Ask Slashdot: Security Digests For the Home Network Admin?

New submitter halcyon1234 writes "I'm currently cutting the webhost cord, and setting up a simple webserver at home to host a couple hobby websites and a blog. The usual LAMP stuff. I have just enough knowledge to be dangerous; I know how to get everything set up and get it up to date, but not enough to be sure I'm not overlooking common, simple security configurations. And then there's the issue of new vulnerabilities being found that I'm not even aware of. The last thing I want is to contribute to someone's botnet or spam relay. What readings/subscriptions would you recommend for security discussions/heads up? Obviously I already read (too much) Slashdot daily, which I credit for hearing about some major security issues. Are there any RSS feeds or mailing lists you rely on for keeping up to date on security issues?"
  • by LordLucless ( 582312 ) on Friday June 15, 2012 @07:49PM (#40340677)

    Most American ISPs. The only Australian ISP I'm aware of who has this in their AUP is Telstra, and nobody who knows how to configure a setup like that would be using Telstra anyway. That's one of the advantages of a metered system - because the ISP gets paid more the more data you use, they have absolutely no motivation to try and limit your ability to move data. Whereas the US ISPs seem to spend more of their time figuring out how to block data-heavy protocols than actually trying to provide a service.

  • by taustin ( 171655 ) on Friday June 15, 2012 @07:52PM (#40340707) Homepage Journal

    On a publicly visible web server, set the directive for the default web site (the first one in the virtual host list) to default deny to everyone. Then put your web site on a different virtual host. 99.9% of the scans I see come in by IP address, which gets them the default site. Any legitimate traffic will come in by domain name. This setup not only denies the script kiddies access to any PHP forms you've got, it convinces their 'bots to give up very quickly, which means less of a toll on your bandwidth.

    (As someone noted, the standard consumer high-speed account prohibits running servers. Many commercial accounts do, too, unless you told them you're running a server of some kind. You may also have to get them to unblock port 25 if you want to run your own mail server - be very careful if you do that, though. You don't want to be a spamfest rathole without knowing it.)
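    The catch-all vhost described in the comment above, written out as an added Apache 2.4 configuration example (this is not taustin's own config). The host name example.org and the directory paths are placeholders; the only thing that matters is that the deny-everything vhost is listed first, because Apache hands any request whose Host header (or bare IP address) matches no ServerName or ServerAlias to the first vhost for that address and port.

```apache
# Added example, not from the comment above. Assumes Apache 2.4 (mod_authz_core
# syntax) and placeholder paths under /var/www.

# Catch-all vhost: first in the list, so it answers every request that does not
# name one of the real sites, including scans that arrive by IP address.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    # Refuse everything; the scanner gets a 403 and nothing from the real site.
    <Directory /var/www/empty>
        Require all denied
    </Directory>
    # Keep the noise in its own log so the real site's access log stays readable.
    ErrorLog ${APACHE_LOG_DIR}/default-error.log
    CustomLog ${APACHE_LOG_DIR}/default-access.log combined
</VirtualHost>

# The real site only answers requests that carry its own name.
<VirtualHost *:80>
    ServerName example.org
    ServerAlias www.example.org
    DocumentRoot /var/www/example.org
    <Directory /var/www/example.org>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/example.org-error.log
    CustomLog ${APACHE_LOG_DIR}/example.org-access.log combined
</VirtualHost>
```

    On Apache 2.2 the `Require all denied` / `Require all granted` lines become `Order deny,allow` + `Deny from all` and `Order allow,deny` + `Allow from all` respectively. To check that the split works, request the server by IP address (expect a 403 from the catch-all) and then by host name (expect the site); `apachectl -S` lists which vhost is the default for each address and port. If the site is also served over TLS, the same first-vhost rule applies separately to port 443, so a matching catch-all is needed there too.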

  • by StormReaver ( 59959 ) on Friday June 15, 2012 @08:36PM (#40341129)

    Hosting is cheap, I don't see why you'd want to cancel it unless it's hurting the bank.

    Simple: control.

    I used pghoster for a while, because they provided PostgreSQL hosting. The service was fine until:

    1) They switched my hosting from Linux to BSD. That unnecessarily broke all my cron jobs, which I fixed with a fair amount of grumbling about time I didn't have.

    2) They made another infrastructure change. That unnecessarily broke all my cron jobs, which I fixed with a fair amount of grumbling about time I didn't have.

    3) They made some other change which broke my PHP, which I fixed with a fair amount of grumbling about time I didn't have.

    The bottom line was that they did not seek my input about what to change and when to change it. And their business model probably doesn't allow them to do so. After all, they have a lot of different users with a lot of conflicting demands. It's just the nature of shared hosting. I have no bad will towards the service, but the requirements of shared hosting are just incompatible with the requirements I have on my time.

    So I bought a cheap block of static IP addresses ($20 extra per month) that put me into the business class of customer; the class with the terms of service explicitly allowing me to run my own servers. I've been doing this for about six years now, and I would hate to ever have to return to shared hosting.

    And for those wondering why I didn't use a dynamic DNS service: I did, and they suck, suck, suck. But more importantly, I didn't want to find my Internet access sporadically terminated for violating terms of service.

    So yes, there are very good reasons for wanting to avoid the major hassles of shared hosting. For me, shared hosting's lack of control was a deal killer.

  • by phantomlord ( 38815 ) on Friday June 15, 2012 @08:36PM (#40341131) Journal

    My ISP expressly bans servers in their TOS, yet I've been running web/ftp/mail/ssh since my 24/7 connected dialup days at another ISP in the 90s and I've run various other servers for different uses over the years like an IRC server where my friends and I would play networked AD&D games after I wrote some bots for various tools like dice rolling. I have a dynamic IP that changes every 12-24 months with the most frequent changes occurring about 6 years ago when it changed 3 times in one year.

    My ISP has never complained and none of it has ever been an issue... and in return, I've gotten a ton of experience, albeit not full blown enterprise level experience, of how to manage and run such services myself, including, for their day, a pretty massive number of incoming hits from freshmeat and slashdot when I mentioned some software I had written a decade ago (sure, the numbers were small compared to what goes on at enterprise servers, but I got to learn about throttling and whatnot to keep my then meager 384kbps uplink usable in such a situation). On top of that, there was learning about how to build/maintain NFS, LDAP, keeping filesystems backed up over the network, syncing my development box with my server with rsync, writing scripts to do things like automatically update my IP if/when it changes or to insert iptable rules for people trying to break into ssh/ftp, etc.

    Yeah, I could have just paid for hosting somewhere, but I would have learned a lot less... The hobby sites were mostly for fun but I had just as much fun learning how to handle the administrator side of it all. Chances are, those of us posting at slashdot are kinda nerdy like that and if we don't do it as a profession, we still might want to learn such things as a hobby, at which point, doing it yourself is the best way. I also ran my own pre-LFS self-compiled/configured distro before eventually switching to gentoo to semi-automate it.

  • by spatley ( 191233 ) <spatley@yahoo.com> on Friday June 15, 2012 @09:39PM (#40341503) Homepage

    Even better: use octopress http://octopress.org/ [octopress.org] and do commenting with disqus. And then run the smallest webserver you can find and turn everything else off. The best security is the simplest security.
