Hi Community,
I'm a little new to all this. I've learned a lot and now I'm planning a fun project for my personal use only.
I'd like to know, based on your knowledge and experience, if I can use a raspberry 3B(1GB RAM) to run the following services for personal use only:
Also, if you're doing something similar, please let me know what kind of services you are running locally.
Thanks,
Raspberry PI Web Server
Last edited by Syon on Wed Jul 17, 2019 5:35 am, edited 1 time in total.
Re: Raspberry PI Web Server
I run a web server, email system, wordpress blog on a Pi 2. It is live on the internet and has been for a couple of years. Up time has been really good, last reboot was 196 days ago. You will need something like SpamAssassin to filter your email, you will get tons after your email gets out there at all. Also SD cards won't last that long, they have a limited number of write cycles. I use an external USB 500G drive for the root directory and only use the SD card for the boot directory.
Mark
Re: Raspberry PI Web Server
markatlnk wrote: ↑Mon Jul 15, 2019 1:50 am
I run a web server, email system, wordpress blog on a Pi 2. It is live on the internet and has been for a couple of years. Up time has been really good, last reboot was 196 days ago. You will need something like SpamAssassin to filter your email, you will get tons after your email gets out there at all. Also SD cards won't last that long, they have a limited number of write cycles. I use an external USB 500G drive for the root directory and only use the SD card for the boot directory.
Mark

Thank you for sharing your experience!
Re: Raspberry PI Web Server
i also would like to run a webserver with similar services. actually it already runs nicely on the local network.
i am wondering... how dangerous is it, if i make it accessible from the internet with port forwarding?
what do i have to look out for? the stuff on the webserver itself isn't that critical but if an attacker got access to the other pcs on my network it would be very bad. what would be a good way to secure everything? any tips, hints, links to learning resources?
Re: Raspberry PI Web Server
If you only expose the web services (e.g. http, https), just keep your OS up-to-date, especially when there is a security alert issued, then it is pretty safe. But if you also expose ssh, then you better take more measures to protect from attackers.
- use a long and secure password
- don't use default port (22)
- install and use fail2ban
- only use key-based authentication (not username/password) for ssh
- create and use another username and disable username 'pi' for ssh
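The SSH items in this checklist can be checked mechanically against a server's sshd_config. The following is an added example, not code from any poster in the thread; the account name `webadmin` and the three sample configs are constructed, and Include files, AllowGroups and DenyGroups are not evaluated.

```python
from fnmatch import fnmatchcase

def parse_sshd_config(text):
    """Return (first-seen global settings, AllowUsers, DenyUsers)."""
    first, allow, deny = {}, [], []
    for raw in text.splitlines():
        words = raw.replace("=", " ", 1).split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "match":
            break  # lines after Match apply only to matching connections
        if key == "allowusers":
            allow += args  # these two keywords accumulate across lines
        elif key == "denyusers":
            deny += args
        elif args:
            first.setdefault(key, args[0].lower())  # first value wins in sshd
    return first, allow, deny

def user_may_login(user, allow, deny):
    """DenyUsers is checked before AllowUsers; user@host denies are not blanket denies."""
    if any("@" not in p and fnmatchcase(user, p) for p in deny):
        return False
    return not allow or any(fnmatchcase(user, p.split("@", 1)[0]) for p in allow)

def audit(text, default_user="pi"):
    """List the thread's SSH recommendations that this config does not meet."""
    first, allow, deny = parse_sshd_config(text)
    findings = []
    if first.get("passwordauthentication", "yes") != "no":  # sshd default: yes
        findings.append("password logins are enabled")
    if first.get("pubkeyauthentication", "yes") == "no":
        findings.append("key-based logins are disabled")
    if user_may_login(default_user, allow, deny):
        findings.append(f"user '{default_user}' may log in over SSH")
    return findings

# Constructed sample configs (not taken from any poster's system).
STOCK = "Port 22\n#PasswordAuthentication yes\nUsePAM yes\n"
HARDENED = "PasswordAuthentication no\nPubkeyAuthentication yes\nAllowUsers webadmin\n"
SHADOWED = "PasswordAuthentication yes\nDenyUsers pi\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("hardened", HARDENED), ("shadowed", SHADOWED)):
        print(name, audit(cfg) or "meets the checklist")
```

The `SHADOWED` sample shows why a later `PasswordAuthentication no` does not help when an earlier line already set it to `yes`. On a live system, `sshd -T` prints the effective configuration.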
Re: Raspberry PI Web Server
I've been running a simple webserver on a PI 2B for years now. I see a lot of attempts to try and break in to it in my daily logs, but none have been successful.
I do have external SSH enabled as well, but the pi user is long gone, and I only allow shared key logins. That also gets many attempts to break in, but none successful. I use denyhosts instead of fail2ban, but it doesn't have to do much work.
I rarely use the SSH connection. It is just there as an emergency backup if both my VPN connections are not working.
Most of this setup was working on an old laptop before I got the Pi 2B, and another old (made in 1999) before that. It has worked well for me.
I will probably be upgrading most of the setup to a Pi 3B+ at a later date. The software on the 2B is very out of date, but there is a ton of custom stuff running on it and moving it to Buster will take me weeks of work.
Unreadable squiggle
- DougieLawson
Re: Raspberry PI Web Server
Changing from port 22 is a pain in tail, every SSH client defaults to port 22. If there's an intrusion detector that's active and effective then having a few hackers come knocking on the door and getting turned away isn't a problem, it's a minor inconvenience (until it blocks me).
Disabling ssh with passwords is 100% essential.
My pi userid got renamed to something different.
I have TCP ports 22, 80, 443 and UDP port 1194 open to the public internet.
Any language using left-hand whitespace for syntax is ridiculous
Any DMs sent on Twitter will be answered next month.
Fake doctors - are all on my foes list.
Any requirement to use a crystal ball or mind reading will result in me ignoring your question.
Re: Raspberry PI Web Server
"Changing from port 22 is a pain in tail, every SSH client defaults to port 22."
I mostly use MobaXterm as an ssh client. It's not too hard to remember to type ssh -p 45678 pi@mydomain. I think Putty has a form where you enter the port number, less straightforward.
"Disabling ssh with passwords is 100% essential."
Of course, using an obscure port number like that doesn't prevent bots from finding the open port and trying to login.
In practice though, according to my fail2ban logs, they never have.
SSH login using keys is more secure but I have found it frustrating.
I don't understand which key files go where and how to use them - If I manage to get the key to work with MobaXterm, does that mean Putty will work too? How can I login from a new computer or using Termux on my phone? etc...
So I find ssh with password login much less of a pain than the more secure option.
Maybe you can suggest a simple and thorough explanation of ssh using keys?
Re: Raspberry PI Web Server
I think that if you want publicly facing servers that are running all that junk and you are worried about the safety of your local LAN then you should not have the servers on your local LAN. Separate them. Use firewalls.
Memory in C++ is a leaky abstraction .
Re: Raspberry PI Web Server
DougieLawson wrote: ↑Wed Jul 17, 2019 11:04 pm
Changing from port 22 is a pain in tail, every SSH client defaults to port 22.
...
In the case of the Mac you can change the port by editing .ssh/config and adding
Code:
Host raspberrypi
    User pi
    HostName 192.168.1.123
    Port 54321
This can still be overridden from Terminal e.g.
Code:
ssh -p 22 fred@192.168.1.123
- DougieLawson
Re: Raspberry PI Web Server
If you move the port the things that find your system are more hostile (not just the script kiddies) if they get in worse things will happen. It's much easier to leave it at port 22 and spend your time ensuring it's secured from every unauthorised break-in attempt.
My fail2ban rules have no time-out, when you're blocked you're blocked forever (or until I clean out the sqlite3 database that fail2ban uses).
Any language using left-hand whitespace for syntax is ridiculous
Any DMs sent on Twitter will be answered next month.
Fake doctors - are all on my foes list.
Any requirement to use a crystal ball or mind reading will result in me ignoring your question.
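A simplified model of the "blocked forever" policy described in the post above, run over constructed auth.log lines. This is an added example, not fail2ban's code or part of the original post; the `maxretry` and `findtime` values, the year, the host name and the addresses are assumptions, and only "Failed password" lines are counted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog timestamp, host, sshd[pid], then a failed password attempt and its source.
FAIL = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                  r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")

# Constructed sample log (documentation address ranges, hypothetical host name).
SAMPLE = """\
Jul 17 23:04:01 raspberrypi sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jul 17 23:04:05 raspberrypi sshd[813]: Failed password for pi from 203.0.113.7 port 40150 ssh2
Jul 17 23:05:40 raspberrypi sshd[820]: Failed password for root from 198.51.100.9 port 51820 ssh2
Jul 17 23:06:11 raspberrypi sshd[825]: Failed password for pi from 203.0.113.7 port 40201 ssh2
Jul 17 23:40:02 raspberrypi sshd[901]: Failed password for root from 198.51.100.9 port 51991 ssh2
Jul 17 23:41:00 raspberrypi sshd[905]: Accepted publickey for webadmin from 192.0.2.10 port 50022 ssh2
Jul 18 00:10:00 raspberrypi sshd[950]: Failed password for root from 198.51.100.9 port 52001 ssh2
""".splitlines()

def banned_ips(lines, maxretry=3, findtime=timedelta(minutes=10), year=2019):
    """Return {ip: time of ban}; a ban has no time-out, so later lines are ignored."""
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    banned = {}
    for line in lines:
        m = FAIL.match(line)
        if not m or m.group(2) in banned:
            continue
        # Syslog timestamps carry no year, so one is supplied (assumed).
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        window = recent[m.group(2)]
        window.append(when)
        while when - window[0] > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned[m.group(2)] = when
    return banned

if __name__ == "__main__":
    for ip, when in banned_ips(SAMPLE).items():
        print(f"{ip} banned at {when:%b %d %H:%M:%S} with no expiry")
```

The slow source (one attempt every half hour) stays under the threshold with a 10 minute window and is only caught when `findtime` is widened.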
Re: Raspberry PI Web Server
Thanks for all replies, guys. It will be local only.
Re: Raspberry PI Web Server
means your last kernelupdate was 196 days ago?

I had an SBC exposed as a webserver for a long time in my network. IMO it also depends how well the rest of your network is secured.. Assuming for whatever reason they gain access to your SBC make sure that there aren't many other low hanging fruits to mess around (so probably no WindowsXP in the same network).


If you don't need SSH accessible from outside, don't use it.. Only keys no passwords, and if not absolutely needed I wouldn't expose a sudoer... actually I never needed sudo for maintenance (well the page didn't have much traffic and a downtime of a few hours wasn't an issue, or at least not one I cared about)..
Re: Raspberry PI Web Server
Meh, whatever. Secure system is secure if you are careful.
Code:
07:50:50 up 405 days
Unreadable squiggle
Re: Raspberry PI Web Server
I've been running my personal mail server, webmail UI (only on https), dhcp and dns (dnscrypt), cups, vpn and several other services on rpi2 and rpi3 (some services running in cluster mode) and been running for more than two years now.
There are not enough security measures after you expose your services to the internet, so yeah, things like fail2ban, and ssh keys, personal certificate plus 2FA are your best friends for remote access.
RPI Zero W || RPI 2B || 2x RPI 3B || 2x RPI 4B4G
Re: Raspberry PI Web Server
and it's not careful if you rely on software which isn't updated since months/years. Especially for software which gets regular updates such as the kernel.
rpdom wrote: ↑Fri Jul 19, 2019 6:56 am
Pi 2B running old software, no longer supported. Ports 80 and 22 exposed. Various security software and logging in place. Various attempts on both ports for years. None successful. I am planning to upgrade, but there is a shedload of stuff running on that Pi that will break my home network if it fails for any length of time. The uptime would have been longer, but the disk failed and I had to replace it and restore from my backups. That took an hour or so. I didn't lose anything important.
Code:
07:50:50 up 405 days

Maybe on a Raspbian Jessie? (hopefully not). I don't get this uptime at all. If it really hurts you when there's a smaller number you might find something to fill it with a bogus number.


IMO it doesn't matter how long you didn't spot any evidence that your system got corrupted. The questions should be, what if? What if your system gets corrupted.. The Britains should be familiar with the case it hits them https://www.theverge.com/2017/5/12/1563 ... ry-bitcoin. They probably also didn't think this can happen.. Turns out they were wrong. Don't get me wrong, I don't think that your RPi being down cause you don't want to update your system has the same impact as this one.. But is the uptime number worth it?
Re: Raspberry PI Web Server
Still running Wheezy on that Pi. Kernel is unimportant. Uptime is unimportant. Stability and security is important and I keep track of both of those. It has been my profession for decades.
The software works. I don't allow anything in that can harm it. I read log reports every day.
Unreadable squiggle
Re: Raspberry PI Web Server
yes, i will look into setting up two separate networks and firewalls. as far as i have seen it also makes sense to use a DMZ? but i will have to look into that too...
Re: Raspberry PI Web Server
I have come to think that it's best not to think in terms of "local LAN" and "internet".
That leads one to assuming "local LAN = safe", "public internet = dangerous".
That leads one to building firewalls around the local LAN and feeling good about it.
Well guess what? Any machine that can reach the net or be reached from the net can be compromised. If it's inside your local LAN's safe harbor you now have a potential attacker on the inside!
So what about this:
1) Treat all machines as if they were directly connected to the public internet.
2) Treat all machines on your local LAN as if they were on the public internet and potentially attackers.
3) Secure every machine from attack, from every other machine, on your local LAN or otherwise.
Am I paranoid?
Memory in C++ is a leaky abstraction .
Re: Raspberry PI Web Server
PuTTY lets you set up the port number when you create config, which you can then save and use easily.
As for the "what port to use?" Any decent router will let you forward whatever port you want to a specified port on a device. This way you could forward port 12345 to port 22 on the Pi and leave port 22 on the *router* closed off.