Risks Of Using Computer As Webhost?

32 comments, last by Hodgman 8 years, 2 months ago

You can get a good Linux VPS from MyHosting.com for something like $10/mn.

They are the best value I have found out there.

So the upside is you save $5/mn.

The downside is your PC is exposed to the entire Internet.

- The trade-off between price and quality does not exist in Japan. Rather, the idea that high quality brings on cost reduction is widely accepted.-- Tajima & Matsubara

your PC is exposed to the entire Internet

As opposed to when you use it to browse the Web, or perhaps your pc is somehow not connected to the internet when you do this?

No, I understand what you're trying to say, but these days the risk of running a personal Web server and going online at all are pretty much equal all things considered IMHO...

So long as you apply updates as they become available, and you don't make a silly configuration mistake that exposes the entire file system to everyone, you should be OK...

No, I understand what you're trying to say, but these days the risk of running a personal Web server and going online at all are pretty much equal all things considered IMHO...

So long as you apply updates as they become available, and you don't make a silly configuration mistake that exposes the entire file system to everyone, you should be OK...



Your "HO" is extremely naive.

Being owned through a web browser requires making a deliberate choice to click on something that is malicious. You have to actively ask. Just opening a browser to google and leaving it there does not make you less secure, although your browsing habits might, you naughty bastard you ;-)

Putting a web server on your PC instantly changes the game. You are now liable for any kind of random user on the net connecting to your box and doing as they please. If you do make a config mistake, or if you do run a web server (or OS, or any number of addon packages) with a zero-day exploit in them, then you're fucked. You don't have to do anything. Just put the machine on the web and it'll be owned within a short time.

People literally scan private/home ISP's IP blocks looking for suckers who host insecure servers on their cable modem connections. I have any number of anecdotes of people who have put machines up on the net and had them owned out from under them in less time than it took to install the patches to get those machines up to date.



"Best intentions" does not make for good security. "Should be OK" is a naive phrase that the security-conscious will translate to its true meaning; "you're fucked faster than you can decide whether or not to squeal like a pig."


Don't be lazy and please for the love of god don't advise other innocent people to be lazy on the gamble that "you should be OK..." Take the proper precautions. DMZ your web server at a minimum. Run it on a separate physical network behind a proper firewall for better results.

Wielder of the Sacred Wands
[Work - ArenaNet] [Epoch Language] [Scribblings]

Being owned through a web browser requires making a deliberate choice to click on something that is malicious.


This is exactly the problem - it doesn't require a conscious choice, or need you to be browsing an obviously malicious site. Only last year a drive-by malware installer was here on gamedev.net in the adverts and another in the HTML. If you aren't running something sane like Firefox or Chrome and/or aren't up to date you'll be infected.

There is a conscious choice made to host a website on your home connection which gives you the upper hand to make proper provisions and secure that server. 99% of people on the internet have no clue about security so you already have the upper hand.

Not being "low hanging fruit" will help a lot, as the people actively scanning will just move on if you don't meet their criteria, e.g. you patched the hole they want to get in through.

these days the risk of running a personal Web server and going online at all are pretty much equal all things considered IMHO...

I wouldn't quite agree with that. Note that you open a wayyyyyyy larger window time-wise and service-wise as well as from a visibility point of view.

Sure, you can probably make a malicious website which I might inadvertently visit that will "own" my browser (though using Firefox with no Flash, and scripting disabled except on a few trusted sites, it'll be a bit of a challenge). But even if you successfully exploit my browser (which runs as limited user) you don't control my machine.

But...

My home network has 3 computers connected, plus a NAS and a HP laser printer, a wireless router and several surveillance cameras, as well as the videorecorder which acts as DLNA server, plus Kindle and Fire stick, plus some other stuff that I probably forgot. And of course a router for internet access. All those are really just "computers", too. So we're talking more about a dozen or so computers, many of which are more or less black boxes with unknown firmware and/or security characteristics.

As it stands, the only way of making a connection from outside is via OpenVPN (that's for being able to access the cameras when I'm on holiday, might as well turn it off in the meantime...), there is a single port forward configured for that. IP address changes every 24 hours, and I'm not publishing the DDNS name. So, you would need to know my DDNS name first if you were to target me. Not precisely super secret, but still I'm willing to bet you wouldn't be able to guess it just like that (nor the IP address).

Sure, you can run a port scanner over the whole subnet, and you might accidentally stumble across me and get a reply from the VPN server. But without having a certificate and knowing a password, that's not worth an awful lot. In any case, you do not know about my presence beforehand, and you can't tell a lot about what servers may or may not run here before you successfully exploited the VPN server first. That's much different from already knowing that a webserver is running here (and the exact version, which many web servers graciously tell you). Not only are you unlikely to find me at all, but you are also likely to prefer attacking someone else who gives you easier access.

Compare that to running a web server, i.e. openly publishing the fact that you are there (and how to find you), and letting at least two more protocols cross the firewall. More if you also run version control and mail and FTP and whatnot. Protocols which are also used by readily exploitable computers (IP cameras are typically accessible over HTTP and have piss-poor firmware with little or no security or resilience to attacks). Protocols which are known to have been the vector for exploiting network printers thereafter being used to attack all other hosts on the network.

Yes, in theory a properly functional and properly configured firewall on the router will take care of that. But as a system gets more complex, errors get more likely. The likelihood of configuring something wrong is zero when there is a single rule that forwards a single port to a single machine, and everything else is silently dropped. Not so when there's a dozen other rules.

All in all, I deem running a public webserver a much higher risk, which I'm not willing to take since hosting a website in a datacenter costs next to nothing. Of course, nothing wrong with a webserver that's only visible and accessible from the LAN.
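The exposure argument in the post above can be checked on a concrete host. The following is an added example, not part of the original thread: it cross-references a host's listening sockets with the router's port forwards to show which services are reachable from the Internet, which only from other LAN devices, and which only locally. The `ss -Htuln` style lines, the host address 192.168.1.10 and the forward table are constructed sample data.

```python
import ipaddress

HOST_IP = "192.168.1.10"  # assumed LAN address of the audited host (constructed)

# Constructed sample in the style of `ss -Htuln` output on that host.
SS_OUTPUT = """\
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
udp UNCONN 0 0 192.168.1.10:1194 0.0.0.0:*
tcp LISTEN 0 128 [::1]:631 [::]:*
"""

# Constructed router forwards: (proto, external port, internal IP, internal port).
FORWARDS = [("udp", 1194, "192.168.1.10", 1194),
            ("tcp", 8080, "192.168.1.10", 80)]

def parse_listeners(text):
    """Return (proto, bind address, port) for each socket line."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        host, _, port = parts[4].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
        listeners.append((parts[0], host, int(port)))
    return listeners

def classify(listeners, forwards, host_ip):
    """Map (proto, port) to 'local', 'lan' or 'internet'."""
    forwarded = {(p, ip, ip_port) for p, _, ip, ip_port in forwards}
    result = {}
    for proto, host, port in listeners:
        wildcard = host == "*" or ipaddress.ip_address(host).is_unspecified
        if not wildcard and ipaddress.ip_address(host).is_loopback:
            result[(proto, port)] = "local"     # only this machine can connect
        elif (wildcard or host == host_ip) and (proto, host_ip, port) in forwarded:
            result[(proto, port)] = "internet"  # a forward leads to this socket
        else:
            result[(proto, port)] = "lan"       # every other LAN device can connect
    return result

def internet_exposed(text, forwards, host_ip):
    scopes = classify(parse_listeners(text), forwards, host_ip)
    return sorted(key for key, scope in scopes.items() if scope == "internet")
```

Every service in the `lan` class is still reachable from any other device on the home network, so it is what a compromised camera or printer would see next.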

I agree that it is a risk to run a webserver at all.

You need to remember though that if you have a dedicated server or a vps or cloud based server you're responsible for updating and securing and configuring your server and its software, so a lot of the security issues will still apply. Sure, you wouldn't potentially have your personal pc accessible from the webserver if someone hacks it, but you have the same kettle of fish to apart from that.

If you're hosting on a vps and someone hacks it and you don't know (this is likely, most of the time a rootkit will be installed and will hide the intruder's presence) then everything they do will be your responsibility and potentially you can be punished monetarily or even legally for what they do.

For example they might choose to make your box a distribution node for dodgy software, illegal porn, or a staging post to hack other servers in other locations or launch ddos.

It's very hard to prove that this happened because you were hacked and not because you just went rogue.

This applies regardless of if you host at home or in a datacentre. In fact if you host at home some of the uses an intruder might have for your box are ruled out e.g. you have lower bandwidth so use for ddos or hosting illegal files is out of the question.

Unless you use bulk shared hosting where someone else updates the webserver for you (in which case you can't trust them to do it regularly or correctly) and you don't have root, or you can pay a lot for managed hosting you can't avoid these issues...

You need to remember though that if you have a dedicated server or a vps or cloud based server you're responsible for updating and securing and configuring your server and its software, so a lot of the security issues will still apply. Sure, you wouldn't potentially have your personal pc accessible from the webserver if someone hacks it, but you have the same kettle of fish to apart from that.


The whole point of this thread is that running a webserver off your home connection is a risk to your personal assets. The whole point of hosting in a dedicated environment (be that a datacenter or your own specially crafted network) is to secure your personal assets. So just ignoring the fact that your home PC is vulnerable is a bit disingenuous.



If you're hosting on a vps and someone hacks it and you don't know (this is likely, most of the time a rootkit will be installed and will hide the intruder's presence) then everything they do will be your responsibility and potentially you can be punished monetarily or even legally for what they do.

For example they might choose to make your box a distribution node for dodgy software, illegal porn, or a staging post to hack other servers in other locations or launch ddos.

It's very hard to prove that this happened because you were hacked and not because you just went rogue.

This applies regardless of if you host at home or in a datacentre. In fact if you host at home some of the uses an intruder might have for your box are ruled out e.g. you have lower bandwidth so use for ddos or hosting illegal files is out of the question.

Unless you use bulk shared hosting where someone else updates the webserver for you (in which case you can't trust them to do it regularly or correctly) and you don't have root, or you can pay a lot for managed hosting you can't avoid these issues...


Nobody is claiming that hosting in a dedicated environment is going to magically make the security challenges go away. This feels immensely straw-man to me and I frankly don't understand what point you're trying to make.


Again, the whole point of the thread is risks to your own PC. To mitigate those risks you use a datacenter or you set up a secure, physically isolated network to host on from your home - assuming you can legally do so based on your ISP's service agreements. None of that implies that the job of hosting gets any easier one way or another.


Again, the whole point of the thread is risks to your own PC.

It easily reads as any risk... Not just risks to your PC.
e.g. legal/contractual risks have already been discussed, which aren't going to damage your home network (directly).
