Risks of hosting own website?

[gobel]

Hi guys, I read through most of your forum last night and really learned alot. I really appreciate the time put into sharing the info on your forum.

Now that I know just enough about DDNS, port forwarding, etc. to be dangerous, I'm wondering if you all could help me understand and evaluate the risks of actually hosting my own website, ftp server, opening my home network to mstsc and perhaps other services as well.

[wimiadmin]

Perfectly safe so long as you only forward the ports required and have good passwords on all of your computers.

I've hosted sites, ftp servers, mstsc, etc. from my house before. The one that seemed to get the most hack attempts was my ftp server. I simply set the ftp program to ban any IP with more than 3 unsuccessful attempts at logging in and that pretty much eliminated further hack attempts.

Also remember to keep your server and any software up to date. If it's a Linux based server, you're pretty much good to go, but if you host a phpbb forum, you'll need to religiously keep phpbb up to date.

[clanmills]

I agree with WimiAdmin here and I'd just like to add my 2¢ worth.

I prefer to have my websites hosted outside for several reasons:
1) security is somebody else's issue
2) it's up 7x24 (and somebody else can deal with reboots and stuff)
3) it's faster. Hosting at home on a DSL link limits the download speed to how fast you can upload from home (which is usually quite slow)

Having said that, the advantages of having the server at home are:
1) You have all your tools on the server (you're not limited to FTP and HTTP access to the server)
2) You can run any service you wish (Perforce, SVN, VNC, etc) in addition to HTTP.

Like most things in life, you choose what works for you. There's no right or wrong way and both will work fine.

[gobel]

The whole point of the exercise is a learning experiment. Sites I want to be up 24/7 that are "critical" (at least to the degree any of mine are) are hosted by 3rd party company, and will be for the foreseeable future.

But there are times when I've wished I could access some email on my home cpu or maybe just let somebody ftp directly to/from my machine without the hassle of using some intermediate server.

[clanmills]

Well these are also very good reasons to want to host servers at home and I'm sure you'll enjoy getting all this stuff to work. Have Fun and Good Luck. I'll be interested to hear about your experience - come back and let us know how it works out for you.

[gobel]

I failed to mention that the purpose of any of this is primarily educational in nature. I don't have any super secret data anybody might be looking for, and I have the important stuff backed up.

But there have been times when I thought it would be convenient to access email on my home machine from somewhere else or let somebody ftp directly to/from my system without the hassle of some 3rd party server.

Thanks again for the help!!

[gobel]

So I was talking to the network/system guy I work with and he recommended setting up a DMZ, but some articles I've been reading on the web today seem to suggest that DMZ setups are actually more risky than simple port forwarding with consumer level routers.

I have a Linksys RV082 VPN router and a Linksys WRT54G wireless router as well. (I also have an older VPN router on the shelf, but I think some of the ports are cooked)

I'm wondering what your thoughts are on the DMZ "feature" of the RV082 specifically...

[wimiadmin]

Yeah the DMZ is just like plugging the internet in to your server without a router/firewall as a layer of protection.

I've used the DMZ before but only for troubleshooting when ports were not forwarding correctly. Once I got that fixed, I moved the IP out of the DMZ and back behind the firewall.

[clanmills]

Hi G

I don't think I have any opinion about DMZ vs Port Forwarding. It's another choice which might be the one for you. Personally, I feel happier about only exposing ports I intend to use. Moreover, I don't keep the ports permanently open and only expose them when they may be used.

My experience with this was mostly educational. I was thinking about sharing a perforce source control server from home with somebody else. In fact that didn't materialize. Mostly, like you, I was simply curious to make it work. I wrote an article about it and you may find that helpful: http://clanmills.com/articles/portforwarding/

Subsequently one of my open-source buddies in Kuala Lumpur (half a world away from California) wanted to debug some UNIX code on my Mac. No problem - I opened up the SSH port and 5 minutes later he logged on and did his work.

Robin

[aprotosimaki]

Quote:

Originally Posted by gobel

I failed to mention that the purpose of any of this is primarily educational in nature. I don't have any super secret data anybody might be looking for, and I have the important stuff backed up.

But there have been times when I thought it would be convenient to access email on my home machine from somewhere else or let somebody ftp directly to/from my system without the hassle of some 3rd party server.

Thanks again for the help!!

Quick comment only ...

FTP sends user credentials in the clear, which means that you must never login using your Administrator/root account. It would be better to use sftp or scp instead but this does require end users to have them installed. An interesting alternative is this product, which seems to be free for home use:

http://www.appgate.com/index/products/mindterm/

Basically it implements sftp/scp/ssh via a java applet embedded in a web-page, which means that your client does not need to install ssh/scp/sftp locally. We use it our place of work and it is quite good and easy to use and does allow secure copying of files.

Alternatively, you could explore anonymous FTP services, which gets around the issue of plain text passwords (since none is used) but it does open you up to accidently becoming a warez site, if you allow uploads, which you probably shouldn't.

If you really want to push the envelope, why not explore running a VPN server on your network and only allowing access to FTP via the VPN? OpenBSD's implementation of poptop (pptp), for example, is actually quite good and easy to use.