• Advertisement
Sign in to follow this  

Risks Of Using Computer As Webhost?

This topic is 748 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

Hello,

I'm wondering what the risks are to hosting a web server (web site) on your own PC. Would it be better to use a VM instead?

Share this post


Link to post
Share on other sites
Advertisement

I can't answer your question directly, but if you end up going with a webhost, I really like A Small Orange as a webhost.

Very cheap, almost always up, amazing customer service.

 

Currently, they are having a sale where you can get 45% off of new plans (on top of the regular 17% off for buying annually), which means you can get a full year of their regular plan for $27~, and you can host multiple sites on the same plan.

 

They had a similar sale around Black Friday a month or so ago, so I pre-bought three years of service. I've been using them for two years already, so I was satisfied enough with what they had provided that it made sense to me to stock up.

 

</infomercial>

Share this post


Link to post
Share on other sites

While we're making suggestions of configure-it-yourself server hosting (as opposed to HTTP-only hosting services), OVH (based in France and in Canada, near Montréal, just inches north of the US border) offer services such as this. A large variety of O/S available. They give you a 100 Mbit internet connection and no transfer limits. Does not come with DNS hosting (for that, I suggest No-Ip), but is pretty hard to beat. Especially if you're in the States, considering the CAD$ current exchange rate.

 

Bear in mind their VPS SSD line does not guarantee uptime or SLA, as they reserve the right to "pause" the VM without notice, in order to move it between physical hosts whenever they need to reorganize their datacenter. You have to go up to their VPS Cloud line of products to get a four-nines SLA (<= 52 hours of downtime per year).

Share this post


Link to post
Share on other sites
Also keep in mind that most ISPs (at least in the US, but I imagine elsewhere) frown at running servers on standard service contracts, and so you may be subject to having your account canceled if they detect it.

But check with your ISP and contract to be sure.

Share this post


Link to post
Share on other sites
I do not recommend it. Web hosts are now extremely inexpensive (relative to the income of a typical person from the US or Western Europe). Considering the amount of your time you plan to invest in your application, spending $27 US per year for a web host is a drop in the bucket.

Share this post


Link to post
Share on other sites

The main risks:

- Security: You will never be secure. Nor your webest nor your computer (And all its data).

- Hardware: Your PC and network are nothing against a real hosting server capabilities. Low performance is the greatest risk here. (Which is very important for a website).

 

A vm won't help you if you are using the vm on your pc....

 

You need a real hosting server to do the hosting. These things are meant for hosting. (though couple of vms on a single server is already a known technology- but this is a whole another debate).

Share this post


Link to post
Share on other sites

 


I'm wondering what the risks are to hosting a web server (web site) on your own PC.

There are two axes of risk: risk to the website availability, and risk to your PC itself.

 

Availability of a website hosted on a home PC sucks, pure and simple. Your internet connection may go out at any time, you may exceed your ISPs upstream bandwidth limits, your power may go out, someone may trip over the power cable, you may reboot your PC to install updates... Any of these cause customers to be unable to reach your website.

 

As for risk to your PC, it's pretty minimal. You are punching a hole in your NAT and your firewall, but HTTP is a pretty well understood protocol, and securing off-the-shelf web server software  is a well understood problem.

 

 

 

Would it be better to use a VM instead?

You mean a VM running on the same box? See all of the above downsides, none of which a VM mitigates.

 

I have fiber internet, and around 800 Mbps upload. I won't be attempting to host a website on my own PC, though. Thanks for the advice.

Share this post


Link to post
Share on other sites
If you're going to host at home do the following :

1. Set up your Web server on a separate dmz and vlan
2. Buy a ups and use it
3. Buy a system with very low power requirements
4. Check your isp allows servers
5. Correctly configure your firewall
6. Keep your Web server updated
7. Only install what you need
8. Learn Linux and use it. You'll reboot less often and you'll have better uptime
9. Run a proper cloud based backup!
10. Run a proper cloud based backup!

The ninth is so important I mentioned it twice!

I do all the above at home and I host my version control and local mail server on it with an Internet connection of 150 mb down and 25 mb up (cable in the UK). I also pay for hosting though as this is the only way to get completely reliable service. Check out digital ocean and OVH.

Oh and if you do get hacked, pull the network cable and reinstall immediately. You DID read steps nine and ten above and action them, right) :lol: to know if you've been hacked don't wait for your isp to disconnect you and tell you - run an ids tool and run regular audits with the home version of nessus.

Have fun!

