securely setting up a web server on my home network

Discussion in 'Computer Information' started by Calvin Crumrine, Jan 8, 2004.

  1. Are there any suggestions for a site or books where I can learn more
    about securely setting up a web/email server on my home network?

    I intend to set up my own domain as soon as I find a good name that's
    available but don't want to run into space restrictions-plus I want the
    ability to try some different things without worrying about whether or
    not my host supports them.

    I have a hardware firewall on my network so I'd want the web server put
    outside that, but I'd also want it protected-how to do that?

    Calvin Crumrine, Jan 8, 2004

  2. Calvin Crumrine

    Duane Arnold Guest

    What platform are you talking about here MS or Linux? And to be honest
    about this, if you have got to ask these kind of questions, then maybe you
    shouldn't be doing it.

    Also, to expose a Webserver to the public Internet and not have it
    protected by a NAT router device that has *limited FW like features* or a
    true FW appliance is asking for trouble.

    Duane :)
    Duane Arnold, Jan 10, 2004

  3. In case you didn't notice, we're talking about *learning* here-not
    *doing*. Your question (MS vs. Linux) is a good one-it's one of mine
    also. Where would you suggest I go to determine the answer?

    I've got to say that your statement "if you have got to ask these kind
    of questions, then maybe you shouldn't be doing it" is one of the worst
    responses I've ever heard to a request to *learn* the answers to the
    questions-unless you know of a way to learn those answers other than by
    either asking the questions or trial-and-error (i.e. doing it).
    Calvin Crumrine, Jan 12, 2004
  4. Calvin Crumrine

    DeMoN LaG Guest

    I've done a number of stupid things with different technologies, too many
    to count. It is part of the learning process. You just have to hope you
    don't do anything that costs a ton of money or time to clean up.

    AIM: FrznFoodClerk
    email: [email protected] (_ = m)
    website: under construction
    Need a technician in the south Jersey area?
    email/IM for rates/services
    DeMoN LaG, Jan 12, 2004
  5. Calvin Crumrine

    Duane Arnold Guest

    Both can be made equally as secure as the other as I understand it. I
    have been using MS for many years so that's where I lean towards. As for
    Linux, look into the RedHat 9 O/S series and Apache Webserver.
    Too many people run out here on the Internet that can hardly protect a
    computer period for everyday home usage, let alone setup a Webserver and
    configure it properly. And yet, they try to do it. But if you want a
    couple of books to start with on MS, that would depend upon what platform
    you'll be using NT based Pro workstation or server O/S.

    And you should check with your ISP to see if they allow a machine running
    Web service to run on the ISP's network. Many of them don't and they do
    check for it, with possible termination of your account.

    Duane :)
    Duane Arnold, Jan 13, 2004
  6. Calvin Crumrine

    DeMoN LaG Guest

    I don't know if I entirely agree with this statement. Linux + Apache is
    harder to exploit than Windows + IIS (or Windows + Apache, for that
    matter). Most Linux security holes let someone crash the running process,
    while most recent Windows holes give complete Administrator level
    privileges to the hacker.

    AIM: FrznFoodClerk
    email: [email protected] (_ = m)
    website: under construction
    Need a technician in the south Jersey area?
    email/IM for rates/services
    DeMoN LaG, Jan 13, 2004
  7. If I do this at all-and I hope that I will but it all depends on my
    ability to learn how to do it securely-then it will be with the
    permission of my ISP. I've already looked into that part-it will cost an
    extra $10/month for 'hosting' on my own machine. From their description
    it appears that that covers the static IP address & permission to run
    the server. I've already got 768/256Kbps cable service and if that
    proves insufficient (probably not-I'm not planning on a high-traffic
    site, just my own site on my own server more for learning than anything
    else) I can increase it.

    I'd appreciate you recommending some books-or better yet some web sites
    if there are any. (I never seem to find the time to finish technical
    books. First you read a little, then you need to set something up to
    experiment a little, then you read a little more, then something
    interrupts you & you need to tear down what you set up so you can use it
    for a production job, then you try to find the time to set it back up
    and get back to where you were so you can experiment a little more, etc.
    I'm hoping that I've got enough 'spare' machines now that I can leave
    one set up for this until I'm done-but I won't swear to it.)

