LinuxQuestions.org

keratos 11-17-2007 03:53 AM

server or hosting?
 
Hi

I am considering setting up a website here in the UK.

After much research I have a standalone LAMP setup using Ubuntu 7.10, Apache2, MySQL, PHP5 and Joomla CMS. This localised site is running with good content, but I have now encountered my final decision point:

Do I now open the server to the net or host my site on a UK hosting site?

So far as I can tell the Pros and Cons are:-

Hosted
Pros
Security of my LAN computers.
Cons
Loss of "control" to hosting provider.
Reliance on server modules being available.
Potential down-time not under my control.
More expensive running costs.

Personal server
Pros:
Unlimited site space and control of it.
Reduced domain costs.
Cons:
Security a BIG BIG concern. Can access be gained from the net into my LAN and can individuals get access to personal data on files, even when I "lock down" the server and secure the web server's site folders.

I'd prefer to go Personal Server, but the security is a BIG issue for me.

Am I worrying too much?

FraGGod 11-17-2007 04:39 AM

I think in the case of a relatively small web portal, the problem of server-side software/settings security can be solved by contacting a trusted sysadmin who'll set up a secure environment (which'll also make any attacks on the server's LAN impossible). After that you only have to watch for any issues in public services (such as apache in the LAMPP package) and upgrade if necessary, since it'll be your server's only link with the outside world. You'll also be able to open anything else you like if you feel it's safe and necessary to do so.

As for any possible security holes in running scripts - no host can fix that anyway and potential damage from that kind of exploit can be minimized to daily data by regular backups and monitoring.

Overall, I think you worry too much, but perhaps I just don't know what kind of risks are acceptable in your situation.

keratos 11-17-2007 06:17 AM

Hi, how are things in Yekaterinburg, Russia - COLD I suspect, like here in London.

Thanks for your opinion on my predicament.

This is a small school organisation, we have a closed loop LAN (no net access - yet), and I AM the sysadmin. The environment is as secure as I can make it (firewall, ports closed down, separate system user + group for apache server, separate user+password for MySQL, file/directory permissions, etc.).

What are the "Public issues" you refer to in Apache?

Essentially, I would like to know if it is possible for "private and personal data" that may exist on our LAN, to be accessed when running a LAMP server, then I think the decision has to go to put the site on a commercial hosting provider whose network is physically segregated from ours?

(your English is superb ;-) - are you a student?)

bryantrv 11-17-2007 08:13 AM

I really don't think you have anything to worry about- in my opinion, you will be able to keep up with security updates in a much more timely manner if you self host, and if you set up the server in a DMZ, then it should be secure.
The biggest concern will be keeping Joomla/php secure, but that should only affect the web server box.

keratos 11-18-2007 02:10 PM

Quote:

Originally Posted by bryantrv (Post 2961990)
I really don't think you have anything to worry about- in my opinion, you will be able to keep up with security updates in a much more timely manner if you self host, and if you set up the server in a DMZ, then it should be secure.
The biggest concern will be keeping Joomla/php secure, but that should only affect the web server box.

Thanks for that Chris.
The server is behind a Netgear WGT624 router. The router only operates on a single subnet (so far as I can determine from the config screens), so it is not clear to me if I can configure the LAN on one subnet, the server on another and the router on the third subnet??

FraGGod 11-18-2007 03:16 PM

Quote:

Originally Posted by keratos (Post 2963303)
Thanks for that Chris.
The server is behind a Netgear WGT624 router. The router only operates on a single subnet (so far as I can determine from the config screens), so it is not clear to me if I can configure the LAN on one subnet, the server on another and the router on the third subnet??

Perhaps you can spare some rusty hardware to assemble a router or a bastion-like host for your LAN?

Quote:

Originally Posted by keratos (Post 2961911)
What are the "Public issues" you refer to in Apache?

By "issues in public services" I just mean any dangerous vulnerabilities in services like apache, proftpd or their modules which seem to pop up every now and then.
Apache seems quite secure by itself (with the exception of some DoS attacks) but its modules (notably mod_alias, mod_rewrite, mod_perl, mod_tcl, mod_php, php-cgi) aren't that safe and their bugs don't seem to be fixed with the same speed as with apache, so it's up to you to watch out for any security patches.

Well, and since you have access to everything you need, I see even less reason for you to use any hosting services.

I've lacked patience to finish university but it seems my English isn't beyond the point of irony yet or superb indeed, thanks. It'll be below -20C next week, or so meteorologists say, so I wonder where is that "global warming" thing when we need one? :)

keratos 11-19-2007 03:01 AM

Hi again.

I will instigate your proposal for a rusty firewall :-) the spec doesn't need to be great, to run a firewall behind a router.

All public services are already shut down with the exception of http (of course!).

Your comment on mod_php on apache makes me slightly nervous because our site is joomla powered and of course joomla requires PHP. We run PHP5 currently plus MySQL although the MySQL server is on another machine and accessed via an application server so that "hopefully" adds additional security??

From your insightful viewpoint I am tending to consider hosting the site ourselves, but if I understand you then PHP and apache's mod_php looks like our only "real" issue. In this case I believe all we can do is keep our apache and PHP versions current including all security patches.

Have I made a fairly accurate synopsis?

Thanks for your kind help.
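
The segregation discussed in this thread (web server in a DMZ behind a firewall built on spare hardware, only HTTP exposed, database reached through an application server) as an added example that is not part of any post: a shell function that prints an iptables-restore ruleset for a three-interface Linux box, plus a check that exactly one DMZ-to-LAN pinhole exists. Interface names, addresses and the application-server port are constructed assumptions; routing and port forwarding on the Netgear router are not covered.

```shell
#!/bin/sh
# Added example. All names, addresses and ports below are constructed.

# Print an iptables-restore ruleset for a firewall with three interfaces.
# $1 WAN if  $2 DMZ if  $3 LAN if  $4 web server IP  $5 app server IP  $6 app port
dmz_ruleset() {
    wan=$1 dmz=$2 lan=$3 web=$4 app=$5 port=$6
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall itself: loopback, replies, and SSH from the LAN only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internet -> web server: HTTP only.
-A FORWARD -i $wan -o $dmz -d $web -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Web server -> Internet: DNS and HTTP, so security updates can be fetched.
-A FORWARD -i $dmz -o $wan -s $web -p udp --dport 53 -j ACCEPT
-A FORWARD -i $dmz -o $wan -s $web -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Web server -> LAN: one pinhole to the application server, nothing else.
-A FORWARD -i $dmz -o $lan -s $web -d $app -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $dmz -o $lan -j LOG --log-prefix "DMZ->LAN denied: "
# LAN -> DMZ: administration of the web server.
-A FORWARD -i $lan -o $dmz -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin and count ACCEPT rules from DMZ ($1) into LAN ($2).
# Anything above 1 (the pinhole) means the segregation has been weakened.
dmz_to_lan_accepts() {
    grep -c -- "^-A FORWARD -i $1 -o $2 .*-j ACCEPT"
}

# Demo with constructed values; as root, pipe into `iptables-restore --test`
# to validate the syntax without loading the rules.
dmz_ruleset eth0 eth1 eth2 192.168.2.10 192.168.1.20 8080
```

With the FORWARD policy set to DROP, a compromised Joomla/PHP install on the web server can reach only the single application-server port; every other attempt into the LAN is logged and dropped.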

FraGGod 11-19-2007 03:48 AM

Quote:

Originally Posted by keratos (Post 2963810)
From your insightful viewpoint I am tending to consider hosting the site ourselves, but if I understand you then PHP and apache's mod_php looks like our only "real" issue. In this case I believe all we can do is keep our apache and PHP versions current including all security patches.

That's exactly what I'm trying to say)

keratos 11-20-2007 02:12 PM

Quote:

Originally Posted by FraGGod (Post 2963848)
That's exactly what I'm trying to say)

Ok acknowledged and thanks for all the support on this thread.

Closing off.

