[NOOB] DIY website hosting, a deeper dive

Disclaimer

I have hacked together some tools for internal use, but I’m not a professional developer or server administrator, so don’t take this as a guide, I’m just documenting some of my experiences with DIY hosting in a dangerous, not in the safety of my home/work network environment. Along the way I’ll ask community for input about my thought process and what I may be missing. You are free to poke, criticize, break or ruin any of the publicly listed resources/choices. It’s going to be a while, lot’s to learn along the way, but I’ll try and keep the post up to date.

Resources

Server

It’s a nanode instance in Frankfurt, DE data center, with the following IPs:

• 172.105.247.84
• 2a01:7e01::f03c:93ff:fe37:184d

Domains

Still thinking about it, will probably go one by one.

Repos

TODO, I have to take git crash course.

Major tech

• Ubuntu 20.04 LTS (I know, I know - it should be arch or alpine, maybe later)
• Nginx as the web server
• PHP - PHP attracts bad “programmers” so there we go
• MySQL / maybe SQLite for the database needs
• WordPress because it’s popular
• Laravel because I found it easy to use for my internal tools hackery
• Tailwind CSS because my style and design brain parts had to be surgically removed when I jammed a crayon up my nose as a two year old child

The spark

Some time ago I started playing with Linode and found it to be really interesting. Fast forward few months and I felt comfortable hosting static websites for friends and family and their small businesses. Nginx and Linux server underneath kept themselves up to date, and there was no problems serving static .css and .html assets. I’ve learned about using ssh key pairs to keep intruders out, limiting ssh access to my home IPs, getting SSL certificates with Let’s Encrypt, setting some security headers, and so on.

The plan

Few days ago I decided to boot up a second VM and register a couple of dirt cheap ~1$ domains and host them all using different solutions. One will be WordPress, one Laravel, one vanilla PHP, and one static as before. Basically I want a honeypot to play with and get better insight into how are the bad guys probing things for vulnerabilities so I can implement some poor man’s defense strategies for the real thing. Eventually, I’m planing on converting the static sites into something more maintainable and capable of self-service content updates.

Stage one

Get the server up and running, install required software and generate ssh key pairs. Setup some basic firewall rules and limit ssh access to home network IPs.

Server has been provisioned and I’ve run some basic configuration:

• Login via ssh
• Update, upgrade and reboot
• Generate ed25519 key pair on my laptop
• Copy it over to the server
• Create configuration on the laptop to connect to it using one-line ssh command
• Set firewall on the server to allow HTTP, HTTPS traffic from anywhere, allow SSH only from my home IP
• Set Linode firewall to allow HTTP, HTTPS, SSH, DNS traffic, just to prevent sending emails or anything similar in case it gets hacked. Linode DNS template is setting protocol to TCP which doesn’t work so changed it to UDP

Commands

#login
ssh [email protected]
#update, upgrade, reboot
apt-update && apt-upgrade
reboot
#generate keys on laptop
ssh-keygen -t ed25519 -f .ssh/linode-honeypot
#copy keys over to server
ssh-copy-id -i .ssh/linode-honeypot [email protected]
#create/edit .ssh/config
vim ./ssh/config
#add configuration to it
Host honeypot
    HostName 172.105.247.84
    IdentityFile ~/.ssh/linode-honeypot
    User root
#set firewall to deny by default and add exceptions
ufw default deny
ufw allow http
ufw allow https
ufw allow from HOME-IP to any port 22 proto tcp
ufw enable
#use Linode control panel to add firewall that can't be changed if the server is hacked, set it to allow HTTP, HTTPS, SSH and DNS (see screenshot bellow)
#install nginx
apt install nginx
#create index.html file with some basic HTML, set permissions, ownership and then delete default index file
vim /var/www/html/index.html
chown www-data:www-data /var/www/html/index.html
chmod 644 /var/www/html/index.html
rm /var/www/html/index.nginx.debian.html

Screenshot 2022-02-07 at 18.37.542482×1296 278 KB

• Change ssh config not to allow password authentication

#open configuration file, change PasswordAuthentication from yes to no and restart ssh service
vim /etc/ssh/sshd_config
#PasswordAuthentication no
service ssh restart

Stage two

Register a domain, get a virtual host up, get SSL certificates and build a semi-convincing website with chosen $tech = [‘Static’, ‘Vanilla PHP’, ‘WordPress’, ‘Laravel’]. Rinse and repeat.

Stage three

Observe. Look what people and/or bots are doing, learn and document your observations.

Stage four

?

Stage five

Profit.

you want us to pentest it or are you looking to honeypot real hackers?.
if you want us to hack it then, safe-harbour?.

Yes safe-harbor as long as you don’t use it for anything malicious, say to launch an attack at someone else. You are free to attack it, the server at the listed IPs and any websites it will soon host. Let me know if you manage to break in and I don’t notice for a couple of days

The index page will display the following GUID, just to identify it as a safe target. I mean, I could be lying about having ownership of that server.

3981a85a-8581-4204-b50a-12699b8421ae

ok. did a scan.
not a lot there
an index.html is all that showed up with gobuster
nmap showed 2 ports.
80 and 443 open but 80 just shows the hash.

so there’s nothing running that’s exploitable assuming you patched your nginx server.

for your logs, you should find 2 nmap scans. and 3 gobuster scans.
1 for 1000 ports.
the other all ports
the gobuster scans were just 3 different wordlists.

I’d expect as much, I however do think things will be more complicated once the first domain i up, it should attract much more attention once the websites are up. Should be soon enough.

OK, so I have been observing for a couple of days and I’m getting some interesting attempts even with no domains hosted just yet.

#Gobuster (presumably HEXiT) snooping looks interesting. Lots of links that look like
#the ones where site gets Japanese SEO hack
[08/Feb/2022:07:50:03 +0000] "GET /t1800-50. HTTP/1.1" 404 134 "-" "gobuster/3.1.0"
[08/Feb/2022:07:50:03 +0000] "GET /t1780 HTTP/1.1" 404 134 "-" "gobuster/3.1.0"

#Some good old WordPress. Still no WP deployed.
[08/Feb/2022:09:52:49 +0000] "GET /web/wp-includes/wlwmanifest.xml HTTP/1.1" 404 564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
[08/Feb/2022:09:52:50 +0000] "GET /wordpress/wp-includes/wlwmanifest.xml HTTP/1.1" 404 564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
#A shit ton more WP sniffing

#Smells like Laravel specific things, even tho there is no Laravel app deployed.
[09/Feb/2022:13:12:16 +0000] "GET /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
[09/Feb/2022:10:22:13 +0000] "GET /_ignition/execute-solution HTTP/1.1" 404 197 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
[09/Feb/2022:06:13:09 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 197 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)

# Some PhpStorm stuff, first time I see this
[09/Feb/2022:08:29:49 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 262 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)

Anyway… I’m thinking about posting logs to go along with my thoughts and plans, should I censor out the IPs?

you kinda have to remove the ip’s if your gonna post the info here or you will be doxing them.

as for the scans yeah the 7:50 am one was me. (i was behind a vpn so its not my real ip)
i didnt do any wordpress scans or others once a realised there was no directory structure.
no robots.txt. no .htaccess or other files that should have show up with a working website and server.
so it was pointless to try and do more…
i would have tried the cve for the nginx server version but i didnt wanna brick yer server

Could you link the CVE? Straight out of the box, nice!