What are the dangers of running a public web server from home if I don't allow any user input...

What are the dangers of running a public web server from home if I don't allow any user input? One open port and the connexion framework for restrictive server-side routing.



If you don't know the risks then don't do it.

That's why I'm asking

Here’s a baseline for you
https://iase.disa.mil/stigs/app-security/web-servers/Pages/apache.aspx

I was wondering something similar myself earlier today. I wanted to set up my own email server at home, but in order to do so I’d need to get a business line with a static IP. I was wondering earlier if this would make my home network more of a target to potential attackers. Was wondering the same thing with a couple of Raspberry Pis I wanted to make into a Tor relay and i2p node, but I figured I’d just put them on a different VLAN from all my regular devices at home and I’d be good.

Pretty much every address is getting probed constantly. Somebody will find and attack your server.

use lighttpd or hiawatha


you're getting haxxored dude

That’s what I figured. It seems it would be much easier for me to get a VPS or two on digitalocean for my email server anyway, but I do like the idea of having physical control over my servers.

If you know your Linux sysadmin stuff and keep software updated, there is virtually no risk.

>One open port
Doesn't really matter, what matters is that what's running on the ports is secure and your known stuff.

>Somebody will find and attack your server.
Some bot will try root:password on ssh and the standard vulnerability on Apache.

You'll simply have neither problem and not really give a flying fuck that such most futile attempts were made.

Still won't hurt to Apparmor or firejail or otherwise isolate the respective processes a bit more from the host OS; it's not much effort.

Hardware exploits, specifically on the router you are using to port forward.

It depends on what you choose to host on your server. As a general rule, if you ensure all your software is up to date, all folder permissions for port forwarded services are appropriately set, all passwords are strong and haven't been used elsewhere, and that all services that don't need to be port forwarded are not port forwarded, you should be fine. Also, make sure you disable the root account in some way or form if you plan on using a remote access service. I'd also recommend installing something like fail2ban as an extra precaution.

As an extra note, you want to make sure that the router you are using is up to date and not vulnerable to remote exploits. Remember that once you open your ports anybody can find you. Given that you're just hosting from home, odds are you won't be a big enough target that someone who knows what they're doing will find you. That being said, keeping things as locked down as possible will save you a lot of headaches should something or someone find a way in.

>Also, make sure you disable the root account in some way or form if you plan on using a remote access service. I'd also recommend installing something like fail2ban as an extra precaution.
Basically placebo. Just do pubkey auth for ssh, disable passworded login.

If someone actually could break into that, they'd prefer to plunder bank accounts and so many other servers, not your shitty little webserver. But it is not possible as far as we know.

>Just do pubkey auth for ssh, disable passworded login

This. Assuming you keep your key on a protected and trusted storage medium and do not share it with anyone else, there's practically no chance someone will get in.
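The two posts above boil down to three sshd_config directives. As an added example (not from this thread), here is a small POSIX shell audit that reports which of them still hold the weak value; the two sample configs are constructed inline and the script only reads files you point it at.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# the posts above recommend. The two sample configs below are constructed.

# Effective value of a directive. sshd honours the first occurrence, so stop
# at the first match; commented-out lines start with '#' and never match.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Writes one finding per line to stderr and prints the number of findings
# to stdout (0 = clean). An absent directive is flagged too: compiled-in and
# distribution defaults differ, so the hardened value should be explicit.
check_sshd_config() {
    n=0
    if [ "$(sshd_value "$1" PasswordAuthentication)" != "no" ]; then
        echo "PasswordAuthentication: set to 'no' (bots try root:password)" >&2
        n=$((n + 1))
    fi
    if [ "$(sshd_value "$1" PubkeyAuthentication)" != "yes" ]; then
        echo "PubkeyAuthentication: set to 'yes' (the only login method left)" >&2
        n=$((n + 1))
    fi
    case "$(sshd_value "$1" PermitRootLogin)" in
        no|prohibit-password) ;;
        *) echo "PermitRootLogin: set to 'no' or 'prohibit-password'" >&2
           n=$((n + 1)) ;;
    esac
    echo "$n"
}

WEAK=$(mktemp) && HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
# constructed sample: the settings the "none" post jokes about
#PasswordAuthentication no
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication no
EOF
cat >"$HARD" <<'EOF'
# constructed sample: pubkey-only, root locked out
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
echo "weak config: $(check_sshd_config "$WEAK") finding(s)"
echo "hardened config: $(check_sshd_config "$HARD") finding(s)"
```

Run it against /etc/ssh/sshd_config and then `sshd -t` before restarting, so a typo does not lock you out of your own box.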

To add to this you could stand up an ec2 on AWS and forward the connections through it. All regular sec shit applies still

Go full tinfoil hat
>TACACS+ server
>SNORT server
>Dedicated security appliance
>Syslog server accessible on mobile device

don't set up your own email. it is the worst and you will get hacked. you can run a webserver if you want though

That's the higher security boundary, but frankly if someone can access your password storage or input device like your keyboard and really tries hard to get your PW, you're possibly shit out of luck.

Sure, you can theoretically combine TOTP/HOTP with a secret on your smartphone plus a Yubikey or two plus the passworded key file for auth if you want. It'd make it harder to pull this attack unnoticed since it now involves more devices, some of them theoretically really hard to access/inaccessible.

But do you really want/need to do that? Usually not really.

There are no good email providers though

if you're interested in security use gmail. if you're interested in privacy use autistici.org/ or riseup

If you pass it all through an AWS EC2 you can use their mail service, which will get around your ISP probably blocking 25. Will also clear you through spam filters world wide.

Where can I learn how to secure my webserver + vps and the likes? The only thing I have managed is nginx security headers and disabling sshing in as root


Google

>if you're interested in security use gmail


the neets always hate this message, but it's true. you'd be much more secure (not private) using gmail than anything else

He's right, though.
>conflating security and privacy in 1k19+1k

I like both though. I also like decentralization and local storage of my data.

Interesting. I don’t have any experience with Amazon cloud stuff. Is it expensive?

run it on a separate vlan.

I think you can get a small allocation for free for a year

Retards think this unironically.

this and firewall the networks

Open just one port on both your RPi and your NAT and then check from a WAN with nmap. Also, check your apache/nginx/lighttpd configs.

none
make sure firewall(ufw) is turned off
allow remote root ssh
disable ssh key and use password only

Don't do this, OP
This creates mustard gas

If you're concerned about security you could just get one of those $5 DO droplets and install WireGuard and basically have a VPN tunnel from your local host to the droplet and basically use the droplet as a proxy.

>chinese bot exploits apache bug
>uses your pi as personal pizza storage
>vans come crashing through the window

This is why you use nginx

>double tags VLAN id
>hops into your VLAN
Pssst. Nothing personnel, kid.

The problem you will have in a modern world is implementing DKIM, DMARC and SPF.

More servers are relying on checking these things, and besides which, if your server gets blacklisted for failing to meet standards you will need a change of IP address or spend weeks getting off the blacklist.
There's a reason why most sysops don't run their own mail servers, for the reasons above, and if you are on a domestic contract with your ISP then it may break their T&Cs.
It is far cheaper and easier to simply pay for webhosting and email services and configure the servers through cPanel.

Run the service in the least privileged user context possible. Make sure it is up to date. Segment from the rest of the network if possible. Containerize/virtualize wherever possible.
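One way to get most of that post (least-privileged user, isolated filesystem, no extra capabilities) on a systemd host, as an added example that is not from this thread; the unit name `homeweb.service`, the binary path and the listen port are hypothetical, and systemd only accepts comments on their own line, so none are placed after values.

```ini
# /etc/systemd/system/homeweb.service  (hypothetical unit for a small static site)
[Unit]
Description=Home web server, confined to an unprivileged throwaway user

[Service]
# Hypothetical binary. Port 8080 so no CAP_NET_BIND_SERVICE is needed; put a
# port forward or reverse proxy in front of it rather than binding 80 as root.
ExecStart=/usr/local/bin/homeweb --listen 0.0.0.0:8080
# Fresh unprivileged UID allocated per start, no home, no shell, gone on stop.
DynamicUser=yes
# setuid binaries inside the service cannot regain privileges.
NoNewPrivileges=yes
# Whole filesystem read-only except the paths listed below; /home hidden.
ProtectSystem=strict
ProtectHome=yes
# Only writable location: /var/lib/homeweb, created and owned for the unit.
StateDirectory=homeweb
# Site content stays read-only even if the process is compromised.
ReadOnlyPaths=/srv/www
# Private /tmp and /dev, no kernel tunables, modules or cgroups.
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# IPv4/IPv6 sockets only; no netlink, no raw packet sockets.
RestrictAddressFamilies=AF_INET AF_INET6
# Empty set: drop every capability, which a plain HTTP server does not need.
CapabilityBoundingSet=
SystemCallFilter=@system-service
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security homeweb.service` scores the result and lists which of these directives are still missing.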

>what is an intranet dmz - what is a firewalled DMZ

Don't be stupid. It's not technically the security that's a problem but that you'll be easily congested.

Are hardware encrypted USB drives a meme? Is filesystem encryption good enough?