    I have versions of Win2K Pro, Win2K Server, WinXP Home, and WinXP Pro. I
    assume that Win2K Server would be my best choice in the Windows line,
    but I'm actually leaning more towards WinXP Pro. In either case our
    Webmaster at work has advised me to use Apache rather than IIS-if I
    decide on Windows at all.

    My only problem with Linux is that I don't know it-is it fear of the
    unknown or is it just fear of the learning curve? If I decide on Linux
    should I set up a Linux workstation first & learn to use/secure that
    before I complicate it by setting it up as a web server? Linux sounds
    very attractive, but I can't abandon Windows-that would mean abandoning
    all my customers. It would have to be a sideline for me so how expert
    could I really become with it?
    Calvin Crumrine, Jan 13, 2004
  8. I'd really like to learn Linux-but I don't have any customers who use it
    so the time I devote to it would be on my own nickel. Same is true of
    the hardware/resources I use for it.

    I think I've finally gotten enough hardware that I can devote some to it
    but the time is still going to be a problem. Are there any resources you
    would recommend to learn about it? Particularly about making it secure.
    Calvin Crumrine, Jan 13, 2004
  9. Calvin Crumrine

    Duane Arnold Guest

    I have read some articles where hackers were able to hack right to the
    Kernel of the Linux O/S. I don't know if one can hack to the protected
    O/S of an NT based O/S. Yes, there have been recent exploits on the MS
    O/S. But I think that most who were exploited didn't apply the security
    updates to the O/S that would have dealt with them. Or the machine was
    sitting out on the Internet with a root based account in use on the
    machine at the time of the exploit, so that a compromise of the machine
    could take place based on the security context of an account that had
    Admin priv(s), being used by the hacker.

    Root Tool Kits or backdoor Trojans can be applied to both O/S(s), if not
    configured properly or one does something on their behalf to cause the
    exploit. Once malware hits the machine using a Linux or MS O/S and is
    able to execute, it's over.

    Duane :)
    Duane Arnold, Jan 14, 2004
  10. I think you're right about people who were hacked didn't apply the
    proper security updates-but I have two issues with that.

    First, it's a full-time job figuring out which of the many, many,
    Windows updates are needed. The *only* way of minimizing that job is to
    apply all of them-and that leads to my second issue:

    Second, it's a more than full-time job to test updates before you apply
    them. Historically Microsoft has issued updates that on far too many
    occasions have done more harm than good-so I don't blame *anyone* for
    being slow to apply updates.

    Given that the basic problem is with the number of updates, which has
    more, Windows or Linux? (And to be fair, we should probably look at a
    similar period of time-but I suspect that the only time period we could
    agree would be appropriate would be the next year or so, about which we
    have no data.)
    Calvin Crumrine, Jan 14, 2004
  11. Calvin Crumrine

    DeMoN LaG Guest

    This is entirely true, but MS makes it far too easy to exploit. Everyone in
    XP home by default is an administrator.

    Also, consider that Linux has security patches probably daily if you count
    everything done to the open source stuff. MS probably has just as many bug
    fixes a day, except the source isn't open and we don't see the changes they
    are making.

    Finally, to configure Linux to not do dumb things and look ready to
    exploit, you simply install it. To do the same on Windows requires
    installing it, installing a dozen security patches, changing a few options
    here and there, installing a decent firewall application, and possibly

    AIM: FrznFoodClerk
    email: [email protected] (_ = m)
    website: under construction
    Need a technician in the south Jersey area?
    email/IM for rates/services
    DeMoN LaG, Jan 14, 2004
  12. Calvin Crumrine

    Duane Arnold Guest

    I look for three words *Critical Security Update*. If it has those words,
    it will be applied to the machines at all times. And in general, I apply
    all recommended fixes or upgrades etc. etc. I don't want to be caught like
    Tech Support on the job the next day after, as they raced around corporate
    applying all things they had ignored up to that point when the RPC exploit

    As for the security of the Webserver, I would suggest using IIS on the
    Server Edition of Win2K, because IIS on the Server Edition has security
    features that are not available on the Workstation edition. On the
    Directory Tab, IP Security is not applicable on the Workstation version.
    But you can cover that on the workstation version and supplement the Server
    version using IPsec.

    something simple

    The nuts and bolts on the howto(s)

    I would suggest going to the library and see if they have two books that
    can be checked out or purchase them.

    1) Windows 2000 Server Resource Kit Book Chapter 18 Implementing
    TCP/IP Security in the Win2K SRKB along with other chapters as needed.

