Raspberry PI Web Server

[Syon]

Hi Community,

I'm a little new to all this. I've learned a lot and now I'm planning a fun project for my personal use only.

I'd like to know, based on your knowledge and experience, if I can use a raspberry 3B(1GB RAM) to run the following services for personal use only:

• NextCloud

• Taiga.io

• Passbolt

• Wallabag

• Matecat

Also, if you're doing something similar, please, let me know what kind of services are you running locally.
Thanks,

[markatlnk]

I run a web server, email system, wordpress blog on a Pi 2. It is live on the internet and has been for a couple of years. Up time has been really good, last reboot was 196 days ago. You will need something like spamassasin to filter your email, you will get tons after your email gets out there at all. Also SD cards won't last that long, they have a limited number of write cycles. I use an external USB 500G drive for the root directory and only use the SD card for the boot directory.

Mark

[Syon]

I run a web server, email system, wordpress blog on a Pi 2. It is live on the internet and has been for a couple of years. Up time has been really good, last reboot was 196 days ago. You will need something like spamassasin to filter your email, you will get tons after your email gets out there at all. Also SD cards won't last that long, they have a limited number of write cycles. I use an external USB 500G drive for the root directory and only use the SD card for the boot directory.

Mark

Thank you for sharing your experience!

[spock]

i also would like to run a webserver with similar services. actually it already runs nicely on the local network.

i am wondering... how dangerous is it, if i make it accessible from the internet with port forwarding?

what do i have to look out for? the stuff on the webserver itself isn't that critical but if an attacker got access to the other pcs on my network it would be very bad. what would be a good way to secure everything? any tips, hints, links to learning resources?

[bertlea]

If you only expose the web services (e.g. http, https), just Keep your OS up-to-date, especially when there is an security alert issued then it is pretty safe. But if you also expose ssh, then you better take more measures to protect from attackers.

• use a long and secure password

• don't use default port (22)

• install and use fail2ban

Even better:

• only use key-based authentication (not username/password) for ssh

• create and use another username and disable username 'pi' for ssh

[rpdom]

I've been running a simple webserver on a PI 2B for years now. I see a lot of attempts to try and break in to it in my daily logs, but none have been successful.

I do have external SSH enabled as well, but the pi user is long gone, and I only allow shared key logins. That also gets many attempts to break in, but none successful. I use denyhosts instead of fail2ban, but it doesn't have to do much work.
I rarely use the SSH connection. It is just there as an emergency backup if both my VPN connections are not working.

Most of this setup was working on an old laptop before I got the Pi 2B, and another old (made in 1999) before that. It has worked well for me

I will probably be upgrading most of the setup to a Pi 3B+ at a later date. The software on the 2B is very out of date, but there is a ton of custom stuff running on it and moving it to Buster will take me weeks of work.

[DougieLawson]

Changing from port 22 is a pain in tail, every SSH client defaults to port 22. If there's an intrusion detector that's active and effective then having a few hackers come knocking on the door and getting turned away isn't a problem, it's a minor inconvenience (until it blocks me).

Disabling ssh with passwords is 100% essential.
My pi userid got renamed to something different.

I have TCP ports 22, 80, 443 and UDP port 1194 open to the public internet.

[jbudd]

Changing from port 22 is a pain in tail, every SSH client defaults to port 22.
Disabling ssh with passwords is 100% essential.

I mostly use MobaXterm as an ssh client. It's not too hard to remember to type ssh -p 45678 pi@mydomain. I think Putty has a form where you enter the port number, less straightforward.

Of course, using an obscure port number like that doesn't prevent bots from finding the open port and trying to login.
In practice though, according to my fail2ban logs, they never have.

SSH login using keys is more secure but I have found it frustrating.
I don't understand which key files go where and how to use them - If I manage to get the key to work with MobaXterm, does that mean Putty will work too? How can I login from a new computer or using Termux on my phone? etc...

So I find ssh with password login much less of a pain than the more secure option.

Maybe you can suggest a simple and thorough explanation of ssh using keys?

[Heater]

I think that if you want publicly facing servers that are running all that junk and you are worried about the safety of your local LAN then you should not have the servers on your local LAN. Separate them. Use firewalls.

[Andyroo]

Changing from port 22 is a pain in tail, every SSH client defaults to port 22.
...

In the case of the Mac you can change the port by editing .ssh/config and adding

Code: Select all

Host raspberrypi 
  User pi
  HostName 192.168.1.123
  Port 54321

You can also use Host * to change all hosts.

This can still be overridden from Terminal e.g.

Code: Select all

ssh -p 22 fred@192.168.1.123

would connect to host raspberrypi as fred on port 22 overriding the above config.

[DougieLawson]

If you move the port the things that find your system are more hostile (not just the script kiddies) if they get in worse things will happen. It's much easier to leave it at port 22 and spend your time ensuring it's secured from every unauthorised break-in attempt.

My fail2ban rules have no time-out, when you're blocked you're blocked forever (or until I clean out the sqlite3 database that fail2ban uses).

[Syon]

Thanks for all replies, guys. It will be local only.

[chwe]

Up time has been really good, last reboot was 196 days ago.

means your last kernelupdate was 196 days ago? I don't think that raspbian supports LIVEPATCH.. Doesn't sound like a best practice approach to me.