Share this post


Link to post
Share on other sites

Honestly it's not worth it. You can get away with hosting private, low-availability or low-bandwidth services locally, but for anything more serious such as a public website or a game server you will never meet an acceptable uptime, someone might flood your residential line (super easy) or, worse, if you have a data cap and have a shitty ISP you may find overnight that you've gone 300% over, have been charged $600 over-cap and have had your subscription suspended.

 

You can get a shared VPS for as low as a couple dollars a month and a dedicated server for $30/mo or less, the difference is they will be sitting in a data center connected to a fat network pipe, will have better uptime, and you can actually use them for mostly anything you want (for many ISP's hosting commercial servers, torrenting hubs or even game servers is against their terms of service).

 

Also don't forget that if you host a server at home that is separate from your own desktop/laptop/whatever (which is probably a good idea) then you also need to pay for the electricity to run it; and you may find that comes out about as (or more) expensive than just renting hosting... having an appliance running 24/7 is actually pretty costly these days even if it doesn't draw much!

Share this post


Link to post
Share on other sites

Resort to using DigitalOcean $5 a month. Downside you have to set up your server to hose websites (easy after your first time and tons of tutorials especially for ubuntu 14). Upside if you learn a little about being a system admin and if you break it destroy the droplet and create a new one, great for learning and you pay for time it is active not $5 per droplet unless it is up a month. I currently run 6 servers off DigitalOcean and I am very pleased with their services.

Share this post


Link to post
Share on other sites

Honestly it's not worth it


Financially yes. It's so not worth it.

As a hobby same as gamedev, and as a learning experience it's so much more than worth it.

Don't ever expect to match paid for dedicated or virtual hosting with your home setup, but if you want to learn how Linux works, learn how to secure and Maintain a server without risk to a real service, and have something you can poke at when you're bored sometimes then there's nothing quite like it...

I started ten years ago when living with my parents after moving back from university.

Back then I home hosted 5 servers, proper 1U rack mount kit and good quality hardware.

These days after settling down and growing up a bit I run a Repurposed laptop with battery and Screen removed that runs 24/7 in the utility cupboard hosting all kinds of hobbyist stuff like a media server, git repository, Web server, ssh, and more.

It costs me less to run per day than the TV set top box.

If you want to do it to learn then DO IT, just don't do it expecting to best paid hosting in terms of uptime or bandwidth even if you have gigabit Internet, a generator and a ups...

Enjoy!

Share this post


Link to post
Share on other sites
Also is it an American thing to be charged a lot for crappy Internet with data caps, low upstream, extra charges for going over, and contracts that say you can't even open a Listening port on your public ip?

Sounds backwards as hell to me, things like that are generally dead here in the UK except on mobile contracts which are and always will be living in the dark ages :lol:

Share this post


Link to post
Share on other sites

Also is it an American thing to be charged a lot for crappy Internet with data caps, low upstream, extra charges for going over, and contracts that say you can't even open a Listening port on your public ip?


You forgot low downstream as well. laugh.png 

Fwiw, data caps on non-mobile connections are far less common, though the ISPs have been trying to introduce it.

Share this post


Link to post
Share on other sites

Also is it an American thing to be charged a lot for crappy Internet with data caps, low upstream, extra charges for going over, and contracts that say you can't even open a Listening port on your public ip?

That's an Australian thing sad.png
The typical connection here is ADSL technology on old copper lines that are way past their usable lifetime and held together with electrical tape and plastic bags - a few Mbps down and a few hundred Kbps up, a few hundred GB per month data limit, with excess usage either capped to 1Mbps downspeed, or charged at ~$1/GB. And yes, a clause in the contract telling you that hosting services on a residential plan counts as "unreasonable usage" ("commercial" plans will cost 10x more just because).
 
From what I hear, the US is similar, except in areas where companies like Google have started laying fibre optic networks to disrupt the old copper business smile.png

Share this post


Link to post
Share on other sites


Fwiw, data caps on non-mobile connections are far less common, though the ISPs have been trying to introduce it.
Where do you live? From my (BC, Canada) experience and the (California, USA) experience of a couple friends, combined up&downstream data caps in the 100-200 GB range are pretty typical of current services, and such caps of varying sizes have been standard operating practice for all "cable internet" ISPs (as in, through a Cable TV provider) ever since their general-populace introductions in the late 90s.

 

The actual enforcement of such caps tends to be arbitrary and hit-and-miss here in BC, but that doesn't mean the caps are not part of the written and actionable terms of service.

