Hi everyone,
I saw this guide (http://lifehacker.com/124212/geek-to...ome-web-server) and it looks pretty simple.
If I follow these instructions, will I probably be hacked quite soon? Sorry if this is a silly question.
It rather depends on what you're wanting to achieve - are you wanting a webserver to run local testing of stuff on? If so you needn't expose it to the internet anyways, so you're pretty safe. If you *are* exposing services to the internet then you need to be prepared to keep an eye out for any updates to your OS and server software.
No (and yes!)
If you decide to run your own webserver, you need to be sure to understand the risks and how to minimise them.
The risks stem from two sources - vulnerabilities in the operating system, and vulnerabilities in the application(s) that you are running - in this case Apache, and apart from following the instructions in the web site you linked to, I would STRONGLY recommend that you buy a book on Apache (such as Apache: The Definitive Guide, published by O'Reilly) and read the documentation at www.apache.org. You also need to address security in the round, such as firewall/router configuration, because you are by definition going to open up an inbound port (usually 80) for incoming requests.
Furthermore, it would be better to have a dedicated machine as a webserver, so if it does get hacked, you won't be compromising any personal data.
There will also be a small admin overhead, checking logs etc to check that it hasn't been subverted, and ensuring that the OS and the application are always up to date.
I run a webserver (and have done for about 3 years) and (afaik!) it hasn't been hacked, however attempts are made on a daily basis, often running into the hundreds. These attempts are usually probes looking for vulnerabilities.
So if you are going to do this...
Use a dedicated machine
Ensure that the OS is fully patched and up to date
Read the Apache documentation thoroughly - and get the book I recommended
If you use a pre-built version of Apache, watch out for updates and apply immediately, same for any other web related applications such as PHP, MySQL and content management systems (such as Wordpress)
Put aside some time to monitor system logs.
Have fun!
(I have assumed that this is going to be a public internet facing machine - if it isn't, and only going to be used on an internal lan, then the risks are minimal, and so the advice above is less relevant, although as a matter of good practice, you should consider applying them anyway)
Last edited by peterb; 25-05-2009 at 02:20 PM.
WAMP is a pre-configured Apache, MySQL and PHP server. By default it won't show to the internet, although you can allow it to.
It has a fairly high use for locally testing stuff, so it's a great starting point.
Thanks for the quick responses.
I intended this just to share my work files which I would keep in a separate folder on my computer, and I think I can follow all your advice peterb apart from getting a dedicated machine.
Is there a better/more secure way to make these accessible over the internet than apache?
Would it be safer (or indeed possible) to run it in a virtual machine?
EDIT: Oh good recommendation Agent! That looks a bit simpler. Do you know if it is any more/less secure compared to plain apache?
Virtual machine - yup, it's what I do
You just need to configure the network adaptor to pass through the correct traffic, which is fairly trivial.
Great - set up is going to be WAMP in a virtual machine following peterb's and Splash's advice.
Do you use VirtualBox, Agent?
I actually use Microsoft's own virtual machine, although I haven't really used any others to comment on if it's better.
I've never had a problem with it and it's always been fast for me.
I use VirtualBox; just set the virtual machine's network adaptor to 'bridged' mode, and your virtual web server machine will be exposed to the network as if it's a real machine with its own NIC.
Slap on some Linux distro; most of these have a working Apache out of the box when you install the apache package. Ubuntu Server (while not the safest server distro) even gives you the option to install a LAMP stack out of the box. All done.
For the cost of hosting, what's the point? The cost of your electricity bill will be more than the cost of dedicated hosting!
Try www.webtapestry.net and see what deals they will do you. I work in the datacenter where their stuff is housed so I know how they run their gear and it's pretty tasty!
Also think about bandwidth: a hosted site will have multi upload links from 100Mb/s to 1Gb/s.
a little taster
Last edited by Jay; 25-05-2009 at 03:32 PM.
I would second the opinion of using a dedicated machine as a web server if you want to open the doors to the outside world. Otherwise I think the VM route is a very cost effective simple solution.
I personally use my NAS box as a webserver, which hosts my blog and a couple of other small websites. I also use it as my development environment, which works very well. As I only need to forward any incoming traffic to the NAS box, I know the other machines on my home network are pretty safe. I log all inbound traffic and run reports which tell me how often it is accessed, the referrer, and the visitor's IP. This reporting is very useful if you run your own website; however, if you also use the same machine for filesharing, the reports soon become very saturated. HTH
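The log checks mentioned in the posts above (watching logs for probes, and reporting hits, referrer and visitor IP) could look like the following. This is an added example, not code from any poster in this thread; it assumes Apache's "combined" log format, and the sample lines, addresses and the threshold of three client errors are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [25/May/2009:10:01:02 +0100] "GET /index.html HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0"
198.51.100.7 - - [25/May/2009:10:02:11 +0100] "GET /admin/ HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [25/May/2009:10:02:11 +0100] "GET /setup.php HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [25/May/2009:10:02:12 +0100] "GET /old/backup.zip HTTP/1.1" 404 209 "-" "-"
203.0.113.5 - - [25/May/2009:10:03:00 +0100] "\\x16\\x03\\x01" 400 226 "-" "-"
192.0.2.99 - - [25/May/2009:10:04:00 +0100] "GET /inde
"""

def parse(log_text):
    """Return (entries, unparsed_count); malformed lines are counted, not silently dropped."""
    entries, bad = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
        elif line.strip():
            bad += 1
    return entries, bad

def report(entries, error_threshold=3):
    """Per-IP hits, 4xx counts and referrers; IPs with >= error_threshold 4xx are suspects."""
    hits, errors, referers = Counter(), Counter(), defaultdict(set)
    for e in entries:
        hits[e["ip"]] += 1
        if e["status"].startswith("4"):
            errors[e["ip"]] += 1
        if e["referer"] != "-":
            referers[e["ip"]].add(e["referer"])
    suspects = sorted(ip for ip, n in errors.items() if n >= error_threshold)
    return {"hits": dict(hits), "errors": dict(errors), "suspects": suspects,
            "referers": {ip: sorted(r) for ip, r in referers.items()}}

if __name__ == "__main__":
    entries, bad = parse(SAMPLE_LOG)
    summary = report(entries)
    for ip, n in sorted(summary["hits"].items()):
        print(ip, "hits:", n, "4xx:", summary["errors"].get(ip, 0))
    print("unparsed lines:", bad, "| probe-like clients:", summary["suspects"])
```

A burst of 4xx responses from one address with no referrer is the typical shape of the daily probes described earlier; the unparsed-line count is worth watching too, since a sudden rise can mean the log format changed or the file was cut short.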
Because you can! I'm just building a new webserver atm, based on a mini itx setup. Currently drawing 36 watts! (Old one draws about 110W)
(Fedora 10, Apache, PHP, MySQL and Wordpress!)
More seriously, yes, if you are going to get a lot of traffic, upload speed is an issue, and if you are intending it to be running 24x7, you need to consider additional issues as well - UPS, back-up and so on, but get stuck in - regard it as a self teaching experience!
Well, if you are doing it at home (as I have done in the past), an Atom-based PC is the best way to go.
I would buy a cheap HDD enclosure that has got NAS capability and use it as an FTP server. That way it's already passworded and is more or less safe; it would also use less power.
FTP is neither particularly secure nor safe - and isn't a web browser!
Well, it's one way to go (other low power processors are available!) - the criteria really is low power - you don't need a lot of grunt for this type of application in this type of situation. (I ran a web server on a hacked Linksys NSLU2 which worked well until I came to run MySQL as part of a CMS system - that really was too much for it!)