By self hosted website I mean, a website that is hosted on my computer and made available through port forwarding by the router. I have apache2 as the web server to serve the http requests. How to make the website and my whole home network that is connected to the same router secure. I assume that my home network would be vulnerable too if the web server is vulnerable. Is apache secure enough independently without any external configurations?
1 Like
I’m far from an expert here, but I have picked up a few things managing some of my own servers.
Apache is pretty secure when configured correctly, but you are right that your network is more vulnerable when you have an internet facing machine on it. A truism in computer security is that you cannot be perfectly safe from hacking. By taking a few steps, you can make yourself a much more difficult target, and thus not worth the effort. Here’s what I would do:
- Make sure your router is up to date.
- Configure your router’s firewall such that the only external traffic going into your network are through ports 80 and 443, which get routed to your server. Open other ports very judiciously.
- If your router supports it, put your server on a DMZ (demilitarized zone). This is like a separate network that is intended for internet facing connections. If your server gets compromised, the rest of your network won’t be at risk. This will make SSH and other remote connections very difficult, though.
- Configure your server’s firewall properly. Only allow in the traffic you absolutely must allow. If possible, restrict remote access to a single machine. Even better, keep a monitor and keyboard attached.
- Only run the services you need. I would not use FTP as SFTP is more secure and runs over the same port as SSH. If you’re not using a database, make sure none are running. Ideally, this thing should be a web server, and a web server only. Everything else adds risk.
- If you’re running Linux and you need SSH, setup
fail2ban. This will IP ban anyone who tries to login remotely and fails after a few times (default is 5, I think). IP bans are easy to get around, but it’s still annoying for the hacker and takes time away from what they want to do. - If you’re using SSH, make sure you disable password access and that you use RSA keys. DigitalOcean has a good walkthrough of that.
- Run through this guide on Apache security
- Running an anti-virus like ClamAV wouldn’t be a bad idea. If you’ve properly configured access to your server, then malware shouldn’t be high on your list of concerns (unless you allow people to upload to your server, then may the force be with you). Still, it doesn’t really hurt, especially as your server will probably be idle more than not.
There’s probably something that I’m missing or forgetting here. If you are running a database, other considerations will apply. Remember that the website you’re hosting can also be a security risk if it responds to any user input. Following these suggestions will seriously reduce your surface area for attackers, though.
2 Likes
I always thought that the ports didn’t matter unless it was 80. My ISP seems to have blocked port 80. So I used to use any other random port. But now that you’ve raised concerns, I think I’ll switch to port 443 as it’s the only option now. Thanks for the post, it was pretty useful. 
443 is what your browser will use for a secure (HTTPS) connection, if you get it set up. Your ISP has blocked port 80 because running a web server from your home is likely a violation of the terms of service, and 443 will probably not work either. Which port you set up would be moot because if ports 80/443 are blocked, there’s just no way for a web browser to connect. Such is the control they exert on us 