I had a SBC exposed as a webserver for a long time in my network. IMO it also depends how well the rest of your network is secured.. Assuming for whatever reason they gain access to your SBC make sure that there aren't many other low hanging fruits to mess around (so probably no WindowsXP in the same network ).. Keep the system updated and yes, this means that the Pi should be rebooted from time to time (it doesn't hurt when the uptime counter isn't that high ) and only expose services to the internet which take security serious means check CVEs of the software used, if they notoriously fail I don't trust them.

If you don't need SSH accessible from outside, don't use it.. Only keys no passwords, and if not absolutely needed I wouldn't expose a sudoer... actually I never needed sudo for maintenance (well the page didn't had much traffic and a downtime of a few hours wasn't an issue, or at least not one I cared about)..

[rpdom]

Up time has been really good, last reboot was 196 days ago.

means your last kernelupdate was 196 days ago? I don't think that raspbian supports LIVEPATCH.. Doesn't sound like a best practice approach to me.

Meh, whatever. Secure system is secure if you are careful.

Code: Select all

 07:50:50 up 405 days

Pi 2B running old software, no longer supported. Ports 80 and 22 exposed. Various security software and logging in place. Various attempts on both ports for years. None successful. I am planning to upgrade, but there is a shedload of stuff running on that Pi that will break my home network if it fails for any length of time. The uptime would have been longer, but the disk failed and I had to replace it and restore from my backups. That took an hour or so. I didn't lose anything important.

[emilfr]

I've been running my personal mail server, webmail UI (only on https), dhcp and dns (dnscrypt), cups, vpn and several other service on rpi2 and rpi3 (some services running in cluster mode) and been running for more than two years now.

There is not enough security measures after you expose your services to the internet, so yeah, things like fail2ban, and ssh keys, personal certificate plus 2FA are your best friends for remote access.

[chwe]

Meh, whatever. Secure system is secure if you are careful.

and it's not careful if you rely on software which isn't updated since months/years. Especially for software which gets regular updates such as the kernel.

Code: Select all

 07:50:50 up 405 days

Pi 2B running old software, no longer supported. Ports 80 and 22 exposed. Various security software and logging in place. Various attempts on both ports for years. None successful. I am planning to upgrade, but there is a shedload of stuff running on that Pi that will break my home network if it fails for any length of time. The uptime would have been longer, but the disk failed and I had to replace it and restore from my backups. That took an hour or so. I didn't lose anything important.

Maybe on a Raspbian Jessie? (hopefully not). I don't get this uptime at all. If it really hurts you when there's a smaller number you might find something to fill it with a bogus number. I'm proud that none of my SBCs has an uptime longer than a week, they get updated weekly which results in a downtime of 30sec to 2min to bring back all services they provide and guess what, it feels good that they come back every-time without issues when I update them (in fact they're updated by scripts so I don't even have to do something here). I have boards which have an 'overall uptime' more or less the time debian stretch was available for them (honestly, I never updated a Jessie to stretch, and they were down for a few days to move my flat ).
IMO it doesn't matter how long you didn't spot any evidence that your system got corrupted. The questions should be, what if? What if your system gets corrupted.. The Britains should be familiar with the case it hits them https://www.theverge.com/2017/5/12/1563 ... ry-bitcoin. They probably also didn't thought this can happen.. Turns out they were wrong. Don't get me wrong, I don't think that your RPi being down cause you don't want to update your system has the same impact as this one.. But is the uptime number worth it?

[rpdom]

Maybe on a Raspbian Jessie?

Still running Wheezy on that Pi. Kernel is unimportant. Uptime is unimportant. Stability and security is important and I keep track of both of those. It has been my profession for decades.

The software works. I don't allow anything in that can harm it. I read log reports every day.

[spock]

I think that if you want publicly facing servers that are running all that junk and you are worried about the safety of your local LAN then you should not have the servers on your local LAN. Separate them. Use firewalls.

yes, i will look into setting up two separate networks and firewalls. as far as i have seen it also makes sense to use a DMZ? but i will have to look into that too...

[Heater]

I have come to think that it's best not to think in terms of "local LAN" and "internet.

That leads one to assuming "local LAN = safe", "public internet = dangerous".

That leads one to building firewalls around the local LAN and feeling good about it.

Well guess what? Any machine that can reach the net or be reached from the net can be compromised. If it's inside your local LANs safe harbor you now have a potential attacker on the inside!

So what about this:

1) Treat all machines as if they were directly connected to the public internet.

2) Treat all machines on your local LAN as if they were on the public internet and potentially attackers.

3) Secure every machine from attack, from every other machine, on your local LAN or otherwise.

Am I paranoid?

[W. H. Heydt]

I mostly use MobaXterm as an ssh client. It's not too hard to remember to type ssh -p 45678 pi@mydomain. I think Putty has a form where you enter the port number, less straightforward.

PuTTY lets you set up the port number when you create config, which you can then save and use easily.

As for the "what port to use?" Any decent router will let you forward whatever port you want to a specified port on a device. This will you could forward port 12345 to port 22 on the Pi and leave port 22 on the *router* closed off.