Learning about safely hosting dynamic sites, don’t know crap so don’t take this as a guide.
I have hacked together some tools for internal use, but I’m not a professional developer or server administrator, so don’t take this as a guide. I’m just documenting some of my experiences with DIY hosting in a dangerous environment, not in the safety of my home/work network. Along the way I’ll ask the community for input about my thought process and what I may be missing. You are free to poke, criticize, break or ruin any of the publicly listed resources/choices. It’s going to be a while, with lots to learn along the way, but I’ll try to keep the post up to date.
It’s a nanode instance in Frankfurt, DE data center, with the following IPs:
Still thinking about it, will probably go one by one.
TODO, I have to take a git crash course.
- Ubuntu 20.04 LTS (I know, I know - it should be arch or alpine, maybe later)
- Nginx as the web server
- PHP - PHP attracts bad “programmers” so there we go
- MySQL / maybe SQLite for the database needs
- WordPress because it’s popular
- Laravel because I found it easy to use for my internal tools hackery
- Tailwind CSS because my style and design brain parts had to be surgically removed when I jammed a crayon up my nose as a two year old child
Some time ago I started playing with Linode and found it to be really interesting. Fast forward a few months and I felt comfortable hosting static websites for friends and family and their small businesses. Nginx and the Linux server underneath kept themselves up to date, and there were no problems serving static .css and .html assets. I’ve learned about using ssh key pairs to keep intruders out, limiting ssh access to my home IPs, getting SSL certificates with Let’s Encrypt, setting some security headers, and so on.
A few days ago I decided to boot up a second VM and register a couple of dirt cheap ~1$ domains and host them all using different solutions. One will be WordPress, one Laravel, one vanilla PHP, and one static as before. Basically I want a honeypot to play with and get better insight into how the bad guys are probing things for vulnerabilities so I can implement some poor man’s defense strategies for the real thing. Eventually, I’m planning on converting the static sites into something more maintainable and capable of self-service content updates.
Get the server up and running, install required software and generate ssh key pairs. Setup some basic firewall rules and limit ssh access to home network IPs.
Server has been provisioned and I’ve run some basic configuration:
- Login via ssh
- Update, upgrade and reboot
- Generate ed25519 key pair on my laptop
- Copy it over to the server
- Create configuration on the laptop to connect to it using one-line ssh command
- Set firewall on the server to allow HTTP, HTTPS traffic from anywhere, allow SSH only from my home IP
- Set Linode firewall to allow HTTP, HTTPS, SSH, DNS traffic, just to prevent sending emails or anything similar in case it gets hacked. The Linode DNS template sets the protocol to TCP, which doesn’t work, so I changed it to UDP

```bash
# login
ssh root@SERVER-IP

# update, upgrade, reboot
apt update && apt upgrade
reboot

# generate keys on laptop
ssh-keygen -t ed25519 -f ~/.ssh/linode-honeypot

# copy the public key over to the server
ssh-copy-id -i ~/.ssh/linode-honeypot root@SERVER-IP

# create/edit ~/.ssh/config on the laptop
vim ~/.ssh/config
# add this configuration to it:
#   Host honeypot
#       HostName 18.104.22.168
#       IdentityFile ~/.ssh/linode-honeypot
#       User root

# set firewall to deny incoming traffic by default and add exceptions
ufw default deny
ufw allow http
ufw allow https
ufw allow from HOME-IP to any port 22 proto tcp
ufw enable

# use Linode control panel to add a firewall that can't be changed if the server
# is hacked, set it to allow HTTP, HTTPS, SSH and DNS (see screenshot below)

# install nginx
apt install nginx

# create index.html with some basic HTML, set ownership and permissions,
# then delete the default index file
vim /var/www/html/index.html
chown www-data:www-data /var/www/html/index.html
chmod 644 /var/www/html/index.html
rm /var/www/html/index.nginx-debian.html
```
- Change ssh config not to allow password authentication
```bash
# open configuration file, change PasswordAuthentication from yes to no
# and restart the ssh service
vim /etc/ssh/sshd_config
#   PasswordAuthentication no
service ssh restart
```
Register a domain, get a virtual host up, get SSL certificates and build a semi-convincing website with chosen $tech = [‘Static’, ‘Vanilla PHP’, ‘WordPress’, ‘Laravel’]. Rinse and repeat.
Observe. Look what people and/or bots are doing, learn and document your observations.
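For the "observe" step, a small log summary that separates scanner-like clients from ordinary visitors (an added example, not part of the original post). It assumes nginx's default `combined` access-log format; the sample lines are constructed using documentation IP ranges, and the threshold of three distinct missing paths is an arbitrary starting point.

```python
import re
from collections import defaultdict

# nginx default "combined" access-log format (assumed; adjust if log_format is customised)
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines, not real traffic.
SAMPLE = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /xmlrpc.php?x=1 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2024:10:05:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2024:10:05:01 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.55 - - [01/Jan/2024:10:06:00 +0000] "\\x16\\x03\\x01" 400 166 "-" "-"
"""

def summarize(log_text, min_missing=3):
    """Return (per_ip, suspects).

    per_ip maps client IP -> request count, set of distinct 404 paths and
    count of malformed request lines. suspects lists IPs that asked for at
    least min_missing distinct missing paths or sent a malformed request.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "missing": set(), "malformed": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not in combined format; skipped rather than guessed at
        stats = per_ip[m["ip"]]
        stats["requests"] += 1
        parts = m["req"].split()
        if len(parts) != 3:  # not "METHOD path HTTP/x", e.g. TLS bytes sent to port 80
            stats["malformed"] += 1
            continue
        if m["status"] == "404":
            stats["missing"].add(parts[1].split("?", 1)[0])  # group without query string
    suspects = sorted(ip for ip, s in per_ip.items()
                      if len(s["missing"]) >= min_missing or s["malformed"])
    return dict(per_ip), suspects

if __name__ == "__main__":
    stats, suspects = summarize(SAMPLE)
    for ip in suspects:
        print(ip, sorted(stats[ip]["missing"]), "malformed:", stats[ip]["malformed"])
```

To run it against the server's own log, pass the contents of the access log file to `summarize()` instead of `SAMPLE`.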