    2) Win Security Resource Kit Book Chapter 21 Implementing Security for MS
    IIS 5.0 and it also talks about *Best Practices* for IIS security. It also
    provides additional information and article links such as below. And read
    other chapters as needed.;en-us;315669

    These I have found and used the suggestions.

    Hell, since the core components of the NT based PRO and Server are just
    about the same, a lot in the link can be applied to both versions of the
    O/S(s). However, not everything such as TCP/IP Security is being covered as
    opposed to the books.

    Security Topologies you can implement.,5171179~root=security,1~mode=flat

    Most likely, that NAT router with BS firewall (I got one too) meets the
    specs below.

    WatchGuard, Cisco, etc FW appliances meet the spec below has a nice price on WatchGuard Firebox III SOHO 6. Hopefully,
    I'll get one soon to continue my education.

    I do use BlackIce on all my machines. Why, because that damn IDS works and
    you cannot account for shit coming down Port 80 to IIS for valid network
    traffic between machines. BI protects the services on the machine, it has
    good logging and it has that Application Control and will stop a *Drive

    Since you made me feel bad about my initial response to your post, this is
    something I just found out about this past weekend. I watched it go into
    action on a Website. <g>


    Duane :)
    Duane Arnold, Jan 14, 2004
  13. That HostsToggle is cool-I used the hosts file several years ago to
    block ads but eventually abandoned it because of the problems that
    HostsToggle solves. I don't understand your statement about it going
    into action on a Website though-unless you're talking about using it on
    your machine & watching it work when you visited a Website. I guess that
    makes sense.

    Thanks for all the links-looks like I'll spend the next couple of weeks
    doing a lot of reading.
    Calvin Crumrine, Jan 14, 2004
  14. Calvin Crumrine

    Duane Arnold Guest

    Yes, that's what I mean. Someone in another NG had mentioned that a site was a *drive by* site. So I tested HOST on the site. IE stopped the
    download and BlackIce would have done that too. But when I tried to leave
    the site, the NT login screen popped-up for a login because of
    being applied to a DNS in the HOST file.

    Good luck to you on your mission.

    Duane :)
    Duane Arnold, Jan 14, 2004
  15. Calvin Crumrine

    Duane Arnold Guest

    The way I look at that. It's an opportunity to make money as more and more
    households and small businesses doing networking need to have things
    configured properly and most of them are coming to MS not Linux.

    Duane :)
    Duane Arnold, Jan 14, 2004
  16. Which is a *real* strong argument for putting Microsoft out of business.
    Sure, making crappy cars is good for mechanics-but it's not so good for
    the US, now is it?
    Calvin Crumrine, Jan 15, 2004
  17. Calvin Crumrine

    Duane Arnold Guest

    Now do you really think that's going to happen? People working for MS or
    any business for that matter have mouths to feed, cars, and homes to make
    payments and kids to put through college. Do you really think that they
    are going to let something like Linux just take over the market? You can
    bet that MS will stop anything that becomes a threat, by any means
    necessary. Yeah, Linux may be good, but on the other hand, Linux has not
    put one dime in my pockets. And that's all that counts as far as I am
    concerned. Yeah, Linux will get its little share of the market and share
    it with the others who are sharing that same little share.

    Do you think MS is going to let happen to it like what happened to IBM? I
    would not count on that if I were you.
    Duane Arnold, Jan 15, 2004
  18. Do you think that IBM would have let it happen if it could have
    prevented it? Maybe-*maybe*-Microsoft will learn from IBM's mistakes. I
    don't see any sign of it so far. It seems far more likely to me that
    Microsoft is arrogant enough to believe that it *can't* happen to them
    because they don't make that kind of mistake. And if that's what they
    believe, as their corporate culture, then eventually it *will* happen to
    them & all those people with mouths to feed, etc. will be running around
    asking "What happened?"

    It's happened before-often. Those who won't learn from history are
    condemned to repeat it.
    Calvin Crumrine, Jan 15, 2004
  19. Calvin Crumrine

    Night_Seer Guest

    IBM is doing pretty good these days...they have a hand in all three next
    gen consoles, plus AMD. I think the only way to really learn from your
    mistakes is to make them first sometimes.
    Night_Seer, Jan 15, 2004
  20. You might make your server more secure if you put it on a different port
    than 80. For a home network webserver that should be fine. I do okay with
    an Apache server on port 81.
    Andrew Watiker, Jan 16, 2004