Share this post


Link to post
Share on other sites

 

Fwiw, data caps on non-mobile connections are far less common, though the ISPs have been trying to introduce it.
Where do you live? From my (BC, Canada) experience and the (California, USA) experience of a couple friends, combined up&downstream data caps in the 100-200 GB range are pretty typical of current services, and such caps of varying sizes have been standard operating practice for all "cable internet" ISPs (as in, through a Cable TV provider) ever since their general-populace introductions in the late 90s.

 

Grew up in California (and used Comcast, and enjoyed the service contrary to their more recent negative reputation), moved to Kansas City (and used first AT&T (*vomit*) and then Time Warner), and now live out in rural Missouri using a low-bandwidth over-the-air connection provided by tiny ISP.

 

I should clarify that I never read the fine print of the cable contracts, but that I was never knowingly was charged for overages and never noticed dropping downstream speeds for going over limits. It's possible I did have such caps and just never reached it.

 

I know that those types of contracts are common with mobile phones - and I had mobile phone contracts that tried to charge me $350 for data overages that I didn't actually use (contrary to popular belief, I don't send 4KB of data consistently every five minutes, for 18 hours a day, without ceasing, including while I'm asleep (as if it was running in a different timezone). I don't know what caused it, but my best guess was a virus on my non-smartphone/flip-phone, as odd as that sounds).

 

I know that many cable companies in more recent years have been trying to push datacaps and overage charges, but I've never personally bumped into data caps, so if my contracts had them, they were high enough up that it tolerated all the video-streaming/online-gaming/downloading that me and my siblings threw at it.

Share this post


Link to post
Share on other sites
On the isp I use the only limitation is that during peak times which are weekends and 5 pm to 11 pm the isp automatically identifies the highest 1% of users by bandwidth used and throttles certain types of non http traffic (mostly peer to peer and bittorrent) to around 10% of the usual. Considering normal is 150 mbps and I'm rarely ever in the top 1% for the area and never use the throttled protocols, I never get throttled...

It also helps that most of my usage is also outside of the Peak hours between 9am and 5pm when i work from home... :)

Share this post


Link to post
Share on other sites

There are risks to any hosting.  The question should be, "Am I okay with the risks of putting my personal machine out on the internet as a web host?".  The risks are commonly:

  • Scalability: This model is hard to scale to match load with increased growth as it requires more hardware (quickly).  This makes services like DigitalOcean and Amazon great; click button, scale.
  • Maintainability:  Are you willing to put in the time to put in effort keep software (Apache, etc) up to date to avoid the continual stream of exploits from being used? Some hosting providers may do this, many do not
  • Data loss: Are you willing to accept the loss of anything on that machine and anything on the associated network to be lost in the worst case event?  
  • Extra costs: Are you willing to put up the cash for a static IP and beefy connection that hosting requires?  Hosting providers amortize this cost over several thousand clients.  If you are going to do this for real, you probably want to do this unless you like pissed off clients.

Note that VMs don't actually solve most of these issues except the data loss issue.  Typically though once in, you can route out on your local network to "find" things as an attack vector unless you have some network skillz.  I don't recommend doing what you want to do.

Share this post


Link to post
Share on other sites

There are risks to any hosting.  The question should be, "Am I okay with the risks of putting my personal machine out on the internet as a web host?".  The risks are commonly:

  • Scalability: This model is hard to scale to match load with increased growth as it requires more hardware (quickly).  This makes services like DigitalOcean and Amazon great; click button, scale.
  • Maintainability:  Are you willing to put in the time to put in effort keep software (Apache, etc) up to date to avoid the continual stream of exploits from being used? Some hosting providers may do this, many do not
  • Data loss: Are you willing to accept the loss of anything on that machine and anything on the associated network to be lost in the worst case event?  
  • Extra costs: Are you willing to put up the cash for a static IP and beefy connection that hosting requires?  Hosting providers amortize this cost over several thousand clients.  If you are going to do this for real, you probably want to do this unless you like pissed off clients.

Note that VMs don't actually solve most of these issues except the data loss issue.  Typically though once in, you can route out on your local network to "find" things as an attack vector unless you have some network skillz.  I don't recommend doing what you want to do.

Great points!

But what of the ability to control your own security? I might be wrong (and out to learn if i am, thats the whole point...) ...but i guess you could plug lapses in security loop-holes if you are in control , where your ISP might fail. So control of your own security might be an advantage - security of very big name ISPs have fail regularly.

