Running a secure server
and other self-hosting madness
December 4, 2015 — January 19, 2021
Or at least somewhat more secure servers.
So many parts to this! I am not an expert at any of them. Moreover, it’s a difficult specialist trade to get good at. But we can make some starts.
The risk profile is that I might want to run an internet server and I don’t want to get drive-by hacked by port-sniffing randoms with embarrassing ease. Securing cloud machine against their hosts or other cloud users is a whole other level about which I know nothing, as opposed to the nearly-nothing that I know about securing a host in general.
1 Baseline: Making sure you are not instantly p3wned
Start with a hardened OS if possible.
Then lock it down, e.g. securing Ubuntu: My first 10 minutes on a server, basic how to harden ubuntu server. Get a firewall.
2 SSL/TLS
An important detail to use modern web services is SSL, a notoriously tedious process. Some pro tips for SSL certs by Reinout van Rees.
This recently got easier and cheaper with Let’s Encrypt. I think this is close to RFC 8555 - Automatic Certificate Management Environment (ACME).
Useful links:
- dehydrated letsencrypt/acme client implemented as a shell-script
- ACME client protocol
- client software letsencryptnosudo might still work?
- the full-stack webserver caddy is a web server with integrated letsencrypt
- EFF certbot “Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.”
- Apparently certbot is a bit of a mess and I see LEGO recommended instead (Let’s Encrypt client and ACME library written in Go)
- most commercial static hosts handle this automatically for you
- Jeremy Gale, How to set up a free dynamic hostname with SSL cert using Google Domains
3 Private development servers
4 Proper Online Servers
I’m not the guy to tell you how to run real secure webservers that actually transfer significant information.
OTOH, I do occasionally need to fake SSL so that I can demo fancy javascript online.
Here is how to do that using Cloudflare. (NB If you are not aware of how the following is in fact a fake SSL then you are not qualified to do real security on websites.)
Summary: Don’t use it for actual server-side applications, because it will behave as if it’s secure while leaking information, but it’s ok for developing browser apps that don’t meaningfully communicate with the server.
Oh wait, you actually want to do the SSL thing?
Here’s a basic emergency guide to doing it with commodity webhosting: Letsencrypt thing with webfaction by Nick Doty.
5 General services
Use tor hidden services to not even expose your server’s existence?
6 Lan serving stuff
ClearOS maybe?