I am thinking about setting up a modest web server using some old hardware and Ubuntu 12.04 or Debian 6. I am aware that by exposing a machine on my LAN to the outside world I become vulnerable to security breaches and attacks. That being so, and since I have almost no experience in securing computers using Linux, I would like to ask for some recommendations about what I should do to secure this web server, especially since there are other computers in my home LAN which contain sensitive information (about home-banking accounts and such). Thank you very much.
Hardening a Home Server
Tags: home-server, security, self-hosting
Related Solutions
This is a complex question, but putting together a simple system to protect your father-in-law's confidential information should not be that difficult.
Your first suggestion of using separate addresses for separate services probably won't make much of a difference. If someone (say, Mallory) is intercepting email in the network, then they can probably intercept any forwards you make; therefore all services are vulnerable to attack if you are using only one domain for all accounts. Mallory can simply search for any emails containing *@example.com in the To field and assume they're all being forwarded to the hidden address. Just knowing what the email address for a given account on a given service is gives Mallory an advantage, as that's what is authenticated to the service and that's what she will use to compromise it. Even creating email accounts off your domain simply increases the number of vulnerable nodes.
One way that you can considerably improve security is by enabling SSL for all protocols on the mail client used to fetch from the server. That way you eliminate at least one vulnerable hop where Mallory can intercept the plaintext of the emails. Also, contrary to what you've stated, it is very likely that sensitive services are using SSL to send you mail via SMTP, or that you can enable that somehow.
That's the most you can do on the network end. If the service refuses to use SSL-SMTP, it's probably not going to be very secure at all. There's a lot you can do to improve security on the local end, however. You should take standard precautions such as creating a firewall and disabling unused network services, as well as making sure that all your passwords are strong (16 characters or more). The LAMP server can be hardened with Grsecurity or a similar system to prevent buffer overflow attacks. Creating a virtual encrypted drive is of dubious utility, seeing as that unless you want your email to be undeliverable 90% of the time, the drive must be unlocked for you to receive it. Picture a physical mailbox with a padlock!
The local system presumably being used to retrieve email from the server using (SSL-)POP3 can be hardened as well if it's Linux. If you're serious about local security, the whole drive should be TrueCrypted (it's not actually on standby waiting for mail all the time) because applications leak an unbelievable amount of data throughout the whole system in caches and logs, rendering a solely encrypted local mailbox somewhat irrelevant.
So there's a little you can do for the network, a lot you can do for the server, and more you can do for the local system. Remember that the weakest part of your whole security system is the passwords.
Best Answer
First, you are probably aware of this, but if you have a dynamic IP, you'll need a dynamic DNS service like DynDNS or DNSexit.
On the securing part, I think using iptables (or a firewall GUI like firestarter if you prefer) and opening only port 80 for inbound connections is sufficient for a home server if you don't need to open the ssh port (22) or ftp (21) and you will not install a mail server. If your site has a login page or if you need to open ssh, ftp or smtp, I would recommend at least installing something like fail2ban to ban IPs that try to connect without success, so they don't try forever.
One important thing to note is that you must have a look at your logs; to keep an eye on them easily, install logwatch (it should be in your default repositories on Debian & Ubuntu) to alert you by mail daily or weekly. You'll rapidly learn to find what's wrong by reading them frequently. If you need to connect from outside to administer the server, use a VPN, and in any case keep the OS always updated!
Update: For SSH and sftp, I think fail2ban + only ssh keys (or keys + password but not only password) is the minimum you need (and do not allow root access).
If the machines you use to connect have fixed IPs, open the firewall only for those incoming IPs.
An encrypted VPN (I use openvpn) helps a lot to secure your access too.
Have a look here for the 'quick' official tutorial: in 15-30 minutes you'll have a working VPN server for one client and one server. For a better setup with client certificate authentication and a CA (your own free CA) you'll have to take a few more minutes :D
If your sites require MySQL, or for any other reason you need to administer MySQL (or another database) from the internet, and you don't use a VPN, use an ssh tunnel: you connect to a local port on your machine and the tunnel encrypts the connection to the server, so you don't need to open the database port. Have a look at the -L and -D arguments in man ssh. I would not install phpmyadmin to listen on a public IP, as that opens your database to the world. If you need, I can put an example script for a tunnel here.