Original Poster
Rep: Reputation: 16
P.S: if I put a password or encryption on my webpages, does that suffice to protect me? Or is it more complicated?
 
Old 04-07-2009, 05:18 PM   #3
sycamorex
LQ Veteran
 
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,563
Blog Entries: 1

Rep: Reputation: 1024
I'm no expert on security but it all depends how you secure your box. The more ports you open the less secure your box potentially is (and you'll have to open at least one port: default 22 for http, possibly 443 for https). As I mentioned before I'm far from a security expert, but I guess even having implemented some security measures (e.g. iptables, selinux, tcp_wrappers, httpd.conf and god knows what else) it's not as secure as with the ports that are just closed. But then again, I might be wrong... Let's wait for some security gurus.
 
Old 04-07-2009, 05:20 PM   #4
gagne.marc
LQ Newbie
 
Registered: Feb 2009
Distribution: Ubuntu
Posts: 21

Original Poster
Rep: Reputation: 16
How do I manage ports? I was asking myself that question.
 
Old 04-07-2009, 06:50 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,155
Blog Entries: 54

Rep: Reputation: 2794
I'm no security guru either but SSL-izing access and using passwords is not enough. When people start "testing" stuff you don't want a server that's not properly hardened to be reachable from the outside until you have made certain you want it to be reachable. I'm saying that because in test mode people will often neglect or trade in security for whatever speeds up rapid development, like using XAMP for development, using "test" as a password, not properly sanitising input, open dirs, open anon-writable FTP, etc., etc.

You could start by making sure that if you're behind a router it doesn't pass traffic to the server behind it. Then properly hardening the server would be good in terms of auditability and security (and knowledge for when you're ready to open up the machine to the world). And using tcp_wrappers and raising the firewall on the machine, (logging and) blocking inbound traffic with state NEW to the ports you run services on and only allowing in traffic in the "established, related" state would be considered a minimal good start.

In short: deny world access, read up on "secure programming", read up on server hardening. *Then* play.
 
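The "minimal good start" described in the post above, written out as an iptables ruleset. This is an added example, not code from the thread or from any LQ member: it assumes a LAN range of 192.168.1.0/24 (a constructed value) and the web ports 80 and 443, and it only prints a ruleset in iptables-restore format so it can be reviewed before being loaded as root.

```shell
#!/bin/sh
# Added example: build an iptables ruleset for a LAN-only test web server.
# It only prints the ruleset (iptables-restore format); loading it needs root:
#   gen_ruleset 192.168.1.0/24 80 443 | sudo iptables-restore
# The LAN range and ports below are constructed values; adjust them to your network.
gen_ruleset() {
    lan="$1"; shift          # CIDR range allowed to open new connections to the service
    ports="$*"               # TCP ports the service listens on
    printf '%s\n' '*filter'
    # Default policy: drop anything inbound that no rule below explicitly allows
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback is always allowed (local tools, http://localhost tests)
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host started: the "established, related" rule
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        # New connections to the service port: only from the LAN range
        printf '%s\n' "-A INPUT -p tcp --dport $p -s $lan -m state --state NEW -j ACCEPT"
        # Any other new connection to that port (i.e. from the world): log it, then drop it
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j LOG --log-prefix \"WEB-DENY: \""
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# count_rules <ruleset> <pattern>: number of lines in the ruleset matching pattern,
# handy for eyeballing that every service port got its LOG and DROP rules
count_rules() {
    printf '%s\n' "$1" | grep -c -- "$2"
}

# Print the ruleset for review when the script is run directly
gen_ruleset 192.168.1.0/24 80 443
```

The generated ruleset logs refused connection attempts with the prefix WEB-DENY, so the kernel log shows who is knocking on the service ports from outside the LAN.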
Old 04-07-2009, 07:30 PM   #6
John VV
Guru
 
Registered: Aug 2005
Posts: 12,843

Rep: Reputation: 1711
It depends on how you set Apache up. It can be locked down very tightly or not.
I have seen some Apache installs on Windows that were set to serve up the whole C:\\ drive, not just the site,
and some on *nix that will serve up / and not just /var/www.
 
Old 04-07-2009, 08:19 PM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
I am not a security expert either, but this is a really bad idea IMHO. The level of risk involved with exposing an HTTP service to the world while not being familiarized with the security implications represents incredibly huge amounts of risk. This would be true even if it was a dedicated box on your LAN, and the fact that it's a box you use for other stuff makes it worse. I second the approach suggested by unSpawn, in which you keep the service available only within your LAN until you've learned to implement some decent security measures and have conducted several fire drills.

Furthermore, I strongly suggest that even when you get to the point when you feel ready to expose your service to the big bad Internet, you set up a dedicated box in a DMZ. I don't know whether this is a feasible option for you or not, but if it is then you should definitely go that route instead. By running a public HTTP service on your PC, you stand to lose much more than what you could ever gain. For example, your identity.

Last edited by win32sux; 04-07-2009 at 08:20 PM.
 
Old 04-07-2009, 08:58 PM   #8
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Install it locally if you want to play around and get familiar with it. That way you can do what you want and not have it exposed to the internet.
 
Old 04-07-2009, 10:11 PM   #9
John VV
Guru
 
Registered: Aug 2005
Posts: 12,843

Rep: Reputation: 1711
I would also do a lot of reading.
"Apache, The Definitive Guide" (O'Reilly)
is a good one.
Read AND study the Apache web site, as if you will be taking a final exam on Apache. You will, the web site and you MUST get a 4.0.
And find and read some tech blogs, like
http://www.linuxjournal.com/
 
Old 04-07-2009, 11:19 PM   #10
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by gagne.marc
I won't host a big website on it or anything it's just to have fun and learn about PHP and MySQL. But does it compromise the security on my system?
It certainly won't help the security of your system.

I'll give you another book recommendation, and I strongly suggest that you read it if you're serious about the security of this project:

Apache Security
by Ivan Ristic

It is eye-opening, to say the least. Securing Apache is a non-trivial task. Throw PHP into the mix and it's a whole other animal.
 
Old 04-08-2009, 08:08 AM   #11
gagne.marc
LQ Newbie
 
Registered: Feb 2009
Distribution: Ubuntu
Posts: 21

Original Poster
Rep: Reputation: 16
Okay, thank you everybody, I never realised that doing this would be so dangerous. I will try to get a hold of the books you recommended and will not furthermore attempt to open my computer to the Internet. I have, however, one last question:
On my home network, I have two computers. One with Apache, one without. Is it normal if the one without Apache can see my website while the other computer is turned on?
 
Old 04-08-2009, 08:22 AM   #12
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
How much time and effort you spend securing a box should depend on the value of the data it contains. I've seen bad managers spend tons of money securing internal test boxes and almost no money securing prod boxes in the DMZ because they thought it was too "risky" to mess with "customer facing" stuff without a good reason. Of course, when an unpatched hole gets exploited it's my problem to get everything back up and running.

Anywho, see the formula in my tag line.
 
Old 04-08-2009, 12:38 PM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,155
Blog Entries: 54

Rep: Reputation: 2794
Quote:
Originally Posted by Crito View Post
How much time and effort you spend securing a box should depend on the value of the data it contains.
That may sound like an easy rule of thumb, but it is not entirely true or complete. Given the fact that running GNU/Linux is all about performance, protecting assets and providing services in a continuous, stable and secure way, the machine itself represents a value not only in terms of labour (setup, hardening, maintenance) but also in terms of image (OK, mostly business-wise). So it isn't data value alone. Not only that, but a machine itself may be of less value than adjacent ones, but once compromised and used as a springboard to other machines your rule breaks again.
 
Old 04-08-2009, 12:46 PM   #14
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Also, the legal ramifications. For example, you should factor in how much value you give to your freedom (or at least, your clean record), because you could lose it if the attacker turns your box into an illegal content distribution center.

Last edited by win32sux; 04-08-2009 at 12:47 PM.
 
Old 04-08-2009, 12:58 PM   #15
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Also, you don't want to turn into one of these: http://isc.sans.org/diary.html?storyid=6148

A *nix box with no valuable data on it is still a prized possession to bad guys.
 