Setting up your bespoke firewall with special algorithm could be an advantage 

 

Don't trust the "understood" models of securing a web hosting package. If you have anything on your PC that you wouldn't want a random stranger traipsing through, then don't open that PC to the internet, and ideally don't put it on a network next to a PC that's opened up.


In other words, the only really good way to hide your sensitive data (cookies, password files, credit card info, kinky porn, whatever) is to make sure that nothing can talk to that machine without first being authorized by you. Fortunately, most NAT routers have firewalls that do a great job of this, until you go and poke holes in them. Put your web host in a separate network or a DMZ at a bare minimum - assuming the (all good) arguments above about bandwidth and availability haven't yet dissuaded you.

Not stating the following as an expert on this topic but as a thought process as it occurs to me, thus I stand to be corrected.

Would such authorization be in real time or be manual? If its real-time then its an algorithm and can be hacked. If its manual thats backward as non-real-time system are not practical for most applications

 

 

Also is it an American thing to be charged a lot for crappy Internet with data caps, low upstream, extra charges for going over, and contracts that say you can't even open a Listening port on your public ip?

Sounds backwards as hell to me, things like that are generally dead here in the UK except on mobile contracts which are and always will be living in the dark ages

 

A bit off topic; I promise this is not America bashing as i love the US a lot, But with mobile contracts in the states, things are really bad. I mean when you get charged for receiving calls as it is in the states, then thats really really backward

Share this post


Link to post
Share on other sites

 

Also is it an American thing to be charged a lot for crappy Internet with data caps, low upstream, extra charges for going over, and contracts that say you can't even open a Listening port on your public ip?


You forgot low downstream as well. laugh.png

 

 

Now that is a German thing, not an American one.

It's 5 months since I ordered 50Mbit/s upstream downstream (heck, I wish you could even have 50Mbit up...) for my home which is the fastest that 1&1 offers chez moi (although they do offer 100Mbit/s in other locations, and Telekom says 100Mbit/s would be no problem in my place either, but they say a lot, and little of it is true).

Well, that's 5 months since order, and 2 months since last heard of being told "real soon now".

As it stands, I pay for 16Mbit/s downstream, and get about 13.5MBit/s down (and ca. 1.05 up) and a lot of excuses (long cables and whatnot, which is demonstrably a lie, they just didn't book enough capacity on the fiber carrier) as well as references to the fine print which says "up to". I told my neighbour who lives in the next house down the road, and he replied: "Why! You're lucky, I wish I had 13.5, I'm getting 7.5".

Financially, it's not much of a difference since the rate is the same for 16 and 50 and 100 either way (only if you order 6 or 2 it gets like 5€ cheaper).

So basically, they're unable to provide 16Mbit/s as promised, but they intend to deliver 50MBit/s. Which is just a joke because in every other half-civilized country you meanwhile have 200MBit/s unless you live where the water flows over the border of the world.

 

Thumbs up for a high-tech country.

Edited by samoth

Share this post


Link to post
Share on other sites

 

But what of the ability to control your own security? I might be wrong (and out to learn if i am, thats the whole point...) ...but i guess you could plug lapses in security loop-holes if you are in control , where your ISP might fail. So control of your own security might be an advantage - security of very big name ISPs have fail regularly.

Setting up your bespoke firewall with special algorithm could be an advantage 

 

So if you setup your own cloud in say Amazon Web Services (AWS) for example:

  • You control the DNS with Route 53 and have to manage this for any change of machine IP modifications, etc
  • You control the machines that the DNS routes too
  • You control the security groups (basically a simplified firewall) of what ports are exposed, what machines can talk to other machines, etc...Yes, you control your own security here.
  • You can control what machines can access what data (external stores (S3 buckets, Glacier, RDS, etc)
  • You control how it scales by either doing it manually or using a service like Elastic Beanstalk
  • You will quickly learn about automating deployments as doing so in this kind of environment doesn't scale manually
  • You control when/where security updates are applied and also though must provide some heads up to a customer or then again you get to learn about having redundancy/fail-overs.  So that means that you get to learn about something called load balancers not to mention an automation framework such as Chef, Puppet, SaltStack, etc.
  • You learn how much it really costs to self-host...shiz ain't cheap as it scales

The more that I think this thru if your goal is to learn, why aren't you doing this?  

 

Note: There are many good alternatives to Amazon such as DigitalOcean.  Please check them out; I just used AWS here as it is what I presently use for my stack.  If you want to give it a shot, ping me and I can help you with the initial setup.

Share this post


Link to post
Share on other sites
Sign in to follow this  

  • Advertisement